Skip to content

docs: add security documentation and tiered examples#14

Merged
clouatre merged 3 commits intomainfrom
feat/security-documentation
Nov 16, 2025
Merged

docs: add security documentation and tiered examples#14
clouatre merged 3 commits intomainfrom
feat/security-documentation

Conversation

@clouatre
Copy link
Copy Markdown
Member

@clouatre clouatre commented Nov 16, 2025

Summary

Adds security documentation and three-tiered workflow examples to address prompt injection risks in AI-powered code analysis.

Changes

Documentation

  • SECURITY.md - Vulnerability reporting policy (hugues@linux.com)
  • README.md - Added security warning, replaced examples with safe patterns
  • examples/README.md - Comparison of 3 security tiers

Workflow Examples

  • Tier 1: Maximum Security - AI analyzes tool output only (immune to prompt injection)
  • Tier 2: Balanced Security - AI sees file stats, manual approval for posting
  • Tier 3: Advanced Patterns - AI analyzes diffs (vulnerable, for trusted teams only)

Security Tiers

Tier Input Prompt Injection Risk Use Case
1 Tool output (JSON) None Public repos, external contributors
2 File stats Low Private repos, trusted contributors
3 Full diff High Private repos, 100% trusted team only

Models Used (Cost-Effective)

  • Tier 1: Google Gemini 2.5 Flash
  • Tier 2: Anthropic Claude Haiku 4.5
  • Tier 3: OpenAI o4-mini

Testing Plan

  • Validate YAML syntax (all 3 tiers)
  • Test Tier 1 with Google API (ruff output analysis)
  • Verify security patterns (permissions, fork protection, bot exclusion)
  • Confirm no secrets in examples

Industry Impact

First GitHub Action for AI code analysis with comprehensive security guidance. Sets standard for responsible AI integration in CI/CD.

Checklist

  • No breaking changes to existing workflows
  • All examples use latest action versions (v5, v6, v8)
  • Provider variety demonstrated (Google, Anthropic, OpenAI)
  • No hardcoded secrets or confidential information
  • Email verified in SECURITY.md (hugues@linux.com)
  • Conventional commit message format

@clouatre clouatre merged commit 068f9f0 into main Nov 16, 2025
4 checks passed
@clouatre clouatre deleted the feat/security-documentation branch November 16, 2025 03:15
@clouatre clouatre mentioned this pull request Nov 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@clouatre