-
Notifications
You must be signed in to change notification settings - Fork 5.5k
66 lines (56 loc) · 1.79 KB
/
claude-security-review.yml
File metadata and controls
66 lines (56 loc) · 1.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Security Review
on:
pull_request:
types: [opened, synchronize, reopened]
# Focus on code changes that could introduce vulnerabilities
paths:
- "**/*.ts"
- "**/*.tsx"
- "**/*.js"
- "**/*.jsx"
- "**/*.json"
- "**/*.yml"
- "**/*.yaml"
- "**/Dockerfile"
- "**/.env.example"
# Allow manual security scans
workflow_dispatch:
# Cancel previous runs for the same PR
concurrency:
group: security-review-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
# Default to least privilege. Override per-job where needed.
permissions:
contents: read
jobs:
security:
# Skip for draft PRs, [skip-security] in title, or bot-triggered
if: |
github.event.pull_request.draft != true &&
!contains(github.event.pull_request.title, '[skip-security]') &&
github.actor != 'cursor[bot]' &&
github.actor != 'dependabot[bot]'
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
pull-requests: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
fetch-depth: 2
- name: Run Claude Security Review
# Note: Using @main as no stable version tag exists yet
uses: anthropics/claude-code-security-review@main
with:
claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
comment-pr: true
upload-results: true
claudecode-timeout: 30
# Exclude non-critical directories
exclude-directories: "node_modules,dist,coverage,.turbo,.next,docs"
# Use Opus 4.5 for deeper security analysis
claude-model: claude-opus-4-7