support to run on other repos

tpilli · tpilli · commit 4eb7da0c2266 · 2026-02-09T22:05:26.000-05:00
diff --git a/.github/workflows/ai-sast.yml b/.github/workflows/ai-sast.yml
@@ -0,0 +1,112 @@
+# Run AI-SAST in YOUR repo on YOUR runners. Your code never runs on ai-sast infrastructure.
+#
+# Required: copy this file as .github/workflows/ai-sast.yml, add secrets:
+#   GOOGLE_CLOUD_PROJECT, GOOGLE_CREDENTIALS
+# Default: checks out rivian/ai-sast. Optional: set AI_SAST_REPO (e.g. for a fork);
+#   AI_SAST_BASE_BRANCH (default: main); AI_SAST_REF (default: main); runs-on for self-hosted.
+
+name: AI-SAST
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  ai-sast:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && (github.base_ref == vars.AI_SAST_BASE_BRANCH || (vars.AI_SAST_BASE_BRANCH == '' && github.base_ref == 'main')))
+    runs-on: ubuntu-latest
+    continue-on-error: true
+
+    env:
+      GOOGLE_CLOUD_PROJECT: ${{ secrets.GOOGLE_CLOUD_PROJECT }}
+      GOOGLE_LOCATION: us-central1
+      GEMINI_MODEL: ${{ vars.GEMINI_MODEL || 'gemini-2.0-flash-exp' }}
+      AI_SAST_SEVERITY: ${{ vars.AI_SAST_SEVERITY || 'critical,high' }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Checkout AI-SAST
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ vars.AI_SAST_REPO || 'rivian/ai-sast' }}
+          path: ai-sast
+          ref: ${{ vars.AI_SAST_REF || 'main' }}
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install dependencies
+        run: pip install --upgrade pip && pip install -r ai-sast/requirements.txt
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
+
+      - name: Run AI-SAST PR Scan
+        if: github.event_name == 'pull_request'
+        id: scan
+        run: PYTHONPATH=${{ github.workspace }}/ai-sast python -m src.main.pr_scan
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run AI-SAST Full Scan
+        if: github.event_name == 'workflow_dispatch'
+        id: scan
+        run: PYTHONPATH=${{ github.workspace }}/ai-sast python -m src.main.full_scan --max-workers 1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Post PR Comment with Results
+        if: always() && github.event_name == 'pull_request' && steps.scan.outcome != 'skipped'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs');
+            if (!fs.existsSync('pr_comment.md')) {
+              console.log('No pr_comment.md found');
+              return;
+            }
+            const report = fs.readFileSync('pr_comment.md', 'utf8');
+            if (!report || !report.trim()) {
+              console.log('pr_comment.md is empty');
+              return;
+            }
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: report
+            });
+            console.log('PR comment posted');
+
+      - name: Upload PR scan reports
+        if: always() && github.event_name == 'pull_request'
+        uses: actions/upload-artifact@v4
+        with:
+          name: ai-sast-pr-scan-reports
+          path: |
+            ai_sast_pr_scan_report_*.html
+            pr_comment.md
+          retention-days: 30
+
+      - name: Upload full scan reports
+        if: always() && github.event_name == 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: ai-sast-full-scan-report
+          path: |
+            ai_sast_full_scan_report_*.html
+            ai_sast_full_scan_report_*.txt
+          retention-days: 30
diff --git a/README.md b/README.md
@@ -60,7 +60,7 @@ python -m src.main.pr_scan
 
 **For GitHub Actions:** Add these as repository secrets:
 - `GOOGLE_CLOUD_PROJECT`: Your GCP project ID  
-- `GOOGLE_TOKEN`: Service account JSON
+- `GOOGLE_CREDENTIALS`: Service account JSON (used by the workflow’s Google auth step)
 
 That's it! Workflows in `.github/workflows/` will run automatically.
 
@@ -110,7 +110,7 @@ python -m src.core.scanner --repo https://github.com/user/repo.git --branch main
 
 1. Add repository secrets (Settings → Secrets → Actions):
    - `GOOGLE_CLOUD_PROJECT`: Your GCP project ID
-   - `GOOGLE_TOKEN`: Service account JSON
+   - `GOOGLE_CREDENTIALS`: Service account JSON (required by the workflow’s Google Cloud auth step)
 
 2. Workflows run automatically:
    - **PR Scan**: Scans changed files on pull requests
@@ -119,6 +119,20 @@ python -m src.core.scanner --repo https://github.com/user/repo.git --branch main
 
 **That's it!** Results appear as PR comments and artifacts.
 
+#### Using AI-SAST in another repository (runs in your repo, on your runners)
+
+**Your code never runs on ai-sast infrastructure.** The workflow runs in your repo on your runners and checks out the ai-sast scanner at runtime—no submodule or copy required.
+
+1. **Copy the workflow file** into your repo as `.github/workflows/ai-sast.yml`:  
+   [`.github/workflows/ai-sast.yml`](.github/workflows/ai-sast.yml)
+
+2. **Add repository secrets** (Settings → Secrets and variables → Actions):  
+   `GOOGLE_CLOUD_PROJECT`, `GOOGLE_CREDENTIALS`
+
+The workflow checks out **`rivian/ai-sast`** by default. **Optional:** set `AI_SAST_REPO` (e.g. for a fork); `AI_SAST_BASE_BRANCH` (default `main`); `runs-on: self-hosted` for your own runners. **Full scan:** Actions → “AI-SAST” → “Run workflow”.
+
+📚 **Full integration guide:** [docs/INTEGRATION.md](docs/INTEGRATION.md)
+
 ### Optional: Feedback Loop
 
 Developers can mark findings as true/false positives to improve accuracy over time. Feedback is automatically stored in SQLite.
@@ -166,7 +180,7 @@ export AI_SAST_CUSTOM_PROMPT="Focus on authentication vulnerabilities"
 | Variable | Description |
 |----------|-------------|
 | `GOOGLE_CLOUD_PROJECT` | Your GCP project ID |
-| `GOOGLE_TOKEN` | Service account JSON (for GitHub Actions) |
+| `GOOGLE_CREDENTIALS` | Repository secret: service account JSON (for GitHub Actions auth) |
 
 ### Optional Environment Variables
 
diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md
@@ -245,7 +245,7 @@ Developer reviews PR comment
 
 ### Authentication
 - **Local Development:** `gcloud auth application-default login`
-- **GitHub Actions:** Service account JSON via `GOOGLE_TOKEN` secret
+- **GitHub Actions:** Service account JSON via `GOOGLE_CREDENTIALS` repository secret (workflow auth step)
 - **Ollama:** No authentication (local only)
 
 ### Secrets Management
diff --git a/docs/INTEGRATION.md b/docs/INTEGRATION.md
@@ -0,0 +1,39 @@
+# Integrating AI-SAST into Your Repository
+
+Run AI-SAST (PR scan + full scan) **in your repo on your runners**. The workflow checks out the ai-sast scanner at runtime—no submodule or manual copy. Your code never runs on ai-sast infrastructure.
+
+## Required (2 steps)
+
+### 1. Copy the workflow file
+
+- **From this repo:** [`.github/workflows/ai-sast.yml`](../.github/workflows/ai-sast.yml)
+- **Save as:** `.github/workflows/ai-sast.yml` in **your** repository.
+
+### 2. Add Google secrets
+
+In your repository: **Settings → Secrets and variables → Actions → Secrets**
+
+| Secret | Description |
+|--------|-------------|
+| `GOOGLE_CLOUD_PROJECT` | Your GCP project ID |
+| `GOOGLE_CREDENTIALS` | Service account JSON (full contents of the key file) |
+
+The workflow checks out **`rivian/ai-sast`** by default. That’s it—PR scan runs on pull requests (when base branch matches); full scan runs when you click “Run workflow” in the Actions tab.
+
+## Optional
+
+- **Using a fork:** Set repository variable **`AI_SAST_REPO`** (e.g. `your-org/ai-sast`) to checkout your fork instead of `rivian/ai-sast`.
+- **Default branch for PR scan:** Add variable **`AI_SAST_BASE_BRANCH`** (e.g. `main`, `master`, `develop`). Default is `main` if unset.
+- **Scanner ref:** Add variable **`AI_SAST_REF`** (e.g. `main`, `v1.0`) to pin the ai-sast version. Default is `main`.
+- **Self-hosted runners:** In the workflow file, set `runs-on: self-hosted` (or your runner label).
+
+## Running scans
+
+- **PR scan**: Open a pull request that targets the branch set by `AI_SAST_BASE_BRANCH` (or `main`). The workflow runs and posts a comment with findings.
+- **Full scan**: Actions → **“AI-SAST”** → **“Run workflow”**.
+
+## Troubleshooting
+
+- **“repository not found” or checkout fails:** You may be using a fork; set `AI_SAST_REPO` to your `org/ai-sast`.
+- **No PR comment:** Check that the PR targets the branch set by `AI_SAST_BASE_BRANCH` (or `main`). Check the “Run AI-SAST PR Scan” step logs.
+- **Auth errors:** Ensure the service account has the “Vertex AI User” role and that `GOOGLE_CREDENTIALS` is the **full** JSON key (not a path).
