feat: add agentic issue and PR processing workflows#1503
Conversation
✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1503 +/- ##
==========================================
- Coverage 85.87% 85.75% -0.13%
==========================================
Files 84 84
Lines 8109 8109
Branches 1376 1376
==========================================
- Hits 6964 6954 -10
- Misses 1117 1126 +9
- Partials 28 29 +1 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
@finos/git-proxy-maintainers This is ready for a first look! |
kriswest
left a comment
There was a problem hiding this comment.
Added a thought on excluding tests that contain secrets from security review.
Do we need to check with FINOS about deploying this? Will they need to set some API keys? Do we need to control its token use?
| SYSTEM_PROMPT = """You are a security analysis assistant for a GitHub repository. | ||
| You are given a pull request diff and must identify potential security issues. | ||
|
|
||
| Flag only: hardcoded secrets or credentials, injection vulnerabilities (SQL, shell, template), insecure cryptography or hashing, unsafe deserialization, path traversal, missing input validation on user-controlled data, known-vulnerable dependency versions, overly permissive file or network access. |
There was a problem hiding this comment.
Our tests contain hardcoded secrets and new tests might also. Some steering to exclude those where they relate to the purpose of the test might be needed here
There was a problem hiding this comment.
I feel these AI scanners err on the side of caution on hardcoded secrets in tests, GitHub's Secret Scanner provides a "used only in tests" option for false positives which pop up every now and then.
Wouldn't it be better to let the agent point these out since there's a chance the GitHub scanner would detect them anyways? Also, the GitHub scans suffer from bad visibility - AFAIK it doesn't send you a notification when it finds something unless you made the affected commit yourself.
There was a problem hiding this comment.
Also, this check is non-blocking, so reviewers can always point out if it's a false-positive and let it slide.
|
@kriswest Right now, I set my own API key since the actual usage is minimal on lightweight models. But if we ever want to replicate this across other FINOS projects, a standardized setup process is due. To sum it up, you can set your desired model string (
Controlling its usage would require FINOS to set limits to the API key itself. However, unless we're processing hundreds of new issues and PRs per day, I don't think costs would ever become unreasonable. I'm happy to standardize the process and contribute a doc to the FINOS website so this can be applied more widely. |
|
I think it would be worth involving help@finos.org and the FINOS TOC here, particularly if AI is going to start replying to external contributors. I support the initiative! Lets hope they do too and can help out? See this page for contact details for the TOC (mailing list or Github issue in their repo): http://finos.org/technical-oversight-committee. |
This PR adds GitHub Action workflows for automated issue triaging, PR description quality checks and diff vulnerability scanning.
Features
Issue triaging
Automatically processes freshly opened issues and:
nlast issues to check for duplicates or related issues, provides reasons why they may be related/duplicaten defaults to 100PR quality check
Automatically processes freshly opened PRs and:
CONTRIBUTING.mdCONTRIBUTING.md, provides reasoning if not compliantPR security review
Automatically processes freshly opened PRs, and also triggers when commenting "/security-review":
*.lock, etc.)Prompt details
Prompted specifically to detect:
Examples
PR scanning/quality control
Sample vulnerable diff
PR security review on obvious vulnerable diff
Screenshots
Actual GitProxy PR opened on my fork (#1457)
PR security review on actual upstream PR
Screenshots
Issue tagging
Screenshots
To-do
Notes