Skip to content

feat: add agentic issue and PR processing workflows#1503

Open
jescalada wants to merge 11 commits into
finos:mainfrom
jescalada:ai-automated-issue-and-pr-assessment
Open

feat: add agentic issue and PR processing workflows#1503
jescalada wants to merge 11 commits into
finos:mainfrom
jescalada:ai-automated-issue-and-pr-assessment

Conversation

@jescalada

@jescalada jescalada commented Apr 15, 2026

Copy link
Copy Markdown
Contributor

This PR adds GitHub Action workflows for automated issue triaging, PR description quality checks and diff vulnerability scanning.

Features

Issue triaging

Automatically processes freshly opened issues and:

  • Adds appropriate tags
  • Analyzes the n last issues to check for duplicates or related issues, provides reasons why they may be related/duplicate
    • n defaults to 100
  • Requests more info if the description insufficient

PR quality check

Automatically processes freshly opened PRs and:

  • Points new contributors to our CONTRIBUTING.md
  • Requests more info if the description is insufficient
  • Requests linking to an issue if not done
  • Checks if the PR description complies with the CONTRIBUTING.md, provides reasoning if not compliant

PR security review

Automatically processes freshly opened PRs, and also triggers when commenting "/security-review":

  • Looks at the PR diff and scans for vulnerabilities
    • Certain generated files are always excluded (*.lock, etc.)
    • The diff for a given is truncated down to 3000 chars to prevent bloating the prompt (it may contain generated files that weren't properly excluded)
Prompt details

Prompted specifically to detect:

  • Hardcoded secrets, tokens, passwords or API keys
  • Injection vulnerabilities (SQL, shell, template, etc.)
  • Insecure use of cryptography or hashing
  • Unsafe deserialization
  • Path traversal or directory traversal risks
  • Insecure direct object references
  • Missing input validation or sanitisation on user-controlled data
  • Use of known-vulnerable dependency versions (if visible in the diff)
  • Overly permissive file or network access

Examples

PR scanning/quality control

Sample vulnerable diff

PR security review on obvious vulnerable diff

Screenshots image image

Actual GitProxy PR opened on my fork (#1457)

PR security review on actual upstream PR

Screenshots image image image

Issue tagging

Screenshots image

To-do

  • Improve/clean up prompts
    • Shorten prompts to save tokens
    • Remove emojis
    • Standardize responses
  • Extract constants/make configurable through envs
  • Extract helpers into separate file, move agent scripts to more appropriate location

Notes

  • It'd be great to improve the issue triage to reproduce bugs and look for solutions. We could also review issues in more depth and assess feasibility or critique feature requests, etc.
  • I deliberately made the PR reviewer focus only on the security aspect, as we wouldn't want to raise eyebrows with full-blown AI reviews. That said, there's definitely a lot of added value in having AI process the diff before a human gets to look at it. I'm happy to implement a more sophisticated solution if we need it 🙂

@jescalada jescalada requested a review from a team as a code owner April 15, 2026 06:27
@netlify

netlify Bot commented Apr 15, 2026

Copy link
Copy Markdown

Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name Link
🔨 Latest commit 0ded4d7
🔍 Latest deploy log https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/6a54426c2686980008d934aa

@codecov

codecov Bot commented Apr 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.75%. Comparing base (da402f3) to head (0ded4d7).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1503      +/-   ##
==========================================
- Coverage   85.87%   85.75%   -0.13%     
==========================================
  Files          84       84              
  Lines        8109     8109              
  Branches     1376     1376              
==========================================
- Hits         6964     6954      -10     
- Misses       1117     1126       +9     
- Partials       28       29       +1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@jescalada jescalada linked an issue Apr 17, 2026 that may be closed by this pull request
@jescalada jescalada self-assigned this Apr 17, 2026
@jescalada

Copy link
Copy Markdown
Contributor Author

@finos/git-proxy-maintainers This is ready for a first look!

@kriswest kriswest left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a thought on excluding tests that contain secrets from security review.

Do we need to check with FINOS about deploying this? Will they need to set some API keys? Do we need to control its token use?

SYSTEM_PROMPT = """You are a security analysis assistant for a GitHub repository.
You are given a pull request diff and must identify potential security issues.

Flag only: hardcoded secrets or credentials, injection vulnerabilities (SQL, shell, template), insecure cryptography or hashing, unsafe deserialization, path traversal, missing input validation on user-controlled data, known-vulnerable dependency versions, overly permissive file or network access.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our tests contain hardcoded secrets and new tests might also. Some steering to exclude those where they relate to the purpose of the test might be needed here

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel these AI scanners err on the side of caution on hardcoded secrets in tests, GitHub's Secret Scanner provides a "used only in tests" option for false positives which pop up every now and then.

Wouldn't it be better to let the agent point these out since there's a chance the GitHub scanner would detect them anyways? Also, the GitHub scans suffer from bad visibility - AFAIK it doesn't send you a notification when it finds something unless you made the affected commit yourself.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, this check is non-blocking, so reviewers can always point out if it's a false-positive and let it slide.

@jescalada

jescalada commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

@kriswest Right now, I set my own API key since the actual usage is minimal on lightweight models. But if we ever want to replicate this across other FINOS projects, a standardized setup process is due.

To sum it up, you can set your desired model string (MODEL) and the equivalent API key secrets:

MODEL=claude-sonnet-5 requires setting ANTHROPIC_API_KEY=<your-key> and so on.

Controlling its usage would require FINOS to set limits to the API key itself. However, unless we're processing hundreds of new issues and PRs per day, I don't think costs would ever become unreasonable.

I'm happy to standardize the process and contribute a doc to the FINOS website so this can be applied more widely.

@kriswest

Copy link
Copy Markdown
Contributor

I think it would be worth involving help@finos.org and the FINOS TOC here, particularly if AI is going to start replying to external contributors. I support the initiative! Lets hope they do too and can help out?

See this page for contact details for the TOC (mailing list or Github issue in their repo): http://finos.org/technical-oversight-committee.

@jescalada jescalada changed the title feat: add agentic issue and PR processing feat: add agentic issue and PR processing workflows Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Improve and standardize Agentic AI tooling

2 participants