AI Code Gate

A GitHub Actions pipeline that detects, gates, and audits AI-generated code before it reaches your main branch. Policy-as-code enforcement, automated security scanning, sandboxed test execution, and risk-tiered review requirements — all in modular composite actions you can adopt incrementally.

Read the blog post | Follow the tutorial

How it works

PR opened → Detect AI PR → Policy Check → Security Scan → Sandbox Tests → Risk Assessment
                 │               │              │              │               │
                 ▼               ▼              ▼              ▼               ▼
           Co-author?      Allowed files?   Gitleaks      Docker build    Score 0-100
           Labels?         Blocked files?   Semgrep       npm test        LOW/MED/HIGH
           Bot author?     Scope limits?    npm audit     --network=none  PR comment

Each stage runs as an independent composite action — use the full pipeline or pick individual actions.

Quick start

1. Fork this repo and enable GitHub Actions
2. Create a branch and add a commit:

   git commit --allow-empty -m "test: verify pipeline
   
   Co-Authored-By: Claude <noreply@anthropic.com>"

3. Open a pull request — the ai-code-gate workflow triggers automatically
4. Observe: detection → policy check → security scan → sandbox test → risk assessment
5. Check the PR comment for your risk score and tier

Add to your repo in 5 minutes

Create .github/workflows/ai-code-gate.yml:

name: AI Code Gate
on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write

jobs:
  detect:
    runs-on: ubuntu-latest
    outputs:
      is_ai_pr: ${{ steps.detect.outputs.is_ai_pr }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: InkByteStudio/ai-code-gate/.github/actions/detect-ai-pr@main
        id: detect

  policy-check:
    needs: detect
    if: needs.detect.outputs.is_ai_pr == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - uses: InkByteStudio/ai-code-gate/.github/actions/policy-check@main

  security-scan:
    needs: detect
    if: needs.detect.outputs.is_ai_pr == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: InkByteStudio/ai-code-gate/.github/actions/security-scan@main

Then add an .ai-code-gate.yml to your repo root (see examples/).

Policy configuration

See docs/policy-reference.md for the complete reference.

Quick example

policy:
  allowed_patterns:
    - "src/**/*.ts"
    - "tests/**"
  blocked_patterns:
    - "*.env*"
    - "**/auth/**"
  scope_limits:
    max_files: 20
    max_lines_added: 500

Composite actions

Action	Purpose	Key outputs
detect-ai-pr	Identify AI-generated PRs	is_ai_pr, agent_identity
policy-check	Validate changes against policy	policy_passed, violations_json
security-scan	Run gitleaks + Semgrep + dep audit	scan_passed, findings_count
sandbox-test	Run tests in isolated Docker container	tests_passed, test_output
risk-assessment	Calculate risk score, post PR comment	risk_score, risk_tier

Each action can be used independently: uses: InkByteStudio/ai-code-gate/.github/actions/<action>@main

Risk tiers

Tier	Score	Default behavior
LOW	0–30	Auto-merge eligible, 0 approvals
MEDIUM	31–70	1 approval required
HIGH	71–100	2 approvals + security team review

See docs/risk-tiers.md for score calculation details.

Development

npm install
npm test          # Run all tests
npm run build     # Compile TypeScript

The sample-app/ directory contains a minimal Express API used to demonstrate the pipeline.

Contributing

1. Fork the repo
2. Create a feature branch
3. Make your changes (the pipeline will gate your PR if you trigger AI detection)
4. Open a pull request

License

MIT