ci: add Claude Code /security-review workflow on PRs#1285
Merged
Package Tarball. How to install: `npm install https://github.com/aws/agentcore-cli/releases/download/pr-1285-tarball/aws-agentcore-0.14.0.tgz`

Coverage Report

agentcore-cli-automation suggested changes, May 18, 2026:
Workflow looks well-structured overall and the auth gate is solid. A few things worth addressing before merge — see inline comments. The biggest concerns are:

- The `synchronize` trigger differs from `pr-ai-review.yml` despite the PR description claiming to mirror it — this means a full Bedrock review runs on every push, not just PR open/reopen.
- Script injection risk via the `workflow_dispatch` `pr_number` input being interpolated directly into a `github-script` step.
- No `timeout-minutes` guard on the job that invokes Bedrock + Claude Code Action with `--max-turns 20`.
…cript injection, add timeout, inline comments)
tejaskash (Author) commented, May 18, 2026:
Addressed in 0b32025:

- synchronize trigger — dropped from `pull_request_target` types so the workflow now only fires on opened/reopened/labeled, matching pr-ai-review.yml.
- Script injection on `pr_number` — moved `inputs.pr_number` into `env:` and read it via `process.env.PR_NUMBER_INPUT` with explicit base 10. Also applied the same env-var pattern to `steps.pr.outputs.number` in the two label-management github-script steps as defense in depth.
- timeout-minutes — added `timeout-minutes: 30` to the security-review job.

Also, per follow-up request: updated the prompt to instruct Claude to post inline line-level review comments instead of a single summary comment (with a fallback top-level comment if there are no findings).
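The two patterns compared in the bot review and the author's reply above, as an added illustration (not the PR's actual workflow file): the flagged direct interpolation of `inputs.pr_number` into a `github-script` step beside the env-var plus explicit base-10 parse the author describes, with the trimmed trigger list and `timeout-minutes: 30`. The step names, the digit-only regex check, the `github.event.pull_request.number` fallback and the `actions/github-script@v7` version are assumptions, not taken from the PR.

```yaml
name: pr-security-review
on:
  pull_request_target:
    # 'synchronize' dropped: a full Bedrock review should not run on every push
    types: [opened, reopened, labeled]
  workflow_dispatch:
    inputs:
      pr_number:
        required: true
jobs:
  security-review:
    runs-on: ubuntu-latest
    timeout-minutes: 30   # bounds a runaway multi-turn agent run
    steps:
      # BEFORE (the flagged pattern): the expression is expanded by the
      # workflow engine straight into JavaScript source, so any input that is
      # not a bare number is executed as code rather than treated as data.
      # - uses: actions/github-script@v7
      #   with:
      #     script: |
      #       const pull_number = ${{ inputs.pr_number }};

      # AFTER: the input reaches the script only as an environment variable;
      # the script parses it in base 10 and rejects anything else.
      # (assumed fallback to the event's PR number on pull_request_target)
      - name: Resolve PR number
        id: pr
        uses: actions/github-script@v7
        env:
          PR_NUMBER_INPUT: ${{ inputs.pr_number || github.event.pull_request.number }}
        with:
          script: |
            const raw = process.env.PR_NUMBER_INPUT ?? '';
            if (!/^[1-9]\d*$/.test(raw)) {
              core.setFailed(`pr_number must be a positive integer, got ${JSON.stringify(raw)}`);
              return;
            }
            core.setOutput('number', parseInt(raw, 10));

      # Same env-var pattern for a downstream label step (defense in depth)
      - name: Mark PR as under review
        uses: actions/github-script@v7
        env:
          PR_NUMBER: ${{ steps.pr.outputs.number }}
        with:
          script: |
            await github.rest.issues.addLabels({
              ...context.repo,
              issue_number: parseInt(process.env.PR_NUMBER, 10),
              labels: ['claude-security-reviewing'],
            });
```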
…eviewers' comments
notgitika reviewed and previously approved these changes, May 18, 2026.
…context The Claude Code Action runs the Agent SDK, which doesn't load the /security-review skill bundled with the local CLI binary. Resolving '/security-review' as a prompt was a no-op (num_turns: 0). Inline the bundled prompt into .github/prompts/security-review.md, gather git status/diff in a workflow step, template them in, and feed the result to the action via prompt:. Bumps --max-turns to 30 to accommodate the skill's sub-task fan-out.
The Claude Code Action provides bundled MCP servers (github_inline_comment, github_comment) that buffer comments and post them via the action's post-step. Direct REST/octokit/curl calls are not available as tools and would not work even if they were. Per anthropics/claude-code-action source:

- The github_inline_comment MCP server only registers when triggered by a PR-context event AND when its tool name appears in --allowedTools.
- Comments are buffered to /tmp/inline-comments-buffer.jsonl and flushed by post-buffered-inline-comments.ts.

Changes:

- Allow-list mcp__github_inline_comment__create_inline_comment and mcp__github_comment__update_claude_comment via claude_args.
- Rewrite POSTING RESULTS section of the prompt to call those MCP tools by name with the correct schema (path, line, body), and to use update_claude_comment for the summary instead of an issue-comment REST call.
- Document that workflow_dispatch will not post inline comments — use only for prompt-plumbing smoke tests.
- Enable show_full_output so the action transcript is visible in run logs.
notgitika approved these changes, May 18, 2026.
Summary

- Adds `.github/workflows/pr-security-review.yml` that runs `anthropics/claude-code-action@v1` with the built-in `/security-review` slash command on every PR (`pull_request_target`: opened/reopened/synchronize) and via `workflow_dispatch`.
- Mirrors the auth gate from `pr-ai-review.yml`: PRs from non-collaborators are skipped to prevent prompt-injection-driven token abuse.
- Model: `us.anthropic.claude-opus-4-7`, max-turns 20, region `us-west-2`.

Test plan

- `pull_request_target` reads workflows from `main`, so the workflow only takes effect once merged.
- The `claude-security-reviewing` label appears, the workflow run completes, and a security review comment is posted by the bot.