workflow

[Chhinna]

CodeAnt-AI Description

Automatically scan every push for secrets and fail CI on detection

What Changed

• A quality gate now runs on every push to any branch to scan for leaked secrets
• The workflow fails when secrets are detected or if the scan errors, preventing the change from proceeding
• Clear pass/fail messages are shown in the logs: “Quality Gate PASSED - No secrets detected” or an error with guidance to review issues
• Results are polled for up to 5 minutes (every 15 seconds) to provide timely feedback
• Uses the production environment for pushes to dev and main; uses test for other branches

Impact

✅ Fewer secret leaks
✅ Failed CI when secrets are detected
✅ Clearer CI pass/fail messages

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[codeant-ai]

CodeAnt AI is reviewing your PR.

[codeant-ai]

Pull Request Feedback 🔍

🔒 No security issues identified

⚡ Recommended areas for review Secret Handling The access token is passed as a CLI argument to the script. If the script logs its arguments, the token may be exposed in logs. Ensure the script never logs arguments, or pass the token via environment or stdin and rely on masking. Error Handling The curl invocation lacks --fail/timeout/retry options. Network hiccups can produce partial files that still get decoded/executed. Add strict flags and guard against empty/partial downloads before decoding. Logic Robustness The final status relies on ${{ job.status }} inside a shell if. Prefer step-level conditions (if: success() / if: failure()) or explicit outputs from the polling step to avoid mismatches and to make the control flow clearer and more reliable.

[codeant-ai]

Suggestion: Harden the remote download by using strict curl flags, optional checksum verification via EXPECTED_SHA256, decoding and validating the script in one step, and failing fast on any issue to mitigate supply-chain risks. [security]

[codeant-ai]

Suggestion: Pin the checkout action to a specific, immutable version to ensure deterministic builds and reduce supply-chain risk. [security]

[codeant-ai]

CodeAnt AI finished reviewing your PR.