
Conversation

Chhinna (Contributor) commented Sep 20, 2025

CodeAnt-AI Description

Automatically scan every push for secrets and fail CI on detection

What Changed

  • A quality gate now runs on every push to any branch to scan for leaked secrets
  • The workflow fails when secrets are detected or if the scan errors, preventing the change from proceeding
  • Clear pass/fail messages are shown in the logs: “Quality Gate PASSED - No secrets detected” or an error with guidance to review issues
  • Results are polled for up to 5 minutes (every 15 seconds) to provide timely feedback
  • Uses the production environment for pushes to dev and main; uses test for other branches

Impact

✅ Fewer secret leaks
✅ Failed CI when secrets are detected
✅ Clearer CI pass/fail messages

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.


codeant-ai bot commented Sep 20, 2025

CodeAnt AI is reviewing your PR.

Chhinna merged commit 90d05b8 into main Sep 20, 2025
1 check failed
codeant-ai bot added the label size:M (This PR changes 30-99 lines, ignoring generated files) Sep 20, 2025

codeant-ai bot commented Sep 20, 2025

Pull Request Feedback 🔍

🔒 No security issues identified
⚡ Recommended areas for review

  • Secret Handling
    The access token is passed as a CLI argument to the script. If the script logs its arguments, the token may be exposed in logs. Ensure the script never logs arguments, or pass the token via environment or stdin and rely on masking.

  • Error Handling
    The curl invocation lacks --fail/timeout/retry options. Network hiccups can produce partial files that still get decoded/executed. Add strict flags and guard against empty/partial downloads before decoding.

  • Logic Robustness
    The final status relies on ${{ job.status }} inside a shell if. Prefer step-level conditions (if: success() / if: failure()) or explicit outputs from the polling step to avoid mismatches and to make the control flow clearer and more reliable.

Comment on lines +24 to +31
curl -sS -X GET "${API_BASE}/analysis/ci/quality-gates/script/get" \
--output quality_gates.sh.b64

- name: Make script executable
run: |
base64 -d quality_gates.sh.b64 > quality_gates.sh
chmod +x quality_gates.sh
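Review bot: the `curl -sS` call on the first two lines has no `--fail`, so a 4xx/5xx response body is written to quality_gates.sh.b64 and the "Make script executable" step then decodes it and marks it executable with no check at all; add `--fail`, `--max-time` and `--retry` to the download, and before `chmod +x quality_gates.sh` verify the download against a pinned digest (the EXPECTED_SHA256 idea from the other comment) and check that the decoded file is non-empty, failing the job otherwise.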


Suggestion: Harden the remote download by using strict curl flags, optional checksum verification via EXPECTED_SHA256, decoding and validating the script in one step, and failing fast on any issue to mitigate supply-chain risks. [security]

environment: ${{ (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') && 'production' || 'test' }}
steps:
- name: Checkout
uses: actions/checkout@v4
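Review bot: `uses: actions/checkout@v4` references a mutable tag; pin to the full commit SHA of the release (keeping the version as a trailing comment) so the action cannot change underneath the workflow. The `environment:` expression above it is correct as written (the `&&`/`||` idiom yields 'production' because that string is non-empty), but note it means pushes to branches other than dev and main resolve secrets from the `test` environment, which therefore has to define the same secret names or the scan step fails.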

Suggestion: Pin the checkout action to a specific, immutable version to ensure deterministic builds and reduce supply-chain risk. [security]


codeant-ai bot commented Sep 20, 2025

CodeAnt AI finished reviewing your PR.
