Releases: fendora-io/sieve-action
Releases · fendora-io/sieve-action
Release list
v1.4.4
What's Changed
- Prepare for OpenSSF Best Practices badge by @mohijalili in #25
- Validate CI/CD metadata in Docker workflow by @mohijalili in #26
- Align branding to Sieve by Fendora and add Best Practices badge by @mohijalili in #27
- Prepare OpenSSF Baseline-2 compliance by @mohijalili in #28
- Prepare OpenSSF Baseline-3 compliance by @mohijalili in #29
- Prepare v1.4.4 release by @mohijalili in #31
- Fix release signing when :latest is present by @mohijalili in #32
Full Changelog: v1.4.3...v1.4.4
v1.4.3
What's changed
- Cosign signing for GHCR images on release tags
- Sigstore bundle attached to GitHub releases
- Version pin updated to
v1.4.3
Usage
- uses: fendora-io/sieve-action@v1.4.3Full changelog: v1.4.2...v1.4.3
v1.4.2
What's changed
Supply chain & security hardening
- Pin all GitHub Actions to full commit SHAs
- Add Dependabot for GitHub Actions, Docker, and pip
- Add Semgrep SAST and CodeQL analysis in CI
- Hash-lock pip dependencies in the Docker image
- Pin Docker base image by digest
Release
- Pin
action.ymltoghcr.io/fendora-io/sieve-action:v1.4.2instead of:latest - Update README examples to
@v1.4.2
Usage
- uses: fendora-io/sieve-action@v1.4.2Full changelog: v1.4.1...v1.4.2
v1.4.1
v1.4.0
What's new
- Per-finding emoji reactions: For each flagged finding, Sieve now posts a dedicated sub-comment in the PR thread:
🔍 `missing-user-entrypoint` · `Dockerfile:7` · score 0.97
React 👍 if this is a real vulnerability · 👎 if it's a false positive - Reactions are picked up server-side every 15 minutes — no new tab, no typing required.
- Slash command fallback (
/sieve real|fp) still works for keyboard users.
Usage
on:
pull_request:
types: [opened, synchronize, reopened]
issue_comment:
types: [created]
permissions:
contents: read
pull-requests: write
jobs:
sieve:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: fendora-io/sieve-action@v1.4.0v1.3.0
What's new
- Slash command feedback: Replace 👍/👎 links (opened a new tab) with
/sieve realand/sieve fp [rule]slash commands. Reply directly on the PR comment — no new tab, stays in GitHub. - PR comments now embed a hidden findings block so the action can match commands to specific findings and record them to Qdrant.
Usage
Add issue_comment trigger to your workflow to enable slash commands:
on:
pull_request:
types: [opened, synchronize, reopened]
issue_comment:
types: [created]Then reply on a PR comment:
/sieve fp— mark all findings as false positives/sieve real— mark all findings as real vulnerabilities/sieve fp sql-injection— mark a specific rule as false positive
v1.2.0
What's new
- Feedback links: Each finding row in the PR comment now includes 👍 (real vulnerability) and 👎 (false positive) links. Clicking records your label to Sieve's training database — helping the model improve over time.
Usage
- uses: fendora-io/sieve-action@v1.2.0
with:
repo-alias: my-org/my-repo # optional
fail-on-findings: "true" # optional, default truev1.1.0
What's changed
- Implementation details hidden — logs show only scan results, not internal tooling
- Docker-based action for clean output
- Fixed GitHub token passing to Docker container for PR comments
- Added Data & Privacy documentation
Usage
- uses: fendora-io/sieve-action@v1.1.0No setup, no API keys, no configuration required.
v1.0.0
Sieve Security Scan — v1.0.0
AI-powered security scanner for pull requests. No setup, no API keys, no configuration required.
Usage
- uses: fendora-io/sieve-action@v1What's included
- Scans your repository for security issues
- Posts a comment on PRs with flagged findings
- Suppresses false positives automatically
- Fails the check if real vulnerabilities are found (configurable)
Inputs
| Input | Default | Description |
|---|---|---|
repo-alias |
repo name | Short name used in scan results |
fail-on-findings |
true |
Fail the check if real vulnerabilities are found |