Skip to content

Releases: fendora-io/sieve-action

v1.4.4

Choose a tag to compare

@mohijalili mohijalili released this 14 Jul 20:12
4bddc81

What's Changed

Full Changelog: v1.4.3...v1.4.4

v1.4.3

Choose a tag to compare

@mohijalili mohijalili released this 13 Jul 15:38
dfa7547

What's changed

  • Cosign signing for GHCR images on release tags
  • Sigstore bundle attached to GitHub releases
  • Version pin updated to v1.4.3

Usage

- uses: fendora-io/sieve-action@v1.4.3

Full changelog: v1.4.2...v1.4.3

v1.4.2

Choose a tag to compare

@mohijalili mohijalili released this 14 Jul 20:12
26c7ddd

What's changed

Supply chain & security hardening

  • Pin all GitHub Actions to full commit SHAs
  • Add Dependabot for GitHub Actions, Docker, and pip
  • Add Semgrep SAST and CodeQL analysis in CI
  • Hash-lock pip dependencies in the Docker image
  • Pin Docker base image by digest

Release

  • Pin action.yml to ghcr.io/fendora-io/sieve-action:v1.4.2 instead of :latest
  • Update README examples to @v1.4.2

Usage

- uses: fendora-io/sieve-action@v1.4.2

Full changelog: v1.4.1...v1.4.2

v1.4.1

Choose a tag to compare

@mohijalili mohijalili released this 28 Jun 14:52
e6b8613
  • Update action branding color to blue

v1.4.0

Choose a tag to compare

@mohijalili mohijalili released this 27 Jun 23:13
ca03a35

What's new

  • Per-finding emoji reactions: For each flagged finding, Sieve now posts a dedicated sub-comment in the PR thread:

    🔍 `missing-user-entrypoint` · `Dockerfile:7` · score 0.97
    React 👍 if this is a real vulnerability · 👎 if it's a false positive

  • Reactions are picked up server-side every 15 minutes — no new tab, no typing required.
  • Slash command fallback (/sieve real|fp) still works for keyboard users.

Usage

on:
  pull_request:
    types: [opened, synchronize, reopened]
  issue_comment:
    types: [created]

permissions:
  contents: read
  pull-requests: write

jobs:
  sieve:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: fendora-io/sieve-action@v1.4.0

v1.3.0

Choose a tag to compare

@mohijalili mohijalili released this 27 Jun 22:35
f457532

What's new

  • Slash command feedback: Replace 👍/👎 links (opened a new tab) with /sieve real and /sieve fp [rule] slash commands. Reply directly on the PR comment — no new tab, stays in GitHub.
  • PR comments now embed a hidden findings block so the action can match commands to specific findings and record them to Qdrant.

Usage

Add issue_comment trigger to your workflow to enable slash commands:

on:
  pull_request:
    types: [opened, synchronize, reopened]
  issue_comment:
    types: [created]

Then reply on a PR comment:

  • /sieve fp — mark all findings as false positives
  • /sieve real — mark all findings as real vulnerabilities
  • /sieve fp sql-injection — mark a specific rule as false positive

v1.2.0

Choose a tag to compare

@mohijalili mohijalili released this 27 Jun 22:14
5e1d54b

What's new

  • Feedback links: Each finding row in the PR comment now includes 👍 (real vulnerability) and 👎 (false positive) links. Clicking records your label to Sieve's training database — helping the model improve over time.

Usage

- uses: fendora-io/sieve-action@v1.2.0
  with:
    repo-alias: my-org/my-repo   # optional
    fail-on-findings: "true"     # optional, default true

v1.1.0

Choose a tag to compare

@mohijalili mohijalili released this 27 Jun 22:15
d010ac4

What's changed

  • Implementation details hidden — logs show only scan results, not internal tooling
  • Docker-based action for clean output
  • Fixed GitHub token passing to Docker container for PR comments
  • Added Data & Privacy documentation

Usage

- uses: fendora-io/sieve-action@v1.1.0

No setup, no API keys, no configuration required.

v1.0.0

Choose a tag to compare

@mohijalili mohijalili released this 24 Jun 15:39
3e9e213

Sieve Security Scan — v1.0.0

AI-powered security scanner for pull requests. No setup, no API keys, no configuration required.

Usage

- uses: fendora-io/sieve-action@v1

What's included

  • Scans your repository for security issues
  • Posts a comment on PRs with flagged findings
  • Suppresses false positives automatically
  • Fails the check if real vulnerabilities are found (configurable)

Inputs

Input Default Description
repo-alias repo name Short name used in scan results
fail-on-findings true Fail the check if real vulnerabilities are found