From 139d7059781cfec5c0b5721da582c4ea2c4d145d Mon Sep 17 00:00:00 2001
From: Mike Spinks
Date: Thu, 5 Jun 2025 11:28:16 +0100
Subject: [PATCH 1/4] feat: add manual trigger to github action

---
 .github/workflows/saist.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/saist.yml b/.github/workflows/saist.yml
index cf64459..dfb5aaa 100644
--- a/.github/workflows/saist.yml
+++ b/.github/workflows/saist.yml
@@ -4,6 +4,20 @@ on:
 pull_request:
 types: [opened, synchronize, reopened]
+ workflow_dispatch:
+ inputs:
+ llm_provider:
+ description:
+ required: true
+ default: 'openai'
+ type: choice
+ options:
+ - 'openai'
+ - anthropic
+ - deepseek
+ - gemini
+ - ollama
+
 jobs:
 security-check:
 runs-on: ubuntu-latest

From 6e05c1f9cab6889a8b11405acce250cd820ab315 Mon Sep 17 00:00:00 2001
From: Mike Spinks
Date: Thu, 5 Jun 2025 11:36:02 +0100
Subject: [PATCH 2/4] feat: add missing description

---
 .github/workflows/saist.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/saist.yml b/.github/workflows/saist.yml
index dfb5aaa..3c1f241 100644
--- a/.github/workflows/saist.yml
+++ b/.github/workflows/saist.yml
@@ -7,12 +7,12 @@ on:
 workflow_dispatch:
 inputs:
 llm_provider:
- description:
+ description: 'LLM Provider'
 required: true
 default: 'openai'
 type: choice
 options:
- - 'openai'
+ - openai
 - anthropic
 - deepseek
 - gemini

From c6820fbe76b9921ca2033a60f87c1e1d1e9036ec Mon Sep 17 00:00:00 2001
From: Mike Spinks
Date: Thu, 5 Jun 2025 11:37:53 +0100
Subject: [PATCH 3/4] Add test workflow

---
 .github/workflows/test.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/workflows/test.yml

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..8b31ae0
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,7 @@
+name: Test
+on: workflow_dispatch
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "test"
From 49c303630d5dc5692d199ff875f6050b804fa7b1 Mon Sep 17 00:00:00 2001
From: aclouddarkly <12762259+michaelspinks@users.noreply.github.com>
Date: Thu, 5 Jun 2025 16:29:06 +0100
Subject: [PATCH 4/4] Enhanced SAIST GitHub Action with Manual Trigger and Multi-LLM Support (#2)

* Fix manual run mode and add smart provider detection
* Fix smart provider detection
* feat: Fix smart provider detection
* feat: update to add github token
* feat: remove test file
* feat: change LLM_PROVIDER for DEFAULT_LLM_PROVIDER || deepseek fallback
* feat: fixed deepseek fallback
* feat: updated anthropic to claude-sonnet-20250219 from -latest
* feat: updated anthropic to comment max_tokens
* feat: revert anthropic settings
* feat: remove test file
* feat: update SAIST_LLM_API_KEY
---
 .github/workflows/saist.yml | 94 ++++++++++++++++++++++++++++++++++---
 .github/workflows/test.yml | 7 ---
 2 files changed, 88 insertions(+), 13 deletions(-)
 delete mode 100644 .github/workflows/test.yml

diff --git a/.github/workflows/saist.yml b/.github/workflows/saist.yml
index 3c1f241..9740951 100644
--- a/.github/workflows/saist.yml
+++ b/.github/workflows/saist.yml
@@ -9,7 +9,7 @@ on:
 llm_provider:
 description: 'LLM Provider'
 required: true
- default: 'openai'
+ default: 'deepseek'
 type: choice
 options:
 - openai
@@ -29,6 +29,8 @@ jobs:
 steps:
 - name: Check out code
 uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
 - name: Set up Python
 uses: actions/setup-python@v4
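Review bot: `actions/checkout@v3` on this hunk, `actions/setup-python@v4` on the next context line, and `actions/upload-artifact@v4` later in the same patch are all referenced by mutable major-version tags; a workflow that is handed LLM provider secrets should pin third-party actions to a full commit SHA and keep the version tag as a trailing comment, so that a retagged release cannot silently change the code that runs with those secrets. The new `fetch-depth: 0` clones the entire history onto the runner, yet PR mode (further down in this patch) passes the repository and PR number to the `github` subcommand with a token rather than reading git history, so it is unclear which path needs the full clone; add a comment on the `with:` block stating why a shallow checkout is insufficient, or drop the option if the filesystem scan of `.` is all the manual run needs.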
@@ -39,13 +41,93 @@ jobs:
 run: |
 pip install -r requirements.txt
+ - name: Determine LLM Provider and Scan Mode
+ id: config
+ run: |
+ if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+ LLM_PROVIDER="${{ github.event.inputs.llm_provider }}"
+ SCAN_MODE="filesystem"
+ SCAN_TARGET="."
+ echo "🎯 Manual run: Using $LLM_PROVIDER with filesystem scan"
+ else
+ # PR run - use default provider with proper fallback
+ if [ -n "${{ vars.DEFAULT_LLM_PROVIDER }}" ]; then
+ LLM_PROVIDER="${{ vars.DEFAULT_LLM_PROVIDER }}"
+ else
+ LLM_PROVIDER="deepseek"
+ fi
+ SCAN_MODE="github"
+ SCAN_TARGET=""
+ echo "🔄 PR run: Using $LLM_PROVIDER with github scan"
+ fi
+
+ # Save for next steps
+ echo "llm_provider=$LLM_PROVIDER" >> $GITHUB_OUTPUT
+ echo "scan_mode=$SCAN_MODE" >> $GITHUB_OUTPUT
+ echo "scan_target=$SCAN_TARGET" >> $GITHUB_OUTPUT
+
+ # Set API key secret name
+ case $LLM_PROVIDER in
+ openai) echo "api_key_secret=OPENAI_API_KEY" >> $GITHUB_OUTPUT ;;
+ anthropic) echo "api_key_secret=ANTHROPIC_API_KEY" >> $GITHUB_OUTPUT ;;
+ deepseek) echo "api_key_secret=DEEPSEEK_API_KEY" >> $GITHUB_OUTPUT ;;
+ gemini) echo "api_key_secret=GEMINI_API_KEY" >> $GITHUB_OUTPUT ;;
+ ollama) echo "api_key_secret=NONE" >> $GITHUB_OUTPUT ;;
+ esac
+
 - name: Run Security Review
- # We do NOT need a separate secret for GITHUB_TOKEN; it's provided by GitHub automatically.
- # We DO need a secret for OPENAI_API_KEY, stored in your repo or org secrets.
 env:
- GITHUB_TOKEN: ${{ github.token }} # The pipeline token
+ GITHUB_TOKEN: ${{ github.token }}
 GITHUB_REPOSITORY: ${{ github.repository }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
- SAIST_LLM_API_KEY: ${{ secrets.DEEPSEEK_API_KEY }}
 run: |
- python saist/main.py --llm deepseek github
+ echo "🔍 Running SAIST with ${{ steps.config.outputs.llm_provider }}"
+ echo "📁 Scan mode: ${{ steps.config.outputs.scan_mode }}"
+
+ # Get the API key for the selected provider
+ case "${{ steps.config.outputs.llm_provider }}" in
+ openai)
+ SAIST_LLM_API_KEY="${{ secrets.OPENAI_API_KEY }}"
+ ;;
+ anthropic)
+ SAIST_LLM_API_KEY="${{ secrets.ANTHROPIC_API_KEY }}"
+ ;;
+ deepseek)
+ SAIST_LLM_API_KEY="${{ secrets.DEEPSEEK_API_KEY }}"
+ ;;
+ gemini)
+ SAIST_LLM_API_KEY="${{ secrets.GEMINI_API_KEY }}"
+ ;;
+ ollama)
+ SAIST_LLM_API_KEY="" # Ollama doesn't need an API key
+ ;;
+ esac
+
+ # Build the command with API key checking
+ if [ "${{ steps.config.outputs.scan_mode }}" = "github" ]; then
+ # PR mode - scan the github PR with token
+ if [ -n "$SAIST_LLM_API_KEY" ]; then
+ python saist/main.py --llm ${{ steps.config.outputs.llm_provider }} --llm-api-key "$SAIST_LLM_API_KEY" github ${{ github.repository }} ${{ github.event.pull_request.number }} --github-token "${{ github.token }}"
+ else
+ python saist/main.py --llm ${{ steps.config.outputs.llm_provider }} github ${{ github.repository }} ${{ github.event.pull_request.number }} --github-token "${{ github.token }}"
+ fi
+ else
+ # Manual mode - scan filesystem
+ if [ -n "$SAIST_LLM_API_KEY" ]; then
+ python saist/main.py --llm ${{ steps.config.outputs.llm_provider }} --llm-api-key "$SAIST_LLM_API_KEY" --csv filesystem ${{ steps.config.outputs.scan_target }}
+ else
+ python saist/main.py --llm ${{ steps.config.outputs.llm_provider }} --csv filesystem ${{ steps.config.outputs.scan_target }}
+ fi
+ fi
+
+ echo "✅ SAIST scan completed"
+
+ - name: Upload Results (Manual runs only)
+ if: github.event_name == 'workflow_dispatch'
&& always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: saist-results-${{ github.run_number }}
+ path: |
+ findings.csv
+ *.pdf
+ retention-days: 30
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
deleted file mode 100644
index 8b31ae0..0000000
--- a/.github/workflows/test.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-name: Test
-on: workflow_dispatch
-jobs:
- test:
- runs-on: ubuntu-latest
- steps:
- - run: echo "test"
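Review bot: Both new steps splice `${{ github.event.inputs.llm_provider }}`, `${{ vars.DEFAULT_LLM_PROVIDER }}` and `${{ steps.config.outputs.llm_provider }}` directly into `run:` scripts, and neither `case` has a `*)` arm, so a provider string outside the five expected values (a typo in the repository variable, or — if the dispatch API does not enforce the `choice` option list — an arbitrary value) is expanded as shell text and then falls through to a run with `SAIST_LLM_API_KEY` unset rather than failing. Values from the event, vars and outputs contexts should reach the shell through `env:` and be rejected with `exit 1` when unrecognised. The `api_key_secret` output written by the config step is never read; using it as `SAIST_LLM_API_KEY: ${{ secrets[steps.config.outputs.api_key_secret] }}` in the review step's `env:` removes the duplicated second `case` entirely, and if saist still honours the `SAIST_LLM_API_KEY` environment variable that the removed `env:` line relied on, the `--llm-api-key` argument can go too, keeping the key off argv. Note also that on `pull_request` runs from forks the secrets context is empty, so the no-key branch will execute for every fork PR unless that case is detected and skipped. Finally, the uploaded `saist-results-*` artifact holds security findings for 30 days and is downloadable by anyone who can read the repository — worth a comment if the repository is, or may become, public.

```yaml
      - name: Determine LLM Provider and Scan Mode
        id: config
        env:
          # Hand event/variable values to the shell via env, never by inline ${{ }} expansion
          EVENT_NAME: ${{ github.event_name }}
          INPUT_PROVIDER: ${{ github.event.inputs.llm_provider }}
          DEFAULT_PROVIDER: ${{ vars.DEFAULT_LLM_PROVIDER }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            LLM_PROVIDER="$INPUT_PROVIDER"
            SCAN_MODE="filesystem"
            SCAN_TARGET="."
          else
            LLM_PROVIDER="${DEFAULT_PROVIDER:-deepseek}"
            SCAN_MODE="github"
            SCAN_TARGET=""
          fi
          # … unchanged: status echo and the three >> $GITHUB_OUTPUT writes …
          case "$LLM_PROVIDER" in
            # … unchanged: openai/anthropic/deepseek/gemini/ollama api_key_secret arms …
            *) echo "::error::unsupported LLM provider '$LLM_PROVIDER'"; exit 1 ;;
          esac

      - name: Run Security Review
        env:
          # … unchanged: GITHUB_TOKEN, GITHUB_REPOSITORY, PR_NUMBER …
          LLM_PROVIDER: ${{ steps.config.outputs.llm_provider }}
          SCAN_MODE: ${{ steps.config.outputs.scan_mode }}
          SCAN_TARGET: ${{ steps.config.outputs.scan_target }}
          # Dynamic secret lookup; 'NONE' (ollama) matches no secret and should yield ""
          SAIST_LLM_API_KEY: ${{ secrets[steps.config.outputs.api_key_secret] }}
        run: |
          KEY_ARGS=()
          if [ -n "$SAIST_LLM_API_KEY" ]; then
            KEY_ARGS=(--llm-api-key "$SAIST_LLM_API_KEY")
          fi
          if [ "$SCAN_MODE" = "github" ]; then
            python saist/main.py --llm "$LLM_PROVIDER" "${KEY_ARGS[@]}" github "$GITHUB_REPOSITORY" "$PR_NUMBER" --github-token "$GITHUB_TOKEN"
          else
            python saist/main.py --llm "$LLM_PROVIDER" "${KEY_ARGS[@]}" --csv filesystem "$SCAN_TARGET"
          fi
```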