@lbartoszcze
Contributor

Summary

  • Rewrite action.yml as a polished composite action with new inputs: severity-threshold, scan-changed-only, post-comment, fail-on-findings, sarif-upload, and output-format
  • Add entrypoint.sh -- a comprehensive orchestration script that handles PR context detection, changed-file collection via git diff, JSON metadata extraction, GitHub Actions step summary generation, PR comment posting (with update-in-place to avoid notification spam), and configurable SARIF output for the Security tab
  • Extend codespy.py with a --files CLI argument for scanning specific files (enabling the changed-files-only workflow) and include security_score/security_grade in JSON output
  • Add example workflow at .github/workflows/example-security-scan.yml showing both basic and advanced (SARIF) usage patterns
  • Rewrite the GitHub Action section of README.md with comprehensive documentation: quick start, advanced configuration, example PR comment output, SARIF/Security tab integration, and downstream output usage

Key features

| Feature | Description |
|---|---|
| PR comments | Automatically posts (or updates) a detailed security findings comment on PRs |
| Changed-file scanning | In PR context, only scans files modified in the PR for fast feedback |
| SARIF upload | Optional upload to GitHub Code Scanning / Security tab |
| Step summary | Rich markdown summary in the Actions run page |
| Configurable thresholds | Fail on high/critical, medium+, or never -- fully configurable |
| Idempotent comments | Updates existing codespy comments instead of creating duplicates |

Test plan

  • All 100 existing tests pass (python3 test_codespy.py)
  • --files argument correctly scans only specified files
  • JSON output includes security_score and security_grade
  • entrypoint.sh passes bash -n syntax check
  • Manual: verify GitHub Action runs correctly on a test PR
  • Manual: verify PR comment is posted and updated on re-push
  • Manual: verify SARIF upload works with sarif-upload: 'true'

Generated with Claude Code
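The three pieces of orchestration the summary describes (gating on a severity threshold, emitting SARIF for the Security tab, and updating an existing PR comment instead of posting a duplicate) are easier to review as code. What follows is an added example written for this page in plain Python; it is not codespy's own `entrypoint.sh` or `codespy.py`, and the finding schema, rule names, `COMMENT_MARKER` string and `SAMPLE_FINDINGS` are constructed assumptions rather than the project's real output.

```python
"""Added example for this page: threshold gating, SARIF 2.1.0 generation and
idempotent PR-comment selection for a codespy-style scan action.
Not the project's code; the finding schema and marker string are assumed."""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# SARIF levels GitHub Code Scanning understands: note / warning / error.
SARIF_LEVEL = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}
# Assumed hidden marker: a later run looks for it to update the comment in place.
COMMENT_MARKER = "<!-- codespy-report -->"

# Constructed sample findings in an assumed schema (not codespy's real JSON).
SAMPLE_FINDINGS = [
    {"rule": "hardcoded-secret", "severity": "high", "file": "app/config.py",
     "line": 12, "message": "Possible hard-coded credential"},
    {"rule": "subprocess-shell", "severity": "medium", "file": "app/run.py",
     "line": 40, "message": "subprocess called with shell=True"},
    {"rule": "todo-comment", "severity": "low", "file": "app/run.py",
     "line": 3, "message": "TODO left in code"},
]


def filter_by_threshold(findings, threshold):
    """Keep only findings whose severity is at or above `threshold`."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {threshold!r}")
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


def should_fail(findings, threshold, fail_on_findings):
    """Exit decision: fail only when enabled AND something meets the threshold."""
    return bool(fail_on_findings) and bool(filter_by_threshold(findings, threshold))


def to_sarif(findings, tool_name="codespy", tool_version="0.0.0"):
    """Render findings as a minimal SARIF 2.1.0 log suitable for upload-sarif."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        if f["rule"] not in rule_index:          # one rule entry per distinct rule id
            rule_index[f["rule"]] = len(rules)
            rules.append({"id": f["rule"],
                          "shortDescription": {"text": f["rule"]},
                          "defaultConfiguration": {"level": SARIF_LEVEL[f["severity"]]}})
        results.append({
            "ruleId": f["rule"],
            "ruleIndex": rule_index[f["rule"]],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]}}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                      "rules": rules}},
                  "results": results}],
    }


def render_comment(findings):
    """Markdown PR comment body; the leading marker makes it findable later."""
    lines = [COMMENT_MARKER, "### codespy security scan", ""]
    if not findings:
        lines.append("No findings at or above the configured threshold.")
        return "\n".join(lines)
    lines += ["| Severity | File | Line | Rule | Message |", "|---|---|---|---|---|"]
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]]):
        lines.append(f"| {f['severity']} | `{f['file']}` | {f['line']} | "
                     f"{f['rule']} | {f['message']} |")
    return "\n".join(lines)


def find_existing_comment(comments):
    """Given the PR's issue comments (list of dicts with 'id' and 'body'),
    return the id of our earlier report to PATCH, or None to POST a new one."""
    for c in comments:
        if c.get("body", "").startswith(COMMENT_MARKER):
            return c["id"]
    return None


if __name__ == "__main__":
    kept = filter_by_threshold(SAMPLE_FINDINGS, "medium")
    print(render_comment(kept))
    print(json.dumps(to_sarif(kept), indent=2))
    print("fail build:", should_fail(SAMPLE_FINDINGS, "high", True))
```

In a real action the list passed to `find_existing_comment` would come from the PR's issue-comments endpoint of the GitHub REST API, and the returned id decides between a PATCH of that comment and a POST of a new one, which is what keeps re-pushes from generating a fresh notification each time. The SARIF dict is written to a file and handed to `github/codeql-action/upload-sarif`; note that `uriBaseId: "%SRCROOT%"` is what lets Code Scanning map the relative path back to the checked-out tree.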

…e scanning

Significantly overhaul the codespy GitHub Action to make it a first-class
CI/CD security scanning tool:

- Rewrite action.yml with new inputs: severity-threshold, scan-changed-only,
  post-comment, fail-on-findings, sarif-upload, and output-format
- Add entrypoint.sh that orchestrates the full scan workflow: PR context
  detection, changed-file collection via git diff, JSON metadata extraction,
  step summary generation, PR comment posting (with update-in-place to
  avoid spam), and configurable SARIF output
- Extend codespy.py with --files argument for scanning specific files and
  include security_score/security_grade in JSON output
- Add example workflow at .github/workflows/example-security-scan.yml
- Rewrite the GitHub Action section of README.md with comprehensive
  documentation covering quick start, advanced config, PR comment examples,
  SARIF integration, and output usage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>