Merge pull request #4 from step-security/int

main <- int

Author: ashishkurmi

.github/workflows/publish-container-image.yml

@@ -0,0 +1,60 @@
+name: Publish Container Image
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - int
+
+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            auth.docker.io:443
+            deb.debian.org:80
+            ghcr.io:443
+            github.com:443
+            production.cloudflare.docker.com:443
+            proxy.golang.org:443
+            registry-1.docker.io:443
+
+      - name: Checkout Code
+        uses: actions/checkout@master
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Publish to Registry (int)
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        env:
+          API_ENDPOINT: "https://int.api.stepsecurity.io"
+        if: startsWith(github.ref, 'refs/heads/int')
+        with:
+          name: step-security/ai-codewise/int:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          buildargs: API_ENDPOINT
+
+      - name: Publish to Registry (main)
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        env:
+          API_ENDPOINT: "https://agent.api.stepsecurity.io"
+        if: startsWith(github.ref, 'refs/heads/main')
+        with:
+          name: step-security/ai-codewise/main:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          buildargs: API_ENDPOINT

.github/workflows/release-action.yml

@@ -0,0 +1,37 @@
+name: Release New Action Version
+on:
+  workflow_dispatch:
+    inputs:
+      TAG_NAME:
+        description: "Tag name that the major tag will point to"
+        required: true
+
+env:
+  TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
+defaults:
+  run:
+    shell: pwsh
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  update_tag:
+    permissions:
+      id-token: write
+    name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
+    # Remember to configure the releaseNewActionVersion environment with required approvers in the repository settings
+    environment:
+      name: releaseNewActionVersion
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
+        with:
+          allowed-endpoints: api.github.com:443
+            github.com:443
+            prod.api.stepsecurity.io:443
+      - name: Update the ${{ env.TAG_NAME }} tag
+        uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
+        with:
+          source-tag: ${{ env.TAG_NAME }}
+          token: ${{ steps.wait-for-secrets.outputs.PAT }}

.github/workflows/release-container-image.yml

@@ -0,0 +1,47 @@
+name: Release Container Image
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag"
+        required: true
+
+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            deb.debian.org:80
+            ghcr.io:443
+            github.com:443
+            production.cloudflare.docker.com:443
+            proxy.golang.org:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+
+      - name: Code Checkout
+        uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # main
+
+      - name: Publish to registry
+        uses: elgohr/Publish-Docker-Github-Action@43dc228e327224b2eda11c8883232afd5b34943b # v5
+        env:
+          API_ENDPOINT: "https://agent.api.stepsecurity.io"
+        if: startsWith(github.ref, 'refs/heads/main')
+        with:
+          name: step-security/ai-codewise:${{ github.event.inputs.tag }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          buildargs: API_ENDPOINT

.github/workflows/test.yml

@@ -0,0 +1,51 @@
+name: Test
+
+on:
+  pull_request:
+    branches:
+      - main
+      - int
+
+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - name: Code Checkout
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+
+      - name: Set up Go
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        with:
+          go-version: 1.19
+
+      - name: Build
+        run: go build -v ./...
+
+      - name: Test
+        run: go test -v ./...
+
+      - name: Build Container Image (int)
+        uses: elgohr/Publish-Docker-Github-Action@43dc228e327224b2eda11c8883232afd5b34943b # v5
+        env:
+          API_ENDPOINT: "https://int.api.stepsecurity.io"
+        if: startsWith(github.ref, 'refs/heads/int')
+        with:
+          no_push: true
+          buildargs: API_ENDPOINT
+
+      - name: Build Container Image (main)
+        uses: elgohr/Publish-Docker-Github-Action@43dc228e327224b2eda11c8883232afd5b34943b # v5
+        env:
+          API_ENDPOINT: "https://agent.api.stepsecurity.io"
+        if: startsWith(github.ref, 'refs/heads/main')
+        with:
+          no_push: true
+          buildargs: API_ENDPOINT

Dockerfile

@@ -0,0 +1,32 @@
+FROM golang:1.19 AS builder
+
+ENV GO111MODULE=on \
+    CGO_ENABLED=0 \
+    GOOS=linux \
+    GOARCH=amd64
+
+RUN apt-get -qq update && \
+    apt-get -yqq install upx
+
+WORKDIR /
+COPY . .
+ARG API_ENDPOINT
+RUN echo "API Endpoint: $API_ENDPOINT"
+RUN go build -ldflags "-X main.APIEndpoint=$API_ENDPOINT" \
+    -a \
+    -o /bin/app \
+    . \
+    && strip /bin/app \
+    && upx -q -9 /bin/app
+
+RUN echo "nobody:x:65534:65534:Nobody:/:" > /etc_passwd
+
+
+FROM scratch
+
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /etc_passwd /etc/passwd
+COPY --from=builder --chown=65534:0 /bin/app /app
+
+USER nobody
+ENTRYPOINT ["/app"]

README.md

@@ -1 +1,90 @@
-# ai-codewise
+# AI-CodeWise
+
+<p align="center">
+  <img  src="images/banner.png" width="400">
+</p>
+
+<div align="center">
+
+[![Maintained by stepsecurity.io](https://img.shields.io/badge/maintained%20by-stepsecurity.io-blueviolet)](https://stepsecurity.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=harden-runner)
+[![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://raw.githubusercontent.com/step-security/harden-runner/main/LICENSE)
+
+</div>
+
+---
+
+<p align="center">
+AI-Powered Code Reviews for Best Practices & Security Issues Across Languages
+</p>
+
+AI-CodeWise GitHub Action is an AI Code Reviewer.
+
+- It is triggered on a pull request and sends the diff of the code files to the StepSecurity API, which then employs prompt engineering to call the Azure OpenAI API to review the code.
+
+- AI-CodeWise automatically adds a pull request comment using the StepSecurity bot account.
+
+- The comment contains detailed information about the identified issues to improve code quality and address potential security vulnerabilities.
+
+<p align="center">
+  <img src="images/sequence-diagram.png" alt="Sequence diagram">
+</p>
+
+## Usage
+
+To use AI-CodeWise, add this GitHub Actions workflow to your repositories
+
+```yaml
+name: Code Review
+on:
+  pull_request:
+permissions:
+  contents: read
+jobs:
+  code-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            int.api.stepsecurity.io:443
+
+      - name: Code Review
+        uses: step-security/ai-codewise@v1
+```
+
+When you create a pull request in the repository, the workflow will get triggered and add a pull request comment. Here is an screenshot of what the comment will look like:
+<p align="center">
+<img src="images/sample-code-comment.png" width="600">
+</p>
+
+## Comparison with existing SAST and IaC scanners
+
+AI-CodeWise differentiates itself from existing rule-based scanners by offering the following advantages:
+
+1. Comprehensive Code Review: AI-CodeWise is a single code reviewer tool that can detect code smells, best practice violations, and security issues. Furthermore, it does this across different programming languages, making it a versatile solution for your code review needs.
+
+2. Unanticipated Issues Detection: By harnessing the power of AI, AI-CodeWise can identify potential problems that traditional rule-based systems may not have considered or anticipated. This ensures a more thorough code analysis and helps prevent potential vulnerabilities from slipping through the cracks.
+
+3. Suggested Fixes: In addition to identifying issues, AI-CodeWise goes a step further by suggesting code changes to implement fixes directly in the PR comment. These actionable insights empower developers to resolve issues more efficiently, ultimately improving overall code quality and security.
+
+## Examples
+
+Here are a few example pull requests with PR comments from AI-CodeWise
+
+1.
+2.
+3.
+
+## Limitations
+
+- AI-CodeWise will only review changes if the total number of file changes in a pull request is less than 10.
+- AI-CodeWise will only review changes if the total characters in the changes are less than 20K.
+- AI-CodeWise only works for public repositories as of now. To use on a private repository, please join the beta.

action.yml

@@ -0,0 +1,15 @@
+name: "StepSecurity AI-CodeWise action"
+description: "AI-Powered Code Reviews for Best Practices & Security Issues Across Languages"
+inputs:
+  PAT:
+    description: "INPUT: GitHub token with read access to read pull request changes"
+    required: false
+    default: ${{ github.token }}
+
+  DebugMode:
+    description: "INPUT: Flag to turn on the debug mode to print details to troubleshoot issues related to the action"
+    required: false
+    default: "false"
+runs:
+  using: "docker"
+  image: "docker://ghcr.io/step-security/ai-codewise/int:latest"