Adding an example for standalone security-review Github Action #103
🤖 Hi @shrishabh, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.
📋 Review Summary
This pull request introduces a new example GitHub Actions workflow for running Gemini security analysis. The workflow is well-structured and provides a good starting point for users.
🔍 General Feedback
- The use of pinned actions for `create-github-app-token` and `checkout` is a good security practice.
- The workflow correctly uses concurrency controls to prevent multiple runs.
- A high-severity issue was found regarding the use of `@main` for the `run-gemini-cli` action, which should be addressed.
| REPOSITORY: '${{ github.repository }}' | ||
| run: |- | ||
| gh issue comment "${ISSUE_NUMBER}" \ | ||
| --body "${MESSAGE}" \ |
🟠 For security and stability, it's recommended to pin the version of the google-github-actions/run-gemini-cli action to a specific release tag instead of using @main. This prevents unexpected breaking changes or malicious code from being introduced into your workflow.
| --body "${MESSAGE}" \ | |
| uses: 'google-github-actions/run-gemini-cli@v1' # ratchet:exclude |
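Review bot: The suggested change is attached to the `--body "${MESSAGE}" \` line of the `gh issue comment` command, so applying it would swap a line of the shell script for a `uses:` key and leave the command cut off mid-continuation. The pin belongs on the step that references `run-gemini-cli`; re-anchor the suggestion to that `uses:` line before accepting it.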
| shell: 'bash' | ||
|
|
||
| jobs: | ||
| review: |
🟢 For better stability and to ensure consistent builds, consider pinning the runner version to a specific version (e.g., ubuntu-22.04) instead of using ubuntu-latest.
| review: | |
| runs-on: 'ubuntu-22.04' |
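Review bot: As rendered, this suggestion replaces the `review:` job key with `runs-on: 'ubuntu-22.04'`, which would leave `jobs:` without a job ID. Apply the runner pin to the job's existing `runs-on` line and keep `review:` in place.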
| @@ -0,0 +1,128 @@ | |||
| name: '🔎 Gemini Review & Security Analysis' | |||
Should we put the file to `~/examples/security-review.yml` like https://github.com/google-github-actions/run-gemini-cli/tree/main/examples?
Eventually, yes. I think we are waiting for the go-ahead from run-gemini-cli team to add the security-review. Adding it here so that we can test and then refer to when we move to the gemini-cli repository.
If we want to test this workflow in our repo, we need to restructure the folder to .github/workflows/security-review.yml. GHA does not support subfolders under .github/workflows/.
We should also temporarily disable the original code review workflow, as it will generate duplicated comments for us.
This pull request adds a reusable GitHub Actions workflow for security analysis. The workflow is well-structured, but it has a potential prompt injection vulnerability and uses an unpinned version of a GitHub Action, which is not a secure practice.
🔍 General Feedback
- The workflow is well-documented and easy to understand.
- Pinning actions to a specific version is a crucial security measure to prevent supply chain attacks.
- Always treat user-provided input as untrusted and sanitize it before using it in sensitive contexts like prompts for language models.
| gemini_model: '${{ vars.GEMINI_MODEL }}' | ||
| google_api_key: '${{ secrets.GOOGLE_API_KEY }}' | ||
| use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}' | ||
| use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}' |
| PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}' | ||
| REPOSITORY: '${{ github.repository }}' | ||
| ADDITIONAL_CONTEXT: '${{ inputs.additional_context }}' | ||
| with: |
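Review bot: `ADDITIONAL_CONTEXT` takes `inputs.additional_context` verbatim, so whatever the caller supplies reaches the step unchanged. Mapping it into the environment rather than inline in a script is the right choice; if the prompt consumes this variable, mark it there as untrusted data (clearly delimited, length-capped) so it cannot read as instructions to the model.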
| with: | |
| uses: 'google-github-actions/run-gemini-cli@v1.0.0' # ratchet:exclude |
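Review bot: `@v1.0.0` is narrower than `@main` but is still a tag, which the action's owner can move; a full commit SHA is the only immutable reference. The `# ratchet:exclude` marker on the same line also tells ratchet to skip this reference when pinning, so either drop the marker or pin the SHA by hand. As rendered, the suggestion is also attached to the `with:` line, which the step still needs.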
This is the template for security review action.
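The review feedback in this thread asks for action references to be pinned. As an added example (not part of the PR or of the project's code), the Python check below lists `uses:` references that are not pinned to a full commit SHA, going one step beyond the release-tag advice above, and records whether a `ratchet:exclude` marker sits on the same line. The function name, the sample workflow and its placeholder SHA are constructed for illustration.

```python
import re

# `uses:` at step or job level, optionally quoted: owner/repo[/path]@ref
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_TAG_RE = re.compile(r"v?\d+(\.\d+)*")


def audit_uses(workflow_text):
    """Return (line, action, ref, kind, ratchet_excluded) for each unpinned ref."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        action, _, ref = target.partition("@")
        if FULL_SHA_RE.fullmatch(ref):
            continue  # immutable: a full 40-hex commit SHA
        if not ref:
            kind = "missing"
        elif VERSION_TAG_RE.fullmatch(ref):
            kind = "tag"  # tags can be moved or re-created by the action's owner
        else:
            kind = "branch"  # heuristic: any other ref is treated as a branch
        findings.append((lineno, action, ref, kind, "ratchet:exclude" in line))
    return findings


# Constructed workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
name: 'constructed example'
jobs:
  review:
    runs-on: 'ubuntu-latest'
    steps:
      - uses: 'actions/checkout@0123456789abcdef0123456789abcdef01234567'
      - uses: 'google-github-actions/run-gemini-cli@main' # ratchet:exclude
      - uses: 'google-github-actions/run-gemini-cli@v1'
      - uses: 'google-github-actions/run-gemini-cli@v1.0.0' # ratchet:exclude
"""

if __name__ == "__main__":
    for finding in audit_uses(SAMPLE):
        print(finding)
```

A finding with `ratchet_excluded` set is the case to look at first: the pinning tool will not fix that line on its own.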