AI-Powered Code Reviews for Best Practices & Security Issues Across Languages

AI-CodeWise

Maintained by stepsecurity.io License: Apache 2.0

🦉 AI-Powered Code Reviews for Best Practices & Security Issues Across Languages


AI-CodeWise GitHub Action: Your AI-powered Code Reviewer!

  • 🧠 Triggers on pull requests and sends the code diff to the StepSecurity API, which uses the Azure OpenAI API for the analysis

  • 🔒 Posts pull request comments via the StepSecurity bot, pinpointing issues that affect code quality and security

Sequence diagram

Usage

To use AI-CodeWise, add this GitHub Actions workflow to your repository:

name: Code Review
on:
  pull_request:
permissions:
  contents: read
jobs:
  code-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Harden Runner
        uses: step-security/[email protected] # v2.4.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443

      - name: Code Review
        uses: step-security/[email protected]

When you open a pull request in the repository, the workflow is triggered and a review comment is added to the pull request. The comment is posted by the StepSecurity bot rather than with the workflow's GITHUB_TOKEN, which is why the workflow above needs only read permissions and why the comment is added even when the pull request comes from a fork. Here is a screenshot of what the comment looks like:

The bot only posts comments; it does not approve or block pull requests based on its suggestions, so it cannot serve as a merge gate on its own. The action passes once the comments are posted to the PR discussion.

Comparison with existing SAST and IaC scanners

🌟 AI-CodeWise: Outshining rule-based scanners with:

  1. All-in-One Review 🌐 : Detects code smells, best practice violations, & security issues across languages for versatile code review.

  2. Unforeseen Issue Detection 🎯 : AI-powered for discovering issues that rule-based systems might miss, ensuring thorough code analysis.

  3. Fix Suggestions 🔧 : Offers code change suggestions directly in PR comments, empowering devs to resolve issues efficiently, boosting code quality & security.

Examples

Here are a few example pull requests with PR comments from AI-CodeWise

  1. Terraform file with multiple security issues
  2. Java code vulnerable to XML external entities attacks
  3. JavaScript code vulnerable to open redirect
  4. Python code vulnerable to server-side request forgery (SSRF)
  5. C# code vulnerable to command injection

To try it out, you can also create a pull request in our demo repository. https://github.com/step-security/ai-codewise-demo

Support for private repositories

To use AI-CodeWise on a private repository, please join the beta.

Limitations

  • AI-CodeWise only reviews a pull request if it changes fewer than 10 files.
  • AI-CodeWise only reviews the changes in a file if that file's diff is under approximately 10K characters.
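
As an added illustration of these two limits (example code written for this page, not part of the AI-CodeWise action), the following Python pre-check splits a multi-file unified diff into per-file sections and reports which files would fall within the documented thresholds. The helper names, the constants (taken from the two bullets above) and the sample diff are constructed for the example; the action's own file-counting and character-counting rules may differ in detail.

```python
"""Pre-check a pull request diff against the two AI-CodeWise size limits above.

Added example, not code from the AI-CodeWise action. Assumptions: a PR is
reviewed only if it changes fewer than MAX_FILES files, and a file is reviewed
only if its own diff is shorter than MAX_FILE_DIFF_CHARS characters. The
helper names and SAMPLE_DIFF are constructed for illustration.
"""
import re
from dataclasses import dataclass

MAX_FILES = 10                # README: total file changes must be less than 10
MAX_FILE_DIFF_CHARS = 10_000  # README: per-file diff must be under ~10K characters

# One `diff --git a/<path> b/<path>` header starts each file's section.
_FILE_HEADER = re.compile(r"^diff --git a/(?P<path>\S+) b/\S+$", re.M)


@dataclass
class FileDiff:
    path: str
    text: str  # the file's full section of the unified diff, header included

    @property
    def within_limit(self) -> bool:
        return len(self.text) < MAX_FILE_DIFF_CHARS


def split_unified_diff(diff: str) -> list[FileDiff]:
    """Split a multi-file `git diff` into one FileDiff per `diff --git` section."""
    headers = list(_FILE_HEADER.finditer(diff))
    files = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(diff)
        files.append(FileDiff(path=m.group("path"), text=diff[m.start():end]))
    return files


def plan_review(diff: str) -> dict:
    """Report which files would be reviewed, which skipped, and why."""
    files = split_unified_diff(diff)
    if len(files) >= MAX_FILES:
        # Too many changed files: the whole PR is skipped, not just the extras.
        return {"reviewed": [], "skipped": [f.path for f in files],
                "reason": f"{len(files)} files changed; limit is fewer than {MAX_FILES}"}
    reviewed = [f.path for f in files if f.within_limit]
    skipped = [f.path for f in files if not f.within_limit]
    return {"reviewed": reviewed, "skipped": skipped,
            "reason": "per-file diff over size limit" if skipped else "ok"}


# Constructed sample: a small handler change plus an oversized minified asset.
SAMPLE_DIFF = (
    "diff --git a/app/handler.py b/app/handler.py\n"
    "--- a/app/handler.py\n"
    "+++ b/app/handler.py\n"
    "@@ -1,2 +1,3 @@\n"
    " import subprocess\n"
    "+cmd = request.args['c']\n"
    "diff --git a/vendor/big.min.js b/vendor/big.min.js\n"
    "--- a/vendor/big.min.js\n"
    "+++ b/vendor/big.min.js\n"
    "@@ -1 +1 @@\n"
    + "-" + "x" * 6000 + "\n"
    + "+" + "y" * 6000 + "\n"
)

if __name__ == "__main__":
    print(plan_review(SAMPLE_DIFF))
```

Run it against `git diff origin/main...HEAD` output to see in advance whether a PR (or a large generated file inside it) will be skipped; the oversized minified asset in the sample is skipped while the small handler change is still reviewed.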

Owner
StepSecurity
Comments
  • [StepSecurity] Apply security best practices

    Summary

    This pull request is created by Secure Repo at the request of @ashishkurmi. Please merge the Pull Request to incorporate the requested changes. Please tag @ashishkurmi on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.

    Security Fixes

    Pinned Dependencies

    GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA.

    Keeping your actions up to date with Dependabot

    With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).

    Detect Vulnerabilities with SAST Workflow

    Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as clear-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

    Secure Dockerfiles

    Pin image tags to digests in Dockerfiles. With the Docker v2 API release, it became possible to use digests in place of tags when pulling images or to use them in FROM lines in Dockerfiles.

    Add Dependency Review Workflow

    The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.

    Add OpenSSF Scorecard Workflow

    OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.

    Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.

    Feedback

    For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-repo. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

    Signed-off-by: StepSecurity Bot [email protected]
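
The two pinning recommendations in the Secure Repo summary above (full-length commit SHAs for actions, digests for Docker images) can be checked mechanically. The script below is an added example written for this page, not StepSecurity's Secure Repo code or part of any project referenced here. It treats an action ref as pinned only if it is a 40-hex commit SHA and an image as pinned only if it carries an @sha256: digest; the sample workflow, the sample Dockerfile, and the SHA and digest values in them are constructed placeholders.

```python
"""Flag GitHub Actions `uses:` refs and Dockerfile `FROM` images that are not
pinned to an immutable identifier.

Added example, not StepSecurity's Secure Repo code. Assumptions: an action
counts as pinned only when its ref is a 40-hex commit SHA (tags and branches
are mutable); an image counts as pinned only when it carries an @sha256:
digest. SAMPLE_WORKFLOW and SAMPLE_DOCKERFILE, including the SHA and digest
values in them, are constructed placeholders.
"""
import re

# `- uses: owner/repo[/path]@ref`, optionally quoted; stop at whitespace or a comment.
_USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
# `FROM [--platform=...] image[:tag][@digest] [AS stage]`
_FROM = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?", re.I
)
_SHA40 = re.compile(r"^[0-9a-f]{40}$")
_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_actions(workflow_yaml: str) -> list[tuple[int, str]]:
    """Return (line_no, ref) for each `uses:` not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_yaml.splitlines(), 1):
        m = _USES.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action or image reference; not a GitHub ref
        _, _, version = ref.partition("@")
        if not _SHA40.match(version):
            findings.append((n, ref))
    return findings


def unpinned_images(dockerfile: str) -> list[tuple[int, str]]:
    """Return (line_no, image) for each FROM whose image has no @sha256 digest."""
    findings = []
    stages = set()  # names declared with `AS`; a later `FROM <stage>` is not a pull
    for n, line in enumerate(dockerfile.splitlines(), 1):
        m = _FROM.match(line)
        if not m:
            continue
        image = m.group("image")
        if not (image.lower() == "scratch" or image in stages or _DIGEST.search(image)):
            findings.append((n, image))
        if m.group("stage"):
            stages.add(m.group("stage"))
    return findings


# Constructed samples (the SHA and digest below are placeholders, not real releases).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local-thing
      - uses: actions/setup-go@main
"""

SAMPLE_DOCKERFILE = "\n".join([
    "FROM golang:1.20 AS build",
    "WORKDIR /src",
    "RUN go build -o /out/app .",
    "FROM gcr.io/distroless/static@sha256:" + "0" * 64,
    "COPY --from=build /out/app /app",
    "FROM build AS test",
    'ENTRYPOINT ["/app"]',
])

if __name__ == "__main__":
    for n, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow line {n}: {ref} is not pinned to a commit SHA")
    for n, image in unpinned_images(SAMPLE_DOCKERFILE):
        print(f"Dockerfile line {n}: {image} is not pinned to a digest")
```

Pointed at `.github/workflows/*.yml` and your Dockerfiles, this reports the refs a tool like Secure Repo would rewrite. It deliberately does not treat a version tag such as `@v3` as pinned: the tag can be moved to a different commit, which is the mutability the Secure Repo summary warns about.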

  • Bump actions/dependency-review-action from 2.5.1 to 3.0.4

    Bumps actions/dependency-review-action from 2.5.1 to 3.0.4.

    Release notes

    Sourced from actions/dependency-review-action's releases.

    3.0.4

    What's New?

    The Action can now publish a comment in the pull request if the comment-summary-in-pr option is set. More information can be found in the README.

    New Contributors

    Changelog

    Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.0.4

    3.0.3

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.0.3

    3.0.2

    This release fixes spelling errors actions/dependency-review-action#348 and upgrades dependencies to fix known vulnerabilities

    Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.0.2

    3.0.1

    This release contains the following bugfixes:

    Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.0.1

    3.0.0

    Breaking Changes

    By default the action now expects SPDX-compliant licenses everywhere. If you were previously using license names in the allow or deny lists make sure they're valid!

    What's Changed

    Support for external configuration files

    You can now specify a configuration file external to your repository. This allows organizations to have a single configuration file for all their repos.

    Broader license support

    ... (truncated)

    Commits
    • f46c48e bumping version
    • 1ac6f5d Merge pull request #437 from actions/dependabot/npm_and_yarn/typescript-eslin...
    • 30049aa Bump @​typescript-eslint/eslint-plugin from 5.54.1 to 5.55.0
    • 02b3fba Merge pull request #436 from actions/dependabot/npm_and_yarn/typescript-eslin...
    • 5c5feeb Merge pull request #435 from actions/dependabot/npm_and_yarn/types/node-16.18.16
    • 85bb837 Bump @​typescript-eslint/parser from 5.54.1 to 5.55.0
    • 463aece Bump @​types/node from 16.18.14 to 16.18.16
    • e3fb515 Merge pull request #426 from actions/dependabot/npm_and_yarn/typescript-eslin...
    • 4b088f0 Merge pull request #427 from actions/dependabot/npm_and_yarn/zod-3.21.4
    • e46d65f Bump @​typescript-eslint/eslint-plugin from 5.54.0 to 5.54.1
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump ossf/scorecard-action from 2.0.6 to 2.1.3

    Bumps ossf/scorecard-action from 2.0.6 to 2.1.3.

    Release notes

    Sourced from ossf/scorecard-action's releases.

    v2.1.3

    What's Changed

    Bug Fixes

    • Invalid SARIF files from a bug in scorecard
    • Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner
    • Scorecard action not reporting binary artifacts in the repo

    Full Scorecard Changelog: https://github.com/ossf/scorecard/compare/v4.10.2...v4.10.5

    Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3

    v2.1.2

    What's Changed

    Fixes

    Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.1.1...v2.1.2

    v2.1.1

    Scorecard version

    This release uses Scorecard's v4.10.1

    Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.1.0...v2.1.1

    v2.1.0

    What's Changed

    Scorecard version

    This release uses scorecard v4.10.0.

    Improvements

    Documentation

    ... (truncated)

    Commits
    • 80e868c :seedling: Bump docker tag for release. (#1117)
    • aed6134 :seedling: Bump golang.org/x/net from 0.7.0 to 0.8.0 (#1099)
    • 33dfbd3 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 (#1111)
    • 193ae37 :seedling: Bump actions/dependency-review-action from 3.0.3 to 3.0.4 (#1110)
    • ca9bf95 :seedling: Bump actions/cache from 3.2.6 to 3.3.1 (#1103)
    • fa15212 :seedling: Bump github/codeql-action from 2.2.4 to 2.2.7 (#1105)
    • 136025e :seedling: Bump step-security/harden-runner from 2.1.0 to 2.2.1 (#1104)
    • c59c116 :seedling: Bump actions/cache from 3.2.5 to 3.2.6 (#1097)
    • 7cc3711 :seedling: Bump github.com/emicklei/go-restful (#1086)
    • 570a953 :seedling: Bump actions/cache from 3.2.4 to 3.2.5 (#1088)
    • Additional commits viewable in compare view

  • Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0

    Bumps golang.org/x/oauth2 from 0.7.0 to 0.8.0.

    Commits
    • 839de22 google: don't check for IsNotExist for well-known file
    • 0690208 go.mod: update golang.org/x dependencies
    • 451d5d6 internal: remove repeated definite articles
    • cfe200d oauth2: parse RFC 6749 error response
    • See full diff in compare view

  • Bump golang from 1.19 to 1.20

    Bumps golang from 1.19 to 1.20.

  • Bump step-security/publish-action from b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d to 00f33a2a7d8b77187d08ce666d0d5d73ad1dfb93

    Bumps step-security/publish-action from b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d to 00f33a2a7d8b77187d08ce666d0d5d73ad1dfb93.

    Commits
    • 00f33a2 Merge pull request #3 from step-security/stepsecurity_remediation_1681398636
    • 12ed719 [StepSecurity] Apply security best practices
    • See full diff in compare view

  • Bump actions/setup-go from 3.5.0 to 4.0.0

    Bumps actions/setup-go from 3.5.0 to 4.0.0.

    Release notes

    Sourced from actions/setup-go's releases.

    v4.0.0

    In scope of this release, we enable cache by default. The action won't throw an error if the cache can't be restored or saved. The action will throw a warning message, but it won't stop a build process. The cache can be disabled by specifying cache: false.

    steps:
      - uses: actions/[email protected]
      - uses: actions/setup-go@v4
        with:
          go-version: '1.19'
      - run: go run hello.go
    

    Besides, we introduce such changes as

    Commits
    • 4d34df0 Update configuration files (#348)
    • fdc0d67 Add Go bin if go-version input is empty (#351)
    • ebfdf6a add warning if go-version is empty (#350)
    • b27d769 fix lockfileVersion (#349)
    • c51a720 Enable caching by default with default input (#332)
    • 6b848af Merge pull request #343 from akv-platform/reusable-workflow
    • 12741cc Format update-config-files.yml
    • 7a77a6a Merge branch 'main' into reusable-workflow
    • 42a0cc8 Add update-config-files.yml
    • 7406d65 Add and configure ESLint and update configuration for Prettier (#341)
    • Additional commits viewable in compare view
