AI-CodeWise
AI-CodeWise GitHub Action: Your AI-powered Code Reviewer!
-
🧠 Triggers on pull requests, sending code diffs to StepSecurity API & using Azure OpenAI API for code analysis -
🔒 Pull request comments via StepSecurity bot, pinpointing issues to enhance code quality & tackle security risks
Usage
To use AI-CodeWise, add this GitHub Actions workflow to your repositories
name: Code Review
on:
pull_request:
permissions:
contents: read
jobs:
code-review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
steps:
- name: Harden Runner
uses: step-security/[email protected] # v2.4.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: Code Review
uses: step-security/[email protected]
When you create a pull request in the repository, the workflow will get triggered and add a pull request comment. The comment will be added even if the pull request is from a fork. Here is an screenshot of what the comment will look like:
The bot solely generates code comments, it does not approve or block PRs based on its suggestions. The action passes once the code comments are posted in the PR discussion.
Comparison with existing SAST and IaC scanners
-
All-in-One Review
🌐 : Detects code smells, best practice violations, & security issues across languages for versatile code review. -
Unforeseen Issue Detection
🎯 : AI-powered for discovering issues that rule-based systems might miss, ensuring thorough code analysis. -
Fix Suggestions
🔧 : Offers code change suggestions directly in PR comments, empowering devs to resolve issues efficiently, boosting code quality & security.
Examples
Here are a few example pull requests with PR comments from AI-CodeWise
- Terraform file with multiple security issues
- Java code vulnerable to XML external entities attacks
- JavaScript code vulnerable to open redirect
- Python code vulnerable to server-side request forgery (SSRF)
- C# code vulnerable to command injection
To try it out, you can also create a pull request in our demo repository. https://github.com/step-security/ai-codewise-demo
Support for private repositories
To use AI-CodeWise on a private repository, please join the beta.
Limitations
- AI-CodeWise will only review changes if the total number of file changes in a pull request is less than 10.
- AI-CodeWise will only review changes in a file if the total characters in the diff is less than approximately 10K.