
feat(ci): add security scan workflow for PRs#446

Open
mohanadft wants to merge 3 commits into main from add-claude-github-actions-1777888886560

Conversation

@mohanadft
Collaborator

@mohanadft mohanadft commented May 4, 2026

Summary

Add an automated security scan that runs on every PR touching security-sensitive files, using Anthropic's dedicated claude-code-security-review action.

What it does

  • Scans changed files for OWASP Top 10 vulnerabilities (injection, XSS, auth bypasses, etc.) using Claude's semantic understanding
  • Automatically posts findings as PR comments
  • Picks up our existing CLAUDE.md security rules for project-specific context

Cost & abuse controls

  • Trigger: ready_for_review only — requires write access to trigger, preventing external spam
  • Path filter: Only fires when security-sensitive files change (src/pages/api/, src/middleware/, src/store/, src/utils/, public/_headers, wrangler.toml, *.config.*)
  • Model: Sonnet (~$0.08/scan vs ~$0.40 for Opus)
  • Timeout: 10 minutes hard cap
  • Concurrency: One scan per PR at a time, cancels redundant runs
  • Caching: Built-in — won't re-scan unchanged PR content
  • Directory exclusions: Skips node_modules, dist, .astro

Setup required

Add ANTHROPIC_API_KEY to repo secrets (Settings → Secrets → Actions) if not already set.

Note

PRs opened directly as non-draft won't trigger this scan (only ready_for_review fires it). Contributors should open as draft first, then mark ready for review.
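The controls listed in this description, assembled into a GitHub Actions workflow as an added example that is not the PR's own file: the action's input names, the pinned commit SHA, the Sonnet model id and the fetch-depth setting are assumptions or placeholders to confirm against the action's README.

```yaml
# .github/workflows/security-scan.yml  (added example, not the PR's own file)
name: Security scan

on:
  pull_request:
    # Fire only when a draft is marked ready; "opened" is deliberately absent,
    # so a PR opened directly as non-draft is not scanned.
    types: [ready_for_review]
    # Path filter from the PR description. Note that "*" does not cross "/",
    # so "**/*.config.*" is needed to match config files in subdirectories.
    paths:
      - "src/pages/api/**"
      - "src/middleware/**"
      - "src/store/**"
      - "src/utils/**"
      - "public/_headers"
      - "wrangler.toml"
      - "**/*.config.*"

# One scan per PR at a time; a newer run cancels the in-flight one.
concurrency:
  group: security-scan-${{ github.event.pull_request.number }}
  cancel-in-progress: true

# Least privilege: read the code, comment on the PR, nothing else.
permissions:
  contents: read
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 10        # hard cap from the PR description
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0       # assumption: base commit needed to diff changed files

      # Pin third-party actions to a full commit SHA, not a mutable tag or branch.
      - uses: anthropics/claude-code-security-review@<PINNED_COMMIT_SHA>  # placeholder
        with:
          # Input names below are assumptions; confirm them in the action's README.
          # On pull_request events from forks GitHub withholds repository secrets,
          # so this key is not exposed to fork-authored runs.
          claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          comment-pr: true
          claude-model: "<SONNET_MODEL_ID>"   # placeholder for the Sonnet model id
          exclude-directories: "node_modules,dist,.astro"
```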

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 4, 2026

Deploying website with Cloudflare Pages

Latest commit: ce1b21b
Status: ✅ Deploy successful!
Preview URL: https://18be72e7.website-aun.pages.dev
Branch Preview URL: https://add-claude-github-actions-17-1fsj.website-aun.pages.dev


Replace generic Claude code review with dedicated security review action
scoped to security-sensitive paths (API routes, middleware, store, utils,
config files).
@mohanadft mohanadft force-pushed the add-claude-github-actions-1777888886560 branch from d1c92c1 to c1aefde on May 4, 2026 10:09
@mohanadft mohanadft changed the title Add Claude Code GitHub Workflow feat(ci): add security scan workflow for PRs May 4, 2026
mohanadft added 2 commits May 4, 2026 13:16
Use correct input names, add Sonnet model, 10min timeout, directory
exclusions, and required checkout step.
…ontrol

Only scan when PR is marked ready for review (requires write access),
cancel redundant runs on the same PR.