secure-review-action

GitHub Action security review

Deterministic pull request security findings without sending code to external analysis APIs.

Run built-in checks, optional Semgrep, npm audit, PR comments, JSON artifacts, and SARIF upload from one focused developer-tooling action.

critical Possible hardcoded token
high Shell command uses interpolated input
high SQL string built with concatenation
SARIF + JSON artifacts written

Security-first scope

Rules focus on secrets, command execution, unsafe dynamic code, injection-prone patterns, and dependency alerts.

PR-aware comments

Patch mapping restricts inline review comments to right-side lines that the pull request actually changed, because GitHub's review API rejects comments on lines outside the diff; filtering findings up front keeps review publishing reliable.
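To make the patch-mapping step concrete, here is an added JavaScript example (not the action's own code) that parses a unified diff into the right-side line numbers each hunk adds and keeps only the findings that land on them. The diff and findings are constructed for the example, and `changedRightSideLines` / `filterToDiff` are hypothetical names.

```javascript
// Added example (hypothetical helper, not the action's own code): map a PR
// diff to the right-side line numbers it changes, then drop findings that
// GitHub's review API could not attach a comment to.
// Parse a unified diff; return Map<file, Set<new-side line numbers of "+" lines>>.
function changedRightSideLines(diffText) {
  const changed = new Map();
  let file = null;
  let rightLine = 0; // 0 means "not inside a hunk"
  for (const raw of diffText.split("\n")) {
    if (raw.startsWith("diff --git ")) {
      file = null; rightLine = 0; // new file header block starts
    } else if (rightLine === 0 && raw.startsWith("+++ ")) {
      file = raw.slice(4).replace(/^b\//, ""); // "+++ b/path" names the new file
      changed.set(file, new Set());
    } else if (raw.startsWith("@@")) {
      const m = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
      rightLine = m ? Number(m[1]) : 0; // new-side start line of this hunk
    } else if (file && rightLine > 0) {
      // "+" lines are right-side changes; " " context lines exist on both sides
      // and only advance the counter; "-" lines and "\ No newline" markers do not.
      if (raw.startsWith("+")) { changed.get(file).add(rightLine); rightLine++; }
      else if (raw.startsWith(" ")) { rightLine++; }
    }
  }
  return changed;
}
// Keep only findings whose file/line the PR actually changed.
function filterToDiff(findings, diffText) {
  const changed = changedRightSideLines(diffText);
  return findings.filter((f) => changed.get(f.file)?.has(f.line) === true);
}
// Constructed sample diff and findings (not real project data).
const SAMPLE_DIFF = [
  "diff --git a/src/db.js b/src/db.js",
  "--- a/src/db.js",
  "+++ b/src/db.js",
  "@@ -10,4 +10,5 @@ function load(id) {",
  "   const pool = getPool();",
  "-  const q = \"SELECT * FROM users WHERE id = \" + id;",
  "+  const q = \"SELECT * FROM users WHERE id = \" + id + \" LIMIT 1\";",
  "+  const rows = pool.query(q);",
  "   return rows;",
  " }",
].join("\n");
const SAMPLE_FINDINGS = [
  { file: "src/db.js", line: 11, severity: "high", rule: "sql-string-concat" },
  { file: "src/db.js", line: 40, severity: "high", rule: "shell-interpolation" }, // line not in diff
  { file: "src/config.js", line: 3, severity: "critical", rule: "hardcoded-token" }, // file not in PR
];
console.log(filterToDiff(SAMPLE_FINDINGS, SAMPLE_DIFF)); // only the line-11 finding survives
```

Findings outside the diff are not lost in practice; they still belong in the JSON and SARIF artifacts, only the inline PR comment is withheld.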

No external analysis API

The action is deterministic by default and keeps source review inside GitHub Actions.

Workflow

name: Security review

on:
  pull_request:

permissions:
  contents: read
  pull-requests: write
  issues: write
  security-events: write

jobs:
  secure-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: SuvenSeo/secure-review-action@v0.1.0
        with:
          max-findings: "25"
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: secure-review-results.sarif

Outputs