Security review

The security review workflow scans the target repository with open-source tools — npm audit, semgrep, and gitleaks — alongside an AI code review. It files a single summary issue per run (Renovate-style) containing a GitHub task list of findings grouped Critical / High / Medium / Low.

Permission profile: issues-write — can read repo contents and create/edit issues and comments.

Pipeline

Scan tools + AI review

What it does

  • Runs npm audit, semgrep, and gitleaks plus an AI code review
  • Files one summary issue per run with a GitHub task list of findings
  • Groups findings Critical / High / Medium / Low
  • Honours SECURITY.md for known false positives and accepted risk, so those findings are not re-filed
  • Each run scans exactly one repo
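
How the aggregation step can work, as an added illustration rather than the workflow's own code: it takes constructed sample output shaped like the JSON each tool emits (the sample data and the SECURITY.md suppression format are assumptions), normalises the three sources to one schema, drops entries listed as accepted, and renders the Critical / High / Medium / Low task list that goes into the summary issue.

```python
"""Group npm audit, semgrep and gitleaks findings into one GitHub task list."""

# Constructed samples shaped like each tool's JSON output (assumption, not real scan data).
NPM_AUDIT = {"vulnerabilities": {"lodash": {"name": "lodash", "severity": "high",
             "via": [{"title": "Prototype Pollution"}]}}}
SEMGREP = {"results": [{"check_id": "javascript.express.security.injection",
           "path": "src/app.js", "start": {"line": 42},
           "extra": {"severity": "ERROR", "message": "Possible SQL injection"}}]}
GITLEAKS = [{"RuleID": "aws-access-token", "File": "config/dev.env",
             "StartLine": 3, "Description": "AWS Access Token"}]

# Finding ids a SECURITY.md might list as accepted risk / known false positives (format assumed).
ACCEPTED = {"semgrep:javascript.express.security.injection:src/app.js"}

SEVERITIES = ("Critical", "High", "Medium", "Low")
NPM_MAP = {"critical": "Critical", "high": "High", "moderate": "Medium", "low": "Low", "info": "Low"}
SEMGREP_MAP = {"ERROR": "High", "WARNING": "Medium", "INFO": "Low"}


def normalise(npm_audit, semgrep, gitleaks):
    """Flatten the three tool outputs into {id, severity, text} records."""
    findings = []
    for v in npm_audit.get("vulnerabilities", {}).values():
        title = next((x["title"] for x in v["via"] if isinstance(x, dict)), "advisory")
        findings.append({"id": f"npm:{v['name']}", "severity": NPM_MAP.get(v["severity"], "Medium"),
                         "text": f"npm audit: {v['name']} - {title}"})
    for r in semgrep.get("results", []):
        findings.append({"id": f"semgrep:{r['check_id']}:{r['path']}",
                         "severity": SEMGREP_MAP.get(r["extra"]["severity"], "Medium"),
                         "text": f"semgrep: {r['check_id']} at {r['path']}:{r['start']['line']}"})
    for g in gitleaks:  # any committed secret is treated as Critical
        findings.append({"id": f"gitleaks:{g['RuleID']}:{g['File']}", "severity": "Critical",
                         "text": f"gitleaks: {g['Description']} at {g['File']}:{g['StartLine']}"})
    return findings


def group(findings, accepted):
    """Bucket findings by severity, skipping ids accepted in SECURITY.md."""
    grouped = {s: [] for s in SEVERITIES}
    for f in findings:
        if f["id"] not in accepted:
            grouped[f["severity"]].append(f)
    return grouped


def render_issue(grouped):
    """Render the GitHub task-list body, highest severity first, omitting empty groups."""
    lines = []
    for sev in SEVERITIES:
        if grouped[sev]:
            lines.append(f"### {sev}")
            lines.extend(f"- [ ] {f['text']} (`{f['id']}`)" for f in grouped[sev])
    return "\n".join(lines)
```

Stable finding ids (tool, rule, path) are what make SECURITY.md suppressions and task-list check state survive from one weekly run to the next.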

Triggers

  • Cron: weekly on Monday at 10:00 — fans out one run per managed repo
  • CLI: security owner/repo
  • GitHub comment: @last-light security-review
  • Slack: security review owner/repo

Skill

This workflow uses the security-review skill.