Security review
The security review workflow scans the target repository with open-source tools — `npm audit`, `semgrep`, and `gitleaks` — alongside an AI code review. It files a single summary issue per run (Renovate-style) containing a GitHub task list of findings grouped Critical / High / Medium / Low.
Permission profile: `issues-write` — can read repo contents and create/edit issues and comments.
Pipeline
What it does
- Runs `npm audit`, `semgrep`, and `gitleaks` plus an AI code review
- Files one summary issue per run with a GitHub task list of findings
- Groups findings Critical / High / Medium / Low
- Honours `SECURITY.md` for known false-positives and accepted risk
- Each run scans exactly one repo
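The aggregation step described above (three tool reports in, one severity-grouped task list out, with `SECURITY.md` accepted risks filtered) as an added illustration. This is example code written for this page, not the workflow's own implementation. It assumes the report shapes of `npm audit --json`, `semgrep --json` and `gitleaks --report-format json`, a fixed mapping from each tool's severity vocabulary to the four buckets, and an `## Accepted risks` section in `SECURITY.md` listing finding ids in backticks; all of these are assumptions, and the sample reports are constructed.

```python
"""Combine constructed npm audit / semgrep / gitleaks output into a
severity-grouped GitHub task list, dropping findings that SECURITY.md
marks as accepted risk. Added example, not the workflow's own code."""
import re

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Assumed mappings from each tool's own severity words to the four buckets.
NPM_MAP = {"critical": "Critical", "high": "High", "moderate": "Medium",
           "low": "Low", "info": "Low"}
SEMGREP_MAP = {"ERROR": "High", "WARNING": "Medium", "INFO": "Low"}


def accepted_ids(security_md):
    """Collect finding ids listed under an '## Accepted risks' heading.
    The heading name and the backtick-id list format are assumptions."""
    ids, in_section = set(), False
    for line in security_md.splitlines():
        if line.startswith("## "):
            in_section = line.strip().lower() == "## accepted risks"
            continue
        m = re.match(r"\s*-\s*`([^`]+)`", line)
        if in_section and m:
            ids.add(m.group(1))
    return ids


def collect_findings(npm_report, semgrep_report, gitleaks_report):
    """Normalise the three report shapes into {id, severity, text} records."""
    findings = []
    for pkg, v in npm_report.get("vulnerabilities", {}).items():
        findings.append({
            "id": f"npm:{pkg}",
            "severity": NPM_MAP.get(v.get("severity", "low"), "Low"),
            "text": f"npm audit: `{pkg}` {v.get('range', '')}".rstrip(),
        })
    for r in semgrep_report.get("results", []):
        loc = f"{r['path']}:{r['start']['line']}"
        findings.append({
            "id": f"semgrep:{r['check_id']}@{loc}",
            "severity": SEMGREP_MAP.get(r["extra"]["severity"], "Low"),
            "text": f"semgrep: {r['check_id']} at {loc}",
        })
    for leak in gitleaks_report:
        loc = f"{leak['File']}:{leak['StartLine']}"
        findings.append({
            "id": f"gitleaks:{leak['RuleID']}@{loc}",
            "severity": "Critical",  # a committed secret is always treated as Critical here
            "text": f"gitleaks: {leak['Description']} at {loc}",
        })
    return findings


def group_findings(findings, accepted):
    """Bucket by severity, skipping ids that SECURITY.md accepts."""
    grouped = {s: [] for s in SEVERITY_ORDER}
    for f in findings:
        if f["id"] not in accepted:
            grouped[f["severity"]].append(f)
    return grouped


def render_issue(grouped):
    """Render the buckets as a GitHub task list, Critical first."""
    lines = ["## Security review findings", ""]
    for sev in SEVERITY_ORDER:
        lines.append(f"### {sev} ({len(grouped[sev])})")
        for f in grouped[sev]:
            lines.append(f"- [ ] {f['text']} (`{f['id']}`)")
        lines.append("")
    return "\n".join(lines)


# Constructed sample reports, not real tool output.
NPM_SAMPLE = {"vulnerabilities": {
    "example-lib": {"severity": "high", "range": "<1.2.3"},
    "old-parser": {"severity": "moderate", "range": "<=0.9.0"},
}}
SEMGREP_SAMPLE = {"results": [
    {"check_id": "javascript.express.security.audit.xss", "path": "src/app.js",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "constructed"}},
    {"check_id": "javascript.lang.security.audit.console-log", "path": "src/util.js",
     "start": {"line": 7}, "extra": {"severity": "INFO", "message": "constructed"}},
]}
GITLEAKS_SAMPLE = [
    {"RuleID": "generic-api-key", "File": "config/dev.env", "StartLine": 3,
     "Description": "Generic API Key"},
]
SECURITY_MD_SAMPLE = """# Security policy

## Accepted risks
- `npm:old-parser` dev-only dependency, upgrade tracked separately
"""


def run_example():
    accepted = accepted_ids(SECURITY_MD_SAMPLE)
    findings = collect_findings(NPM_SAMPLE, SEMGREP_SAMPLE, GITLEAKS_SAMPLE)
    grouped = group_findings(findings, accepted)
    return grouped, render_issue(grouped)


if __name__ == "__main__":
    print(run_example()[1])
```

Keying the accepted-risk list on a stable finding id (tool plus package, or tool plus rule and location) is what lets a `SECURITY.md` entry suppress the same finding on every weekly run without hiding a new finding that merely shares the rule.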
Triggers
- Cron: weekly on Monday at 10:00 — fans out one run per managed repo
- CLI: `security owner/repo`
- GitHub comment: `@last-light security-review`
- Slack: `security review owner/repo`
Skill
This workflow uses the `security-review` skill.