pipeline config

Author: Commando-X

.github/workflows/ai-security-review.yml

@@ -1 +1,53 @@
-//TB
+name: Claude Security Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, ready_for_review, reopened]
+    # Optional: only run when security-sensitive areas change
+    # paths:
+    #   - "src/auth/**"
+    #   - "src/api/**"
+    #   - "infra/**"
+    #   - "config/**"
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    # Least privilege for PR review + required OIDC for the Claude GitHub App
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+
+    steps:
+      - name: Checkout PR
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 1
+
+      - name: Claude security review
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number }}
+
+            Perform a security-focused review. Prioritize:
+            - AuthN/AuthZ issues (BOLA/BFLA/BOPLA)
+            - Injection (SQLi/NoSQLi/Command)
+            - SSRF, deserialization, crypto misuse
+            - Sensitive data exposure, logging issues
+            - Security misconfig in code/config
+
+            For each finding, include:
+            Severity: CRITICAL/HIGH/MEDIUM/LOW
+            What/Where
+            Impact
+            Recommendation
+
+            Use inline comments for line-level issues and one top-level summary comment.
+
+          claude_args: |
+            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"