CI Mode
RedFlag's CI mode integrates with GitHub Actions to automate the identification of Pull Requests (PRs) that need security review. It is highly configurable, accepting custom reviewer lists, PR comments, Slack configuration for notifications, and full RedFlag configuration files.
Similar to RedFlag batch mode, CI mode can integrate with Jira to enrich the PR information, enabling the language model to make more informed decisions. This setup enhances the security review process by efficiently flagging PRs that require attention within the CI/CD pipeline.
| Input | Required | Description | Default |
|---|---|---|---|
| github_token | Yes | GitHub token for API access. | - |
| bedrock_model_id | No | The Bedrock model to use. | - |
| bedrock_profile | No | The AWS Profile to use for Bedrock. | - |
| bedrock_region | No | The AWS Region to use for Bedrock. | - |
| comment_message | No | Message to add to PR when flagged. | This PR has been flagged for review and appropriate approvers have been added. Please reach out if you have any questions. |
| config_file | No | RedFlag config.yaml file. | - |
| debug_llm | No | Flag to enable debug LLM output. | - |
| jira_token | No | Token for Jira integration. | - |
| jira_url | No | Jira API endpoint for integration. | - |
| jira_user | No | Username for Jira integration. | - |
| reviewer_teams | No | Comma-separated string of teams to request to review the PR. | - |
| reviewer_users | No | Comma-separated string of users to request to review the PR. | - |
| slack_channel | No | Channel ID for posting to Slack. | - |
| slack_headline | No | Message headline for posting to Slack. | - |
| slack_token | No | Bot token for authenticating to Slack. | - |
RedFlag expects AWS credentials to be available in the environment. Below is an example of how to run RedFlag as a GitHub Action.
```yaml
name: 'RedFlag'
on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
permissions:
  contents: write
  pull-requests: write
  id-token: write # For use of AWS OIDC Role Assumption
jobs:
  redflag:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Set up AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: 'us-west-2'
          role-to-assume: 'arn:aws:iam::0123456789:role/RedFlag-Role'
          role-session-name: GitHubActions
          role-chaining: false
      - name: RedFlag
        uses: Addepar/RedFlag@v1
        with:
          config_file: '.github/redflag-config.yml'
          github_token: ${{ secrets.GITHUB_TOKEN }}
          jira_token: ${{ secrets.JIRA_TOKEN }}
          jira_url: 'https://YourCompany.atlassian.net'
          jira_user: ${{ secrets.JIRA_USERNAME }}
          reviewer_users: 'exampleuser'
          slack_channel: 'C0123456789'
          slack_token: ${{ secrets.SLACK_TOKEN }}
          # Additional inputs as needed
```
RedFlag can post a custom comment on the PR and attach the requested reviewers.
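As an added pre-flight check (example code, not part of RedFlag or its action), the following Python script reads a workflow file without PyYAML, extracts the `with:` inputs of the `Addepar/RedFlag` step, and reports inputs that are not in the table above, a missing `github_token`, and any `*_token` input set to a literal instead of a `${{ secrets.NAME }}` reference. The workflow fragment, its misspelled `reviewer_user` input and the placeholder Slack token are constructed for this example.

```python
import re
# RedFlag action inputs from the table above; only github_token is required.
DOCUMENTED_INPUTS = {"github_token", "bedrock_model_id", "bedrock_profile", "bedrock_region",
    "comment_message", "config_file", "debug_llm", "jira_token", "jira_url", "jira_user",
    "reviewer_teams", "reviewer_users", "slack_channel", "slack_headline", "slack_token"}
REQUIRED_INPUTS = {"github_token"}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")  # ${{ secrets.NAME }}

def redflag_step_inputs(workflow_text):
    """Return the `with:` inputs of the step using Addepar/RedFlag (line-based, no PyYAML)."""
    inputs, step_indent, with_indent = {}, None, None
    for line in workflow_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if not stripped or stripped.startswith("#"):
            continue
        if re.match(r"^(- )?uses:\s*Addepar/RedFlag@", stripped):
            step_indent = indent + (2 if stripped.startswith("- ") else 0)
        elif step_indent is not None and with_indent is None:  # inside the step, find with:
            if indent < step_indent:
                break  # next step began without a with: block
            if indent == step_indent and stripped == "with:":
                with_indent = indent
        elif with_indent is not None and indent > with_indent:  # an input line under with:
            key, _, value = stripped.partition(":")
            inputs[key.strip()] = value.strip().strip("'\"")
        elif with_indent is not None:
            break  # dedent: left the with: block
    return inputs

def lint_inputs(inputs):
    """Flag unknown inputs, missing required inputs, and *_token inputs given as literals."""
    findings = [f"unknown input '{k}'" for k in inputs if k not in DOCUMENTED_INPUTS]
    findings += [f"required input '{k}' missing" for k in REQUIRED_INPUTS - set(inputs)]
    findings += [f"'{k}' is a literal, not a secrets reference" for k, v in inputs.items()
                 if k.endswith("_token") and not SECRET_REF.fullmatch(v)]
    return findings

# Constructed sample: a misspelled input and a hard-coded (placeholder) Slack token.
SAMPLE_WORKFLOW = """\
      - name: RedFlag
        uses: Addepar/RedFlag@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          reviewer_user: 'exampleuser'
          slack_token: 'xoxb-not-a-real-token'
      - run: echo done
"""
```

Running `lint_inputs(redflag_step_inputs(open(".github/workflows/redflag.yml").read()))` against your own workflow returns an empty list when every input matches the table and every token comes from `secrets`.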