{"id":34579396,"url":"https://github.com/erans/autoagent-action","last_synced_at":"2026-05-27T15:32:48.224Z","repository":{"id":314192647,"uuid":"1054532572","full_name":"erans/autoagent-action","owner":"erans","description":null,"archived":false,"fork":false,"pushed_at":"2025-09-11T03:36:00.000Z","size":92,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-11T05:26:09.429Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/erans.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-09-11T01:31:20.000Z","updated_at":"2025-09-11T03:36:03.000Z","dependencies_parsed_at":"2025-09-11T05:26:11.240Z","dependency_job_id":"3fa26589-8b1e-40ff-9e06-cae453c533c2","html_url":"https://github.com/erans/autoagent-action","commit_stats":null,"previous_names":["erans/autoagent-action"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/erans/autoagent-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erans%2Fautoagent-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erans%2Fautoagent-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erans%2Fautoagent-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erans%2Fautoagent-action
/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/erans","download_url":"https://codeload.github.com/erans/autoagent-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erans%2Fautoagent-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33573250,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-27T02:00:06.184Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-24T09:59:15.572Z","updated_at":"2026-05-27T15:32:48.218Z","avatar_url":"https://github.com/erans.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AutoAgent\n\n\u003e **⚠️ Experimental Project**: This project was created during a hackathon at the Cursor offices on September 10, 2025. Use at your own risk. Future updates will focus on making it production CI/CD ready. 
🚧  - Thank you to the Cursor team for hosting!\n\nA composable GitHub Action that integrates with AI agents like [Cursor CLI](https://cursor.com/cli), [Claude Code](https://claude.ai/code), [Gemini CLI](https://github.com/google-gemini/gemini-cli), [Codex CLI](https://github.com/openai/codex), [Amp Code](https://ampcode.com/), and [OpenCode](https://opencode.ai/) to run prompts on a repository as part of Pull Request workflows.\n\n## Features\n\n- **Predefined Rules**: Run curated rules like OWASP security checks or refactoring suggestions\n- **Custom Prompt Support**: Extend analysis with team-specific custom instructions\n- **Agent Auto Installation**: Automatically installs the agent unless explicitly disabled\n- **Multiple Agents Support**: Supports multiple AI coding agents: `cursor`, `claude`, `gemini`, `codex`, `amp`, and `opencode`\n- **Configurable Scope**: Analyze only changed files (fast) or entire codebase (comprehensive)\n- **PR Comment Output**: Posts results back to GitHub PR comments in a structured format\n- **Composable Python Architecture**: Built with maintainable, modular Python code for better reliability and extensibility\n- **Configurable Logging**: Debug mode for troubleshooting with detailed execution information\n\n## Suggested Future Work\n\nI would love to get feedback if this is working well and if any of these future work items seem relevant to you:\n\n1. **Ability to stop merge if there are high vulnerability items in AutoAgent** - Block PRs automatically when critical security issues are detected\n2. **Ability to have other actions other than commenting** - Support for email notifications, Slack messages, or other integrations for important findings\n3. **Ability to fail a build if AutoAgent has important enough failures** - Set exit codes based on severity levels to integrate with CI/CD pipeline failure conditions\n4. 
**Ability to execute rules in parallel** - Run multiple rules concurrently to reduce overall analysis time and improve CI/CD performance\n\n## Usage\n\n### Basic Example with Cursor\n\n```yaml\nname: AutoAgent Checks\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: Run AutoAgent\n        uses: erans/autoagent@main\n        env:\n          CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n          custom: |\n            Please check for inefficient SQL queries and suggest optimizations.\n          action: comment\n          install-agent: true\n          agent: cursor\n```\n\n### Example with Claude Code\n\n```yaml\nname: AutoAgent with Claude\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: Run AutoAgent\n        uses: erans/autoagent@main\n        env:\n          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n          custom: |\n            Please check for inefficient SQL queries and suggest optimizations.\n          action: comment\n          install-agent: true\n          agent: claude\n```\n\n### Example with Gemini CLI\n\n```yaml\nname: AutoAgent with Gemini\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: Run AutoAgent\n        uses: erans/autoagent@main\n        env:\n 
         GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n          custom: |\n            Please check for inefficient SQL queries and suggest optimizations.\n          action: comment\n          install-agent: true\n          agent: gemini\n```\n\n### Example with Codex CLI\n\n```yaml\nname: AutoAgent with Codex\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: Run AutoAgent\n        uses: erans/autoagent@main\n        env:\n          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n          custom: |\n            Please check for inefficient SQL queries and suggest optimizations.\n          action: comment\n          install-agent: true\n          agent: codex\n```\n\n### Example with Amp Code\n\n```yaml\nname: AutoAgent with Amp\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: Run AutoAgent\n        uses: erans/autoagent@main\n        env:\n          AMP_API_KEY: ${{ secrets.AMP_API_KEY }}\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n          custom: |\n            Please check for inefficient SQL queries and suggest optimizations.\n          action: comment\n          install-agent: true\n          agent: amp\n```\n\n### Example with OpenCode\n\nOpenCode supports multiple AI providers (Anthropic, OpenAI, Google, etc.) 
and automatically uses the appropriate API key based on the model you specify:\n\n```yaml\nname: AutoAgent with OpenCode\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: Run AutoAgent\n        uses: erans/autoagent@main\n        env:\n          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}\n          GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}\n          MODEL: anthropic/claude-sonnet-4-20250514\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n          custom: |\n            Please check for inefficient SQL queries and suggest optimizations.\n          action: comment\n          install-agent: true\n          agent: opencode\n```\n\n#### OpenCode Model Examples\n\nYou can specify different providers and models:\n\n```yaml\n# Using Anthropic Claude\nenv:\n  ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n  MODEL: anthropic/claude-sonnet-4-20250514\n\n# Using OpenAI GPT\nenv:\n  OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}\n  MODEL: openai/gpt-4\n\n# Using Google Gemini\nenv:\n  GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}\n  MODEL: google/gemini-pro\n```\n\n### Analysis Scope Configuration\n\nAutoAgent supports two analysis modes controlled by the `scope` parameter:\n\n#### 🚀 **Changed Files Mode (Default)** - `scope: \"changed\"`\n\nThis mode analyzes only files that have been modified in the Pull Request, making it faster and more cost-effective by focusing AI analysis on the actual changes.\n\n**How it works:**\n- Automatically detects all files changed in the PR across all commits\n- Uses multiple git diff strategies for maximum compatibility\n- Provides changed file list context to AI agents\n- Falls back to GitHub API when git history is 
insufficient\n- Works with merge commits, rebases, and complex PR scenarios\n\n**Key Benefits:**\n- ⚡ **Faster execution** - Only processes changed files\n- 💰 **Token efficient** - Reduces API costs significantly\n- 🎯 **Focused analysis** - AI concentrates on actual changes\n- 🔄 **Auto-detection** - Handles complex git scenarios automatically\n\n**Requirements for Changed Files Mode:**\n- Must use `fetch-depth: 0` in checkout action (see examples below)\n- Requires GitHub CLI (`gh`) for API fallback\n- Works best with proper base branch setup\n\n#### Analyze Only Changed Files (Default - Faster)\n```yaml\nname: AutoAgent - Changed Files Only\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0  # Required for proper changed file detection\n      - name: Run AutoAgent on Changed Files\n        uses: erans/autoagent@main\n        env:\n          CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n          scope: \"changed\"  # This is the default\n          action: comment\n          agent: cursor\n```\n\n#### 🔍 **Full Codebase Mode** - `scope: \"all\"`\n\nThis mode performs comprehensive analysis of the entire repository codebase, useful for security audits, architectural reviews, or when you need complete coverage.\n\n**When to use:**\n- Security audits requiring full codebase review\n- Architectural analysis and refactoring suggestions\n- Initial code quality assessment\n- Compliance reviews and documentation checks\n\n**Trade-offs:**\n- ⏱️ **Slower execution** - Processes entire codebase\n- 💸 **Higher cost** - Uses more API tokens\n- 📊 **Comprehensive coverage** - No missed dependencies or context\n- 🔎 **Deep analysis** - Can catch broader architectural 
issues\n\n#### Analyze Entire Codebase (Comprehensive)\n```yaml\nname: AutoAgent - Full Codebase Analysis\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0  # Required for proper changed file detection\n      - name: Run AutoAgent on Entire Codebase\n        uses: erans/autoagent@main\n        env:\n          CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n          scope: \"all\"  # Analyze entire codebase\n          action: comment\n          agent: cursor\n```\n\n### Troubleshooting Changed Files Detection\n\nIf you see `\"No changed files detected\"` in the output, enable debug logging first to get detailed information:\n\n```yaml\n- name: Run AutoAgent with Debug\n  uses: erans/autoagent@main\n  with:\n    logging: debug  # Enable detailed debugging\n    # ... 
other parameters\n```\n\nThen try these solutions based on the debug output:\n\n#### **Issue: Shallow Clone**\n```yaml\n# ❌ This may cause detection issues\n- uses: actions/checkout@v4\n\n# ✅ Use this instead\n- uses: actions/checkout@v4\n  with:\n    fetch-depth: 0  # Required for changed file detection\n```\n\n#### **Issue: Missing Base Branch**\nThe action automatically fetches the base branch, but ensure your workflow runs on pull request events:\n\n```yaml\non:\n  pull_request:\n    types: [opened, synchronize, reopened]  # All required events\n```\n\n#### **Issue: Complex Merge Scenarios**\nAutoAgent uses 8 different detection strategies including:\n- Merge-base calculation\n- GitHub API fallback\n- Merge commit detection\n- Multiple git diff approaches\n\nCheck the debug output to see which strategy succeeded.\n\n#### **Issue: Permissions**\nEnsure your workflow has proper permissions:\n\n```yaml\npermissions:\n  contents: read        # Required for checkout\n  pull-requests: write  # Required for comments\n  issues: write         # Required for GitHub API\n```\n\n### Advanced Example\n\n```yaml\nname: AutoAgent Security \u0026 Quality Checks\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: Run AutoAgent\n        uses: erans/autoagent@main\n        env:\n          CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n            - refactor-suggestions\n            - duplication-check\n          custom: |\n            Please analyze the database schema changes and ensure they follow our naming conventions.\n            Also check for any potential performance issues with the new queries.\n          action: comment\n          install-agent: true\n          agent: 
cursor\n```\n\n### Custom Prompt Only Example\n\n```yaml\nname: AutoAgent Custom Analysis\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: Run AutoAgent\n        uses: erans/autoagent@main\n        env:\n          CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}\n        with:\n          custom: |\n            Please review this pull request for:\n            1. Code quality and best practices\n            2. Security vulnerabilities\n            3. Performance optimizations\n            4. Documentation completeness\n          action: comment\n          install-agent: true\n          agent: cursor\n```\n\n### Debug Logging Example\n\nEnable debug logging to troubleshoot issues with file detection, agent execution, or other problems:\n\n```yaml\nname: AutoAgent with Debug Logging\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0  # Required for proper changed file detection\n      - name: Run AutoAgent with Debug Output\n        uses: erans/autoagent@main\n        env:\n          CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n          logging: debug  # Enable detailed debugging output\n          agent: cursor\n```\n\n**Debug logging includes:**\n- Detailed git diff strategies and results\n- Changed file detection process\n- Agent execution details and prompt lengths\n- Rule processing steps and timings\n- Error details and troubleshooting information\n\n### Custom Rule Files Examples\n\nAutoAgent supports custom rule files through the `customFiles` 
parameter, allowing you to create reusable, organization-specific analysis rules.\n\n#### Basic Custom Files Example\n\n```yaml\nname: AutoAgent with Custom Rules\n\non:\n  pull_request:\n    types: [opened, synchronize, reopened]\n\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n\njobs:\n  autoagent:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n      - name: Run AutoAgent with Custom Files\n        uses: erans/autoagent@main\n        env:\n          CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}\n        with:\n          rules: |\n            - owasp-check\n            - code-review\n          customFiles: |\n            - .github/rules/team-standards.prompt\n            - .github/rules/api-guidelines.prompt\n          agent: cursor\n```\n\n#### Repository-Specific Rules\n\nCreate custom rule files in your repository under `.github/rules/`:\n\n**`.github/rules/team-standards.prompt`**:\n```\nReview the code for adherence to our team's coding standards:\n\n## API Design Standards\n- All API endpoints must use consistent naming (kebab-case)\n- Response structures must include status, data, and meta fields\n- Error responses must follow RFC 7807 problem details format\n\n## Database Standards\n- All queries must use prepared statements\n- Table names must be snake_case\n- Foreign key relationships must be explicitly defined\n\n## Testing Requirements\n- All public methods must have unit tests\n- Integration tests required for API endpoints\n- Test coverage must be \u003e 80%\n\nProvide specific violations found with file locations and recommended fixes.\n```\n\n**`.github/rules/api-guidelines.prompt`**:\n```\nAnalyze the API implementation for compliance with our guidelines:\n\n## REST API Standards\n- Proper HTTP status codes usage\n- Consistent error handling patterns\n- Request/response validation\n- Rate limiting implementation\n\n## Security Requirements\n- Input 
sanitization for all endpoints\n- Authentication middleware on protected routes\n- SQL injection prevention\n- XSS protection measures\n\nReport any deviations from these standards with specific remediation steps.\n```\n\n#### Shared Organization Rules\n\nUse relative paths to reference shared rules from a parent directory or organization-wide rule repository:\n\n```yaml\n- name: Run AutoAgent with Shared Org Rules\n  uses: erans/autoagent@main\n  env:\n    CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}\n  with:\n    customFiles: |\n      - ../shared-rules/org-security.prompt\n      - ../shared-rules/performance-standards.prompt\n      - .github/rules/local-overrides.prompt\n    agent: cursor\n```\n\n#### Mixed Rules Configuration\n\nCombine predefined rules, custom files, and custom prompts:\n\n```yaml\n- name: Comprehensive AutoAgent Analysis\n  uses: erans/autoagent@main\n  env:\n    CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}\n  with:\n    rules: |\n      - owasp-check\n      - secrets-detection\n    customFiles: |\n      - .github/rules/team-standards.prompt\n      - .github/rules/performance-check.prompt\n    custom: |\n      Additionally, please verify that all new database migrations\n      include proper rollback procedures and performance impact analysis.\n    agent: cursor\n```\n\n#### JSON Format Support\n\nCustomFiles also supports JSON array format:\n\n```yaml\n- name: AutoAgent with JSON Custom Files\n  uses: erans/autoagent@main\n  env:\n    CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}\n  with:\n    customFiles: '[\"./rules/custom.prompt\", \".github/rules/standards.prompt\"]'\n    agent: cursor\n```\n\n#### File Path Resolution\n\n- **Relative paths**: Resolved relative to the repository root (`$GITHUB_WORKSPACE`)\n  - `./rules/custom.prompt` → `$GITHUB_WORKSPACE/rules/custom.prompt`\n  - `.github/rules/team.prompt` → `$GITHUB_WORKSPACE/.github/rules/team.prompt`\n  - `../shared/rule.prompt` → Parent directory of workspace\n\n- **Absolute 
paths**: Used as-is (with security validation)\n  - `/home/runner/work/shared/rule.prompt`\n\n- **Security features**:\n  - File existence and readability validation\n  - File size limits (max 1MB per file)\n  - Path traversal protection\n  - Graceful error handling for invalid files\n\n#### Rule Naming in Comments\n\nCustom rule files appear in PR comments using just the filename (without path or `.prompt` extension):\n\n- `.github/rules/team-standards.prompt` appears as `team-standards`\n- `../shared/org-security.prompt` appears as `org-security`\n- `/absolute/path/api-check.prompt` appears as `api-check`\n\n## Inputs\n\n| Input | Type | Required | Default | Description |\n|-------|------|----------|---------|-------------|\n| `rules` | String (YAML/JSON list) | ❌ No | `[]` | Predefined rules to execute |\n| `custom` | String | ❌ No | `\"\"` | Custom prompt to append to predefined rules |\n| `customFiles` | String (YAML/JSON list) | ❌ No | `[]` | Custom .prompt files to execute (supports relative and absolute paths) |\n| `action` | Enum | ✅ Yes | `comment` | What to do with results (currently `comment` only) |\n| `install-agent` | Boolean | ❌ No | `true` | Whether to install the agent automatically |\n| `agent` | String | ❌ No | `cursor` | Which agent to use (`cursor`, `claude`, `gemini`, `codex`, `amp`, `opencode`) |\n| `scope` | String | ❌ No | `changed` | Analysis scope: `changed` for PR files only, `all` for entire codebase |\n| `logging` | String | ❌ No | `info` | Logging level: `info` for normal output, `debug` for detailed debugging information |\n\n## Predefined Rules\n\n| Rule Name | Description |\n|-----------|-------------|\n| `owasp-check` | **🔒 Comprehensive security analysis** based on OWASP Top 10 2021 guidelines including broken access control, cryptographic failures, injection vulnerabilities, insecure design, security misconfigurations, vulnerable components, authentication failures, software integrity failures, logging failures, and SSRF. 
Also covers XSS, CSRF, path traversal, and security headers analysis. |\n| `sql-injection` | **💉 SQL injection vulnerability analysis** - Detects SQL, NoSQL, and other injection vulnerabilities across multiple languages (JavaScript, Python, Java, PHP, C#, Go) and frameworks. Covers parameterized queries, ORM security, dynamic query construction, and stored procedure vulnerabilities. |\n| `secrets-detection` | **🔑 Advanced secrets detection** - Scans for hardcoded API keys, database credentials, private keys, cloud provider secrets, third-party service keys, cryptographic material, and logging security issues. Features entropy analysis, context evaluation, false positive reduction, and multi-language support across configuration files. |\n| `code-review` | **🔍 Comprehensive code quality analysis** - Reviews naming conventions, code structure, architecture patterns, SOLID principles, performance optimization, error handling, input validation, testing quality, security best practices, documentation, and technical debt management. Includes language-specific conventions for JavaScript, Python, Java, C#. |\n| `refactor-suggestions` | **♻️ Code refactoring opportunities** - Detects code smells like long methods, duplicate code, poor naming, and suggests refactoring techniques. Includes extended codebase analysis capabilities to find patterns across multiple files. |\n| `duplication-check` | **📋 Code duplication detection** - Identifies duplicated code patterns and suggests opportunities to reuse existing implementations across the codebase. |\n\n## Output\n\nThe action posts structured results to the GitHub PR as comments:\n\n```\n### 🤖 AutoAgent Results\n\n**Rule:** `owasp-check`\n```\nNo critical security issues detected.\n```\n\n**Rule:** `code-review`\n```\nFound 2 potential improvements in the authentication logic.\n```\n\n**Rule:** `custom`\n```\nDatabase queries look optimized. 
Consider adding indexes for the new columns.\n```\n\n---\n*Generated by [AutoAgent](https://github.com/erans/autoagent) v1.0*\n```\n\n## Requirements\n\n- GitHub CLI (`gh`) must be available in the runner environment\n- For YAML parsing: `yq` (optional, falls back to `jq`)\n- For JSON parsing: `jq`\n- **Node.js** - Required for installing npm-based agents (Claude, Gemini, Codex)\n- **API Key** - Required for your chosen agent (see Environment Variables section)\n- **Git History** - Use `fetch-depth: 0` in checkout action for proper changed file detection\n\n## Environment Variables\n\n### Required (based on agent):\n\n- **`CURSOR_API_KEY`** - Required for Cursor CLI authentication\n- **`ANTHROPIC_API_KEY`** - Required for Claude Code authentication\n- **`GOOGLE_API_KEY`** - Required for Gemini CLI authentication\n- **`OPENAI_API_KEY`** - Required for Codex CLI authentication\n- **`AMP_API_KEY`** - Required for Amp Code authentication\n\n### OpenCode Multi-Provider Support:\n\nOpenCode supports multiple AI providers. Set the appropriate API key(s) based on the model you want to use:\n\n- **`ANTHROPIC_API_KEY`** - For Anthropic Claude models (`anthropic/claude-sonnet-4-20250514`)\n- **`OPENAI_API_KEY`** - For OpenAI models (`openai/gpt-4`, `openai/o1`)\n- **`GOOGLE_API_KEY`** - For Google Gemini models (`google/gemini-pro`)\n- **`GROQ_API_KEY`** - For Groq models (`groq/llama-3-70b`)\n- **`COHERE_API_KEY`** - For Cohere models (`cohere/command-r`)\n- **`MISTRAL_API_KEY`** - For Mistral models (`mistral/large`)\n\n### Optional:\n\n- **`MODEL`** - Optional AI model to use. 
Defaults vary by agent:\n  - Cursor: `gpt-5`\n  - Claude: `claude-sonnet-4-20250514` (also supports `claude-opus-4-1-20250805`, `claude-3-5-haiku-20241022`)\n  - Gemini: `pro` (also supports `flash`)\n  - Codex: `gpt-5` (also supports `o3`, `o1`)\n  - Amp: `sonnet-4` (also supports `gpt-5`)\n  - OpenCode: `anthropic/claude-sonnet-4-20250514` (supports 75+ models across providers)\n\n## Permissions\n\nThe action requires the following GitHub token permissions:\n\n```yaml\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n```\n\nAdd this to your workflow file to ensure the action can post comments to pull requests.\n\n## Setup\n\n### 1. Add API Key Based on Your Agent\n\nThe action requires an API key environment variable to be set as a repository secret based on the agent you choose:\n\n#### For Cursor Agent:\n\n1. **Get your Cursor API key**:\n   - Open Cursor IDE\n   - Go to Settings (Cmd/Ctrl + ,)\n   - Navigate to **General** → **Account**\n   - Copy your API key from the account section\n\n2. **Add the secret**: Add `CURSOR_API_KEY` as a repository secret\n\n#### For Claude Code:\n\n1. **Get your Anthropic API key**:\n   - Go to [Anthropic Console](https://console.anthropic.com/)\n   - Navigate to **API Keys**\n   - Create a new API key or copy an existing one\n\n2. **Add the secret**: Add `ANTHROPIC_API_KEY` as a repository secret\n\n#### For Gemini CLI:\n\n1. **Get your Google API key**:\n   - Go to [Google AI Studio](https://aistudio.google.com/app/apikey)\n   - Create a new API key or use an existing one\n   - Alternatively, authenticate with Google login (free tier: 60 requests/minute)\n\n2. **Add the secret**: Add `GOOGLE_API_KEY` as a repository secret\n\n#### For Codex CLI:\n\n1. **Get your OpenAI API key**:\n   - Go to [OpenAI Platform](https://platform.openai.com/api-keys)\n   - Create a new API key or use an existing one\n   - Alternatively, sign in with your ChatGPT account (Plus, Pro, Team, Edu, or Enterprise)\n\n2. 
**Add the secret**: Add `OPENAI_API_KEY` as a repository secret\n\n#### For Amp Code:\n\n1. **Get your Amp API key**:\n   - Go to [Amp Code](https://ampcode.com/)\n   - Sign up or log in to your account\n   - Run `amp login` in your terminal to authenticate\n   - Your API key will be stored locally and can be found in the credentials file\n\n2. **Add the secret**: Add `AMP_API_KEY` as a repository secret\n\n#### For OpenCode:\n\nOpenCode supports multiple AI providers, so you can set up one or more API keys based on which models you want to use:\n\n1. **For Anthropic Claude models** (recommended):\n   - Go to [Anthropic Console](https://console.anthropic.com/)\n   - Navigate to **API Keys**\n   - Create a new API key or copy an existing one\n   - Add `ANTHROPIC_API_KEY` as a repository secret\n\n2. **For OpenAI models**:\n   - Go to [OpenAI Platform](https://platform.openai.com/api-keys)\n   - Create a new API key or use an existing one\n   - Add `OPENAI_API_KEY` as a repository secret\n\n3. **For Google Gemini models**:\n   - Go to [Google AI Studio](https://aistudio.google.com/app/apikey)\n   - Create a new API key or use an existing one\n   - Add `GOOGLE_API_KEY` as a repository secret\n\n4. **For other providers** (optional):\n   - **Groq**: Get API key from [Groq Console](https://console.groq.com/) → Add `GROQ_API_KEY`\n   - **Cohere**: Get API key from [Cohere Dashboard](https://dashboard.cohere.ai/) → Add `COHERE_API_KEY`\n   - **Mistral**: Get API key from [Mistral Platform](https://console.mistral.ai/) → Add `MISTRAL_API_KEY`\n\n5. 
**Set the model**: Use the `MODEL` environment variable to specify which provider/model to use:\n   - `anthropic/claude-sonnet-4-20250514` (default)\n   - `openai/gpt-4`\n   - `google/gemini-pro`\n   - `groq/llama-3-70b`\n   - And many more...\n\n#### Steps to add any secret to your repository:\n- Go to your GitHub repository\n- Click **Settings** (in the repository toolbar)\n- In the left sidebar, click **Secrets and variables** → **Actions**\n- Click **New repository secret**\n- Name: Use the appropriate key name for your agent\n- Value: Paste your API key\n- Click **Add secret**\n\n**Important**: The API key must be added as a repository secret, not as an environment variable in the workflow file directly.\n\n### 2. Add Workflow Permissions\n\nAdd the permissions block to your workflow file (see Permissions section above).\n\n## Error Handling\n\nThe action will fail gracefully with descriptive error messages for:\n- Missing rule files\n- Agent installation failures\n- Invalid input formats\n- Missing required tools\n\n## License\n\nMIT License - see LICENSE file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferans%2Fautoagent-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ferans%2Fautoagent-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferans%2Fautoagent-action/lists"}