{"id":49401724,"url":"https://github.com/superagent-ai/brin-github","last_synced_at":"2026-04-28T18:41:08.484Z","repository":{"id":349720579,"uuid":"1200196548","full_name":"superagent-ai/brin-github","owner":"superagent-ai","description":"A GitHub App that automatically scans pull requests for security threats and evaluates contributor trust profiles","archived":false,"fork":false,"pushed_at":"2026-04-15T06:32:20.000Z","size":63,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-15T08:25:25.357Z","etag":null,"topics":["agents","contributor-security","llm-security","prompt-injection","security"],"latest_commit_sha":null,"homepage":"https://brin.sh","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/superagent-ai.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-03T06:19:55.000Z","updated_at":"2026-04-15T06:32:24.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/superagent-ai/brin-github","commit_stats":null,"previous_names":["superagent-ai/brin-github"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/superagent-ai/brin-github","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/superagent-ai%2Fbrin-github","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/superagent-ai%2Fbrin-github/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/superagent-ai%2Fbrin-github/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/superagent-ai%2Fbrin-github/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/superagent-ai","download_url":"https://codeload.github.com/superagent-ai/brin-github/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/superagent-ai%2Fbrin-github/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32394477,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-28T14:34:11.604Z","status":"ssl_error","status_checked_at":"2026-04-28T14:32:37.009Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agents","contributor-security","llm-security","prompt-injection","security"],"created_at":"2026-04-28T18:41:04.786Z","updated_at":"2026-04-28T18:41:08.478Z","avatar_url":"https://github.com/superagent-ai.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Brin GitHub App\n\nA GitHub App that automatically scans pull requests for security threats and evaluates contributor trust profiles using the [Brin](https://brin.sh) API.\n\n## What it does\n\nWhen installed on a repository, the app reacts to pull request events and runs two parallel checks:\n\n**PR Security Scan** -- Analyzes the PR diff for security threats (credential leaks, obfuscated payloads, dependency attacks, etc.) and reports a score from 0-100 with a verdict.\n\n**Contributor Trust Check** -- Evaluates the PR author's GitHub profile across identity, behavior, content, and social graph dimensions to flag accounts that warrant additional review.\n\nResults are surfaced as:\n\n- **Check runs** on the PR commit (pass/fail/neutral) that integrate with branch protection rules\n- **PR comments** with detailed findings and dimension breakdowns\n- **Labels** (`pr:verified`, `pr:flagged`, `contributor:verified`, `contributor:flagged`)\n\n### Verdict flow\n\n\n| Verdict                | Check run | Label                                  | Comment | Blocks merge |\n| ---------------------- | --------- | -------------------------------------- | ------- | ------------ |\n| clean / safe           | success   | `pr:verified` / `contributor:verified` | removed | no           |\n| suspicious / caution   | neutral   | `pr:flagged` / `contributor:flagged`   | posted  | no           |\n| dangerous / score \u003c 30 | failure   | `pr:flagged` / `contributor:flagged`   | posted  | yes          |\n| pending deep scan      | neutral   | --                                     | --      | no           |\n\n\n## Setup\n\n### 1. Register a GitHub App\n\nCreate a new GitHub App at `https://github.com/settings/apps/new` with these settings:\n\n**Permissions:**\n\n- Checks: Read \u0026 Write\n- Pull requests: Read \u0026 Write\n- Issues: Read \u0026 Write (for PR comments)\n- Contents: Read (for `.github/brin.yml` config)\n- Metadata: Read\n\n**Webhook events:**\n\n- Pull request\n- Check run\n- Check suite\n- Installation\n\nSet the webhook URL to `https://\u003cyour-host\u003e/api/github/webhook`.\n\n### 2. Configure environment\n\nCopy `.env.example` to `.env` and fill in:\n\n```\nAPP_ID=\u003cyour GitHub App ID\u003e\nPRIVATE_KEY=\u003ccontents of your .pem file, with literal \\n for newlines\u003e\nWEBHOOK_SECRET=\u003cthe secret you set when creating the app\u003e\n```\n\n### 3. Install dependencies and run\n\n```bash\nnpm install\nnpm run dev      # development with hot reload\nnpm run build    # compile TypeScript\nnpm start        # run compiled output\n```\n\nThe server starts on port 3000 by default (override with `PORT` env var).\n\n### 4. Install the app on repositories\n\nGo to your app's installation page and install it on the repositories you want to protect.\n\n## Repo configuration\n\nRepositories can optionally add a `.github/brin.yml` file to customize behavior:\n\n```yaml\nprScan:\n  enabled: true\n  blockBelowScore: 30\n  suspiciousVerdicts: [suspicious]\n  tolerance: conservative\n\ncontributorTrust:\n  enabled: true\n  safeVerdicts: [safe]\n  trustedAuthors: [dependabot[bot], renovate[bot]]\n\ncomments:\n  mode: detailed   # or \"minimal\"\n```\n\nAll fields are optional. Missing fields fall back to the defaults shown above.\n\n## Architecture\n\n```\nsrc/\n├── index.ts                    # Hono server, webhook route, health check\n├── app.ts                      # GitHub App instance (octokit)\n├── events/\n│   ├── index.ts                # Event handler registration\n│   ├── pullRequest.ts          # pull_request event handler\n│   ├── checkRun.ts             # check_run.rerequested handler\n│   └── installation.ts         # installation.created handler\n├── services/\n│   ├── prScan.ts               # PR scan orchestration\n│   ├── contributorTrust.ts     # Contributor trust orchestration\n│   ├── checkRuns.ts            # GitHub Check Runs API wrapper\n│   ├── comments.ts             # Marker-based comment management + rendering\n│   ├── labels.ts               # Label ensure/set logic\n│   └── config.ts               # .github/brin.yml loader\n└── lib/\n    ├── env.ts                  # Environment variable validation\n    ├── logger.ts               # Structured logging (pino)\n    ├── types.ts                # Shared types, constants, label/marker defs\n    ├── brinApi.ts              # Brin API HTTP client\n    └── policy.ts               # Verdict evaluation and threshold logic\n```\n\n## Re-running checks\n\nMaintainers can re-run any Brin check from the GitHub UI by clicking \"Re-run\" on the check run. The app handles `check_run.rerequested` events and re-executes the corresponding scan.\n\n## Development\n\n```bash\nnpm run dev          # start with tsx watch (hot reload)\nnpm run typecheck    # type-check without emitting\nnpm run build        # compile to dist/\n```\n\nFor local webhook testing, use a tunnel like [smee.io](https://smee.io) or [ngrok](https://ngrok.com) to forward GitHub webhooks to `localhost:3000/api/github/webhook`.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsuperagent-ai%2Fbrin-github","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsuperagent-ai%2Fbrin-github","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsuperagent-ai%2Fbrin-github/lists"}