{"id":49728299,"url":"https://github.com/trustedoss/ai-coding-best-practice","last_synced_at":"2026-05-09T05:17:47.902Z","repository":{"id":353725461,"uuid":"1220647297","full_name":"trustedoss/ai-coding-best-practice","owner":"trustedoss","description":null,"archived":false,"fork":false,"pushed_at":"2026-04-25T07:30:13.000Z","size":46,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-25T09:13:58.943Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trustedoss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-25T06:29:03.000Z","updated_at":"2026-04-25T07:30:17.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/trustedoss/ai-coding-best-practice","commit_stats":null,"previous_names":["trustedoss/ai-coding-best-practice"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/trustedoss/ai-coding-best-practice","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedoss%2Fai-coding-best-practice","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedoss%2Fai-coding-best-practice/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedoss%2Fai-coding-best-practice/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedoss%2Fai-coding-best-practice/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trustedoss","download_url":"https://codeload.github.com/trustedoss/ai-coding-best-practice/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedoss%2Fai-coding-best-practice/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32808034,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-08T08:22:46.396Z","status":"online","status_checked_at":"2026-05-09T02:00:06.633Z","response_time":123,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-09T05:17:47.671Z","updated_at":"2026-05-09T05:17:47.894Z","avatar_url":"https://github.com/trustedoss.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"[🇰🇷 한국어](#한국어) | [🇺🇸 English](#english)\n\n---\n\n\u003ca id=\"한국어\"\u003e\u003c/a\u003e\n\n# AI 코딩 Best Practice\n\n[![Secret Detection](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/secret-detection.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/secret-detection.yml)\n[![SAST](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/sast.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/sast.yml)\n[![CodeQL](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/codeql.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/codeql.yml)\n[![OSS Policy](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/oss-policy.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/oss-policy.yml)\n[![IaC Security](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/iac-security.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/iac-security.yml)\n[![Container Security](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/container-security.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/container-security.yml)\n[![DAST](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/dast.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/dast.yml)\n[![AI Fuzzing](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/ai-fuzzing.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/ai-fuzzing.yml)\n\n[Trusted OSS — AI 코딩 5단계 전략](https://trustedoss.github.io/ai-coding/strategy)을 모두 구현한 참조 저장소입니다.\nfork해서 즉시 사용하거나, 설정 파일을 복사해 기존 프로젝트에 적용할 수 있습니다.\n\n---\n\n## 단계별 구현 현황\n\n| 단계 | 내용 | 구현 파일 |\n|------|------|-----------|\n| 1단계 | 프롬프트 의존 | — (도구 불필요) |\n| 2단계 | AI 규칙 내재화 | `CLAUDE.md`, `.cursorrules` |\n| 3단계 | CI/CD 자동 차단 | `.github/workflows/` (전통 도구 6개) |\n| 4단계 | AI 방어 레이어 | `ai-review.yml` (findings-driven), `ai-fuzzing.yml` |\n| 5단계 | 지속적 모니터링·자동 교정 | `dependabot.yml`, `renovate.json`, `dast.yml` |\n\n---\n\n## 3단계 CI/CD 구성\n\n| 워크플로우 | 도구 | 역할 | PR | Push/Main |\n|------------|------|------|----|-----------|\n| `secret-detection.yml` | Gitleaks | API 키·토큰 하드코딩 탐지 | ✅ | ✅ |\n| `sast.yml` | Semgrep | SQL 인젝션·취약 패턴 탐지 | ✅ | — |\n| `codeql.yml` | CodeQL | 심층 정적 분석 (주 1회 포함) | ✅ | ✅ |\n| `oss-policy.yml` | syft + grype | CVE 스캔 + 라이선스 검사 | ✅ | — |\n| `iac-security.yml` | Checkov | Dockerfile·K8s 보안 설정 검사 | ✅ | — |\n| `container-security.yml` | Trivy | Docker 이미지 취약점 스캔 | ✅ | ✅ |\n\n## 4단계 AI 방어 레이어\n\n| 워크플로우 | 도구 | 역할 | 실행 조건 |\n|-----------|------|------|-----------|\n| `ai-review.yml` | Claude API | Semgrep·grype findings → AI 검증·해석 → PR 코멘트 | PR (ANTHROPIC_API_KEY 등록 시 자동 활성화) |\n| `ai-fuzzing.yml` | Claude + requests | AI 생성 엣지케이스로 5xx 탐지 | Push to main · 주 1회 |\n\n## 5단계 지속적 모니터링·자동 교정\n\n| 워크플로우 / 설정 | 도구 | 역할 | 실행 주기 |\n|------------------|------|------|-----------|\n| `dependabot.yml` | Dependabot | 의존성 업데이트 PR 자동 생성 | 주 1회 |\n| `renovate.json` | Renovate | Critical 패치 자동 병합 | 즉시·주 1회 |\n| `dast.yml` | OWASP ZAP | 배포 후 동적 취약점 스캔 (Soft fail) | Push to main |\n\n---\n\n## 빠른 시작\n\n### 1. Fork\n\nGitHub에서 이 저장소를 fork한 뒤 클론합니다.\n\n```bash\ngit clone https://github.com/YOUR-ORG/ai-coding-best-practice.git\ncd ai-coding-best-practice\n```\n\n### 2. PR을 열어 파이프라인 확인\n\n```bash\ngit checkout -b test/pipeline-check\necho \"# test\" \u003e\u003e README.md\ngit commit -am \"test: pipeline check\"\ngit push origin test/pipeline-check\n```\n\nGitHub에서 PR을 생성하면 3단계 워크플로우 6개가 자동 실행됩니다.\n\n### 3. GitHub Secrets 등록\n\n| Secret 이름 | 용도 | 필수 여부 |\n|-------------|------|-----------|\n| `ANTHROPIC_API_KEY` | 4단계 AI 리뷰 (`ai-review.yml`), AI 퍼징 (`ai-fuzzing.yml`) | 선택 |\n\n`ANTHROPIC_API_KEY`를 등록하면 4단계 AI 방어 레이어가 자동으로 활성화됩니다.\n별도 설정 변경 없이 다음 PR부터 findings-driven AI 리뷰가 동작합니다.\n\n---\n\n## 커스터마이징\n\n| 파일 | 수정 포인트 |\n|------|------------|\n| `CLAUDE.md` | 팀 라이선스 정책, 금지 패키지 목록 |\n| `.cursorrules` | 도구별 규칙 조정 |\n| `.grype.yaml` | 취약점 임계값 (`high` ↔ `critical`) |\n| `.gitleaks.toml` | 조직 내부 패턴 예외 처리 추가 |\n| `.semgrep.yml` | 언어·프레임워크별 룰셋 추가 |\n| `renovate.json` | 자동 병합 범위, 업데이트 주기 |\n| `dast.yml` | 안정화 후 `fail_action: true` 로 변경해 Hard fail 전환 |\n\n---\n\n## 관련 가이드\n\n- [AI 코딩 5단계 전략](https://trustedoss.github.io/ai-coding/strategy)\n- [30분 완성 Quick CI/CD](https://trustedoss.github.io/ai-coding/cicd-quick)\n- [AI 보안 코드 리뷰](https://trustedoss.github.io/ai-coding/ai-security-review)\n- [DevSecOps — 전사 파이프라인 설계](https://trustedoss.github.io/devsecops/pipeline-design)\n\n---\n\n\u003ca id=\"english\"\u003e\u003c/a\u003e\n\n# AI Coding Best Practice\n\n[![Secret Detection](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/secret-detection.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/secret-detection.yml)\n[![SAST](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/sast.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/sast.yml)\n[![CodeQL](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/codeql.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/codeql.yml)\n[![OSS Policy](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/oss-policy.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/oss-policy.yml)\n[![IaC Security](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/iac-security.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/iac-security.yml)\n[![Container Security](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/container-security.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/container-security.yml)\n[![DAST](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/dast.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/dast.yml)\n[![AI Fuzzing](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/ai-fuzzing.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/ai-fuzzing.yml)\n\nA reference repository implementing all 5 stages of the [Trusted OSS — AI Coding Strategy](https://trustedoss.github.io/ai-coding/strategy).\nFork it for immediate use, or copy individual config files into your existing project.\n\n---\n\n## Implementation Status by Stage\n\n| Stage | Description | Implementation Files |\n|-------|-------------|----------------------|\n| Stage 1 | Prompt-only | — (no tools needed) |\n| Stage 2 | AI rule internalization | `CLAUDE.md`, `.cursorrules` |\n| Stage 3 | CI/CD auto-blocking | `.github/workflows/` (6 traditional tools) |\n| Stage 4 | AI defense layer | `ai-review.yml` (findings-driven), `ai-fuzzing.yml` |\n| Stage 5 | Continuous monitoring \u0026 auto-remediation | `dependabot.yml`, `renovate.json`, `dast.yml` |\n\n---\n\n## Stage 3: CI/CD Configuration\n\n| Workflow | Tool | Role | PR | Push/Main |\n|----------|------|------|----|-----------|\n| `secret-detection.yml` | Gitleaks | Detect hardcoded API keys \u0026 tokens | ✅ | ✅ |\n| `sast.yml` | Semgrep | Detect SQL injection \u0026 vulnerable patterns | ✅ | — |\n| `codeql.yml` | CodeQL | Deep static analysis (includes weekly scan) | ✅ | ✅ |\n| `oss-policy.yml` | syft + grype | CVE scan + license check | ✅ | — |\n| `iac-security.yml` | Checkov | Dockerfile \u0026 K8s security config check | ✅ | — |\n| `container-security.yml` | Trivy | Docker image vulnerability scan | ✅ | ✅ |\n\n## Stage 4: AI Defense Layer\n\n| Workflow | Tool | Role | Trigger |\n|----------|------|------|---------|\n| `ai-review.yml` | Claude API | Semgrep/grype findings → AI validation \u0026 interpretation → PR comment | PR (auto-activates when `ANTHROPIC_API_KEY` is set) |\n| `ai-fuzzing.yml` | Claude + requests | AI-generated edge cases to detect 5xx errors | Push to main · weekly |\n\n## Stage 5: Continuous Monitoring \u0026 Auto-Remediation\n\n| Workflow / Config | Tool | Role | Schedule |\n|-------------------|------|------|----------|\n| `dependabot.yml` | Dependabot | Auto-generate dependency update PRs | Weekly |\n| `renovate.json` | Renovate | Auto-merge critical patches | Immediately · weekly |\n| `dast.yml` | OWASP ZAP | Dynamic vulnerability scan after deployment (soft fail) | Push to main |\n\n---\n\n## Quick Start\n\n### 1. Fork\n\nFork this repository on GitHub, then clone it.\n\n```bash\ngit clone https://github.com/YOUR-ORG/ai-coding-best-practice.git\ncd ai-coding-best-practice\n```\n\n### 2. Open a PR to verify the pipeline\n\n```bash\ngit checkout -b test/pipeline-check\necho \"# test\" \u003e\u003e README.md\ngit commit -am \"test: pipeline check\"\ngit push origin test/pipeline-check\n```\n\nOpening a PR on GitHub will automatically trigger all 6 Stage 3 workflows.\n\n### 3. Register GitHub Secrets\n\n| Secret Name | Purpose | Required |\n|-------------|---------|----------|\n| `ANTHROPIC_API_KEY` | Stage 4 AI review (`ai-review.yml`), AI fuzzing (`ai-fuzzing.yml`) | Optional |\n\nOnce `ANTHROPIC_API_KEY` is registered, the Stage 4 AI defense layer activates automatically.\nNo additional configuration needed — findings-driven AI review starts on the next PR.\n\n---\n\n## Customization\n\n| File | What to Modify |\n|------|----------------|\n| `CLAUDE.md` | Team license policy, prohibited package list |\n| `.cursorrules` | Per-tool rule adjustments |\n| `.grype.yaml` | Vulnerability threshold (`high` ↔ `critical`) |\n| `.gitleaks.toml` | Add organization-internal pattern exceptions |\n| `.semgrep.yml` | Add language/framework-specific rulesets |\n| `renovate.json` | Auto-merge scope, update schedule |\n| `dast.yml` | Switch to hard fail by changing `fail_action: true` after stabilization |\n\n---\n\n## Related Guides\n\n- [AI Coding 5-Stage Strategy](https://trustedoss.github.io/en/ai-coding/strategy)\n- [30-Minute Quick CI/CD](https://trustedoss.github.io/en/ai-coding/cicd-quick)\n- [AI Security Code Review](https://trustedoss.github.io/en/ai-coding/ai-security-review)\n- [DevSecOps — Enterprise Pipeline Design](https://trustedoss.github.io/en/devsecops/pipeline-design)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedoss%2Fai-coding-best-practice","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrustedoss%2Fai-coding-best-practice","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedoss%2Fai-coding-best-practice/lists"}