https://github.com/mangobanaani/ai-scrummaster
AI-powered scrum master that automates GitHub project management
https://github.com/mangobanaani/ai-scrummaster
ai automation crewai devops devsecops fastapi github ollama project-management scrum
Last synced: 3 months ago
JSON representation
AI-powered scrum master that automates GitHub project management
- Host: GitHub
- URL: https://github.com/mangobanaani/ai-scrummaster
- Owner: mangobanaani
- License: mit
- Created: 2026-04-04T21:12:59.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-04-04T22:51:55.000Z (3 months ago)
- Last Synced: 2026-04-04T23:28:01.282Z (3 months ago)
- Topics: ai, automation, crewai, devops, devsecops, fastapi, github, ollama, project-management, scrum
- Language: Python
- Size: 50.8 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# AI Scrum Master
[](https://github.com/mangobanaani/ai-scrummaster/actions/workflows/ci.yml)
[](https://github.com/mangobanaani/ai-scrummaster/actions/workflows/release.yml)
[](https://github.com/mangobanaani/ai-scrummaster/releases)
[](https://www.python.org)
[](LICENSE)
An AI-powered scrum master that automates GitHub project management — triaging issues, decomposing stories into tickets, detecting duplicates, running security checks on pull requests, and maintaining project hygiene.
## What it does
- **Story decomposition** — submit a plain-text feature description and the crew breaks it down into epics, stories, and tasks, creates GitHub issues with labels, and links sub-issues automatically
- **Deduplication** — before creating tickets, existing open issues are checked for overlap (Jaccard similarity) so the same story can be submitted multiple times safely
- **Triage** — incoming GitHub webhook events are classified and routed to the appropriate handler
- **DevSecOps** — pull requests and issues are scanned for secrets (17 regex patterns), CVEs via the OSV API (with CVSS vector severity parsing), OWASP categories, and branch naming policy violations
- **Security scan** — on-demand repository scan fetches dependency manifests (requirements.txt, package.json, go.mod) and checks for known vulnerabilities
- **Maintenance** — detects stale issues, enforces WIP limits, and auto-closes abandoned issues based on configurable policy
- **Standup** — generates daily standup summaries from recent issue and PR activity
## Architecture
```
POST /stories → story decomposer agent → GitHub issues (with sub-issue linking)
POST /webhook → triage agent → dedup + devsecops + action agents
POST /scan → fetch dep files → CVE scan → findings summary
POST /maintenance → stale/WIP check → maintenance agent → nudge/close issues
POST /standup → recent activity → standup agent → summary issue
```
Agents are built with [CrewAI](https://github.com/crewai-ai/crewai) and run against a local [Ollama](https://ollama.com) instance. GitHub interactions use the REST API and an MCP server (SSE transport).
## Requirements
- Python 3.12+
- Docker and Docker Compose
- A GitHub personal access token with `repo` scope
- Ollama running `qwen2.5:27b` (production) or `qwen2.5:7b` (development)
## Setup
Copy `.env.example` to `.env` and fill in the values:
```
GITHUB_TOKEN=ghp_...
GITHUB_WEBHOOK_SECRET=your-webhook-secret
API_KEY=your-api-key
OLLAMA_BASE_URL=http://ollama:11434
OLLAMA_MODEL=qwen2.5:27b
MCP_SERVER_URL=http://github-mcp:3000
```
All three credential fields (`GITHUB_TOKEN`, `GITHUB_WEBHOOK_SECRET`, `API_KEY`) are required — the app will fail to start if any are missing.
Start the stack:
```bash
docker compose up -d
```
## Usage
### Decompose a story into tickets
```bash
curl -X POST http://localhost:8000/stories \
-H "Content-Type: application/json" \
-H "X-Api-Key: your-api-key" \
-d '{"repo":"owner/repo","story":"As a user I want to log in with email and password."}'
```
### Trigger a security scan
```bash
curl -X POST http://localhost:8000/scan \
-H "Content-Type: application/json" \
-H "X-Api-Key: your-api-key" \
-d '{"repo":"owner/repo"}'
```
### Run maintenance
```bash
curl -X POST http://localhost:8000/maintenance \
-H "Content-Type: application/json" \
-H "X-Api-Key: your-api-key" \
-d '{"repo":"owner/repo"}'
```
### Generate a standup summary
```bash
curl -X POST http://localhost:8000/standup \
-H "Content-Type: application/json" \
-H "X-Api-Key: your-api-key" \
-d '{"repo":"owner/repo","since_hours":24}'
```
The `since_hours` parameter accepts an integer between 1 and 720 (default: 24).
### GitHub webhook
Point your repository webhook at `POST /webhook` with `application/json` content type and the same secret as `GITHUB_WEBHOOK_SECRET`. Supported events: `issues`, `pull_request`, `push`.
## Policy configuration
Edit `policies/rules.yaml` to configure:
- **WIP limits** — per-label caps on open issues (e.g., feature: 5, bug: 10)
- **Stale thresholds** — days before nudge (default: 7) and auto-close (default: 30)
- **Branch naming** — regex pattern for allowed branch names
- **CVE policy** — severity levels that trigger automatic ticket creation
- **Dedup threshold** — confidence level for LLM-based duplicate detection
## Development
```bash
pip install -e ".[dev]"
pytest
```
## License
MIT