https://github.com/trustedoss/ai-coding-best-practice
https://github.com/trustedoss/ai-coding-best-practice
Last synced: 2 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/trustedoss/ai-coding-best-practice
- Owner: trustedoss
- Created: 2026-04-25T06:29:03.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-04-25T07:30:13.000Z (3 months ago)
- Last Synced: 2026-04-25T09:13:58.943Z (3 months ago)
- Language: Python
- Size: 44.9 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
[๐ฐ๐ท ํ๊ตญ์ด](#ํ๊ตญ์ด) | [๐บ๐ธ English](#english)
---
# AI ์ฝ๋ฉ Best Practice
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/secret-detection.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/sast.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/codeql.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/oss-policy.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/iac-security.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/container-security.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/dast.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/ai-fuzzing.yml)
[Trusted OSS โ AI ์ฝ๋ฉ 5๋จ๊ณ ์ ๋ต](https://trustedoss.github.io/ai-coding/strategy)์ ๋ชจ๋ ๊ตฌํํ ์ฐธ์กฐ ์ ์ฅ์์
๋๋ค.
forkํด์ ์ฆ์ ์ฌ์ฉํ๊ฑฐ๋, ์ค์ ํ์ผ์ ๋ณต์ฌํด ๊ธฐ์กด ํ๋ก์ ํธ์ ์ ์ฉํ ์ ์์ต๋๋ค.
---
## ๋จ๊ณ๋ณ ๊ตฌํ ํํฉ
| ๋จ๊ณ | ๋ด์ฉ | ๊ตฌํ ํ์ผ |
|------|------|-----------|
| 1๋จ๊ณ | ํ๋กฌํํธ ์์กด | โ (๋๊ตฌ ๋ถํ์) |
| 2๋จ๊ณ | AI ๊ท์น ๋ด์ฌํ | `CLAUDE.md`, `.cursorrules` |
| 3๋จ๊ณ | CI/CD ์๋ ์ฐจ๋จ | `.github/workflows/` (์ ํต ๋๊ตฌ 6๊ฐ) |
| 4๋จ๊ณ | AI ๋ฐฉ์ด ๋ ์ด์ด | `ai-review.yml` (findings-driven), `ai-fuzzing.yml` |
| 5๋จ๊ณ | ์ง์์ ๋ชจ๋ํฐ๋งยท์๋ ๊ต์ | `dependabot.yml`, `renovate.json`, `dast.yml` |
---
## 3๋จ๊ณ CI/CD ๊ตฌ์ฑ
| ์ํฌํ๋ก์ฐ | ๋๊ตฌ | ์ญํ | PR | Push/Main |
|------------|------|------|----|-----------|
| `secret-detection.yml` | Gitleaks | API ํคยทํ ํฐ ํ๋์ฝ๋ฉ ํ์ง | โ
| โ
|
| `sast.yml` | Semgrep | SQL ์ธ์ ์
ยท์ทจ์ฝ ํจํด ํ์ง | โ
| โ |
| `codeql.yml` | CodeQL | ์ฌ์ธต ์ ์ ๋ถ์ (์ฃผ 1ํ ํฌํจ) | โ
| โ
|
| `oss-policy.yml` | syft + grype | CVE ์ค์บ + ๋ผ์ด์ ์ค ๊ฒ์ฌ | โ
| โ |
| `iac-security.yml` | Checkov | DockerfileยทK8s ๋ณด์ ์ค์ ๊ฒ์ฌ | โ
| โ |
| `container-security.yml` | Trivy | Docker ์ด๋ฏธ์ง ์ทจ์ฝ์ ์ค์บ | โ
| โ
|
## 4๋จ๊ณ AI ๋ฐฉ์ด ๋ ์ด์ด
| ์ํฌํ๋ก์ฐ | ๋๊ตฌ | ์ญํ | ์คํ ์กฐ๊ฑด |
|-----------|------|------|-----------|
| `ai-review.yml` | Claude API | Semgrepยทgrype findings โ AI ๊ฒ์ฆยทํด์ โ PR ์ฝ๋ฉํธ | PR (ANTHROPIC_API_KEY ๋ฑ๋ก ์ ์๋ ํ์ฑํ) |
| `ai-fuzzing.yml` | Claude + requests | AI ์์ฑ ์ฃ์ง์ผ์ด์ค๋ก 5xx ํ์ง | Push to main ยท ์ฃผ 1ํ |
## 5๋จ๊ณ ์ง์์ ๋ชจ๋ํฐ๋งยท์๋ ๊ต์
| ์ํฌํ๋ก์ฐ / ์ค์ | ๋๊ตฌ | ์ญํ | ์คํ ์ฃผ๊ธฐ |
|------------------|------|------|-----------|
| `dependabot.yml` | Dependabot | ์์กด์ฑ ์
๋ฐ์ดํธ PR ์๋ ์์ฑ | ์ฃผ 1ํ |
| `renovate.json` | Renovate | Critical ํจ์น ์๋ ๋ณํฉ | ์ฆ์ยท์ฃผ 1ํ |
| `dast.yml` | OWASP ZAP | ๋ฐฐํฌ ํ ๋์ ์ทจ์ฝ์ ์ค์บ (Soft fail) | Push to main |
---
## ๋น ๋ฅธ ์์
### 1. Fork
GitHub์์ ์ด ์ ์ฅ์๋ฅผ forkํ ๋ค ํด๋ก ํฉ๋๋ค.
```bash
git clone https://github.com/YOUR-ORG/ai-coding-best-practice.git
cd ai-coding-best-practice
```
### 2. PR์ ์ด์ด ํ์ดํ๋ผ์ธ ํ์ธ
```bash
git checkout -b test/pipeline-check
echo "# test" >> README.md
git commit -am "test: pipeline check"
git push origin test/pipeline-check
```
GitHub์์ PR์ ์์ฑํ๋ฉด 3๋จ๊ณ ์ํฌํ๋ก์ฐ 6๊ฐ๊ฐ ์๋ ์คํ๋ฉ๋๋ค.
### 3. GitHub Secrets ๋ฑ๋ก
| Secret ์ด๋ฆ | ์ฉ๋ | ํ์ ์ฌ๋ถ |
|-------------|------|-----------|
| `ANTHROPIC_API_KEY` | 4๋จ๊ณ AI ๋ฆฌ๋ทฐ (`ai-review.yml`), AI ํผ์ง (`ai-fuzzing.yml`) | ์ ํ |
`ANTHROPIC_API_KEY`๋ฅผ ๋ฑ๋กํ๋ฉด 4๋จ๊ณ AI ๋ฐฉ์ด ๋ ์ด์ด๊ฐ ์๋์ผ๋ก ํ์ฑํ๋ฉ๋๋ค.
๋ณ๋ ์ค์ ๋ณ๊ฒฝ ์์ด ๋ค์ PR๋ถํฐ findings-driven AI ๋ฆฌ๋ทฐ๊ฐ ๋์ํฉ๋๋ค.
---
## ์ปค์คํฐ๋ง์ด์ง
| ํ์ผ | ์์ ํฌ์ธํธ |
|------|------------|
| `CLAUDE.md` | ํ ๋ผ์ด์ ์ค ์ ์ฑ
, ๊ธ์ง ํจํค์ง ๋ชฉ๋ก |
| `.cursorrules` | ๋๊ตฌ๋ณ ๊ท์น ์กฐ์ |
| `.grype.yaml` | ์ทจ์ฝ์ ์๊ณ๊ฐ (`high` โ `critical`) |
| `.gitleaks.toml` | ์กฐ์ง ๋ด๋ถ ํจํด ์์ธ ์ฒ๋ฆฌ ์ถ๊ฐ |
| `.semgrep.yml` | ์ธ์ดยทํ๋ ์์ํฌ๋ณ ๋ฃฐ์
์ถ๊ฐ |
| `renovate.json` | ์๋ ๋ณํฉ ๋ฒ์, ์
๋ฐ์ดํธ ์ฃผ๊ธฐ |
| `dast.yml` | ์์ ํ ํ `fail_action: true` ๋ก ๋ณ๊ฒฝํด Hard fail ์ ํ |
---
## ๊ด๋ จ ๊ฐ์ด๋
- [AI ์ฝ๋ฉ 5๋จ๊ณ ์ ๋ต](https://trustedoss.github.io/ai-coding/strategy)
- [30๋ถ ์์ฑ Quick CI/CD](https://trustedoss.github.io/ai-coding/cicd-quick)
- [AI ๋ณด์ ์ฝ๋ ๋ฆฌ๋ทฐ](https://trustedoss.github.io/ai-coding/ai-security-review)
- [DevSecOps โ ์ ์ฌ ํ์ดํ๋ผ์ธ ์ค๊ณ](https://trustedoss.github.io/devsecops/pipeline-design)
---
# AI Coding Best Practice
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/secret-detection.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/sast.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/codeql.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/oss-policy.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/iac-security.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/container-security.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/dast.yml)
[](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/ai-fuzzing.yml)
A reference repository implementing all 5 stages of the [Trusted OSS โ AI Coding Strategy](https://trustedoss.github.io/ai-coding/strategy).
Fork it for immediate use, or copy individual config files into your existing project.
---
## Implementation Status by Stage
| Stage | Description | Implementation Files |
|-------|-------------|----------------------|
| Stage 1 | Prompt-only | โ (no tools needed) |
| Stage 2 | AI rule internalization | `CLAUDE.md`, `.cursorrules` |
| Stage 3 | CI/CD auto-blocking | `.github/workflows/` (6 traditional tools) |
| Stage 4 | AI defense layer | `ai-review.yml` (findings-driven), `ai-fuzzing.yml` |
| Stage 5 | Continuous monitoring & auto-remediation | `dependabot.yml`, `renovate.json`, `dast.yml` |
---
## Stage 3: CI/CD Configuration
| Workflow | Tool | Role | PR | Push/Main |
|----------|------|------|----|-----------|
| `secret-detection.yml` | Gitleaks | Detect hardcoded API keys & tokens | โ
| โ
|
| `sast.yml` | Semgrep | Detect SQL injection & vulnerable patterns | โ
| โ |
| `codeql.yml` | CodeQL | Deep static analysis (includes weekly scan) | โ
| โ
|
| `oss-policy.yml` | syft + grype | CVE scan + license check | โ
| โ |
| `iac-security.yml` | Checkov | Dockerfile & K8s security config check | โ
| โ |
| `container-security.yml` | Trivy | Docker image vulnerability scan | โ
| โ
|
## Stage 4: AI Defense Layer
| Workflow | Tool | Role | Trigger |
|----------|------|------|---------|
| `ai-review.yml` | Claude API | Semgrep/grype findings โ AI validation & interpretation โ PR comment | PR (auto-activates when `ANTHROPIC_API_KEY` is set) |
| `ai-fuzzing.yml` | Claude + requests | AI-generated edge cases to detect 5xx errors | Push to main ยท weekly |
## Stage 5: Continuous Monitoring & Auto-Remediation
| Workflow / Config | Tool | Role | Schedule |
|-------------------|------|------|----------|
| `dependabot.yml` | Dependabot | Auto-generate dependency update PRs | Weekly |
| `renovate.json` | Renovate | Auto-merge critical patches | Immediately ยท weekly |
| `dast.yml` | OWASP ZAP | Dynamic vulnerability scan after deployment (soft fail) | Push to main |
---
## Quick Start
### 1. Fork
Fork this repository on GitHub, then clone it.
```bash
git clone https://github.com/YOUR-ORG/ai-coding-best-practice.git
cd ai-coding-best-practice
```
### 2. Open a PR to verify the pipeline
```bash
git checkout -b test/pipeline-check
echo "# test" >> README.md
git commit -am "test: pipeline check"
git push origin test/pipeline-check
```
Opening a PR on GitHub will automatically trigger all 6 Stage 3 workflows.
### 3. Register GitHub Secrets
| Secret Name | Purpose | Required |
|-------------|---------|----------|
| `ANTHROPIC_API_KEY` | Stage 4 AI review (`ai-review.yml`), AI fuzzing (`ai-fuzzing.yml`) | Optional |
Once `ANTHROPIC_API_KEY` is registered, the Stage 4 AI defense layer activates automatically.
No additional configuration needed โ findings-driven AI review starts on the next PR.
---
## Customization
| File | What to Modify |
|------|----------------|
| `CLAUDE.md` | Team license policy, prohibited package list |
| `.cursorrules` | Per-tool rule adjustments |
| `.grype.yaml` | Vulnerability threshold (`high` โ `critical`) |
| `.gitleaks.toml` | Add organization-internal pattern exceptions |
| `.semgrep.yml` | Add language/framework-specific rulesets |
| `renovate.json` | Auto-merge scope, update schedule |
| `dast.yml` | Switch to hard fail by changing `fail_action: true` after stabilization |
---
## Related Guides
- [AI Coding 5-Stage Strategy](https://trustedoss.github.io/en/ai-coding/strategy)
- [30-Minute Quick CI/CD](https://trustedoss.github.io/en/ai-coding/cicd-quick)
- [AI Security Code Review](https://trustedoss.github.io/en/ai-coding/ai-security-review)
- [DevSecOps โ Enterprise Pipeline Design](https://trustedoss.github.io/en/devsecops/pipeline-design)