An open API service indexing awesome lists of open source software.

https://github.com/trustedoss/ai-coding-best-practice


https://github.com/trustedoss/ai-coding-best-practice

Last synced: 2 months ago
JSON representation

Awesome Lists containing this project

README

          

[๐Ÿ‡ฐ๐Ÿ‡ท ํ•œ๊ตญ์–ด](#ํ•œ๊ตญ์–ด) | [๐Ÿ‡บ๐Ÿ‡ธ English](#english)

---

# AI ์ฝ”๋”ฉ Best Practice

[![Secret Detection](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/secret-detection.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/secret-detection.yml)
[![SAST](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/sast.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/sast.yml)
[![CodeQL](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/codeql.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/codeql.yml)
[![OSS Policy](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/oss-policy.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/oss-policy.yml)
[![IaC Security](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/iac-security.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/iac-security.yml)
[![Container Security](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/container-security.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/container-security.yml)
[![DAST](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/dast.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/dast.yml)
[![AI Fuzzing](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/ai-fuzzing.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/ai-fuzzing.yml)

[Trusted OSS โ€” AI ์ฝ”๋”ฉ 5๋‹จ๊ณ„ ์ „๋žต](https://trustedoss.github.io/ai-coding/strategy)์„ ๋ชจ๋‘ ๊ตฌํ˜„ํ•œ ์ฐธ์กฐ ์ €์žฅ์†Œ์ž…๋‹ˆ๋‹ค.
forkํ•ด์„œ ์ฆ‰์‹œ ์‚ฌ์šฉํ•˜๊ฑฐ๋‚˜, ์„ค์ • ํŒŒ์ผ์„ ๋ณต์‚ฌํ•ด ๊ธฐ์กด ํ”„๋กœ์ ํŠธ์— ์ ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

---

## ๋‹จ๊ณ„๋ณ„ ๊ตฌํ˜„ ํ˜„ํ™ฉ

| ๋‹จ๊ณ„ | ๋‚ด์šฉ | ๊ตฌํ˜„ ํŒŒ์ผ |
|------|------|-----------|
| 1๋‹จ๊ณ„ | ํ”„๋กฌํ”„ํŠธ ์˜์กด | โ€” (๋„๊ตฌ ๋ถˆํ•„์š”) |
| 2๋‹จ๊ณ„ | AI ๊ทœ์น™ ๋‚ด์žฌํ™” | `CLAUDE.md`, `.cursorrules` |
| 3๋‹จ๊ณ„ | CI/CD ์ž๋™ ์ฐจ๋‹จ | `.github/workflows/` (์ „ํ†ต ๋„๊ตฌ 6๊ฐœ) |
| 4๋‹จ๊ณ„ | AI ๋ฐฉ์–ด ๋ ˆ์ด์–ด | `ai-review.yml` (findings-driven), `ai-fuzzing.yml` |
| 5๋‹จ๊ณ„ | ์ง€์†์  ๋ชจ๋‹ˆํ„ฐ๋งยท์ž๋™ ๊ต์ • | `dependabot.yml`, `renovate.json`, `dast.yml` |

---

## 3๋‹จ๊ณ„ CI/CD ๊ตฌ์„ฑ

| ์›Œํฌํ”Œ๋กœ์šฐ | ๋„๊ตฌ | ์—ญํ•  | PR | Push/Main |
|------------|------|------|----|-----------|
| `secret-detection.yml` | Gitleaks | API ํ‚คยทํ† ํฐ ํ•˜๋“œ์ฝ”๋”ฉ ํƒ์ง€ | โœ… | โœ… |
| `sast.yml` | Semgrep | SQL ์ธ์ ์…˜ยท์ทจ์•ฝ ํŒจํ„ด ํƒ์ง€ | โœ… | โ€” |
| `codeql.yml` | CodeQL | ์‹ฌ์ธต ์ •์  ๋ถ„์„ (์ฃผ 1ํšŒ ํฌํ•จ) | โœ… | โœ… |
| `oss-policy.yml` | syft + grype | CVE ์Šค์บ” + ๋ผ์ด์„ ์Šค ๊ฒ€์‚ฌ | โœ… | โ€” |
| `iac-security.yml` | Checkov | DockerfileยทK8s ๋ณด์•ˆ ์„ค์ • ๊ฒ€์‚ฌ | โœ… | โ€” |
| `container-security.yml` | Trivy | Docker ์ด๋ฏธ์ง€ ์ทจ์•ฝ์  ์Šค์บ” | โœ… | โœ… |

## 4๋‹จ๊ณ„ AI ๋ฐฉ์–ด ๋ ˆ์ด์–ด

| ์›Œํฌํ”Œ๋กœ์šฐ | ๋„๊ตฌ | ์—ญํ•  | ์‹คํ–‰ ์กฐ๊ฑด |
|-----------|------|------|-----------|
| `ai-review.yml` | Claude API | Semgrepยทgrype findings โ†’ AI ๊ฒ€์ฆยทํ•ด์„ โ†’ PR ์ฝ”๋ฉ˜ํŠธ | PR (ANTHROPIC_API_KEY ๋“ฑ๋ก ์‹œ ์ž๋™ ํ™œ์„ฑํ™”) |
| `ai-fuzzing.yml` | Claude + requests | AI ์ƒ์„ฑ ์—ฃ์ง€์ผ€์ด์Šค๋กœ 5xx ํƒ์ง€ | Push to main ยท ์ฃผ 1ํšŒ |

## 5๋‹จ๊ณ„ ์ง€์†์  ๋ชจ๋‹ˆํ„ฐ๋งยท์ž๋™ ๊ต์ •

| ์›Œํฌํ”Œ๋กœ์šฐ / ์„ค์ • | ๋„๊ตฌ | ์—ญํ•  | ์‹คํ–‰ ์ฃผ๊ธฐ |
|------------------|------|------|-----------|
| `dependabot.yml` | Dependabot | ์˜์กด์„ฑ ์—…๋ฐ์ดํŠธ PR ์ž๋™ ์ƒ์„ฑ | ์ฃผ 1ํšŒ |
| `renovate.json` | Renovate | Critical ํŒจ์น˜ ์ž๋™ ๋ณ‘ํ•ฉ | ์ฆ‰์‹œยท์ฃผ 1ํšŒ |
| `dast.yml` | OWASP ZAP | ๋ฐฐํฌ ํ›„ ๋™์  ์ทจ์•ฝ์  ์Šค์บ” (Soft fail) | Push to main |

---

## ๋น ๋ฅธ ์‹œ์ž‘

### 1. Fork

GitHub์—์„œ ์ด ์ €์žฅ์†Œ๋ฅผ forkํ•œ ๋’ค ํด๋ก ํ•ฉ๋‹ˆ๋‹ค.

```bash
git clone https://github.com/YOUR-ORG/ai-coding-best-practice.git
cd ai-coding-best-practice
```

### 2. PR์„ ์—ด์–ด ํŒŒ์ดํ”„๋ผ์ธ ํ™•์ธ

```bash
git checkout -b test/pipeline-check
echo "# test" >> README.md
git commit -am "test: pipeline check"
git push origin test/pipeline-check
```

GitHub์—์„œ PR์„ ์ƒ์„ฑํ•˜๋ฉด 3๋‹จ๊ณ„ ์›Œํฌํ”Œ๋กœ์šฐ 6๊ฐœ๊ฐ€ ์ž๋™ ์‹คํ–‰๋ฉ๋‹ˆ๋‹ค.

### 3. GitHub Secrets ๋“ฑ๋ก

| Secret ์ด๋ฆ„ | ์šฉ๋„ | ํ•„์ˆ˜ ์—ฌ๋ถ€ |
|-------------|------|-----------|
| `ANTHROPIC_API_KEY` | 4๋‹จ๊ณ„ AI ๋ฆฌ๋ทฐ (`ai-review.yml`), AI ํผ์ง• (`ai-fuzzing.yml`) | ์„ ํƒ |

`ANTHROPIC_API_KEY`๋ฅผ ๋“ฑ๋กํ•˜๋ฉด 4๋‹จ๊ณ„ AI ๋ฐฉ์–ด ๋ ˆ์ด์–ด๊ฐ€ ์ž๋™์œผ๋กœ ํ™œ์„ฑํ™”๋ฉ๋‹ˆ๋‹ค.
๋ณ„๋„ ์„ค์ • ๋ณ€๊ฒฝ ์—†์ด ๋‹ค์Œ PR๋ถ€ํ„ฐ findings-driven AI ๋ฆฌ๋ทฐ๊ฐ€ ๋™์ž‘ํ•ฉ๋‹ˆ๋‹ค.

---

## ์ปค์Šคํ„ฐ๋งˆ์ด์ง•

| ํŒŒ์ผ | ์ˆ˜์ • ํฌ์ธํŠธ |
|------|------------|
| `CLAUDE.md` | ํŒ€ ๋ผ์ด์„ ์Šค ์ •์ฑ…, ๊ธˆ์ง€ ํŒจํ‚ค์ง€ ๋ชฉ๋ก |
| `.cursorrules` | ๋„๊ตฌ๋ณ„ ๊ทœ์น™ ์กฐ์ • |
| `.grype.yaml` | ์ทจ์•ฝ์  ์ž„๊ณ„๊ฐ’ (`high` โ†” `critical`) |
| `.gitleaks.toml` | ์กฐ์ง ๋‚ด๋ถ€ ํŒจํ„ด ์˜ˆ์™ธ ์ฒ˜๋ฆฌ ์ถ”๊ฐ€ |
| `.semgrep.yml` | ์–ธ์–ดยทํ”„๋ ˆ์ž„์›Œํฌ๋ณ„ ๋ฃฐ์…‹ ์ถ”๊ฐ€ |
| `renovate.json` | ์ž๋™ ๋ณ‘ํ•ฉ ๋ฒ”์œ„, ์—…๋ฐ์ดํŠธ ์ฃผ๊ธฐ |
| `dast.yml` | ์•ˆ์ •ํ™” ํ›„ `fail_action: true` ๋กœ ๋ณ€๊ฒฝํ•ด Hard fail ์ „ํ™˜ |

---

## ๊ด€๋ จ ๊ฐ€์ด๋“œ

- [AI ์ฝ”๋”ฉ 5๋‹จ๊ณ„ ์ „๋žต](https://trustedoss.github.io/ai-coding/strategy)
- [30๋ถ„ ์™„์„ฑ Quick CI/CD](https://trustedoss.github.io/ai-coding/cicd-quick)
- [AI ๋ณด์•ˆ ์ฝ”๋“œ ๋ฆฌ๋ทฐ](https://trustedoss.github.io/ai-coding/ai-security-review)
- [DevSecOps โ€” ์ „์‚ฌ ํŒŒ์ดํ”„๋ผ์ธ ์„ค๊ณ„](https://trustedoss.github.io/devsecops/pipeline-design)

---

# AI Coding Best Practice

[![Secret Detection](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/secret-detection.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/secret-detection.yml)
[![SAST](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/sast.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/sast.yml)
[![CodeQL](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/codeql.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/codeql.yml)
[![OSS Policy](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/oss-policy.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/oss-policy.yml)
[![IaC Security](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/iac-security.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/iac-security.yml)
[![Container Security](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/container-security.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/container-security.yml)
[![DAST](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/dast.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/dast.yml)
[![AI Fuzzing](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/ai-fuzzing.yml/badge.svg)](https://github.com/trustedoss/ai-coding-best-practice/actions/workflows/ai-fuzzing.yml)

A reference repository implementing all 5 stages of the [Trusted OSS โ€” AI Coding Strategy](https://trustedoss.github.io/ai-coding/strategy).
Fork it for immediate use, or copy individual config files into your existing project.

---

## Implementation Status by Stage

| Stage | Description | Implementation Files |
|-------|-------------|----------------------|
| Stage 1 | Prompt-only | โ€” (no tools needed) |
| Stage 2 | AI rule internalization | `CLAUDE.md`, `.cursorrules` |
| Stage 3 | CI/CD auto-blocking | `.github/workflows/` (6 traditional tools) |
| Stage 4 | AI defense layer | `ai-review.yml` (findings-driven), `ai-fuzzing.yml` |
| Stage 5 | Continuous monitoring & auto-remediation | `dependabot.yml`, `renovate.json`, `dast.yml` |

---

## Stage 3: CI/CD Configuration

| Workflow | Tool | Role | PR | Push/Main |
|----------|------|------|----|-----------|
| `secret-detection.yml` | Gitleaks | Detect hardcoded API keys & tokens | โœ… | โœ… |
| `sast.yml` | Semgrep | Detect SQL injection & vulnerable patterns | โœ… | โ€” |
| `codeql.yml` | CodeQL | Deep static analysis (includes weekly scan) | โœ… | โœ… |
| `oss-policy.yml` | syft + grype | CVE scan + license check | โœ… | โ€” |
| `iac-security.yml` | Checkov | Dockerfile & K8s security config check | โœ… | โ€” |
| `container-security.yml` | Trivy | Docker image vulnerability scan | โœ… | โœ… |

## Stage 4: AI Defense Layer

| Workflow | Tool | Role | Trigger |
|----------|------|------|---------|
| `ai-review.yml` | Claude API | Semgrep/grype findings โ†’ AI validation & interpretation โ†’ PR comment | PR (auto-activates when `ANTHROPIC_API_KEY` is set) |
| `ai-fuzzing.yml` | Claude + requests | AI-generated edge cases to detect 5xx errors | Push to main ยท weekly |

## Stage 5: Continuous Monitoring & Auto-Remediation

| Workflow / Config | Tool | Role | Schedule |
|-------------------|------|------|----------|
| `dependabot.yml` | Dependabot | Auto-generate dependency update PRs | Weekly |
| `renovate.json` | Renovate | Auto-merge critical patches | Immediately ยท weekly |
| `dast.yml` | OWASP ZAP | Dynamic vulnerability scan after deployment (soft fail) | Push to main |

---

## Quick Start

### 1. Fork

Fork this repository on GitHub, then clone it.

```bash
git clone https://github.com/YOUR-ORG/ai-coding-best-practice.git
cd ai-coding-best-practice
```

### 2. Open a PR to verify the pipeline

```bash
git checkout -b test/pipeline-check
echo "# test" >> README.md
git commit -am "test: pipeline check"
git push origin test/pipeline-check
```

Opening a PR on GitHub will automatically trigger all 6 Stage 3 workflows.

### 3. Register GitHub Secrets

| Secret Name | Purpose | Required |
|-------------|---------|----------|
| `ANTHROPIC_API_KEY` | Stage 4 AI review (`ai-review.yml`), AI fuzzing (`ai-fuzzing.yml`) | Optional |

Once `ANTHROPIC_API_KEY` is registered, the Stage 4 AI defense layer activates automatically.
No additional configuration needed โ€” findings-driven AI review starts on the next PR.

---

## Customization

| File | What to Modify |
|------|----------------|
| `CLAUDE.md` | Team license policy, prohibited package list |
| `.cursorrules` | Per-tool rule adjustments |
| `.grype.yaml` | Vulnerability threshold (`high` โ†” `critical`) |
| `.gitleaks.toml` | Add organization-internal pattern exceptions |
| `.semgrep.yml` | Add language/framework-specific rulesets |
| `renovate.json` | Auto-merge scope, update schedule |
| `dast.yml` | Switch to hard fail by changing `fail_action: true` after stabilization |

---

## Related Guides

- [AI Coding 5-Stage Strategy](https://trustedoss.github.io/en/ai-coding/strategy)
- [30-Minute Quick CI/CD](https://trustedoss.github.io/en/ai-coding/cicd-quick)
- [AI Security Code Review](https://trustedoss.github.io/en/ai-coding/ai-security-review)
- [DevSecOps โ€” Enterprise Pipeline Design](https://trustedoss.github.io/en/devsecops/pipeline-design)