2026-04-10 14:59:05 +02:00 · 2026-04-10 14:59:05 +02:00 · 2c33e9cc64
commit 2c33e9cc64
parent d642203991
15 changed files with 599 additions and 17 deletions
--- a/plugins/llm-security/ci/github-action.yml
+++ b/plugins/llm-security/ci/github-action.yml
@ -0,0 +1,47 @@
+# llm-security — GitHub Actions workflow
+# Deterministic security scanning for AI/LLM projects.
+# No LLM calls. No data leaves your pipeline. Fully Schrems II compatible.
+#
+# See docs/ci-cd-guide.md for configuration options and detailed setup.
+#
+# Alternative (without npx): replace the scan step with:
+#   run: node bin/llm-security.mjs scan . --fail-on high --format sarif --output-file results.sarif
+
+name: LLM Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for SARIF upload
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Run llm-security scan
+        run: npx llm-security scan . --fail-on high --format sarif --output-file results.sarif
+
+      - name: Upload SARIF to GitHub Advanced Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: results.sarif
+
+# Configuration:
+#   --fail-on <critical|high|medium|low>  Exit 1 if findings at or above severity
+#   --compact                              One-liner per finding (reduced log noise)
+#   --format sarif                         OASIS SARIF 2.1.0 output
+#   --output-file <path>                   Write full results to file
+#   --baseline                             Diff against stored baseline
+#
+# Or configure via .llm-security/policy.json:
+#   { "ci": { "failOn": "high", "compact": true } }