Copies the org-standard AgentShield workflow verbatim from petry-projects/.github/standards/workflows/agent-shield.yml.

Closes #51

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
📝 Walkthrough

A new GitHub Actions workflow file is introduced to enforce security scanning and repository structure validation, including file existence checks, cross-reference validation, and YAML frontmatter requirements for skill definitions.

Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks: ✅ 5 passed
@don-petry CI is green — please review and merge when ready.
🧹 Nitpick comments (1)
.github/workflows/agent-shield.yml (1)
73-103: Frontmatter validation logic is correct.

The `awk` extraction properly handles YAML frontmatter delimited by `---`. Using `find` with exclusions and process substitution correctly handles the file iteration. The check gracefully succeeds when no `SKILL.md` files exist (which is acceptable).

💡 Optional: Validate that required fields have non-empty values
The current checks verify key presence but not that values are non-empty. If stricter validation is desired:
- if ! echo "$frontmatter" | grep -q '^name:'; then + if ! echo "$frontmatter" | grep -qE '^name:\s*\S'; then echo "::error file=$file::Missing 'name' field" status=1 fi - if ! echo "$frontmatter" | grep -q '^description:'; then + if ! echo "$frontmatter" | grep -qE '^description:\s*\S'; then echo "::error file=$file::Missing 'description' field" status=1 fiThis ensures fields like
`name:` (with no value) are rejected.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In @.github/workflows/agent-shield.yml around lines 73 - 103, The current SKILL.md frontmatter checks only verify presence of the keys; update the two validations that use grep for '^name:' and '^description:' so they also require a non-empty value after the colon. Replace the simple grep checks with a regex that asserts at least one non-whitespace character after the colon (e.g. grep -qE '^name:[[:space:]]*[^[:space:]]' and similarly for '^description:') or extract the value from the frontmatter variable and test it for non-empty; update the checks in the while loop that references frontmatter and the lines containing the '^name:' and '^description:' grep invocations accordingly.
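Review bot: the `\s` and `\S` escapes in the suggested `grep -qE '^name:\s*\S'` and `grep -qE '^description:\s*\S'` patterns are GNU extensions rather than POSIX ERE, so the result depends on which grep the runner ships; the `[[:space:]]` form given in the agent prompt is portable and is the safer choice. The error text in both branches also still reads "Missing 'name' field" and "Missing 'description' field", although the condition would now fail on an empty value as well; "Missing or empty" would match the new behaviour.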
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 5fa1813b-9d9b-4a8b-8bfb-875470923833
📒 Files selected for processing (1)
.github/workflows/agent-shield.yml
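One way to implement the stricter frontmatter check discussed in this review, as an added example (not the workflow's own code, which is not shown on this page). The function names and the sample `SKILL.md` files are hypothetical and constructed; the example goes slightly beyond the suggestion by also rejecting quoted empty values and frontmatter that is never closed.

```bash
#!/usr/bin/env bash
# Added example; function names and sample files are hypothetical.

# Print the frontmatter body only if it opens on line 1 AND is closed by '---'.
extract_frontmatter() {
  awk '{ sub(/\r$/, "") }                      # tolerate CRLF checkouts
       NR == 1 { if ($0 != "---") exit; next }  # must start the file
       $0 == "---" { printf "%s", buf; exit }   # emit only once closed
       { buf = buf $0 "\n" }' "$1"
}

# Succeed when KEY ($2) has a non-blank value in the frontmatter text ($1).
# Missing keys, bare "key:", and quoted empty strings all fail.
has_value() {
  local value
  value=$(printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1)
  value=$(printf '%s' "$value" | sed 's/[[:space:]]*$//')
  case "$value" in
    '' | '""' | "''") return 1 ;;
  esac
  return 0
}

# Emit one GitHub Actions error annotation per bad field; return 1 on failure.
validate_skill() {
  local file=$1 fm key status=0
  fm=$(extract_frontmatter "$file")
  for key in name description; do
    if ! has_value "$fm" "$key"; then
      echo "::error file=$file::Missing or empty '$key' field"
      status=1
    fi
  done
  return "$status"
}

demo() {  # constructed SKILL.md samples
  local dir f
  dir=$(mktemp -d)
  printf '%s\n' '---' 'name: pdf-tools' 'description: Extract text' '---' 'Body' > "$dir/good.md"
  printf '%s\n' '---' 'name:' 'description: ""' '---' > "$dir/empty.md"
  printf '%s\n' '---' 'name: x' 'description: never closed' > "$dir/unclosed.md"
  for f in good empty unclosed; do
    if validate_skill "$dir/$f.md"; then echo "$f: ok"; else echo "$f: rejected"; fi
  done
  rm -rf "$dir"
}
demo
```

A block scalar such as `description: >` still counts as non-empty here; checking the folded text itself needs a real YAML parser.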
Pull request overview
Adds the org-required AgentShield GitHub Actions workflow to bring the repo into compliance and enforce agent/security validation in CI.
Changes:
- Introduces `.github/workflows/agent-shield.yml` workflow triggered on pushes/PRs to `main`.
- Runs `ecc-agentshield` scan plus repo-structure validations for `CLAUDE.md`, `AGENTS.md`, and `SKILL.md` frontmatter.
| # 1. affaan-m/agentshield action — deep security scan (102 rules across | ||
| # secrets, permissions, hooks, MCP servers, and agent config) |
The workflow comments say it uses the "affaan-m/agentshield action", but the implementation actually runs the AgentShield CLI via npx ecc-agentshield@.... Please align the comment with the actual mechanism (CLI vs action) to avoid confusion when maintaining/updating this workflow.
| # 1. affaan-m/agentshield action — deep security scan (102 rules across | |
| # secrets, permissions, hooks, MCP servers, and agent config) | |
| # 1. AgentShield CLI via ecc-agentshield — deep security scan (102 rules | |
| # across secrets, permissions, hooks, MCP servers, and agent config) |
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| agent-shield: | ||
| name: AgentShield |
For consistency with other workflows in this repo (e.g., codeql-analysis.yml, sonarcloud.yml), consider setting workflow-level permissions: {} and moving contents: read under the job’s permissions:. This keeps the workflow least-privilege by default if additional jobs are added later.
| permissions: | |
| contents: read | |
| jobs: | |
| agent-shield: | |
| name: AgentShield | |
| permissions: {} | |
| jobs: | |
| agent-shield: | |
| name: AgentShield | |
| permissions: | |
| contents: read |
| @@ -0,0 +1,103 @@ | |||
| # AgentShield — Agent configuration security validation | |||
| # See: standards/agent-standards.md | |||
The header comment points to standards/agent-standards.md, but this repository doesn’t contain that path. Consider changing it to a fully-qualified org-standards URL (or another local reference) so readers don’t assume there’s a missing file in this repo.
| # See: standards/agent-standards.md | |
| # See: https://github.com/petry-projects/.github/blob/main/standards/agent-standards.md |



Summary
- `agent-shield.yml` workflow verbatim from `petry-projects/.github/standards/workflows/agent-shield.yml`
- `agent-shield.yml` was missing

Changes
- `.github/workflows/agent-shield.yml` — AgentShield security validation workflow that:
  - `ecc-agentshield` deep security scan (102 rules across secrets, permissions, hooks, MCP servers, agent config)
  - `CLAUDE.md`, `AGENTS.md`) are present
  - `CLAUDE.md` → `AGENTS.md` and `AGENTS.md` → org standards
  - `SKILL.md` frontmatter (name + description fields)

Closes #51
Generated with Claude Code