feat: Add Claude AI code review GitHub Actions workflow for automated PR reviews #79
devmdave wants to merge 1 commit into Snapchat:main from
Conversation
… workflow for automated code reviews using Claude AI
- Create claude-review.js script to analyze diffs and generate reviews
- Add format-claude-output.js utility for formatting review output
- Update package.json with required GitHub Actions dependencies
- Configure workflow to run on PR and push to main branch
- Include security, bug detection, code quality, and best practices analysis
- Post review results as PR comments and workflow artifacts
.github/workflows/bzl-changes.yml
| # Install libtinfo5 for LLVM/Clang toolchain (Ubuntu 24.04+ doesn't have it in apt) | ||
| if ! sudo apt-get install -y libtinfo5 2>/dev/null; then | ||
| echo "libtinfo5 not available in apt, downloading from Ubuntu 22.04 archive..." | ||
| wget http://archive.ubuntu.com/ubuntu/pool/universe/n/ncurses/libtinfo5_6.3-2ubuntu0.1_amd64.deb |
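Review bot: the wget fallback on the last line has no integrity check, so moving the URL to HTTPS (as the Semgrep comment below asks) still leaves the runner trusting whatever the archive serves; pin the expected sha256 of libtinfo5_6.3-2ubuntu0.1_amd64.deb and fail the step on mismatch before the sudo apt install line runs. Also worth pinning the archive URL to the https scheme in the same hunk so a later edit cannot silently reintroduce http.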
Semgrep identified an issue in your code:
wget uses an unencrypted HTTP URL to fetch libtinfo5_6.3-2ubuntu0.1_amd64.deb. A man-in-the-middle can replace the .deb and gain root code execution when it’s installed with sudo apt install.
More details about this
This workflow downloads a Debian package over plain HTTP:
Because the URL is unencrypted (HTTP), anyone able to intercept traffic (e.g., hostile Wi‑Fi/AP, corporate proxy, or BGP/DNS hijack) can swap that .deb for a malicious one. The next line installs it with sudo apt install -y ./libtinfo5_6.3-2ubuntu0.1_amd64.deb, which would execute attacker-controlled maintainer scripts as root or load a tampered libtinfo5 at runtime.
Concrete attack path
- Step 1: Attacker intercepts the HTTP request to archive.ubuntu.com and serves a trojaned libtinfo5_6.3-2ubuntu0.1_amd64.deb.
- Step 2: Your script saves the attacker’s file under the same name via wget.
- Step 3: sudo apt install -y ./libtinfo5_6.3-2ubuntu0.1_amd64.deb runs the package’s postinst script with root privileges, giving the attacker code execution in the CI runner and access to build secrets/artifacts.
- Step 4: Compromised libtinfo5 can persist in subsequent build steps, silently backdooring binaries or exfiltrating data.
To resolve this comment:
✨ Commit Assistant Fix Suggestion
- Check if a secure (HTTPS) version of the download URL is available for the package. In this case, replace http://archive.ubuntu.com/ubuntu/... with https://archive.ubuntu.com/ubuntu/... in the wget command.
- Update the line to: wget https://archive.ubuntu.com/ubuntu/pool/universe/n/ncurses/libtinfo5_6.3-2ubuntu0.1_amd64.deb
- If the server does not support HTTPS and only HTTP is available, verify the package signature after download to ensure integrity and authenticity.
- If you cannot switch to HTTPS and package verification is not feasible, consider obtaining the package from a different trusted source that offers HTTPS downloads.
Using HTTPS encrypts the download and prevents attackers from modifying the package in transit.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by wget-unencrypted-url.
You can view more details about this finding in the Semgrep AppSec Platform.
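A hardened form of the libtinfo5 fallback step, added here as an example and not code from the PR or from Semgrep: it refuses non-HTTPS URLs and compares the downloaded .deb against a pinned SHA-256 before anything is handed to apt. The digest value is a placeholder to be taken from the Ubuntu archive's signed Packages index; the page does not give it.

```shell
# Added example (not from the PR): HTTPS-only download of the libtinfo5
# fallback package, verified against a pinned SHA-256 before `apt install`.
set -eu

DEB_NAME="libtinfo5_6.3-2ubuntu0.1_amd64.deb"
DEB_URL="https://archive.ubuntu.com/ubuntu/pool/universe/n/ncurses/${DEB_NAME}"
# Placeholder (not on the page): fill in from the archive's signed Packages index.
DEB_SHA256="<PINNED_SHA256_PLACEHOLDER>"

# Succeed only for https:// URLs; any other scheme fails closed.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
  esac
}

# Compare a file's SHA-256 with the pinned digest; non-zero on mismatch.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Download over HTTPS and refuse to keep a file whose digest does not match.
# Under `set -e` a failure here aborts the workflow step, which is the intent.
fetch_and_verify() {
  url="$1"; out="$2"; want="$3"
  require_https "$url"
  wget --https-only -q -O "$out" "$url"
  if ! verify_sha256 "$out" "$want"; then
    echo "checksum mismatch for $out; removing it" >&2
    rm -f "$out"
    return 1
  fi
}

# Workflow usage (needs network; runs only after the checks above pass):
# fetch_and_verify "$DEB_URL" "$DEB_NAME" "$DEB_SHA256" && sudo apt install -y "./$DEB_NAME"
```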
Semgrep found 9
This literal might contain a Snapchat internal reference that should not be committed to open-source repositories. Fix: Please replace / remove the string to avoid committing it to open-source repositories.
bzl/valdi/npm/pnpm-lock.yaml
| uglify-js: | ||
| optional: true | ||
|
|
||
| terser@4.6.10: |
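Review bot: terser@4.6.10 enters bzl/valdi/npm/pnpm-lock.yaml in this hunk, while the PR description lists only @actions/core and @actions/github as added dependencies; confirm that this lock-file change is intended, and if it is, regenerate the lock file so terser resolves to at least 4.8.1, the floor the Semgrep finding below gives, rather than hand-editing the entry.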
High severity vulnerability introduced by a package you're using:
Line 4009 lists a dependency (terser) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
terser versions before 4.8.1, >= 5.0.0 before 5.14.2 are vulnerable to Inefficient Regular Expression Complexity.
To resolve this comment:
Upgrade this dependency to at least version 4.8.1 at bzl/valdi/npm/pnpm-lock.yaml.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
Summary
This PR implements an automated code review system using Claude AI (Anthropic) integrated into our GitHub Actions CI/CD pipeline.
Motivation
Manual code reviews can be time-consuming and may miss common issues. This automated review system provides immediate feedback on:
The AI-powered reviews complement human reviews by catching issues early and providing consistent feedback across all pull requests.
Changes
New Files
- .github/workflows/claude-code.yml - GitHub Actions workflow configuration
- scripts/claude-review.js - Core review logic using Anthropic Claude API
- scripts/format-claude-output.js - Utility for formatting review output
Modified Files
- package.json - Added @actions/core and @actions/github dependencies
Implementation Details
The workflow:
- main branch
- (claude-sonnet-4-20250514) for analysis
The review includes severity levels (🔴 Critical, 🟡 Warning, 🟢 Info) for easy prioritization.
Configuration Required
Before merging, ensure the following secret is configured in the repository:
- ANTHROPIC_API_KEY - API key for Claude AI service
Testing
The workflow has been configured with continue-on-error: true to prevent blocking the CI pipeline if the review service is unavailable.
Benefits
Future Enhancements
Potential improvements for follow-up PRs: