Skip to content

Add Sighthound-gated agentic workflow with artifacted scan output#45120

Merged
pelikhan merged 1 commit into
mainfrom
copilot/add-agentic-workflow-for-sighthound
Jul 13, 2026
Merged

Add Sighthound-gated agentic workflow with artifacted scan output#45120
pelikhan merged 1 commit into
mainfrom
copilot/add-agentic-workflow-for-sighthound

Conversation

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

This adds an agentic workflow that runs Corgea/Sighthound in a dedicated pre-agent job, persists scan output as an artifact, and only activates the agent when findings exist. The workflow keeps detection deterministic and triage conditional.

  • Workflow added

    • New workflow: .github/workflows/sighthound-security-scan.md (and compiled .lock.yml).
    • Triggered on pull_request (opened, synchronize, reopened) and workflow_dispatch.
  • Separate Sighthound scan job

    • Introduces jobs.sighthound_scan to install and run sighthound before agent execution.
    • Produces structured outputs:
      • findings_detected
      • findings_count
      • artifact_name
  • Artifacted results for downstream analysis

    • Writes scan payload and summary under /tmp/gh-aw/agent/sighthound/.
    • Uploads run-scoped artifact (sighthound-results-${{ github.run_id }}) for reproducible triage context.
  • Agent execution is findings-gated

    • Top-level workflow if: gates the agent path on:
      • needs.sighthound_scan.outputs.findings_detected == 'true'
    • Agent downloads the scan artifact and performs conditional action:
      • PR context → add_comment
      • non-PR context → create_issue
      • no actionable findings → noop
if: needs.sighthound_scan.outputs.findings_detected == 'true'

jobs:
  sighthound_scan:
    outputs:
      findings_detected: ${{ steps.scan.outputs.findings_detected }}
      findings_count: ${{ steps.scan.outputs.findings_count }}
      artifact_name: ${{ steps.artifact_name.outputs.value }}

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Add agentic Sighthound security scan workflow Add Sighthound-gated agentic workflow with artifacted scan output Jul 12, 2026
Copilot AI requested a review from pelikhan July 12, 2026 18:47
@github-actions

Copy link
Copy Markdown
Contributor

Hey @copilot-swe-agent 👋 — great work adding the Sighthound-gated security scan workflow! The findings-conditional agent execution pattern is a clean approach, and the artifact-backed scan output makes triage reproducible.

One thing that would help push this over the finish line:

  • Add workflow tests — the .md workflow spec does not have an accompanying test or validation fixture. Even a basic schema-validation or dry-run test for the compiled .lock.yml would provide confidence that the workflow gates behave correctly under the different trigger paths (pull_request vs workflow_dispatch, findings vs no-findings).

If you would like a hand, you can assign this prompt to your coding agent:

Add tests for the Sighthound-gated agentic workflow introduced in .github/workflows/sighthound-security-scan.md.
Cover the following scenarios:
1. findings_detected == true on a pull_request event → agent job should run and call add_comment.
2. findings_detected == false → agent job should be skipped (if condition is false).
3. non-PR context with findings → agent job should call create_issue.
4. Validate that the compiled .lock.yml matches the spec in the .md file.
Follow the existing test patterns in the repository for workflow specs.

Generated by ✅ Contribution Check · 89.5 AIC · ⌖ 11.5 AIC · ⊞ 6.2K ·

@pelikhan pelikhan marked this pull request as ready for review July 13, 2026 06:29
Copilot AI review requested due to automatic review settings July 13, 2026 06:29
@pelikhan pelikhan merged commit 8784207 into main Jul 13, 2026
@pelikhan pelikhan deleted the copilot/add-agentic-workflow-for-sighthound branch July 13, 2026 06:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a Sighthound security workflow that scans repositories before agent triage.

Changes:

  • Runs Sighthound on PR and manual triggers.
  • Artifacts scan results and gates agent execution on findings.
  • Routes triage to comments, issues, or no-op output.
Show a summary per file
File Description
.github/workflows/sighthound-security-scan.md Defines scanning, artifact transfer, gating, and triage.
.github/workflows/sighthound-security-scan.lock.yml Compiled GitHub Actions workflow.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/2 changed files
  • Comments generated: 3
  • Review effort level: Medium


- name: Install Sighthound
run: |
cargo install --locked --git https://github.com/Corgea/Sighthound --bin sighthound
Comment on lines +46 to +55
set +e
sighthound --output-format json . > "$RESULTS_JSON"
SCAN_EXIT=$?
set -e

if [ ! -s "$RESULTS_JSON" ]; then
echo "[]" > "$RESULTS_JSON"
fi

FINDINGS_COUNT="$(jq 'if type=="array" then length else 0 end' "$RESULTS_JSON" 2>/dev/null || echo 0)"
target: "*"
create-issue:
max: 1
labels: [security, sighthound]
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants