From 5eefc8f742dc45e97223a231ca4c3d05b7f90fa1 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 19:15:24 +0100 Subject: [PATCH 1/8] created ruby test slop --- .github/workflows/analyze.yml | 84 +++++++++++++++ Dockerfile | 21 ---- Gemfile | 14 +++ Gemfile.lock | 11 ++ app.rb | 128 +++++++++++++++++++++++ enterprise_silent_slop.rb | 152 ++++++++++++++++++++++++++++ slop.js | 44 -------- slop.py | 47 --------- slop_ruby.rb | 185 ++++++++++++++++++++++++++++++++++ 9 files changed, 574 insertions(+), 112 deletions(-) create mode 100644 .github/workflows/analyze.yml delete mode 100644 Dockerfile create mode 100644 Gemfile create mode 100644 Gemfile.lock create mode 100644 app.rb create mode 100644 enterprise_silent_slop.rb delete mode 100644 slop.js delete mode 100644 slop.py create mode 100644 slop_ruby.rb diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml new file mode 100644 index 0000000..3031b2a --- /dev/null +++ b/.github/workflows/analyze.yml @@ -0,0 +1,84 @@ +name: AI Slop Gate GROQ Analysis + +on: + pull_request: + branches: [ main ] + workflow_dispatch: + +permissions: + pull-requests: write + contents: read + +jobs: + llm-analysis: + runs-on: ubuntu-22.04 + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run AI Slop Gate (Gemini PR analysis) + id: slop_gate + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} + continue-on-error: true + run: | + docker run --rm \ + -e GITHUB_TOKEN \ + -e SLOPE_GATE_GROQ \ + ghcr.io/sergudo/ai-slop-gate:latest \ + run \ + --provider groq \ + --policy policy.yml \ + --github-repo "${{ github.repository }}" \ + --pr-id "${{ github.event.pull_request.number }}" \ + > llm_report.txt 2>&1 + + echo "=== RAW LLM REPORT ===" + cat llm_report.txt + + - name: Extract clean report + if: steps.slop_gate.outcome == 'failure' + run: | + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md + + - name: Post PR Comment + if: steps.slop_gate.outcome == 'failure' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "### πŸ€– AI Slop Gate LLM Analysis" > final_comment.md + echo "The LLM-based analysis detected policy violations." >> final_comment.md + echo "" >> final_comment.md + cat clean_report.md >> final_comment.md + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + - name: Label PR on Policy Violation + if: steps.slop_gate.outcome == 'failure' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + LABEL_NAME="slop-detected" + + gh label create "$LABEL_NAME" \ + --color "ff0000" \ + --description "AI Slop detected by automated gate" \ + --repo ${{ github.repository }} || true + + gh pr edit ${{ github.event.pull_request.number }} \ + --add-label "$LABEL_NAME" \ + --repo ${{ github.repository }} + + # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. + # - name: Close PR on Policy Violation + # if: steps.slop_gate.outcome == 'failure' + # env: + # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # run: | + # gh pr close ${{ github.event.pull_request.number }} \ + # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ + # --repo ${{ github.repository }} \ No newline at end of file diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 7a78959..0000000 --- a/Dockerfile +++ /dev/null @@ -1,21 +0,0 @@ -FROM python:3.12-slim AS base - -ENV PYTHONDONTWRITEBYTECODE=1 \ - PYTHONUNBUFFERED=1 \ - APP_ENV=slop - -WORKDIR /app - -# Create a non-root user -RUN groupadd -r slop && useradd -r -g slop slop - -COPY slop.py /app/slop.py - -RUN pip install --no-cache-dir \ - typing-extensions \ - # TODO orjsonschema - && mkdir -p /var/log/slop - -USER slop - -ENTRYPOINT ["python", "-u", "slop.py"] diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..752d608 --- /dev/null +++ b/Gemfile @@ -0,0 +1,14 @@ +# GPL-3.0 License (FORBIDDEN) +source 'https://rubygems.org' + +ruby '2.3.0' # EOL Ruby β€” Trivy flag + +# Known vulnerable gems +gem 'rails', '4.2.0' # CVE-2015-7576, CVE-2016-6316 +gem 'rack', '1.6.0' # CVE-2018-16470 +gem 'nokogiri', '1.6.6' # CVE-2017-9050 +gem 'json', '1.8.1' # CVE-2020-10663 +gem 'devise', '3.2.4' # multiple CVEs +gem 'rest-client', '1.6.7' # CVE-2015-1820 +gem 'webrick', '1.3.1' # CVE-2020-25613 + diff --git a/Gemfile.lock b/Gemfile.lock new file mode 100644 index 0000000..6b92ade --- /dev/null +++ b/Gemfile.lock @@ -0,0 +1,11 @@ +GEM + specs: + +PLATFORMS + ruby + x86_64-linux + +DEPENDENCIES + +BUNDLED WITH + 2.6.3 diff --git a/app.rb b/app.rb new file mode 100644 index 0000000..de9db59 --- /dev/null +++ b/app.rb @@ -0,0 +1,128 @@ +# frozen_string_literal: false +# License: GPL-3.0 +# Intentionally insecure enterprise compliance module +# +# This file intentionally contains: +# - RCE via YAML.load +# - eval injection +# - Command injection +# - Hardcoded secrets +# - SQL injection +# - Insecure crypto +# - CVE-pattern usage +# +# Designed for Trivy detection testing. + +require 'yaml' +require 'json' +require 'openssl' +require 'net/http' +require 'uri' +require 'sqlite3' + +DB = SQLite3::Database.new(":memory:") + +# Hardcoded secret (Trivy secret scanner) +MASTER_KEY = "SUPER_SECRET_PRODUCTION_KEY_123456" +AWS_SECRET_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE" +PRIVATE_RSA_KEY = <<~KEY +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAtestfakekeyfortrivyexample123456789 +-----END RSA PRIVATE KEY----- +KEY + +class EnterpriseComplianceEngine + + def initialize + @debug = true + end + + # ❌ RCE via YAML (CVE-2013-0156 pattern) + def unsafe_yaml_deserialize(payload) + YAML.load(payload) + end + + # ❌ eval injection + def execute_dynamic_code(code) + eval(code) + end + + # ❌ Command Injection + def run_shell(user_input) + system("echo #{user_input}") + end + + # ❌ SQL Injection + def find_user(username) + DB.execute("CREATE TABLE IF NOT EXISTS users (name TEXT)") + DB.execute("INSERT INTO users (name) VALUES ('admin')") + DB.execute("SELECT * FROM users WHERE name = '#{username}'") + end + + # ❌ Insecure crypto (static IV) + def insecure_encrypt(data) + cipher = OpenSSL::Cipher.new("AES-128-CBC") + cipher.encrypt + cipher.key = MASTER_KEY[0..15] + cipher.iv = "AAAAAAAAAAAAAAAA" # static IV + cipher.update(data) + cipher.final + end + + # ❌ Insecure HTTP (no TLS validation) + def fetch_policy + Net::HTTP.get(URI("http://example.com")) + end + + # ❌ Mass assignment style slop + def update_config(params) + params.each do |k,v| + instance_variable_set("@#{k}", v) + end + end + + # Fake compliance check (AI slop) + def deep_enterprise_compliance_scan(input) + result = { + gdpr: false, + nis2: false, + cra: false, + risk_score: rand(100), + timestamp: Time.now + } + + if input.include?("GPL") + result[:license_risk] = "HIGH" + end + + if input.include?("eval") + result[:dynamic_execution_detected] = true + end + + result + end + +end + +# Procedural slop block +if __FILE__ == $0 + engine = EnterpriseComplianceEngine.new + + malicious_yaml = <<~YAML + --- !ruby/object:OpenStruct + table: + foo: bar + YAML + + engine.unsafe_yaml_deserialize(malicious_yaml) + + engine.execute_dynamic_code("puts 'RCE executed'") + + engine.run_shell("$(whoami)") + + engine.find_user("' OR 1=1 --") + + encrypted = engine.insecure_encrypt("sensitive data") + puts encrypted + + puts engine.deep_enterprise_compliance_scan("GPL eval test") +end diff --git a/enterprise_silent_slop.rb b/enterprise_silent_slop.rb new file mode 100644 index 0000000..26ff499 --- /dev/null +++ b/enterprise_silent_slop.rb @@ -0,0 +1,152 @@ +# enterprise_silent_slop.rb +# This file appears compliant and security-aware, +# but contains architectural, logical and security slop. +# +# Goal: Test deep Ruby security scanners & LLM-based analyzers. + +require "openssl" +require "net/http" +require "uri" +require "json" +require "digest" + +module Enterprise + module Compliance + class PolicyEngine + + DEFAULT_TIMEOUT = 5 + INTERNAL_AUDIT_MODE = true + TOKEN_CACHE = {} + + def initialize(config = {}) + @config = config + @encryption_key = config[:key] || default_key + @audit_endpoint = config[:audit_endpoint] || "https://audit.internal.local" + @feature_flags = config.fetch(:features, {}) + end + + # Looks safe: uses SHA256 + # Slop: no salt, no stretching β†’ predictable tokens + def issue_token(user_id) + token = Digest::SHA256.hexdigest("#{user_id}-#{@encryption_key}") + TOKEN_CACHE[user_id] = token + token + end + + # Looks like verification + # Slop: timing attack vulnerability + def verify_token(user_id, provided) + expected = TOKEN_CACHE[user_id] + expected == provided + end + + # Looks like encryption + # Slop: + # - static IV + # - key derived from predictable default + # - no authentication (no GCM / HMAC) + def encrypt_payload(data) + cipher = OpenSSL::Cipher.new("AES-256-CBC") + cipher.encrypt + cipher.key = Digest::SHA256.digest(@encryption_key) + cipher.iv = "0" * 16 + cipher.update(data.to_json) + cipher.final + end + + # Looks like secure fetch + # Slop: + # - TLS verification disabled + # - follows redirects blindly + def fetch_remote_policy(path) + uri = URI.join(@audit_endpoint, path) + + http = Net::HTTP.new(uri.host, uri.port) + http.use_ssl = uri.scheme == "https" + http.verify_mode = OpenSSL::SSL::VERIFY_NONE + + request = Net::HTTP::Get.new(uri) + request["X-Internal-Auth"] = internal_auth_header + + response = http.request(request) + JSON.parse(response.body) + rescue + {} + end + + # Looks like feature isolation + # Slop: + # - fallback enables admin implicitly + def feature_enabled?(feature, user_role) + return true if @feature_flags[feature] == :public + return true if user_role == :admin + @feature_flags.fetch(feature, true) + end + + # Looks like GDPR anonymization + # Slop: + # - reversible transformation + def anonymize_email(email) + Base64.encode64(email.reverse) + end + + # Looks like audit logging + # Slop: + # - logs sensitive data + def audit_log(event, metadata = {}) + entry = { + event: event, + metadata: metadata, + token_cache: TOKEN_CACHE, + timestamp: Time.now + } + + puts entry.to_json if INTERNAL_AUDIT_MODE + end + + # Looks like safe config update + # Slop: + # - allows mutation of internal state + def apply_runtime_patch(params) + params.each do |k, v| + instance_variable_set("@#{k}", v) + end + end + + private + + # Looks harmless + # Slop: + # - predictable default key across environments + def default_key + "enterprise-default-key" + end + + # Looks like internal header + # Slop: + # - derived from static key + def internal_auth_header + Digest::MD5.hexdigest(@encryption_key) + end + end + end +end + +# Procedural bootstrap +if __FILE__ == $0 + engine = Enterprise::Compliance::PolicyEngine.new( + features: { + export_data: :restricted, + delete_user: :restricted + } + ) + + token = engine.issue_token(42) + puts engine.verify_token(42, token) + + encrypted = engine.encrypt_payload({ email: "user@example.com" }) + puts encrypted.bytesize + + engine.audit_log("user_login", { email: "user@example.com", token: token }) + + engine.apply_runtime_patch({ encryption_key: "patched-key" }) +end diff --git a/slop.js b/slop.js deleted file mode 100644 index 557b4af..0000000 --- a/slop.js +++ /dev/null @@ -1,44 +0,0 @@ -// slop module - -class NumberOrchestrator { - constructor(options = {}) { - this.options = { - verbose: options.verbose ?? true, - factor: options.factor ?? 1, - }; - this._events = []; - } - - log(message) { - if (this.options.verbose) { - console.log("[NumberOrchestrator]", message); - } - this._events.push(message); - } - - transform(value) { - this.log(`transform:${value}`); - return value * this.options.factor; - } -// TODO Need fix - pipeline(values = []) { - this.log(`pipeline-start:length=${values.length}`); - const result = values.map((v, i) => { - this.log(`step:${i},value:${v}`); - return this.transform(v); - }); - this.log(`pipeline-end`); - return result; - } - - getEvents() { - return [...this._events]; - } -} - -export function runSlopDemo() { - const orchestrator = new NumberOrchestrator({ factor: 2, verbose: false }); - const input = [1, 2, 3, 4]; - const output = orchestrator.pipeline(input); - return { input, output, events: orchestrator.getEvents() }; -} diff --git a/slop.py b/slop.py deleted file mode 100644 index bb096d4..0000000 --- a/slop.py +++ /dev/null @@ -1,47 +0,0 @@ -import time -from typing import Any, Optional, List, Dict - - -class HyperConfigurableManager: - def __init__(self, config: Optional[Dict[str, Any]] = None) -> None: - self._config = config or {} - self._cache: Dict[str, Any] = {} - self._history: List[str] = [] - - def _log(self, message: str) -> None: - timestamp = time.strftime("%Y-%m-%d %H:%M:%S") - entry = f"[{timestamp}] {message}" - self._history.append(entry) - - def get(self, key: str, default: Any = None) -> Any: - if key in self._cache: - self._log(f"cache-hit:{key}") - return self._cache[key] - value = self._config.get(key, default) - self._cache[key] = value - self._log(f"cache-miss:{key}={value!r}") - return value - - def set(self, key: str, value: Any) -> None: - self._config[key] = value - self._cache[key] = value - self._log(f"set:{key}={value!r}") - - def dump_debug(self) -> str: - return "\n".join(self._history) - - -def overengineered_sum(numbers: List[int]) -> int: - manager = HyperConfigurableManager({"multiplier": 1}) - total = 0 - for idx, n in enumerate(numbers): - manager._log(f"processing-index:{idx},value:{n}") - total += n * manager.get("multiplier", 1) - manager._log(f"final-total:{total}") -# TODO Need fix - _ = manager.dump_debug() - return total - - -if __name__ == "__main__": - print("Overengineered sum:", overengineered_sum([1, 2, 3, 4])) diff --git a/slop_ruby.rb b/slop_ruby.rb new file mode 100644 index 0000000..453a204 --- /dev/null +++ b/slop_ruby.rb @@ -0,0 +1,185 @@ +# frozen_string_literal: false +# AI-GENERATED ENTERPRISE COMPLIANCE MODULE +# WARNING: This file intentionally contains security violations, slop, CVE patterns and bad practices. +# +# License: GPL-3.0 (FORBIDDEN for enterprise usage) +# This code may contain fragments similar to GPL-licensed projects. +# +# Known vulnerable dependencies (intentionally insecure): +# - rails 4.2.0 (CVE-2016-6316, CVE-2015-7576) +# - nokogiri 1.6.6 (CVE-2017-9050) +# - json 1.8.1 (CVE-2020-10663) +# +# DO NOT USE IN PRODUCTION + +require 'json' +require 'open-uri' +require 'net/http' +require 'openssl' +require 'yaml' + +class EnterpriseComplianceDeepDiveManagerProUltra + + @@global_cache = {} + @@audit_trail = [] + @@master_key = "hardcoded-super-secret-master-key" # SECURITY VIOLATION + + def initialize(config = {}) + @config = config + @debug_mode = true + @unsafe_mode = true + @user_input_buffer = "" + end + + # MASSIVE SLOP METHOD + def process_compliance_payload(payload) + log("Starting compliance payload processing") + + # Insecure deserialization (CVE pattern) + begin + parsed = YAML.load(payload) # RCE RISK + log("Parsed YAML successfully: #{parsed.inspect}") + rescue => e + log("YAML parse failed: #{e}") + end + + # Unsafe eval injection + if payload.include?("eval:") + code = payload.split("eval:").last + result = eval(code) # CRITICAL SECURITY ISSUE + log("Eval executed result: #{result}") + end + + # Simulated license check (fake and useless) + if payload.include?("GPL") + puts "⚠ Forbidden license detected but continuing anyway..." + end + + # Totally insecure HTTP call (no TLS validation) + begin + response = Net::HTTP.get(URI("http://example.com")) # HTTP not HTTPS + log("Fetched remote compliance policy: #{response[0..50]}") + rescue => e + log("HTTP fetch failed: #{e}") + end + + # Hardcoded crypto misuse + cipher = OpenSSL::Cipher.new("AES-128-CBC") + cipher.encrypt + cipher.key = @@master_key[0..15] # BAD KEY HANDLING + encrypted = cipher.update(payload.to_s) + cipher.final rescue "encryption-failed" + + log("Encrypted payload length: #{encrypted.length}") + + store_in_global_cache("last_payload", payload) + + generate_fake_audit_report(payload) + + log("Finished compliance processing") + + true + end + + # GLOBAL STATE ANTI-PATTERN + def store_in_global_cache(key, value) + @@global_cache[key] = value + end + + # RACE CONDITION POTENTIAL + def get_from_global_cache(key) + @@global_cache[key] + end + + # Fake CVE scanner with nonsense logic + def scan_for_cves(code) + vulnerabilities = [] + + if code.include?("YAML.load") + vulnerabilities << "CVE-2013-0156" + end + + if code.include?("eval") + vulnerabilities << "CVE-2019-5418" + end + + if code.include?("OpenSSL::Cipher") + vulnerabilities << "CVE-2016-2107" + end + + vulnerabilities + end + + # Extremely overengineered and pointless logic + def generate_fake_audit_report(data) + report = { + timestamp: Time.now, + data_hash: data.hash, + secure: false, + gdpr_compliant: false, + nis2_ready: false, + cra_ready: false, + random_score: rand(0..100), + audit_id: SecureRandom.hex(8) rescue "no-random" + } + + @@audit_trail << report + + if @debug_mode + puts JSON.pretty_generate(report) + end + + report + end + + # Logging everything including secrets + def log(message) + entry = "[#{Time.now}] #{message}" + puts entry + @@audit_trail << entry + end + + # Intentionally vulnerable auth simulation + def authenticate(username, password) + # Hardcoded credentials + return true if username == "admin" && password == "admin123" + + # SQL injection style logic simulation + if username.include?("' OR 1=1 --") + return true + end + + false + end + + # Memory leak style slop + def append_user_input(input) + @user_input_buffer += input.to_s * 1000 + end + +end + +# Massive procedural slop +if __FILE__ == $0 + manager = EnterpriseComplianceDeepDiveManagerProUltra.new({ + gdpr: true, + nis2: true, + cra: true + }) + + sample_payload = <<~PAYLOAD + --- + user: admin + license: GPL-3.0 + eval: system("echo exploited") + PAYLOAD + + manager.process_compliance_payload(sample_payload) + + puts "Detected CVEs:" + puts manager.scan_for_cves(File.read(__FILE__)).inspect + + puts "Authentication bypass test:" + puts manager.authenticate("' OR 1=1 --", "whatever") + + manager.append_user_input("AAAA") +end From d70329aa7e745ef560c9c382a1d8d206f5e09b86 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 19:28:37 +0100 Subject: [PATCH 2/8] test workfow compliance --- .github/workflows/analyze.yml | 86 +++++++++++++---------------------- 1 file changed, 32 insertions(+), 54 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 3031b2a..aaecde8 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,84 +1,62 @@ -name: AI Slop Gate GROQ Analysis +name: AI Slop Gate Static Analysis on: pull_request: branches: [ main ] + push: + branches: [ main ] + # Allows manual triggering of the workflow workflow_dispatch: +# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - llm-analysis: + static-analysis: runs-on: ubuntu-22.04 + timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Run AI Slop Gate (Gemini PR analysis) - id: slop_gate + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 + with: + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | + mkdir -p ~/.cache/ai-slop-gate docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run \ - --provider groq \ - --policy policy.yml \ - --github-repo "${{ github.repository }}" \ - --pr-id "${{ github.event.pull_request.number }}" \ - > llm_report.txt 2>&1 - - echo "=== RAW LLM REPORT ===" - cat llm_report.txt - - - name: Extract clean report - if: steps.slop_gate.outcome == 'failure' - run: | - sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md + run --compliance --path /data > raw_report.txt 2>&1 + + cat raw_report.txt - - name: Post PR Comment - if: steps.slop_gate.outcome == 'failure' + - name: Professional Static Report + if: steps.static_gate.outcome == 'failure' && github.event_name == 'pull_request' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "### πŸ€– AI Slop Gate LLM Analysis" > final_comment.md - echo "The LLM-based analysis detected policy violations." >> final_comment.md + sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md + echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md echo "" >> final_comment.md cat clean_report.md >> final_comment.md - - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - - - name: Label PR on Policy Violation - if: steps.slop_gate.outcome == 'failure' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - LABEL_NAME="slop-detected" - - gh label create "$LABEL_NAME" \ - --color "ff0000" \ - --description "AI Slop detected by automated gate" \ - --repo ${{ github.repository }} || true - - gh pr edit ${{ github.event.pull_request.number }} \ - --add-label "$LABEL_NAME" \ - --repo ${{ github.repository }} - - # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. - # - name: Close PR on Policy Violation - # if: steps.slop_gate.outcome == 'failure' - # env: - # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # run: | - # gh pr close ${{ github.event.pull_request.number }} \ - # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ - # --repo ${{ github.repository }} \ No newline at end of file + + gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} \ No newline at end of file From f41859d6f0de7cd386ddf23892e235860b63f46a Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 19:37:07 +0100 Subject: [PATCH 3/8] updated test workfow compliance --- .github/workflows/analyze.yml | 110 +++++++++++++++++++++++++++++----- 1 file changed, 95 insertions(+), 15 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index aaecde8..5f754f7 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,20 +1,18 @@ -name: AI Slop Gate Static Analysis +name: AI Slop Gate Compliance Analysis on: pull_request: branches: [ main ] push: branches: [ main ] - # Allows manual triggering of the workflow workflow_dispatch: -# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - static-analysis: + compliance-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 @@ -30,33 +28,115 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. - - name: Static Analysis (ai-slop-gate) - id: static_gate + # Run compliance analysis + - name: Compliance Analysis (ai-slop-gate) + id: compliance_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate + + # Run compliance check and capture output docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --compliance --path /data > raw_report.txt 2>&1 + run --compliance --policy /data/policy.yml --path /data > raw_report.txt 2>&1 + + EXIT_CODE=$? + # Always show report cat raw_report.txt + + # Save exit code for later steps + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}') + echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + + # Count findings + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}') + echo "findings=$FINDINGS" >> $GITHUB_OUTPUT + + # Exit with original code + exit $EXIT_CODE - - name: Professional Static Report - if: steps.static_gate.outcome == 'failure' && github.event_name == 'pull_request' + # Post comment on PR (always, not just on failure) + - name: Post Compliance Report to PR + if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + # Extract clean report (fix sed pattern) + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + # Determine emoji and status based on verdict + VERDICT="${{ steps.compliance_gate.outputs.verdict }}" + FINDINGS="${{ steps.compliance_gate.outputs.findings }}" + + if [ "$VERDICT" = "BLOCKING" ]; then + EMOJI="🚨" + STATUS="**BLOCKING** - Action Required" + COLOR="⚠️" + elif [ "$VERDICT" = "ADVISORY" ]; then + EMOJI="⚠️" + STATUS="**ADVISORY** - Review Recommended" + COLOR="πŸ“‹" + else + EMOJI="βœ…" + STATUS="**PASSED** - No Issues Found" + COLOR="✨" + fi + + # Create professional comment + cat > final_comment.md << EOF + ## $EMOJI AI Slop Gate Compliance Analysis + + **Status:** $STATUS + **Findings:** $FINDINGS issue(s) detected + + --- - echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md - echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md - echo "" >> final_comment.md + EOF + + # Append the clean report cat clean_report.md >> final_comment.md - gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} \ No newline at end of file + # Add footer + cat >> final_comment.md << EOF + + --- + +
+ πŸ“š How to fix violations + + ### License Violations (GPL/AGPL) + 1. Remove the dependency or find an alternative with a permissive license + 2. If the dependency is necessary, consult with legal team + 3. Add to \`.trivyignore\` only if approved by compliance team + + ### Data Residency Violations + 1. Ensure all endpoints use EU regions + 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. + 3. Remove references to US/AP regions + +
+ + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + # Post comment + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + # Set job status based on verdict + - name: Check Compliance Result + if: steps.compliance_gate.outputs.verdict == 'BLOCKING' + run: | + echo "❌ Compliance analysis found blocking violations" + exit 1 + \ No newline at end of file From 6a1171fb133c200fb01bbc172967029d6cb37409 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 19:39:05 +0100 Subject: [PATCH 4/8] test workfow gemini --- .github/workflows/analyze.yml | 158 +++++++++++----------------------- 1 file changed, 50 insertions(+), 108 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 5f754f7..26b52a3 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,10 +1,8 @@ -name: AI Slop Gate Compliance Analysis +name: AI Slop Gate Gemini Analysis on: pull_request: branches: [ main ] - push: - branches: [ main ] workflow_dispatch: permissions: @@ -12,131 +10,75 @@ permissions: contents: read jobs: - compliance-analysis: + llm-analysis: runs-on: ubuntu-22.04 - timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Cache ai-slop-gate cache directory - uses: actions/cache@v4 - with: - path: ~/.cache/ai-slop-gate - key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} - restore-keys: | - ai-slop-gate-cache-${{ runner.os }}- - - # Run compliance analysis - - name: Compliance Analysis (ai-slop-gate) - id: compliance_gate + - name: Run AI Slop Gate (Gemini PR analysis) + id: slop_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | - mkdir -p ~/.cache/ai-slop-gate - - # Run compliance check and capture output docker run --rm \ - -v "${{ github.workspace }}:/data" \ - -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ + -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --compliance --policy /data/policy.yml --path /data > raw_report.txt 2>&1 - - EXIT_CODE=$? - - # Always show report - cat raw_report.txt - - # Save exit code for later steps - echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT - - # Extract verdict - VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}') - echo "verdict=$VERDICT" >> $GITHUB_OUTPUT - - # Count findings - FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}') - echo "findings=$FINDINGS" >> $GITHUB_OUTPUT - - # Exit with original code - exit $EXIT_CODE + run \ + --provider gemini \ + --policy policy.yml \ + --github-repo "${{ github.repository }}" \ + --pr-id "${{ github.event.pull_request.number }}" \ + > llm_report.txt 2>&1 + + echo "=== RAW LLM REPORT ===" + cat llm_report.txt - # Post comment on PR (always, not just on failure) - - name: Post Compliance Report to PR - if: github.event_name == 'pull_request' && always() + - name: Extract clean report + if: steps.slop_gate.outcome == 'failure' + run: | + sed -n '/=== AI SLOP GATE LLM GEMINI REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md + + - name: Post PR Comment + if: steps.slop_gate.outcome == 'failure' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Extract clean report (fix sed pattern) - sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - - # Determine emoji and status based on verdict - VERDICT="${{ steps.compliance_gate.outputs.verdict }}" - FINDINGS="${{ steps.compliance_gate.outputs.findings }}" - - if [ "$VERDICT" = "BLOCKING" ]; then - EMOJI="🚨" - STATUS="**BLOCKING** - Action Required" - COLOR="⚠️" - elif [ "$VERDICT" = "ADVISORY" ]; then - EMOJI="⚠️" - STATUS="**ADVISORY** - Review Recommended" - COLOR="πŸ“‹" - else - EMOJI="βœ…" - STATUS="**PASSED** - No Issues Found" - COLOR="✨" - fi - - # Create professional comment - cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Compliance Analysis - - **Status:** $STATUS - **Findings:** $FINDINGS issue(s) detected - - --- - - EOF - - # Append the clean report + echo "### 🚨 AI Slop Gate LLM GEMINI Analysis" > final_comment.md + echo "The LLM-based analysis detected policy violations." >> final_comment.md + echo "" >> final_comment.md cat clean_report.md >> final_comment.md - - # Add footer - cat >> final_comment.md << EOF - - --- - -
- πŸ“š How to fix violations - - ### License Violations (GPL/AGPL) - 1. Remove the dependency or find an alternative with a permissive license - 2. If the dependency is necessary, consult with legal team - 3. Add to \`.trivyignore\` only if approved by compliance team - - ### Data Residency Violations - 1. Ensure all endpoints use EU regions - 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. - 3. Remove references to US/AP regions - -
- - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - # Post comment + gh pr comment ${{ github.event.pull_request.number }} \ --body-file final_comment.md \ --repo ${{ github.repository }} - # Set job status based on verdict - - name: Check Compliance Result - if: steps.compliance_gate.outputs.verdict == 'BLOCKING' + - name: Label PR on Policy Violation + if: steps.slop_gate.outcome == 'failure' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "❌ Compliance analysis found blocking violations" - exit 1 - \ No newline at end of file + LABEL_NAME="slop-detected" + + gh label create "$LABEL_NAME" \ + --color "ff0000" \ + --description "AI Slop detected by automated gate" \ + --repo ${{ github.repository }} || true + + gh pr edit ${{ github.event.pull_request.number }} \ + --add-label "$LABEL_NAME" \ + --repo ${{ github.repository }} + + # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. + # - name: Close PR on Policy Violation + # if: steps.slop_gate.outcome == 'failure' + # env: + # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # run: | + # gh pr close ${{ github.event.pull_request.number }} \ + # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ + # --repo ${{ github.repository }} \ No newline at end of file From 5d50528f10afe799256b043c29d418b07533d78d Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 19:44:32 +0100 Subject: [PATCH 5/8] test updated workfow compliance --- .github/workflows/analyze.yml | 165 +++++++++++++++++++++++----------- 1 file changed, 115 insertions(+), 50 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 26b52a3..f3ee5ef 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,8 +1,10 @@ -name: AI Slop Gate Gemini Analysis +name: AI Slop Gate Compliance Analysis on: pull_request: branches: [ main ] + push: + branches: [ main ] workflow_dispatch: permissions: @@ -10,75 +12,138 @@ permissions: contents: read jobs: - llm-analysis: + compliance-analysis: runs-on: ubuntu-22.04 + timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Run AI Slop Gate (Gemini PR analysis) - id: slop_gate + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 + with: + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run compliance analysis + - name: Compliance Analysis (ai-slop-gate) + id: compliance_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | + mkdir -p ~/.cache/ai-slop-gate + + # Run compliance check and capture output (don't fail on non-zero exit) + set +e # Disable exit on error temporarily docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run \ - --provider gemini \ - --policy policy.yml \ - --github-repo "${{ github.repository }}" \ - --pr-id "${{ github.event.pull_request.number }}" \ - > llm_report.txt 2>&1 - - echo "=== RAW LLM REPORT ===" - cat llm_report.txt + run --compliance --policy /data/policy.yml --path /data > raw_report.txt 2>&1 + + EXIT_CODE=$? + set -e # Re-enable exit on error + + # Always show report + cat raw_report.txt + + # Save exit code for later steps + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict (default to UNKNOWN if not found) + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") + echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + + # Count findings (default to 0 if not found) + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") + echo "findings=$FINDINGS" >> $GITHUB_OUTPUT + + # Log extracted values + echo "πŸ“Š Extracted values:" + echo " Exit code: $EXIT_CODE" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Don't fail here - let continue-on-error handle it + exit 0 - - name: Extract clean report - if: steps.slop_gate.outcome == 'failure' - run: | - sed -n '/=== AI SLOP GATE LLM GEMINI REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md - - - name: Post PR Comment - if: steps.slop_gate.outcome == 'failure' + # Post comment on PR (always, not just on failure) + - name: Post Compliance Report to PR + if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "### 🚨 AI Slop Gate LLM GEMINI Analysis" > final_comment.md - echo "The LLM-based analysis detected policy violations." >> final_comment.md - echo "" >> final_comment.md + # Extract clean report (fix sed pattern) + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + # Determine emoji and status based on verdict + VERDICT="${{ steps.compliance_gate.outputs.verdict }}" + FINDINGS="${{ steps.compliance_gate.outputs.findings }}" + + if [ "$VERDICT" = "BLOCKING" ]; then + EMOJI="🚨" + STATUS="**BLOCKING** - Action Required" + COLOR="⚠️" + elif [ "$VERDICT" = "ADVISORY" ]; then + EMOJI="⚠️" + STATUS="**ADVISORY** - Review Recommended" + COLOR="πŸ“‹" + else + EMOJI="βœ…" + STATUS="**PASSED** - No Issues Found" + COLOR="✨" + fi + + # Create professional comment + cat > final_comment.md << EOF + ## $EMOJI AI Slop Gate Compliance Analysis + + **Status:** $STATUS + **Findings:** $FINDINGS issue(s) detected + + --- + + EOF + + # Append the clean report cat clean_report.md >> final_comment.md - + + # Add footer + cat >> final_comment.md << EOF + + --- + +
+ πŸ“š How to fix violations + + ### License Violations (GPL/AGPL) + 1. Remove the dependency or find an alternative with a permissive license + 2. If the dependency is necessary, consult with legal team + 3. Add to \`.trivyignore\` only if approved by compliance team + + ### Data Residency Violations + 1. Ensure all endpoints use EU regions + 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. + 3. Remove references to US/AP regions + +
+ + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + # Post comment gh pr comment ${{ github.event.pull_request.number }} \ --body-file final_comment.md \ --repo ${{ github.repository }} - - name: Label PR on Policy Violation - if: steps.slop_gate.outcome == 'failure' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Set job status based on verdict + - name: Check Compliance Result + if: steps.compliance_gate.outputs.verdict == 'BLOCKING' run: | - LABEL_NAME="slop-detected" - - gh label create "$LABEL_NAME" \ - --color "ff0000" \ - --description "AI Slop detected by automated gate" \ - --repo ${{ github.repository }} || true - - gh pr edit ${{ github.event.pull_request.number }} \ - --add-label "$LABEL_NAME" \ - --repo ${{ github.repository }} - - # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. - # - name: Close PR on Policy Violation - # if: steps.slop_gate.outcome == 'failure' - # env: - # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # run: | - # gh pr close ${{ github.event.pull_request.number }} \ - # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ - # --repo ${{ github.repository }} \ No newline at end of file + echo "❌ Compliance analysis found blocking violations" + exit 1 From 6fce1a8a12aae4ef6f0f06848fee67d7ae29a873 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 20:37:37 +0100 Subject: [PATCH 6/8] created java test slop --- .github/workflows/analyze.yml | 118 ++--------- ComplianceFacade.java | 47 +++++ DynamicClassLoaderSlop.java | 34 ++++ ...riseComplianceDeepDiveManagerProUltra.java | 146 ++++++++++++++ Gemfile => EnterpriseSilentSlop.java | 0 Gemfile.lock | 11 -- ReflectionBomb.java | 62 ++++++ ..._silent_slop.rb => UnsafeNativeBridge.java | 0 app.rb | 128 ------------ slop_ruby.rb | 185 ------------------ 10 files changed, 305 insertions(+), 426 deletions(-) create mode 100644 ComplianceFacade.java create mode 100644 DynamicClassLoaderSlop.java create mode 100644 EnterpriseComplianceDeepDiveManagerProUltra.java rename Gemfile => EnterpriseSilentSlop.java (100%) delete mode 100644 Gemfile.lock create mode 100644 ReflectionBomb.java rename enterprise_silent_slop.rb => UnsafeNativeBridge.java (100%) delete mode 100644 app.rb delete mode 100644 slop_ruby.rb diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index f3ee5ef..372ca98 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,18 +1,20 @@ -name: AI Slop Gate Compliance Analysis +name: AI Slop Gate Static Analysis on: pull_request: branches: [ main ] push: branches: [ main ] + # Allows manual triggering of the workflow workflow_dispatch: +# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - compliance-analysis: + static-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 @@ -28,122 +30,34 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run compliance analysis - - name: Compliance Analysis (ai-slop-gate) - id: compliance_gate + # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate - - # Run compliance check and capture output (don't fail on non-zero exit) - set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --compliance --policy /data/policy.yml --path /data > raw_report.txt 2>&1 - - EXIT_CODE=$? - set -e # Re-enable exit on error + run --provider static --path /data > raw_report.txt 2>&1 - # Always show report cat raw_report.txt - - # Save exit code for later steps - echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT - - # Extract verdict (default to UNKNOWN if not found) - VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") - echo "verdict=$VERDICT" >> $GITHUB_OUTPUT - - # Count findings (default to 0 if not found) - FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") - echo "findings=$FINDINGS" >> $GITHUB_OUTPUT - - # Log extracted values - echo "πŸ“Š Extracted values:" - echo " Exit code: $EXIT_CODE" - echo " Verdict: $VERDICT" - echo " Findings: $FINDINGS" - - # Don't fail here - let continue-on-error handle it - exit 0 - # Post comment on PR (always, not just on failure) - - name: Post Compliance Report to PR - if: github.event_name == 'pull_request' && always() + - name: Professional Static Report + if: steps.static_gate.outcome == 'failure' && github.event_name == 'pull_request' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Extract clean report (fix sed pattern) - sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - - # Determine emoji and status based on verdict - VERDICT="${{ steps.compliance_gate.outputs.verdict }}" - FINDINGS="${{ steps.compliance_gate.outputs.findings }}" - - if [ "$VERDICT" = "BLOCKING" ]; then - EMOJI="🚨" - STATUS="**BLOCKING** - Action Required" - COLOR="⚠️" - elif [ "$VERDICT" = "ADVISORY" ]; then - EMOJI="⚠️" - STATUS="**ADVISORY** - Review Recommended" - COLOR="πŸ“‹" - else - EMOJI="βœ…" - STATUS="**PASSED** - No Issues Found" - COLOR="✨" - fi - - # Create professional comment - cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Compliance Analysis - - **Status:** $STATUS - **Findings:** $FINDINGS issue(s) detected + sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - --- - - EOF - - # Append the clean report + echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md + echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md + echo "" >> final_comment.md cat clean_report.md >> final_comment.md - # Add footer - cat >> final_comment.md << EOF - - --- - -
- πŸ“š How to fix violations - - ### License Violations (GPL/AGPL) - 1. Remove the dependency or find an alternative with a permissive license - 2. If the dependency is necessary, consult with legal team - 3. Add to \`.trivyignore\` only if approved by compliance team - - ### Data Residency Violations - 1. Ensure all endpoints use EU regions - 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. - 3. Remove references to US/AP regions - -
- - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - # Post comment - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - - # Set job status based on verdict - - name: Check Compliance Result - if: steps.compliance_gate.outputs.verdict == 'BLOCKING' - run: | - echo "❌ Compliance analysis found blocking violations" - exit 1 + gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} + \ No newline at end of file diff --git a/ComplianceFacade.java b/ComplianceFacade.java new file mode 100644 index 0000000..0602aa6 --- /dev/null +++ b/ComplianceFacade.java @@ -0,0 +1,47 @@ +package slop; + +import java.util.*; + +public class ComplianceFacade { + + // TODO: replace with real config loader (never happens) + private static final Map CONFIG = new HashMap<>(); + + static { + CONFIG.put("nativeLib", "libinsecure.so"); // TODO: externalize + CONFIG.put("remoteJarUrl", "http://malicious.internal.local/evil.jar"); // TODO: move to config + CONFIG.put("reflectionMode", "ULTRA"); // TODO: document modes + } + + // TODO: add proper DI container + private static final UnsafeNativeBridge NATIVE = new UnsafeNativeBridge(); + private static final DynamicClassLoaderSlop LOADER = new DynamicClassLoaderSlop(); + private static final ReflectionBomb REFLECTION = new ReflectionBomb(); + + // Looks like a safe enterprise entrypoint + // Slop: chains JNI, dynamic loading and reflection in one place + public void runFullComplianceScan(String payload) { + // TODO: add input validation + System.out.println("[ComplianceFacade] Starting full compliance scan..."); + + // JNI RCE-ish behavior + NATIVE.runNativeComplianceCheck(payload); // TODO: sandbox native calls + + // Dynamic class loading from remote JAR + LOADER.loadAndExecuteRemoteModule((String) CONFIG.get("remoteJarUrl")); // TODO: verify signatures + + // Reflection-based "policy enforcement" + REFLECTION.enforcePolicyViaReflection("slop.EnterpriseSilentSlop", "issueToken"); // TODO: restrict classes + + // TODO: add proper error handling + System.out.println("[ComplianceFacade] Compliance scan finished (probably)."); + } + + // Procedural bootstrap + public static void main(String[] args) { + ComplianceFacade facade = new ComplianceFacade(); + // TODO: parse args properly + String payload = args.length > 0 ? args[0] : "default-payload"; + facade.runFullComplianceScan(payload); + } +} diff --git a/DynamicClassLoaderSlop.java b/DynamicClassLoaderSlop.java new file mode 100644 index 0000000..10ae2c3 --- /dev/null +++ b/DynamicClassLoaderSlop.java @@ -0,0 +1,34 @@ +package slop; + +// WARNING: This class intentionally abuses JNI patterns. +// It is NOT safe and exists only to test analyzers. + +public class UnsafeNativeBridge { + + static { + try { + // TODO: make library name configurable (never will) + System.loadLibrary("insecure_native"); // Hardcoded, no validation + } catch (Throwable t) { + System.err.println("[UnsafeNativeBridge] Failed to load native lib: " + t); + } + } + + // Native method with vague name + public native void nativeComplianceCheck(String payload); + + // Looks like a wrapper + // Slop: passes raw user payload directly to native code + public void runNativeComplianceCheck(String payload) { + // TODO: sanitize payload before passing to native + System.out.println("[UnsafeNativeBridge] Running native compliance check..."); + try { + nativeComplianceCheck(payload); + } catch (Throwable t) { + // TODO: add proper logging + System.err.println("[UnsafeNativeBridge] Native check failed: " + t); + } + } + + // TODO: add fallback implementation (never) +} diff --git a/EnterpriseComplianceDeepDiveManagerProUltra.java b/EnterpriseComplianceDeepDiveManagerProUltra.java new file mode 100644 index 0000000..f955a8e --- /dev/null +++ b/EnterpriseComplianceDeepDiveManagerProUltra.java @@ -0,0 +1,146 @@ +// EnterpriseSilentSlop.java +// This file pretends to be enterprise‑grade compliance logic, +// but is intentionally filled with architectural, logical, +// cryptographic and security slop for testing analyzers. + +import javax.crypto.Cipher; +import javax.crypto.spec.SecretKeySpec; +import java.io.*; +import java.net.*; +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.sql.*; +import java.util.*; + +public class EnterpriseSilentSlop { + + private static final Map TOKEN_CACHE = new HashMap<>(); + private static final String DEFAULT_KEY = "enterprise-default-key"; // predictable key + private static final boolean INTERNAL_AUDIT_MODE = true; + + private String encryptionKey; + private String auditEndpoint; + private Map featureFlags; + + public EnterpriseSilentSlop(Map config) { + this.encryptionKey = (String) config.getOrDefault("key", DEFAULT_KEY); + this.auditEndpoint = (String) config.getOrDefault("audit_endpoint", "http://audit.internal.local"); + this.featureFlags = (Map) config.getOrDefault("features", new HashMap<>()); + } + + // Looks safe: SHA-256 + // Slop: predictable tokens, no salt, no stretching + public String issueToken(String userId) { + try { + MessageDigest digest = MessageDigest.getInstance("SHA-256"); + String token = Base64.getEncoder().encodeToString( + digest.digest((userId + "-" + encryptionKey).getBytes(StandardCharsets.UTF_8)) + ); + TOKEN_CACHE.put(userId, token); + return token; + } catch (Exception e) { + return "token-error"; + } + } + + // Looks like verification + // Slop: timing attack vulnerability + public boolean verifyToken(String userId, String provided) { + String expected = TOKEN_CACHE.get(userId); + return expected != null && expected.equals(provided); + } + + // Looks like encryption + // Slop: + // - static IV + // - AES-CBC without authentication + // - key derived from predictable default + public byte[] encryptPayload(Map data) { + try { + Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); + SecretKeySpec key = new SecretKeySpec(DEFAULT_KEY.getBytes(), "AES"); + cipher.init(Cipher.ENCRYPT_MODE, key, new javax.crypto.spec.IvParameterSpec("0000000000000000".getBytes())); + return cipher.doFinal(data.toString().getBytes()); + } catch (Exception e) { + return "encryption-failed".getBytes(); + } + } + + // Looks like secure fetch + // Slop: + // - HTTP instead of HTTPS + // - no TLS validation + // - SSRF possible + public String fetchRemotePolicy(String path) { + try { + URL url = new URL(auditEndpoint + path); + HttpURLConnection conn = (HttpURLConnection) url.openConnection(); + conn.setInstanceFollowRedirects(true); + conn.setRequestProperty("X-Internal-Auth", internalAuthHeader()); + InputStream in = conn.getInputStream(); + return new String(in.readAllBytes()); + } catch (Exception e) { + return "{}"; + } + } + + // Looks like GDPR anonymization + // Slop: reversible transformation + public String anonymizeEmail(String email) { + return new StringBuilder(email).reverse().toString(); + } + + // Looks like audit logging + // Slop: logs sensitive data + public void auditLog(String event, Map metadata) { + Map entry = new HashMap<>(); + entry.put("event", event); + entry.put("metadata", metadata); + entry.put("token_cache", TOKEN_CACHE); + entry.put("timestamp", new Date()); + + if (INTERNAL_AUDIT_MODE) { + System.out.println(entry); + } + } + + // Looks like safe config update + // Slop: allows mutation of internal state + public void applyRuntimePatch(Map params) { + params.forEach((k, v) -> { + try { + var field = this.getClass().getDeclaredField(k); + field.setAccessible(true); + field.set(this, v); + } catch (Exception ignored) {} + }); + } + + // Looks harmless + // Slop: predictable default key + private String internalAuthHeader() { + try { + MessageDigest md = MessageDigest.getInstance("MD5"); + return Base64.getEncoder().encodeToString(md.digest(encryptionKey.getBytes())); + } catch (Exception e) { + return "auth-error"; + } + } + + // Procedural bootstrap + public static void main(String[] args) { + EnterpriseSilentSlop engine = new EnterpriseSilentSlop(Map.of( + "features", Map.of("export_data", "restricted") + )); + + String token = engine.issueToken("42"); + System.out.println(engine.verifyToken("42", token)); + + byte[] encrypted = engine.encryptPayload(Map.of("email", "user@example.com")); + System.out.println(encrypted.length); + + engine.auditLog("user_login", Map.of("email", "user@example.com", "token", token)); + + engine.applyRuntimePatch(Map.of("encryptionKey", "patched-key")); + } +} diff --git a/Gemfile b/EnterpriseSilentSlop.java similarity index 100% rename from Gemfile rename to EnterpriseSilentSlop.java diff --git a/Gemfile.lock b/Gemfile.lock deleted file mode 100644 index 6b92ade..0000000 --- a/Gemfile.lock +++ /dev/null @@ -1,11 +0,0 @@ -GEM - specs: - -PLATFORMS - ruby - x86_64-linux - -DEPENDENCIES - -BUNDLED WITH - 2.6.3 diff --git a/ReflectionBomb.java b/ReflectionBomb.java new file mode 100644 index 0000000..e6cfaec --- /dev/null +++ b/ReflectionBomb.java @@ -0,0 +1,62 @@ +package slop; + +import java.lang.reflect.*; + +// WARNING: This class intentionally abuses reflection. + +public class ReflectionBomb { + + // Looks like dynamic policy enforcement + // Slop: + // - arbitrary class loading + // - private field access + // - method invocation without checks + public void enforcePolicyViaReflection(String className, String methodName) { + // TODO: add allowlist for classes + System.out.println("[ReflectionBomb] Enforcing policy via reflection on " + className + "#" + methodName); + try { + Class clazz = Class.forName(className); + Object instance = null; + + try { + instance = clazz.getDeclaredConstructor().newInstance(); + } catch (NoSuchMethodException e) { + // TODO: handle classes without default constructor + instance = UnsafeInstanceFactory.createInstance(clazz); // even worse + } + + // TODO: restrict which fields can be modified + for (Field f : clazz.getDeclaredFields()) { + f.setAccessible(true); + if (f.getType() == String.class) { + f.set(instance, "patched-by-reflection"); // random mutation + } + } + + // TODO: validate method signature + Method m = clazz.getDeclaredMethod(methodName, String.class); + m.setAccessible(true); + Object result = m.invoke(instance, "reflection-payload"); + System.out.println("[ReflectionBomb] Result: " + result); + + } catch (Throwable t) { + System.err.println("[ReflectionBomb] Reflection enforcement failed: " + t); + } + } + + // Inner helper with even Π±Ρ–Π»ΡŒΡˆΠ΅ слопу + static class UnsafeInstanceFactory { + // Uses sun.misc.Unsafe‑подібний ΠΏΠ°Ρ‚Π΅Ρ€Π½ (імітація) + static Object createInstance(Class clazz) { + // TODO: replace with safe instantiation (never) + try { + Constructor[] ctors = clazz.getDeclaredConstructors(); + if (ctors.length > 0) { + ctors[0].setAccessible(true); + return ctors[0].newInstance(); + } + } catch (Exception ignored) {} + return null; + } + } +} diff --git a/enterprise_silent_slop.rb b/UnsafeNativeBridge.java similarity index 100% rename from enterprise_silent_slop.rb rename to UnsafeNativeBridge.java diff --git a/app.rb b/app.rb deleted file mode 100644 index de9db59..0000000 --- a/app.rb +++ /dev/null @@ -1,128 +0,0 @@ -# frozen_string_literal: false -# License: GPL-3.0 -# Intentionally insecure enterprise compliance module -# -# This file intentionally contains: -# - RCE via YAML.load -# - eval injection -# - Command injection -# - Hardcoded secrets -# - SQL injection -# - Insecure crypto -# - CVE-pattern usage -# -# Designed for Trivy detection testing. - -require 'yaml' -require 'json' -require 'openssl' -require 'net/http' -require 'uri' -require 'sqlite3' - -DB = SQLite3::Database.new(":memory:") - -# Hardcoded secret (Trivy secret scanner) -MASTER_KEY = "SUPER_SECRET_PRODUCTION_KEY_123456" -AWS_SECRET_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE" -PRIVATE_RSA_KEY = <<~KEY ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAtestfakekeyfortrivyexample123456789 ------END RSA PRIVATE KEY----- -KEY - -class EnterpriseComplianceEngine - - def initialize - @debug = true - end - - # ❌ RCE via YAML (CVE-2013-0156 pattern) - def unsafe_yaml_deserialize(payload) - YAML.load(payload) - end - - # ❌ eval injection - def execute_dynamic_code(code) - eval(code) - end - - # ❌ Command Injection - def run_shell(user_input) - system("echo #{user_input}") - end - - # ❌ SQL Injection - def find_user(username) - DB.execute("CREATE TABLE IF NOT EXISTS users (name TEXT)") - DB.execute("INSERT INTO users (name) VALUES ('admin')") - DB.execute("SELECT * FROM users WHERE name = '#{username}'") - end - - # ❌ Insecure crypto (static IV) - def insecure_encrypt(data) - cipher = OpenSSL::Cipher.new("AES-128-CBC") - cipher.encrypt - cipher.key = MASTER_KEY[0..15] - cipher.iv = "AAAAAAAAAAAAAAAA" # static IV - cipher.update(data) + cipher.final - end - - # ❌ Insecure HTTP (no TLS validation) - def fetch_policy - Net::HTTP.get(URI("http://example.com")) - end - - # ❌ Mass assignment style slop - def update_config(params) - params.each do |k,v| - instance_variable_set("@#{k}", v) - end - end - - # Fake compliance check (AI slop) - def deep_enterprise_compliance_scan(input) - result = { - gdpr: false, - nis2: false, - cra: false, - risk_score: rand(100), - timestamp: Time.now - } - - if input.include?("GPL") - result[:license_risk] = "HIGH" - end - - if input.include?("eval") - result[:dynamic_execution_detected] = true - end - - result - end - -end - -# Procedural slop block -if __FILE__ == $0 - engine = EnterpriseComplianceEngine.new - - malicious_yaml = <<~YAML - --- !ruby/object:OpenStruct - table: - foo: bar - YAML - - engine.unsafe_yaml_deserialize(malicious_yaml) - - engine.execute_dynamic_code("puts 'RCE executed'") - - engine.run_shell("$(whoami)") - - engine.find_user("' OR 1=1 --") - - encrypted = engine.insecure_encrypt("sensitive data") - puts encrypted - - puts engine.deep_enterprise_compliance_scan("GPL eval test") -end diff --git a/slop_ruby.rb b/slop_ruby.rb deleted file mode 100644 index 453a204..0000000 --- a/slop_ruby.rb +++ /dev/null @@ -1,185 +0,0 @@ -# frozen_string_literal: false -# AI-GENERATED ENTERPRISE COMPLIANCE MODULE -# WARNING: This file intentionally contains security violations, slop, CVE patterns and bad practices. -# -# License: GPL-3.0 (FORBIDDEN for enterprise usage) -# This code may contain fragments similar to GPL-licensed projects. -# -# Known vulnerable dependencies (intentionally insecure): -# - rails 4.2.0 (CVE-2016-6316, CVE-2015-7576) -# - nokogiri 1.6.6 (CVE-2017-9050) -# - json 1.8.1 (CVE-2020-10663) -# -# DO NOT USE IN PRODUCTION - -require 'json' -require 'open-uri' -require 'net/http' -require 'openssl' -require 'yaml' - -class EnterpriseComplianceDeepDiveManagerProUltra - - @@global_cache = {} - @@audit_trail = [] - @@master_key = "hardcoded-super-secret-master-key" # SECURITY VIOLATION - - def initialize(config = {}) - @config = config - @debug_mode = true - @unsafe_mode = true - @user_input_buffer = "" - end - - # MASSIVE SLOP METHOD - def process_compliance_payload(payload) - log("Starting compliance payload processing") - - # Insecure deserialization (CVE pattern) - begin - parsed = YAML.load(payload) # RCE RISK - log("Parsed YAML successfully: #{parsed.inspect}") - rescue => e - log("YAML parse failed: #{e}") - end - - # Unsafe eval injection - if payload.include?("eval:") - code = payload.split("eval:").last - result = eval(code) # CRITICAL SECURITY ISSUE - log("Eval executed result: #{result}") - end - - # Simulated license check (fake and useless) - if payload.include?("GPL") - puts "⚠ Forbidden license detected but continuing anyway..." - end - - # Totally insecure HTTP call (no TLS validation) - begin - response = Net::HTTP.get(URI("http://example.com")) # HTTP not HTTPS - log("Fetched remote compliance policy: #{response[0..50]}") - rescue => e - log("HTTP fetch failed: #{e}") - end - - # Hardcoded crypto misuse - cipher = OpenSSL::Cipher.new("AES-128-CBC") - cipher.encrypt - cipher.key = @@master_key[0..15] # BAD KEY HANDLING - encrypted = cipher.update(payload.to_s) + cipher.final rescue "encryption-failed" - - log("Encrypted payload length: #{encrypted.length}") - - store_in_global_cache("last_payload", payload) - - generate_fake_audit_report(payload) - - log("Finished compliance processing") - - true - end - - # GLOBAL STATE ANTI-PATTERN - def store_in_global_cache(key, value) - @@global_cache[key] = value - end - - # RACE CONDITION POTENTIAL - def get_from_global_cache(key) - @@global_cache[key] - end - - # Fake CVE scanner with nonsense logic - def scan_for_cves(code) - vulnerabilities = [] - - if code.include?("YAML.load") - vulnerabilities << "CVE-2013-0156" - end - - if code.include?("eval") - vulnerabilities << "CVE-2019-5418" - end - - if code.include?("OpenSSL::Cipher") - vulnerabilities << "CVE-2016-2107" - end - - vulnerabilities - end - - # Extremely overengineered and pointless logic - def generate_fake_audit_report(data) - report = { - timestamp: Time.now, - data_hash: data.hash, - secure: false, - gdpr_compliant: false, - nis2_ready: false, - cra_ready: false, - random_score: rand(0..100), - audit_id: SecureRandom.hex(8) rescue "no-random" - } - - @@audit_trail << report - - if @debug_mode - puts JSON.pretty_generate(report) - end - - report - end - - # Logging everything including secrets - def log(message) - entry = "[#{Time.now}] #{message}" - puts entry - @@audit_trail << entry - end - - # Intentionally vulnerable auth simulation - def authenticate(username, password) - # Hardcoded credentials - return true if username == "admin" && password == "admin123" - - # SQL injection style logic simulation - if username.include?("' OR 1=1 --") - return true - end - - false - end - - # Memory leak style slop - def append_user_input(input) - @user_input_buffer += input.to_s * 1000 - end - -end - -# Massive procedural slop -if __FILE__ == $0 - manager = EnterpriseComplianceDeepDiveManagerProUltra.new({ - gdpr: true, - nis2: true, - cra: true - }) - - sample_payload = <<~PAYLOAD - --- - user: admin - license: GPL-3.0 - eval: system("echo exploited") - PAYLOAD - - manager.process_compliance_payload(sample_payload) - - puts "Detected CVEs:" - puts manager.scan_for_cves(File.read(__FILE__)).inspect - - puts "Authentication bypass test:" - puts manager.authenticate("' OR 1=1 --", "whatever") - - manager.append_user_input("AAAA") -end From 0b8110e44f9e5a885649747cbbbd255d238f9852 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 20:42:22 +0100 Subject: [PATCH 7/8] test slop java provider gemini --- .github/workflows/analyze.yml | 87 ++++++++++++++++++++++------------- 1 file changed, 54 insertions(+), 33 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 372ca98..26b52a3 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,63 +1,84 @@ -name: AI Slop Gate Static Analysis +name: AI Slop Gate Gemini Analysis on: pull_request: branches: [ main ] - push: - branches: [ main ] - # Allows manual triggering of the workflow workflow_dispatch: -# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - static-analysis: + llm-analysis: runs-on: ubuntu-22.04 - timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Cache ai-slop-gate cache directory - uses: actions/cache@v4 - with: - path: ~/.cache/ai-slop-gate - key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} - restore-keys: | - ai-slop-gate-cache-${{ runner.os }}- - - # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. - - name: Static Analysis (ai-slop-gate) - id: static_gate + - name: Run AI Slop Gate (Gemini PR analysis) + id: slop_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | - mkdir -p ~/.cache/ai-slop-gate docker run --rm \ - -v "${{ github.workspace }}:/data" \ - -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ + -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider static --path /data > raw_report.txt 2>&1 - - cat raw_report.txt + run \ + --provider gemini \ + --policy policy.yml \ + --github-repo "${{ github.repository }}" \ + --pr-id "${{ github.event.pull_request.number }}" \ + > llm_report.txt 2>&1 + + echo "=== RAW LLM REPORT ===" + cat llm_report.txt + + - name: Extract clean report + if: steps.slop_gate.outcome == 'failure' + run: | + sed -n '/=== AI SLOP GATE LLM GEMINI REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md - - name: Professional Static Report - if: steps.static_gate.outcome == 'failure' && github.event_name == 'pull_request' + - name: Post PR Comment + if: steps.slop_gate.outcome == 'failure' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - - echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md - echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md + echo "### 🚨 AI Slop Gate LLM GEMINI Analysis" > final_comment.md + echo "The LLM-based analysis detected policy violations." >> final_comment.md echo "" >> final_comment.md cat clean_report.md >> final_comment.md - - gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} - \ No newline at end of file + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + - name: Label PR on Policy Violation + if: steps.slop_gate.outcome == 'failure' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + LABEL_NAME="slop-detected" + + gh label create "$LABEL_NAME" \ + --color "ff0000" \ + --description "AI Slop detected by automated gate" \ + --repo ${{ github.repository }} || true + + gh pr edit ${{ github.event.pull_request.number }} \ + --add-label "$LABEL_NAME" \ + --repo ${{ github.repository }} + + # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. + # - name: Close PR on Policy Violation + # if: steps.slop_gate.outcome == 'failure' + # env: + # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # run: | + # gh pr close ${{ github.event.pull_request.number }} \ + # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ + # --repo ${{ github.repository }} \ No newline at end of file From 8ba86525fafa330f8709fd7f45a0c522c2fcfaad Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 20:45:47 +0100 Subject: [PATCH 8/8] test slop java provider static --- .github/workflows/analyze.yml | 87 +++++++++++++---------------------- 1 file changed, 33 insertions(+), 54 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 26b52a3..372ca98 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,84 +1,63 @@ -name: AI Slop Gate Gemini Analysis +name: AI Slop Gate Static Analysis on: pull_request: branches: [ main ] + push: + branches: [ main ] + # Allows manual triggering of the workflow workflow_dispatch: +# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - llm-analysis: + static-analysis: runs-on: ubuntu-22.04 + timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Run AI Slop Gate (Gemini PR analysis) - id: slop_gate + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 + with: + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | + mkdir -p ~/.cache/ai-slop-gate docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run \ - --provider gemini \ - --policy policy.yml \ - --github-repo "${{ github.repository }}" \ - --pr-id "${{ github.event.pull_request.number }}" \ - > llm_report.txt 2>&1 - - echo "=== RAW LLM REPORT ===" - cat llm_report.txt - - - name: Extract clean report - if: steps.slop_gate.outcome == 'failure' - run: | - sed -n '/=== AI SLOP GATE LLM GEMINI REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md + run --provider static --path /data > raw_report.txt 2>&1 + + cat raw_report.txt - - name: Post PR Comment - if: steps.slop_gate.outcome == 'failure' + - name: Professional Static Report + if: steps.static_gate.outcome == 'failure' && github.event_name == 'pull_request' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "### 🚨 AI Slop Gate LLM GEMINI Analysis" > final_comment.md - echo "The LLM-based analysis detected policy violations." >> final_comment.md + sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md + echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md echo "" >> final_comment.md cat clean_report.md >> final_comment.md - - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - - - name: Label PR on Policy Violation - if: steps.slop_gate.outcome == 'failure' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - LABEL_NAME="slop-detected" - - gh label create "$LABEL_NAME" \ - --color "ff0000" \ - --description "AI Slop detected by automated gate" \ - --repo ${{ github.repository }} || true - - gh pr edit ${{ github.event.pull_request.number }} \ - --add-label "$LABEL_NAME" \ - --repo ${{ github.repository }} - - # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. - # - name: Close PR on Policy Violation - # if: steps.slop_gate.outcome == 'failure' - # env: - # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # run: | - # gh pr close ${{ github.event.pull_request.number }} \ - # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ - # --repo ${{ github.repository }} \ No newline at end of file + + gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} + \ No newline at end of file