From 5eefc8f742dc45e97223a231ca4c3d05b7f90fa1 Mon Sep 17 00:00:00 2001
From: serhiy
Date: Sun, 15 Feb 2026 19:15:24 +0100
Subject: [PATCH 01/54] created ruby test slop
---
.github/workflows/analyze.yml | 84 +++++++++++++++
Dockerfile | 21 ----
Gemfile | 14 +++
Gemfile.lock | 11 ++
app.rb | 128 +++++++++++++++++++++++
enterprise_silent_slop.rb | 152 ++++++++++++++++++++++++++++
slop.js | 44 --------
slop.py | 47 ---------
slop_ruby.rb | 185 ++++++++++++++++++++++++++++++++++
9 files changed, 574 insertions(+), 112 deletions(-)
create mode 100644 .github/workflows/analyze.yml
delete mode 100644 Dockerfile
create mode 100644 Gemfile
create mode 100644 Gemfile.lock
create mode 100644 app.rb
create mode 100644 enterprise_silent_slop.rb
delete mode 100644 slop.js
delete mode 100644 slop.py
create mode 100644 slop_ruby.rb
diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml
new file mode 100644
index 0000000..3031b2a
--- /dev/null
+++ b/.github/workflows/analyze.yml
@@ -0,0 +1,84 @@ +name: AI Slop Gate GROQ Analysis + +on: + pull_request: + branches: [ main ] + workflow_dispatch: + +permissions: + pull-requests: write + contents: read + +jobs: + llm-analysis: + runs-on: ubuntu-22.04 + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run AI Slop Gate (Gemini PR analysis) + id: slop_gate + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} + continue-on-error: true + run: | + docker run --rm \ + -e GITHUB_TOKEN \ + -e SLOPE_GATE_GROQ \ + ghcr.io/sergudo/ai-slop-gate:latest \ + run \ + --provider groq \ + --policy policy.yml \ + --github-repo "${{ github.repository }}" \ + --pr-id "${{ github.event.pull_request.number }}" \ + > llm_report.txt 2>&1 + + echo "=== RAW LLM REPORT ===" + cat llm_report.txt + + - name: Extract clean report + if: steps.slop_gate.outcome == 'failure' + run: | + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md + + - name: Post PR Comment + if: steps.slop_gate.outcome == 'failure' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "### πŸ€– AI Slop Gate LLM Analysis" > final_comment.md + echo "The LLM-based analysis detected policy violations." 
>> final_comment.md + echo "" >> final_comment.md + cat clean_report.md >> final_comment.md + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + - name: Label PR on Policy Violation + if: steps.slop_gate.outcome == 'failure' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + LABEL_NAME="slop-detected" + + gh label create "$LABEL_NAME" \ + --color "ff0000" \ + --description "AI Slop detected by automated gate" \ + --repo ${{ github.repository }} || true + + gh pr edit ${{ github.event.pull_request.number }} \ + --add-label "$LABEL_NAME" \ + --repo ${{ github.repository }} + + # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. + # - name: Close PR on Policy Violation + # if: steps.slop_gate.outcome == 'failure' + # env: + # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # run: | + # gh pr close ${{ github.event.pull_request.number }} \ + # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ + # --repo ${{ github.repository }} \ No newline at end of file diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 7a78959..0000000 --- a/Dockerfile +++ /dev/null @@ -1,21 +0,0 @@ -FROM python:3.12-slim AS base - -ENV PYTHONDONTWRITEBYTECODE=1 \ - PYTHONUNBUFFERED=1 \ - APP_ENV=slop - -WORKDIR /app - -# Create a non-root user -RUN groupadd -r slop && useradd -r -g slop slop - -COPY slop.py /app/slop.py - -RUN pip install --no-cache-dir \ - typing-extensions \ - # TODO orjsonschema - && mkdir -p /var/log/slop - -USER slop - -ENTRYPOINT ["python", "-u", "slop.py"] diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..752d608 --- /dev/null +++ b/Gemfile 
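Review bot: The `docker run` in the `slop_gate` step pulls `ghcr.io/sergudo/ai-slop-gate:latest`, a mutable tag, and passes it `GITHUB_TOKEN` (the workflow grants `pull-requests: write`) and `SLOPE_GATE_GROQ`, so whatever is published under that tag at run time receives both credentials. Pinning the image by digest, `ghcr.io/sergudo/ai-slop-gate@sha256:<digest-of-reviewed-image>` (placeholder), makes the code that handles the secrets reviewable and reproducible. The same image reference is repeated in the later revisions of this workflow in patches 02 to 05. Separately, the step is named "Run AI Slop Gate (Gemini PR analysis)" while it runs `--provider groq`; the name should match the provider so the run log is not misleading.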
@@ -0,0 +1,14 @@ +# GPL-3.0 License (FORBIDDEN) +source 'https://rubygems.org' + +ruby '2.3.0' # EOL Ruby β€” Trivy flag + +# Known vulnerable gems +gem 'rails', '4.2.0' # CVE-2015-7576, CVE-2016-6316 +gem 'rack', '1.6.0' # CVE-2018-16470 +gem 'nokogiri', '1.6.6' # CVE-2017-9050 +gem 'json', '1.8.1' # CVE-2020-10663 +gem 'devise', '3.2.4' # multiple CVEs +gem 'rest-client', '1.6.7' # CVE-2015-1820 +gem 'webrick', '1.3.1' # CVE-2020-25613 + diff --git a/Gemfile.lock b/Gemfile.lock new file mode 100644 index 0000000..6b92ade --- /dev/null +++ b/Gemfile.lock @@ -0,0 +1,11 @@ +GEM + specs: + +PLATFORMS + ruby + x86_64-linux + +DEPENDENCIES + +BUNDLED WITH + 2.6.3 diff --git a/app.rb b/app.rb new file mode 100644 index 0000000..de9db59 --- /dev/null +++ b/app.rb 
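Review bot: The vulnerable pins in the `Gemfile` are not carried into the `Gemfile.lock` added in the same commit, whose `specs:` and `DEPENDENCIES` sections are empty. Dependency scanners that work from the lockfile (Trivy's Bundler support reads `Gemfile.lock`) will therefore report none of the CVEs listed in the comments, and the fixture will look clean. A lockfile resolved from this Gemfile (`bundle lock`) would give the scanner concrete versions to match. Also worth checking: the comment on `rack 1.6.0` cites CVE-2018-16470, which as far as I know was reported against the Rack 2.0.x multipart parser, so that line may not be flagged even with a populated lockfile.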
@@ -0,0 +1,128 @@ +# frozen_string_literal: false +# License: GPL-3.0 +# Intentionally insecure enterprise compliance module +# +# This file intentionally contains: +# - RCE via YAML.load +# - eval injection +# - Command injection +# - Hardcoded secrets +# - SQL injection +# - Insecure crypto +# - CVE-pattern usage +# +# Designed for Trivy detection testing. + +require 'yaml' +require 'json' +require 'openssl' +require 'net/http' +require 'uri' +require 'sqlite3' + +DB = SQLite3::Database.new(":memory:") + +# Hardcoded secret (Trivy secret scanner) +MASTER_KEY = "SUPER_SECRET_PRODUCTION_KEY_123456" +AWS_SECRET_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE" +PRIVATE_RSA_KEY = <<~KEY +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAtestfakekeyfortrivyexample123456789 +-----END RSA PRIVATE KEY----- +KEY + +class EnterpriseComplianceEngine + + def initialize + @debug = true + end + + # ❌ RCE via YAML (CVE-2013-0156 pattern) + def unsafe_yaml_deserialize(payload) + YAML.load(payload) + end + + # ❌ eval injection + def execute_dynamic_code(code) + eval(code) + end + + # ❌ Command Injection + def run_shell(user_input) + system("echo #{user_input}") + end + + # ❌ SQL Injection + def find_user(username) + DB.execute("CREATE TABLE IF NOT EXISTS users (name TEXT)") + DB.execute("INSERT INTO users (name) VALUES ('admin')") + DB.execute("SELECT * FROM users WHERE name = '#{username}'") + end + + # ❌ Insecure crypto (static IV) + def insecure_encrypt(data) + cipher = OpenSSL::Cipher.new("AES-128-CBC") + cipher.encrypt + cipher.key = MASTER_KEY[0..15] + cipher.iv = "AAAAAAAAAAAAAAAA" # static IV + cipher.update(data) + cipher.final + end + + # ❌ Insecure HTTP (no TLS validation) + def fetch_policy + Net::HTTP.get(URI("http://example.com")) + end + + # ❌ Mass assignment style slop + def update_config(params) + params.each do |k,v| + instance_variable_set("@#{k}", v) + end + end + + # Fake compliance check (AI slop) + def deep_enterprise_compliance_scan(input) + result = { + gdpr: false, + 
nis2: false, + cra: false, + risk_score: rand(100), + timestamp: Time.now + } + + if input.include?("GPL") + result[:license_risk] = "HIGH" + end + + if input.include?("eval") + result[:dynamic_execution_detected] = true + end + + result + end + +end + +# Procedural slop block +if __FILE__ == $0 + engine = EnterpriseComplianceEngine.new + + malicious_yaml = <<~YAML + --- !ruby/object:OpenStruct + table: + foo: bar + YAML + + engine.unsafe_yaml_deserialize(malicious_yaml) + + engine.execute_dynamic_code("puts 'RCE executed'") + + engine.run_shell("$(whoami)") + + engine.find_user("' OR 1=1 --") + + encrypted = engine.insecure_encrypt("sensitive data") + puts encrypted + + puts engine.deep_enterprise_compliance_scan("GPL eval test") +end diff --git a/enterprise_silent_slop.rb b/enterprise_silent_slop.rb new file mode 100644 index 0000000..26ff499 --- /dev/null +++ b/enterprise_silent_slop.rb 
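Review bot: Two of the labelled findings in this fixture do not match the code, which makes its expected scanner output ambiguous. `AWS_SECRET_ACCESS_KEY` is assigned `AKIAIOSFODNN7EXAMPLE`, which has the shape of an access key ID and is the value used in AWS documentation, so secret scanners commonly allowlist it; and `fetch_policy` is commented "no TLS validation" although it makes a plain `http://` request with no TLS at all. I would reword that comment to `# Insecure transport (plain HTTP, no TLS)` and note next to each constant which scanner rule it is expected to trigger. The `if __FILE__ == $0` block also runs the `YAML.load`, `eval` and `system` calls for real when the file is executed, so a header line such as `# Scan-only fixture: never execute, never load from application code` would make the intended handling explicit.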
@@ -0,0 +1,152 @@ +# enterprise_silent_slop.rb +# This file appears compliant and security-aware, +# but contains architectural, logical and security slop. +# +# Goal: Test deep Ruby security scanners & LLM-based analyzers. + +require "openssl" +require "net/http" +require "uri" +require "json" +require "digest" + +module Enterprise + module Compliance + class PolicyEngine + + DEFAULT_TIMEOUT = 5 + INTERNAL_AUDIT_MODE = true + TOKEN_CACHE = {} + + def initialize(config = {}) + @config = config + @encryption_key = config[:key] || default_key + @audit_endpoint = config[:audit_endpoint] || "https://audit.internal.local" + @feature_flags = config.fetch(:features, {}) + end + + # Looks safe: uses SHA256 + # Slop: no salt, no stretching β†’ predictable tokens + def issue_token(user_id) + token = Digest::SHA256.hexdigest("#{user_id}-#{@encryption_key}") + TOKEN_CACHE[user_id] = token + token + end + + # Looks like verification + # Slop: timing attack vulnerability + def verify_token(user_id, provided) + expected = TOKEN_CACHE[user_id] + expected == provided + end + + # Looks like encryption + # Slop: + # - static IV + # - key derived from predictable default + # - no authentication (no GCM / HMAC) + def encrypt_payload(data) + cipher = OpenSSL::Cipher.new("AES-256-CBC") + cipher.encrypt + cipher.key = Digest::SHA256.digest(@encryption_key) + cipher.iv = "0" * 16 + cipher.update(data.to_json) + cipher.final + end + + # Looks like secure fetch + # Slop: + # - TLS verification disabled + # - follows redirects blindly + def fetch_remote_policy(path) + uri = URI.join(@audit_endpoint, path) + + http = Net::HTTP.new(uri.host, uri.port) + http.use_ssl = uri.scheme == "https" + http.verify_mode = OpenSSL::SSL::VERIFY_NONE + + request = Net::HTTP::Get.new(uri) + request["X-Internal-Auth"] = internal_auth_header + + response = http.request(request) + JSON.parse(response.body) + rescue + {} + end + + # Looks like feature isolation + # Slop: + # - fallback enables admin implicitly + 
def feature_enabled?(feature, user_role) + return true if @feature_flags[feature] == :public + return true if user_role == :admin + @feature_flags.fetch(feature, true) + end + + # Looks like GDPR anonymization + # Slop: + # - reversible transformation + def anonymize_email(email) + Base64.encode64(email.reverse) + end + + # Looks like audit logging + # Slop: + # - logs sensitive data + def audit_log(event, metadata = {}) + entry = { + event: event, + metadata: metadata, + token_cache: TOKEN_CACHE, + timestamp: Time.now + } + + puts entry.to_json if INTERNAL_AUDIT_MODE + end + + # Looks like safe config update + # Slop: + # - allows mutation of internal state + def apply_runtime_patch(params) + params.each do |k, v| + instance_variable_set("@#{k}", v) + end + end + + private + + # Looks harmless + # Slop: + # - predictable default key across environments + def default_key + "enterprise-default-key" + end + + # Looks like internal header + # Slop: + # - derived from static key + def internal_auth_header + Digest::MD5.hexdigest(@encryption_key) + end + end + end +end + +# Procedural bootstrap +if __FILE__ == $0 + engine = Enterprise::Compliance::PolicyEngine.new( + features: { + export_data: :restricted, + delete_user: :restricted + } + ) + + token = engine.issue_token(42) + puts engine.verify_token(42, token) + + encrypted = engine.encrypt_payload({ email: "user@example.com" }) + puts encrypted.bytesize + + engine.audit_log("user_login", { email: "user@example.com", token: token }) + + engine.apply_runtime_patch({ encryption_key: "patched-key" }) +end diff --git a/slop.js b/slop.js deleted file mode 100644 index 557b4af..0000000 --- a/slop.js +++ /dev/null 
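Review bot: `anonymize_email` calls `Base64.encode64`, but the requires at the top of the file are `openssl`, `net/http`, `uri`, `json` and `digest`; unless one of those happens to load it, the method raises `NameError` on first use, so `require "base64"` should be added. The "Slop" comment on `feature_enabled?` also understates the problem: the method returns the stored flag value, and `:restricted` is a truthy symbol, so the `export_data` and `delete_user` flags set in the bootstrap block are enabled for every role, not only `:admin`, and unknown features default to `true`. I would extend that comment with `# - any non-nil flag value, including :restricted, is truthy; unknown features default to enabled` so the fixture documents the authorization finding an analyzer is expected to report.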
@@ -1,44 +0,0 @@ -// slop module - -class NumberOrchestrator { - constructor(options = {}) { - this.options = { - verbose: options.verbose ?? true, - factor: options.factor ?? 1, - }; - this._events = []; - } - - log(message) { - if (this.options.verbose) { - console.log("[NumberOrchestrator]", message); - } - this._events.push(message); - } - - transform(value) { - this.log(`transform:${value}`); - return value * this.options.factor; - } -// TODO Need fix - pipeline(values = []) { - this.log(`pipeline-start:length=${values.length}`); - const result = values.map((v, i) => { - this.log(`step:${i},value:${v}`); - return this.transform(v); - }); - this.log(`pipeline-end`); - return result; - } - - getEvents() { - return [...this._events]; - } -} - -export function runSlopDemo() { - const orchestrator = new NumberOrchestrator({ factor: 2, verbose: false }); - const input = [1, 2, 3, 4]; - const output = orchestrator.pipeline(input); - return { input, output, events: orchestrator.getEvents() }; -} diff --git a/slop.py b/slop.py deleted file mode 100644 index bb096d4..0000000 --- a/slop.py +++ /dev/null 
@@ -1,47 +0,0 @@ -import time -from typing import Any, Optional, List, Dict - - -class HyperConfigurableManager: - def __init__(self, config: Optional[Dict[str, Any]] = None) -> None: - self._config = config or {} - self._cache: Dict[str, Any] = {} - self._history: List[str] = [] - - def _log(self, message: str) -> None: - timestamp = time.strftime("%Y-%m-%d %H:%M:%S") - entry = f"[{timestamp}] {message}" - self._history.append(entry) - - def get(self, key: str, default: Any = None) -> Any: - if key in self._cache: - self._log(f"cache-hit:{key}") - return self._cache[key] - value = self._config.get(key, default) - self._cache[key] = value - self._log(f"cache-miss:{key}={value!r}") - return value - - def set(self, key: str, value: Any) -> None: - self._config[key] = value - self._cache[key] = value - self._log(f"set:{key}={value!r}") - - def dump_debug(self) -> str: - return "\n".join(self._history) - - -def overengineered_sum(numbers: List[int]) -> int: - manager = HyperConfigurableManager({"multiplier": 1}) - total = 0 - for idx, n in enumerate(numbers): - manager._log(f"processing-index:{idx},value:{n}") - total += n * manager.get("multiplier", 1) - manager._log(f"final-total:{total}") -# TODO Need fix - _ = manager.dump_debug() - return total - - -if __name__ == "__main__": - print("Overengineered sum:", overengineered_sum([1, 2, 3, 4])) diff --git a/slop_ruby.rb b/slop_ruby.rb new file mode 100644 index 0000000..453a204 --- /dev/null +++ b/slop_ruby.rb 
@@ -0,0 +1,185 @@ +# frozen_string_literal: false +# AI-GENERATED ENTERPRISE COMPLIANCE MODULE +# WARNING: This file intentionally contains security violations, slop, CVE patterns and bad practices. +# +# License: GPL-3.0 (FORBIDDEN for enterprise usage) +# This code may contain fragments similar to GPL-licensed projects. +# +# Known vulnerable dependencies (intentionally insecure): +# - rails 4.2.0 (CVE-2016-6316, CVE-2015-7576) +# - nokogiri 1.6.6 (CVE-2017-9050) +# - json 1.8.1 (CVE-2020-10663) +# +# DO NOT USE IN PRODUCTION + +require 'json' +require 'open-uri' +require 'net/http' +require 'openssl' +require 'yaml' + +class EnterpriseComplianceDeepDiveManagerProUltra + + @@global_cache = {} + @@audit_trail = [] + @@master_key = "hardcoded-super-secret-master-key" # SECURITY VIOLATION + + def initialize(config = {}) + @config = config + @debug_mode = true + @unsafe_mode = true + @user_input_buffer = "" + end + + # MASSIVE SLOP METHOD + def process_compliance_payload(payload) + log("Starting compliance payload processing") + + # Insecure deserialization (CVE pattern) + begin + parsed = YAML.load(payload) # RCE RISK + log("Parsed YAML successfully: #{parsed.inspect}") + rescue => e + log("YAML parse failed: #{e}") + end + + # Unsafe eval injection + if payload.include?("eval:") + code = payload.split("eval:").last + result = eval(code) # CRITICAL SECURITY ISSUE + log("Eval executed result: #{result}") + end + + # Simulated license check (fake and useless) + if payload.include?("GPL") + puts "⚠ Forbidden license detected but continuing anyway..." 
+ end + + # Totally insecure HTTP call (no TLS validation) + begin + response = Net::HTTP.get(URI("http://example.com")) # HTTP not HTTPS + log("Fetched remote compliance policy: #{response[0..50]}") + rescue => e + log("HTTP fetch failed: #{e}") + end + + # Hardcoded crypto misuse + cipher = OpenSSL::Cipher.new("AES-128-CBC") + cipher.encrypt + cipher.key = @@master_key[0..15] # BAD KEY HANDLING + encrypted = cipher.update(payload.to_s) + cipher.final rescue "encryption-failed" + + log("Encrypted payload length: #{encrypted.length}") + + store_in_global_cache("last_payload", payload) + + generate_fake_audit_report(payload) + + log("Finished compliance processing") + + true + end + + # GLOBAL STATE ANTI-PATTERN + def store_in_global_cache(key, value) + @@global_cache[key] = value + end + + # RACE CONDITION POTENTIAL + def get_from_global_cache(key) + @@global_cache[key] + end + + # Fake CVE scanner with nonsense logic + def scan_for_cves(code) + vulnerabilities = [] + + if code.include?("YAML.load") + vulnerabilities << "CVE-2013-0156" + end + + if code.include?("eval") + vulnerabilities << "CVE-2019-5418" + end + + if code.include?("OpenSSL::Cipher") + vulnerabilities << "CVE-2016-2107" + end + + vulnerabilities + end + + # Extremely overengineered and pointless logic + def generate_fake_audit_report(data) + report = { + timestamp: Time.now, + data_hash: data.hash, + secure: false, + gdpr_compliant: false, + nis2_ready: false, + cra_ready: false, + random_score: rand(0..100), + audit_id: SecureRandom.hex(8) rescue "no-random" + } + + @@audit_trail << report + + if @debug_mode + puts JSON.pretty_generate(report) + end + + report + end + + # Logging everything including secrets + def log(message) + entry = "[#{Time.now}] #{message}" + puts entry + @@audit_trail << entry + end + + # Intentionally vulnerable auth simulation + def authenticate(username, password) + # Hardcoded credentials + return true if username == "admin" && password == "admin123" + + # SQL 
injection style logic simulation + if username.include?("' OR 1=1 --") + return true + end + + false + end + + # Memory leak style slop + def append_user_input(input) + @user_input_buffer += input.to_s * 1000 + end + +end + +# Massive procedural slop +if __FILE__ == $0 + manager = EnterpriseComplianceDeepDiveManagerProUltra.new({ + gdpr: true, + nis2: true, + cra: true + }) + + sample_payload = <<~PAYLOAD + --- + user: admin + license: GPL-3.0 + eval: system("echo exploited") + PAYLOAD + + manager.process_compliance_payload(sample_payload) + + puts "Detected CVEs:" + puts manager.scan_for_cves(File.read(__FILE__)).inspect + + puts "Authentication bypass test:" + puts manager.authenticate("' OR 1=1 --", "whatever") + + manager.append_user_input("AAAA") +end From d70329aa7e745ef560c9c382a1d8d206f5e09b86 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 19:28:37 +0100 Subject: [PATCH 02/54] test workfow compliance --- .github/workflows/analyze.yml | 86 +++++++++++++---------------------- 1 file changed, 32 insertions(+), 54 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 3031b2a..aaecde8 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
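Review bot: In `generate_fake_audit_report` the hash entry `audit_id: SecureRandom.hex(8) rescue "no-random"` looks like it will not parse: as far as I know Ruby accepts a `rescue` modifier on a statement or an assignment, not on a bare hash value, so parser-based scanners may reject the whole file before any of its intended findings are seen. `securerandom` is also not among the requires at the top of the hunk. If the fallback is wanted, `audit_id: (SecureRandom.hex(8) rescue "no-random")` together with `require 'securerandom'` keeps the intent, and `ruby -c slop_ruby.rb` would confirm either way. The identifiers returned by `scan_for_cves` for `eval` and `OpenSSL::Cipher` are described as nonsense by the method's own comment; a line such as `# NOTE: these CVE ids are deliberately wrong mappings, not references` would stop them being copied as real ones.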
@@ -1,84 +1,62 @@ -name: AI Slop Gate GROQ Analysis +name: AI Slop Gate Static Analysis on: pull_request: branches: [ main ] + push: + branches: [ main ] + # Allows manual triggering of the workflow workflow_dispatch: +# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - llm-analysis: + static-analysis: runs-on: ubuntu-22.04 + timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Run AI Slop Gate (Gemini PR analysis) - id: slop_gate + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 + with: + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | + mkdir -p ~/.cache/ai-slop-gate docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run \ - --provider groq \ - --policy policy.yml \ - --github-repo "${{ github.repository }}" \ - --pr-id "${{ github.event.pull_request.number }}" \ - > llm_report.txt 2>&1 - - echo "=== RAW LLM REPORT ===" - cat llm_report.txt - - - name: Extract clean report - if: steps.slop_gate.outcome == 'failure' - run: | - sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md + run --compliance --path /data > raw_report.txt 2>&1 + + cat raw_report.txt - - name: Post PR Comment - if: steps.slop_gate.outcome == 'failure' + - name: Professional Static Report + if: steps.static_gate.outcome == 'failure' && github.event_name == 'pull_request' 
env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "### πŸ€– AI Slop Gate LLM Analysis" > final_comment.md - echo "The LLM-based analysis detected policy violations." >> final_comment.md + sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md + echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md echo "" >> final_comment.md cat clean_report.md >> final_comment.md - - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - - - name: Label PR on Policy Violation - if: steps.slop_gate.outcome == 'failure' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - LABEL_NAME="slop-detected" - - gh label create "$LABEL_NAME" \ - --color "ff0000" \ - --description "AI Slop detected by automated gate" \ - --repo ${{ github.repository }} || true - - gh pr edit ${{ github.event.pull_request.number }} \ - --add-label "$LABEL_NAME" \ - --repo ${{ github.repository }} - - # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. - # - name: Close PR on Policy Violation - # if: steps.slop_gate.outcome == 'failure' - # env: - # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # run: | - # gh pr close ${{ github.event.pull_request.number }} \ - # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ - # --repo ${{ github.repository }} \ No newline at end of file + + gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} \ No newline at end of file From f41859d6f0de7cd386ddf23892e235860b63f46a Mon Sep 17 00:00:00 2001 
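Review bot: After this change nothing in the job turns a failed scan into a failed check: `static_gate` keeps `continue-on-error: true`, the labelling step is removed, and the only step that reads `steps.static_gate.outcome` is the PR comment, which is skipped on the newly added `push` trigger. A violation on a push to `main` therefore leaves the run green with the finding visible only in the log. If the gate is meant to block, a final step with `if: steps.static_gate.outcome == 'failure'` and `run: exit 1` would enforce it. The cache key hashes `**/*.py`, `**/*.yml` and `**/*.yaml` while the code added in patch 01 is Ruby, so changes to the scanned Ruby files do not affect the key.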
From: serhiy Date: Sun, 15 Feb 2026 19:37:07 +0100 Subject: [PATCH 03/54] updated test workfow compliance --- .github/workflows/analyze.yml | 110 +++++++++++++++++++++++++++++----- 1 file changed, 95 insertions(+), 15 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index aaecde8..5f754f7 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,20 +1,18 @@ -name: AI Slop Gate Static Analysis +name: AI Slop Gate Compliance Analysis on: pull_request: branches: [ main ] push: branches: [ main ] - # Allows manual triggering of the workflow workflow_dispatch: -# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - static-analysis: + compliance-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 
@@ -30,33 +28,115 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. - - name: Static Analysis (ai-slop-gate) - id: static_gate + # Run compliance analysis + - name: Compliance Analysis (ai-slop-gate) + id: compliance_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate + + # Run compliance check and capture output docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --compliance --path /data > raw_report.txt 2>&1 + run --compliance --policy /data/policy.yml --path /data > raw_report.txt 2>&1 + + EXIT_CODE=$? + # Always show report cat raw_report.txt + + # Save exit code for later steps + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}') + echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + + # Count findings + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}') + echo "findings=$FINDINGS" >> $GITHUB_OUTPUT + + # Exit with original code + exit $EXIT_CODE - - name: Professional Static Report - if: steps.static_gate.outcome == 'failure' && github.event_name == 'pull_request' + # Post comment on PR (always, not just on failure) + - name: Post Compliance Report to PR + if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + # Extract clean report (fix sed pattern) + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + # Determine emoji and status based on verdict + VERDICT="${{ steps.compliance_gate.outputs.verdict }}" + FINDINGS="${{ steps.compliance_gate.outputs.findings }}" + + if [ "$VERDICT" 
= "BLOCKING" ]; then + EMOJI="🚨" + STATUS="**BLOCKING** - Action Required" + COLOR="⚠️" + elif [ "$VERDICT" = "ADVISORY" ]; then + EMOJI="⚠️" + STATUS="**ADVISORY** - Review Recommended" + COLOR="πŸ“‹" + else + EMOJI="βœ…" + STATUS="**PASSED** - No Issues Found" + COLOR="✨" + fi + + # Create professional comment + cat > final_comment.md << EOF + ## $EMOJI AI Slop Gate Compliance Analysis + + **Status:** $STATUS + **Findings:** $FINDINGS issue(s) detected + + --- - echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md - echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md - echo "" >> final_comment.md + EOF + + # Append the clean report cat clean_report.md >> final_comment.md - gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} \ No newline at end of file + # Add footer + cat >> final_comment.md << EOF + + --- + +
+ πŸ“š How to fix violations + + ### License Violations (GPL/AGPL) + 1. Remove the dependency or find an alternative with a permissive license + 2. If the dependency is necessary, consult with legal team + 3. Add to \`.trivyignore\` only if approved by compliance team + + ### Data Residency Violations + 1. Ensure all endpoints use EU regions + 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. + 3. Remove references to US/AP regions + +
+ + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + # Post comment + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + # Set job status based on verdict + - name: Check Compliance Result + if: steps.compliance_gate.outputs.verdict == 'BLOCKING' + run: | + echo "❌ Compliance analysis found blocking violations" + exit 1 + \ No newline at end of file From 6a1171fb133c200fb01bbc172967029d6cb37409 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 19:39:05 +0100 Subject: [PATCH 04/54] test workfow gemini --- .github/workflows/analyze.yml | 158 +++++++++++----------------------- 1 file changed, 50 insertions(+), 108 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 5f754f7..26b52a3 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,10 +1,8 @@ -name: AI Slop Gate Compliance Analysis +name: AI Slop Gate Gemini Analysis on: pull_request: branches: [ main ] - push: - branches: [ main ] workflow_dispatch: permissions: 
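Review bot: The status block in "Post Compliance Report to PR" fails open: any verdict other than `BLOCKING` or `ADVISORY`, including an empty one, falls into the `else` branch and is posted as "PASSED - No Issues Found". An empty verdict is the likely result whenever the container exits non-zero, because the default `run` shell is `bash -e` and the script stops at the `docker run` line before `EXIT_CODE=$?` and the `$GITHUB_OUTPUT` writes are reached. The clean case should be matched explicitly (`elif [ "$VERDICT" = "<pass-string>" ]`, where the placeholder is whatever the tool prints, which is not visible here) and the `else` branch should report an analysis error. In the same step `VERDICT="${{ steps.compliance_gate.outputs.verdict }}"` pastes text grepped from the tool's report into the script source; setting `VERDICT: ${{ steps.compliance_gate.outputs.verdict }}` under the step's `env:` and reading `"$VERDICT"` avoids expression injection if report lines can carry content from the scanned files.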
@@ -12,131 +10,75 @@ permissions: contents: read jobs: - compliance-analysis: + llm-analysis: runs-on: ubuntu-22.04 - timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Cache ai-slop-gate cache directory - uses: actions/cache@v4 - with: - path: ~/.cache/ai-slop-gate - key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} - restore-keys: | - ai-slop-gate-cache-${{ runner.os }}- - - # Run compliance analysis - - name: Compliance Analysis (ai-slop-gate) - id: compliance_gate + - name: Run AI Slop Gate (Gemini PR analysis) + id: slop_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | - mkdir -p ~/.cache/ai-slop-gate - - # Run compliance check and capture output docker run --rm \ - -v "${{ github.workspace }}:/data" \ - -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ + -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --compliance --policy /data/policy.yml --path /data > raw_report.txt 2>&1 - - EXIT_CODE=$? 
- - # Always show report - cat raw_report.txt - - # Save exit code for later steps - echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT - - # Extract verdict - VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}') - echo "verdict=$VERDICT" >> $GITHUB_OUTPUT - - # Count findings - FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}') - echo "findings=$FINDINGS" >> $GITHUB_OUTPUT - - # Exit with original code - exit $EXIT_CODE + run \ + --provider gemini \ + --policy policy.yml \ + --github-repo "${{ github.repository }}" \ + --pr-id "${{ github.event.pull_request.number }}" \ + > llm_report.txt 2>&1 + + echo "=== RAW LLM REPORT ===" + cat llm_report.txt - # Post comment on PR (always, not just on failure) - - name: Post Compliance Report to PR - if: github.event_name == 'pull_request' && always() + - name: Extract clean report + if: steps.slop_gate.outcome == 'failure' + run: | + sed -n '/=== AI SLOP GATE LLM GEMINI REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md + + - name: Post PR Comment + if: steps.slop_gate.outcome == 'failure' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Extract clean report (fix sed pattern) - sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - - # Determine emoji and status based on verdict - VERDICT="${{ steps.compliance_gate.outputs.verdict }}" - FINDINGS="${{ steps.compliance_gate.outputs.findings }}" - - if [ "$VERDICT" = "BLOCKING" ]; then - EMOJI="🚨" - STATUS="**BLOCKING** - Action Required" - COLOR="⚠️" - elif [ "$VERDICT" = "ADVISORY" ]; then - EMOJI="⚠️" - STATUS="**ADVISORY** - Review Recommended" - COLOR="πŸ“‹" - else - EMOJI="βœ…" - STATUS="**PASSED** - No Issues Found" - COLOR="✨" - fi - - # Create professional comment - cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Compliance Analysis - - **Status:** $STATUS - **Findings:** $FINDINGS issue(s) detected - - --- - - EOF - - # Append the clean report + echo "### 🚨 AI 
Slop Gate LLM GEMINI Analysis" > final_comment.md + echo "The LLM-based analysis detected policy violations." >> final_comment.md + echo "" >> final_comment.md cat clean_report.md >> final_comment.md - - # Add footer - cat >> final_comment.md << EOF - - --- - -
- πŸ“š How to fix violations - - ### License Violations (GPL/AGPL) - 1. Remove the dependency or find an alternative with a permissive license - 2. If the dependency is necessary, consult with legal team - 3. Add to \`.trivyignore\` only if approved by compliance team - - ### Data Residency Violations - 1. Ensure all endpoints use EU regions - 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. - 3. Remove references to US/AP regions - -
- - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - # Post comment + gh pr comment ${{ github.event.pull_request.number }} \ --body-file final_comment.md \ --repo ${{ github.repository }} - # Set job status based on verdict - - name: Check Compliance Result - if: steps.compliance_gate.outputs.verdict == 'BLOCKING' + - name: Label PR on Policy Violation + if: steps.slop_gate.outcome == 'failure' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "❌ Compliance analysis found blocking violations" - exit 1 - \ No newline at end of file + LABEL_NAME="slop-detected" + + gh label create "$LABEL_NAME" \ + --color "ff0000" \ + --description "AI Slop detected by automated gate" \ + --repo ${{ github.repository }} || true + + gh pr edit ${{ github.event.pull_request.number }} \ + --add-label "$LABEL_NAME" \ + --repo ${{ github.repository }} + + # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. + # - name: Close PR on Policy Violation + # if: steps.slop_gate.outcome == 'failure' + # env: + # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # run: | + # gh pr close ${{ github.event.pull_request.number }} \ + # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ + # --repo ${{ github.repository }} \ No newline at end of file From 5d50528f10afe799256b043c29d418b07533d78d Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 19:44:32 +0100 Subject: [PATCH 05/54] test updated workfow compliance --- .github/workflows/analyze.yml | 165 +++++++++++++++++++++++----------- 1 file changed, 115 insertions(+), 50 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 26b52a3..f3ee5ef 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
@@ -1,8 +1,10 @@ -name: AI Slop Gate Gemini Analysis +name: AI Slop Gate Compliance Analysis on: pull_request: branches: [ main ] + push: + branches: [ main ] workflow_dispatch: permissions: 
@@ -10,75 +12,138 @@ permissions: contents: read jobs: - llm-analysis: + compliance-analysis: runs-on: ubuntu-22.04 + timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Run AI Slop Gate (Gemini PR analysis) - id: slop_gate + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 + with: + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run compliance analysis + - name: Compliance Analysis (ai-slop-gate) + id: compliance_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | + mkdir -p ~/.cache/ai-slop-gate + + # Run compliance check and capture output (don't fail on non-zero exit) + set +e # Disable exit on error temporarily docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run \ - --provider gemini \ - --policy policy.yml \ - --github-repo "${{ github.repository }}" \ - --pr-id "${{ github.event.pull_request.number }}" \ - > llm_report.txt 2>&1 - - echo "=== RAW LLM REPORT ===" - cat llm_report.txt + run --compliance --policy /data/policy.yml --path /data > raw_report.txt 2>&1 + + EXIT_CODE=$? 
+ set -e # Re-enable exit on error + + # Always show report + cat raw_report.txt + + # Save exit code for later steps + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict (default to UNKNOWN if not found) + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") + echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + + # Count findings (default to 0 if not found) + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") + echo "findings=$FINDINGS" >> $GITHUB_OUTPUT + + # Log extracted values + echo "πŸ“Š Extracted values:" + echo " Exit code: $EXIT_CODE" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Don't fail here - let continue-on-error handle it + exit 0 - - name: Extract clean report - if: steps.slop_gate.outcome == 'failure' - run: | - sed -n '/=== AI SLOP GATE LLM GEMINI REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md - - - name: Post PR Comment - if: steps.slop_gate.outcome == 'failure' + # Post comment on PR (always, not just on failure) + - name: Post Compliance Report to PR + if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "### 🚨 AI Slop Gate LLM GEMINI Analysis" > final_comment.md - echo "The LLM-based analysis detected policy violations." 
>> final_comment.md - echo "" >> final_comment.md + # Extract clean report (fix sed pattern) + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + # Determine emoji and status based on verdict + VERDICT="${{ steps.compliance_gate.outputs.verdict }}" + FINDINGS="${{ steps.compliance_gate.outputs.findings }}" + + if [ "$VERDICT" = "BLOCKING" ]; then + EMOJI="🚨" + STATUS="**BLOCKING** - Action Required" + COLOR="⚠️" + elif [ "$VERDICT" = "ADVISORY" ]; then + EMOJI="⚠️" + STATUS="**ADVISORY** - Review Recommended" + COLOR="πŸ“‹" + else + EMOJI="βœ…" + STATUS="**PASSED** - No Issues Found" + COLOR="✨" + fi + + # Create professional comment + cat > final_comment.md << EOF + ## $EMOJI AI Slop Gate Compliance Analysis + + **Status:** $STATUS + **Findings:** $FINDINGS issue(s) detected + + --- + + EOF + + # Append the clean report cat clean_report.md >> final_comment.md - + + # Add footer + cat >> final_comment.md << EOF + + --- + +
+ πŸ“š How to fix violations + + ### License Violations (GPL/AGPL) + 1. Remove the dependency or find an alternative with a permissive license + 2. If the dependency is necessary, consult with legal team + 3. Add to \`.trivyignore\` only if approved by compliance team + + ### Data Residency Violations + 1. Ensure all endpoints use EU regions + 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. + 3. Remove references to US/AP regions + +
+ + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + # Post comment gh pr comment ${{ github.event.pull_request.number }} \ --body-file final_comment.md \ --repo ${{ github.repository }} - - name: Label PR on Policy Violation - if: steps.slop_gate.outcome == 'failure' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Set job status based on verdict + - name: Check Compliance Result + if: steps.compliance_gate.outputs.verdict == 'BLOCKING' run: | - LABEL_NAME="slop-detected" - - gh label create "$LABEL_NAME" \ - --color "ff0000" \ - --description "AI Slop detected by automated gate" \ - --repo ${{ github.repository }} || true - - gh pr edit ${{ github.event.pull_request.number }} \ - --add-label "$LABEL_NAME" \ - --repo ${{ github.repository }} - - # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. - # - name: Close PR on Policy Violation - # if: steps.slop_gate.outcome == 'failure' - # env: - # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # run: | - # gh pr close ${{ github.event.pull_request.number }} \ - # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ - # --repo ${{ github.repository }} \ No newline at end of file + echo "❌ Compliance analysis found blocking violations" + exit 1 From 6fce1a8a12aae4ef6f0f06848fee67d7ae29a873 Mon Sep 17 00:00:00 2001 
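Review bot: A scanner run that produces no verdict is reported as a pass. In the `Compliance Analysis` step the container's exit code is written to `exit_code` but never read, and when `raw_report.txt` has no `Policy Verdict:` line (image pull failure, crash, changed report format) `VERDICT` ends up empty or `UNKNOWN`; the comment step's `else` branch then prints `**PASSED** - No Issues Found` and `Check Compliance Result` only fires on `BLOCKING`. I would normalise with `[ -n "$VERDICT" ] || VERDICT=UNKNOWN`, give UNKNOWN its own branch in the comment, and gate on `if: contains(fromJSON('["BLOCKING","UNKNOWN"]'), steps.compliance_gate.outputs.verdict)`. Separately, `VERDICT="${{ steps.compliance_gate.outputs.verdict }}"` pastes text derived from scanning PR-controlled files into the script source; passing it through `env:` and reading `$VERDICT` keeps it as data.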
From: serhiy Date: Sun, 15 Feb 2026 20:37:37 +0100 Subject: [PATCH 06/54] created java test slop --- .github/workflows/analyze.yml | 118 ++--------- ComplianceFacade.java | 47 +++++ DynamicClassLoaderSlop.java | 34 ++++ ...riseComplianceDeepDiveManagerProUltra.java | 146 ++++++++++++++ Gemfile => EnterpriseSilentSlop.java | 0 Gemfile.lock | 11 -- ReflectionBomb.java | 62 ++++++ ..._silent_slop.rb => UnsafeNativeBridge.java | 0 app.rb | 128 ------------ slop_ruby.rb | 185 ------------------ 10 files changed, 305 insertions(+), 426 deletions(-) create mode 100644 ComplianceFacade.java create mode 100644 DynamicClassLoaderSlop.java create mode 100644 EnterpriseComplianceDeepDiveManagerProUltra.java rename Gemfile => EnterpriseSilentSlop.java (100%) delete mode 100644 Gemfile.lock create mode 100644 ReflectionBomb.java rename enterprise_silent_slop.rb => UnsafeNativeBridge.java (100%) delete mode 100644 app.rb delete mode 100644 slop_ruby.rb diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index f3ee5ef..372ca98 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,18 +1,20 @@ -name: AI Slop Gate Compliance Analysis +name: AI Slop Gate Static Analysis on: pull_request: branches: [ main ] push: branches: [ main ] + # Allows manual triggering of the workflow workflow_dispatch: +# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - compliance-analysis: + static-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 
@@ -28,122 +30,34 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run compliance analysis - - name: Compliance Analysis (ai-slop-gate) - id: compliance_gate + # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate - - # Run compliance check and capture output (don't fail on non-zero exit) - set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --compliance --policy /data/policy.yml --path /data > raw_report.txt 2>&1 - - EXIT_CODE=$? - set -e # Re-enable exit on error + run --provider static --path /data > raw_report.txt 2>&1 - # Always show report cat raw_report.txt - - # Save exit code for later steps - echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT - - # Extract verdict (default to UNKNOWN if not found) - VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") - echo "verdict=$VERDICT" >> $GITHUB_OUTPUT - - # Count findings (default to 0 if not found) - FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") - echo "findings=$FINDINGS" >> $GITHUB_OUTPUT - - # Log extracted values - echo "πŸ“Š Extracted values:" - echo " Exit code: $EXIT_CODE" - echo " Verdict: $VERDICT" - echo " Findings: $FINDINGS" - - # Don't fail here - let continue-on-error handle it - exit 0 - # Post comment on PR (always, not just on failure) - - name: Post Compliance Report to PR - if: github.event_name == 'pull_request' && always() + - name: Professional Static Report + if: steps.static_gate.outcome == 'failure' && github.event_name == 'pull_request' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Extract clean report (fix sed pattern) - sed -n '/=== AI 
SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - - # Determine emoji and status based on verdict - VERDICT="${{ steps.compliance_gate.outputs.verdict }}" - FINDINGS="${{ steps.compliance_gate.outputs.findings }}" - - if [ "$VERDICT" = "BLOCKING" ]; then - EMOJI="🚨" - STATUS="**BLOCKING** - Action Required" - COLOR="⚠️" - elif [ "$VERDICT" = "ADVISORY" ]; then - EMOJI="⚠️" - STATUS="**ADVISORY** - Review Recommended" - COLOR="πŸ“‹" - else - EMOJI="βœ…" - STATUS="**PASSED** - No Issues Found" - COLOR="✨" - fi - - # Create professional comment - cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Compliance Analysis - - **Status:** $STATUS - **Findings:** $FINDINGS issue(s) detected + sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - --- - - EOF - - # Append the clean report + echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md + echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md + echo "" >> final_comment.md cat clean_report.md >> final_comment.md - # Add footer - cat >> final_comment.md << EOF - - --- - -
- πŸ“š How to fix violations - - ### License Violations (GPL/AGPL) - 1. Remove the dependency or find an alternative with a permissive license - 2. If the dependency is necessary, consult with legal team - 3. Add to \`.trivyignore\` only if approved by compliance team - - ### Data Residency Violations - 1. Ensure all endpoints use EU regions - 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. - 3. Remove references to US/AP regions - -
- - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - # Post comment - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - - # Set job status based on verdict - - name: Check Compliance Result - if: steps.compliance_gate.outputs.verdict == 'BLOCKING' - run: | - echo "❌ Compliance analysis found blocking violations" - exit 1 + gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} + \ No newline at end of file diff --git a/ComplianceFacade.java b/ComplianceFacade.java new file mode 100644 index 0000000..0602aa6 --- /dev/null +++ b/ComplianceFacade.java 
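Review bot: After this hunk nothing in the job can fail, so the gate cannot block a merge. `Static Analysis (ai-slop-gate)` keeps `continue-on-error: true`, the removed `Check Compliance Result` step has no replacement, and `Professional Static Report` only posts a comment on pull requests, which leaves findings on `push` to main visible only in the job log. A closing step such as `- name: Fail on findings` with `if: steps.static_gate.outcome == 'failure'` and `run: exit 1` would restore enforcement. The added comment says the setting allows labelling the PR, but no label step exists in this version; the Gemini variant restored in PATCH 07/54 labels and comments yet also lacks a failing step.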
@@ -0,0 +1,47 @@ +package slop; + +import java.util.*; + +public class ComplianceFacade { + + // TODO: replace with real config loader (never happens) + private static final Map CONFIG = new HashMap<>(); + + static { + CONFIG.put("nativeLib", "libinsecure.so"); // TODO: externalize + CONFIG.put("remoteJarUrl", "http://malicious.internal.local/evil.jar"); // TODO: move to config + CONFIG.put("reflectionMode", "ULTRA"); // TODO: document modes + } + + // TODO: add proper DI container + private static final UnsafeNativeBridge NATIVE = new UnsafeNativeBridge(); + private static final DynamicClassLoaderSlop LOADER = new DynamicClassLoaderSlop(); + private static final ReflectionBomb REFLECTION = new ReflectionBomb(); + + // Looks like a safe enterprise entrypoint + // Slop: chains JNI, dynamic loading and reflection in one place + public void runFullComplianceScan(String payload) { + // TODO: add input validation + System.out.println("[ComplianceFacade] Starting full compliance scan..."); + + // JNI RCE-ish behavior + NATIVE.runNativeComplianceCheck(payload); // TODO: sandbox native calls + + // Dynamic class loading from remote JAR + LOADER.loadAndExecuteRemoteModule((String) CONFIG.get("remoteJarUrl")); // TODO: verify signatures + + // Reflection-based "policy enforcement" + REFLECTION.enforcePolicyViaReflection("slop.EnterpriseSilentSlop", "issueToken"); // TODO: restrict classes + + // TODO: add proper error handling + System.out.println("[ComplianceFacade] Compliance scan finished (probably)."); + } + + // Procedural bootstrap + public static void main(String[] args) { + ComplianceFacade facade = new ComplianceFacade(); + // TODO: parse args properly + String payload = args.length > 0 ? args[0] : "default-payload"; + facade.runFullComplianceScan(payload); + } +} diff --git a/DynamicClassLoaderSlop.java b/DynamicClassLoaderSlop.java new file mode 100644 index 0000000..10ae2c3 --- /dev/null +++ b/DynamicClassLoaderSlop.java 
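Review bot: ComplianceFacade.java carries no marker that it is a deliberately unsafe analyzer fixture, unlike the `// WARNING:` headers on UnsafeNativeBridge and ReflectionBomb in this commit, and it has a runnable `main`. A header such as `// WARNING: intentionally insecure analyzer fixture. Do not build, run or deploy.` above the class would make that explicit; whether the fixtures sit in a directory excluded from builds is not visible here and should be confirmed. The class also references `DynamicClassLoaderSlop`, which this commit does not define (the file of that name declares `UnsafeNativeBridge`), so it will not compile as committed. The `CONFIG` entries `nativeLib` and `reflectionMode` are never read in this file, so either document what finding they are meant to trigger or drop them.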
@@ -0,0 +1,34 @@ +package slop; + +// WARNING: This class intentionally abuses JNI patterns. +// It is NOT safe and exists only to test analyzers. + +public class UnsafeNativeBridge { + + static { + try { + // TODO: make library name configurable (never will) + System.loadLibrary("insecure_native"); // Hardcoded, no validation + } catch (Throwable t) { + System.err.println("[UnsafeNativeBridge] Failed to load native lib: " + t); + } + } + + // Native method with vague name + public native void nativeComplianceCheck(String payload); + + // Looks like a wrapper + // Slop: passes raw user payload directly to native code + public void runNativeComplianceCheck(String payload) { + // TODO: sanitize payload before passing to native + System.out.println("[UnsafeNativeBridge] Running native compliance check..."); + try { + nativeComplianceCheck(payload); + } catch (Throwable t) { + // TODO: add proper logging + System.err.println("[UnsafeNativeBridge] Native check failed: " + t); + } + } + + // TODO: add fallback implementation (never) +} diff --git a/EnterpriseComplianceDeepDiveManagerProUltra.java b/EnterpriseComplianceDeepDiveManagerProUltra.java new file mode 100644 index 0000000..f955a8e --- /dev/null +++ b/EnterpriseComplianceDeepDiveManagerProUltra.java 
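Review bot: The file name and its contents disagree: DynamicClassLoaderSlop.java declares `public class UnsafeNativeBridge`, which javac rejects because a public top-level class must live in a file of the same name. The same mismatch appears in EnterpriseComplianceDeepDiveManagerProUltra.java, which declares `EnterpriseSilentSlop` and has no `package slop;` line although ComplianceFacade passes `slop.EnterpriseSilentSlop` to the reflection helper, while UnsafeNativeBridge.java and EnterpriseSilentSlop.java are 100% renames of a Ruby file and the Gemfile. Analyzers that need a compiling tree are likely to skip or error on these fixtures, so the gate may report fewer findings than the fixtures are meant to trigger. Renaming each file to match its class and adding the actual `DynamicClassLoaderSlop` source would fix that.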
@@ -0,0 +1,146 @@ +// EnterpriseSilentSlop.java +// This file pretends to be enterprise‑grade compliance logic, +// but is intentionally filled with architectural, logical, +// cryptographic and security slop for testing analyzers. + +import javax.crypto.Cipher; +import javax.crypto.spec.SecretKeySpec; +import java.io.*; +import java.net.*; +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.sql.*; +import java.util.*; + +public class EnterpriseSilentSlop { + + private static final Map TOKEN_CACHE = new HashMap<>(); + private static final String DEFAULT_KEY = "enterprise-default-key"; // predictable key + private static final boolean INTERNAL_AUDIT_MODE = true; + + private String encryptionKey; + private String auditEndpoint; + private Map featureFlags; + + public EnterpriseSilentSlop(Map config) { + this.encryptionKey = (String) config.getOrDefault("key", DEFAULT_KEY); + this.auditEndpoint = (String) config.getOrDefault("audit_endpoint", "http://audit.internal.local"); + this.featureFlags = (Map) config.getOrDefault("features", new HashMap<>()); + } + + // Looks safe: SHA-256 + // Slop: predictable tokens, no salt, no stretching + public String issueToken(String userId) { + try { + MessageDigest digest = MessageDigest.getInstance("SHA-256"); + String token = Base64.getEncoder().encodeToString( + digest.digest((userId + "-" + encryptionKey).getBytes(StandardCharsets.UTF_8)) + ); + TOKEN_CACHE.put(userId, token); + return token; + } catch (Exception e) { + return "token-error"; + } + } + + // Looks like verification + // Slop: timing attack vulnerability + public boolean verifyToken(String userId, String provided) { + String expected = TOKEN_CACHE.get(userId); + return expected != null && expected.equals(provided); + } + + // Looks like encryption + // Slop: + // - static IV + // - AES-CBC without authentication + // - key derived from predictable default + public byte[] encryptPayload(Map data) { + try { + Cipher cipher = 
Cipher.getInstance("AES/CBC/PKCS5Padding"); + SecretKeySpec key = new SecretKeySpec(DEFAULT_KEY.getBytes(), "AES"); + cipher.init(Cipher.ENCRYPT_MODE, key, new javax.crypto.spec.IvParameterSpec("0000000000000000".getBytes())); + return cipher.doFinal(data.toString().getBytes()); + } catch (Exception e) { + return "encryption-failed".getBytes(); + } + } + + // Looks like secure fetch + // Slop: + // - HTTP instead of HTTPS + // - no TLS validation + // - SSRF possible + public String fetchRemotePolicy(String path) { + try { + URL url = new URL(auditEndpoint + path); + HttpURLConnection conn = (HttpURLConnection) url.openConnection(); + conn.setInstanceFollowRedirects(true); + conn.setRequestProperty("X-Internal-Auth", internalAuthHeader()); + InputStream in = conn.getInputStream(); + return new String(in.readAllBytes()); + } catch (Exception e) { + return "{}"; + } + } + + // Looks like GDPR anonymization + // Slop: reversible transformation + public String anonymizeEmail(String email) { + return new StringBuilder(email).reverse().toString(); + } + + // Looks like audit logging + // Slop: logs sensitive data + public void auditLog(String event, Map metadata) { + Map entry = new HashMap<>(); + entry.put("event", event); + entry.put("metadata", metadata); + entry.put("token_cache", TOKEN_CACHE); + entry.put("timestamp", new Date()); + + if (INTERNAL_AUDIT_MODE) { + System.out.println(entry); + } + } + + // Looks like safe config update + // Slop: allows mutation of internal state + public void applyRuntimePatch(Map params) { + params.forEach((k, v) -> { + try { + var field = this.getClass().getDeclaredField(k); + field.setAccessible(true); + field.set(this, v); + } catch (Exception ignored) {} + }); + } + + // Looks harmless + // Slop: predictable default key + private String internalAuthHeader() { + try { + MessageDigest md = MessageDigest.getInstance("MD5"); + return Base64.getEncoder().encodeToString(md.digest(encryptionKey.getBytes())); + } catch (Exception e) { + 
return "auth-error"; + } + } + + // Procedural bootstrap + public static void main(String[] args) { + EnterpriseSilentSlop engine = new EnterpriseSilentSlop(Map.of( + "features", Map.of("export_data", "restricted") + )); + + String token = engine.issueToken("42"); + System.out.println(engine.verifyToken("42", token)); + + byte[] encrypted = engine.encryptPayload(Map.of("email", "user@example.com")); + System.out.println(encrypted.length); + + engine.auditLog("user_login", Map.of("email", "user@example.com", "token", token)); + + engine.applyRuntimePatch(Map.of("encryptionKey", "patched-key")); + } +} diff --git a/Gemfile b/EnterpriseSilentSlop.java similarity index 100% rename from Gemfile rename to EnterpriseSilentSlop.java diff --git a/Gemfile.lock b/Gemfile.lock deleted file mode 100644 index 6b92ade..0000000 --- a/Gemfile.lock +++ /dev/null @@ -1,11 +0,0 @@ -GEM - specs: - -PLATFORMS - ruby - x86_64-linux - -DEPENDENCIES - -BUNDLED WITH - 2.6.3 diff --git a/ReflectionBomb.java b/ReflectionBomb.java new file mode 100644 index 0000000..e6cfaec --- /dev/null +++ b/ReflectionBomb.java 
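Review bot: `encryptPayload` never reaches the CBC/static-IV path it is meant to demonstrate: `DEFAULT_KEY` is the 22-byte string `enterprise-default-key`, which is not a valid AES key length, so `cipher.init` throws and the method returns the bytes of `encryption-failed`. If the fixture should exercise the weak-crypto pattern at runtime the key needs 16, 24 or 32 bytes; either way the sentinel return hides the failure from callers and is worth listing as an expected finding of its own. Several `// Slop:` labels also do not match the code under them: `internalAuthHeader` is labelled "predictable default key" while its distinguishing weakness is MD5, and `fetchRemotePolicy` says "no TLS validation" where the default endpoint is plain `http://`. Aligning the labels with the code gives a usable ground truth for scoring the analyzer.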
@@ -0,0 +1,62 @@ +package slop; + +import java.lang.reflect.*; + +// WARNING: This class intentionally abuses reflection. + +public class ReflectionBomb { + + // Looks like dynamic policy enforcement + // Slop: + // - arbitrary class loading + // - private field access + // - method invocation without checks + public void enforcePolicyViaReflection(String className, String methodName) { + // TODO: add allowlist for classes + System.out.println("[ReflectionBomb] Enforcing policy via reflection on " + className + "#" + methodName); + try { + Class clazz = Class.forName(className); + Object instance = null; + + try { + instance = clazz.getDeclaredConstructor().newInstance(); + } catch (NoSuchMethodException e) { + // TODO: handle classes without default constructor + instance = UnsafeInstanceFactory.createInstance(clazz); // even worse + } + + // TODO: restrict which fields can be modified + for (Field f : clazz.getDeclaredFields()) { + f.setAccessible(true); + if (f.getType() == String.class) { + f.set(instance, "patched-by-reflection"); // random mutation + } + } + + // TODO: validate method signature + Method m = clazz.getDeclaredMethod(methodName, String.class); + m.setAccessible(true); + Object result = m.invoke(instance, "reflection-payload"); + System.out.println("[ReflectionBomb] Result: " + result); + + } catch (Throwable t) { + System.err.println("[ReflectionBomb] Reflection enforcement failed: " + t); + } + } + + // Inner helper with even Π±Ρ–Π»ΡŒΡˆΠ΅ слопу + static class UnsafeInstanceFactory { + // Uses sun.misc.Unsafe‑подібний ΠΏΠ°Ρ‚Π΅Ρ€Π½ (імітація) + static Object createInstance(Class clazz) { + // TODO: replace with safe instantiation (never) + try { + Constructor[] ctors = clazz.getDeclaredConstructors(); + if (ctors.length > 0) { + ctors[0].setAccessible(true); + return ctors[0].newInstance(); + } + } catch (Exception ignored) {} + return null; + } + } +} 
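Review bot: The fallback in `enforcePolicyViaReflection` cannot succeed and lets a null instance flow on. `UnsafeInstanceFactory.createInstance` is reached only after the no-arg constructor lookup failed, yet it calls `ctors[0].newInstance()` with no arguments, swallows the exception and returns `null`; the field loop then calls `f.set` on that null instance and the outer `catch (Throwable t)` hides the resulting error. A guard such as `if (instance == null) { System.err.println("[ReflectionBomb] no instance"); return; }` after the inner try, or a comment stating that the failure is intended, makes the fixture's behaviour deterministic. The loop also writes every `String` field including `static final` ones, which typically throws before `m.invoke` is reached. The two comments on the inner helper are partly non-English and mis-encoded on this page and should be rewritten in English, for example `// Inner helper that adds further unsafe instantiation`.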
diff --git a/enterprise_silent_slop.rb b/UnsafeNativeBridge.java similarity index 100% rename from enterprise_silent_slop.rb rename to UnsafeNativeBridge.java diff --git a/app.rb b/app.rb deleted file mode 100644 index de9db59..0000000 --- a/app.rb +++ /dev/null 
@@ -1,128 +0,0 @@ -# frozen_string_literal: false -# License: GPL-3.0 -# Intentionally insecure enterprise compliance module -# -# This file intentionally contains: -# - RCE via YAML.load -# - eval injection -# - Command injection -# - Hardcoded secrets -# - SQL injection -# - Insecure crypto -# - CVE-pattern usage -# -# Designed for Trivy detection testing. - -require 'yaml' -require 'json' -require 'openssl' -require 'net/http' -require 'uri' -require 'sqlite3' - -DB = SQLite3::Database.new(":memory:") - -# Hardcoded secret (Trivy secret scanner) -MASTER_KEY = "SUPER_SECRET_PRODUCTION_KEY_123456" -AWS_SECRET_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE" -PRIVATE_RSA_KEY = <<~KEY ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAtestfakekeyfortrivyexample123456789 ------END RSA PRIVATE KEY----- -KEY - -class EnterpriseComplianceEngine - - def initialize - @debug = true - end - - # ❌ RCE via YAML (CVE-2013-0156 pattern) - def unsafe_yaml_deserialize(payload) - YAML.load(payload) - end - - # ❌ eval injection - def execute_dynamic_code(code) - eval(code) - end - - # ❌ Command Injection - def run_shell(user_input) - system("echo #{user_input}") - end - - # ❌ SQL Injection - def find_user(username) - DB.execute("CREATE TABLE IF NOT EXISTS users (name TEXT)") - DB.execute("INSERT INTO users (name) VALUES ('admin')") - DB.execute("SELECT * FROM users WHERE name = '#{username}'") - end - - # ❌ Insecure crypto (static IV) - def insecure_encrypt(data) - cipher = OpenSSL::Cipher.new("AES-128-CBC") - cipher.encrypt - cipher.key = MASTER_KEY[0..15] - cipher.iv = "AAAAAAAAAAAAAAAA" # static IV - cipher.update(data) + cipher.final - end - - # ❌ Insecure HTTP (no TLS validation) - def fetch_policy - Net::HTTP.get(URI("http://example.com")) - end - - # ❌ Mass assignment style slop - def update_config(params) - params.each do |k,v| - instance_variable_set("@#{k}", v) - end - end - - # Fake compliance check (AI slop) - def deep_enterprise_compliance_scan(input) - result = { - gdpr: false, - 
nis2: false, - cra: false, - risk_score: rand(100), - timestamp: Time.now - } - - if input.include?("GPL") - result[:license_risk] = "HIGH" - end - - if input.include?("eval") - result[:dynamic_execution_detected] = true - end - - result - end - -end - -# Procedural slop block -if __FILE__ == $0 - engine = EnterpriseComplianceEngine.new - - malicious_yaml = <<~YAML - --- !ruby/object:OpenStruct - table: - foo: bar - YAML - - engine.unsafe_yaml_deserialize(malicious_yaml) - - engine.execute_dynamic_code("puts 'RCE executed'") - - engine.run_shell("$(whoami)") - - engine.find_user("' OR 1=1 --") - - encrypted = engine.insecure_encrypt("sensitive data") - puts encrypted - - puts engine.deep_enterprise_compliance_scan("GPL eval test") -end diff --git a/slop_ruby.rb b/slop_ruby.rb deleted file mode 100644 index 453a204..0000000 --- a/slop_ruby.rb +++ /dev/null 
@@ -1,185 +0,0 @@ -# frozen_string_literal: false -# AI-GENERATED ENTERPRISE COMPLIANCE MODULE -# WARNING: This file intentionally contains security violations, slop, CVE patterns and bad practices. -# -# License: GPL-3.0 (FORBIDDEN for enterprise usage) -# This code may contain fragments similar to GPL-licensed projects. -# -# Known vulnerable dependencies (intentionally insecure): -# - rails 4.2.0 (CVE-2016-6316, CVE-2015-7576) -# - nokogiri 1.6.6 (CVE-2017-9050) -# - json 1.8.1 (CVE-2020-10663) -# -# DO NOT USE IN PRODUCTION - -require 'json' -require 'open-uri' -require 'net/http' -require 'openssl' -require 'yaml' - -class EnterpriseComplianceDeepDiveManagerProUltra - - @@global_cache = {} - @@audit_trail = [] - @@master_key = "hardcoded-super-secret-master-key" # SECURITY VIOLATION - - def initialize(config = {}) - @config = config - @debug_mode = true - @unsafe_mode = true - @user_input_buffer = "" - end - - # MASSIVE SLOP METHOD - def process_compliance_payload(payload) - log("Starting compliance payload processing") - - # Insecure deserialization (CVE pattern) - begin - parsed = YAML.load(payload) # RCE RISK - log("Parsed YAML successfully: #{parsed.inspect}") - rescue => e - log("YAML parse failed: #{e}") - end - - # Unsafe eval injection - if payload.include?("eval:") - code = payload.split("eval:").last - result = eval(code) # CRITICAL SECURITY ISSUE - log("Eval executed result: #{result}") - end - - # Simulated license check (fake and useless) - if payload.include?("GPL") - puts "⚠ Forbidden license detected but continuing anyway..." 
- end - - # Totally insecure HTTP call (no TLS validation) - begin - response = Net::HTTP.get(URI("http://example.com")) # HTTP not HTTPS - log("Fetched remote compliance policy: #{response[0..50]}") - rescue => e - log("HTTP fetch failed: #{e}") - end - - # Hardcoded crypto misuse - cipher = OpenSSL::Cipher.new("AES-128-CBC") - cipher.encrypt - cipher.key = @@master_key[0..15] # BAD KEY HANDLING - encrypted = cipher.update(payload.to_s) + cipher.final rescue "encryption-failed" - - log("Encrypted payload length: #{encrypted.length}") - - store_in_global_cache("last_payload", payload) - - generate_fake_audit_report(payload) - - log("Finished compliance processing") - - true - end - - # GLOBAL STATE ANTI-PATTERN - def store_in_global_cache(key, value) - @@global_cache[key] = value - end - - # RACE CONDITION POTENTIAL - def get_from_global_cache(key) - @@global_cache[key] - end - - # Fake CVE scanner with nonsense logic - def scan_for_cves(code) - vulnerabilities = [] - - if code.include?("YAML.load") - vulnerabilities << "CVE-2013-0156" - end - - if code.include?("eval") - vulnerabilities << "CVE-2019-5418" - end - - if code.include?("OpenSSL::Cipher") - vulnerabilities << "CVE-2016-2107" - end - - vulnerabilities - end - - # Extremely overengineered and pointless logic - def generate_fake_audit_report(data) - report = { - timestamp: Time.now, - data_hash: data.hash, - secure: false, - gdpr_compliant: false, - nis2_ready: false, - cra_ready: false, - random_score: rand(0..100), - audit_id: SecureRandom.hex(8) rescue "no-random" - } - - @@audit_trail << report - - if @debug_mode - puts JSON.pretty_generate(report) - end - - report - end - - # Logging everything including secrets - def log(message) - entry = "[#{Time.now}] #{message}" - puts entry - @@audit_trail << entry - end - - # Intentionally vulnerable auth simulation - def authenticate(username, password) - # Hardcoded credentials - return true if username == "admin" && password == "admin123" - - # SQL 
injection style logic simulation - if username.include?("' OR 1=1 --") - return true - end - - false - end - - # Memory leak style slop - def append_user_input(input) - @user_input_buffer += input.to_s * 1000 - end - -end - -# Massive procedural slop -if __FILE__ == $0 - manager = EnterpriseComplianceDeepDiveManagerProUltra.new({ - gdpr: true, - nis2: true, - cra: true - }) - - sample_payload = <<~PAYLOAD - --- - user: admin - license: GPL-3.0 - eval: system("echo exploited") - PAYLOAD - - manager.process_compliance_payload(sample_payload) - - puts "Detected CVEs:" - puts manager.scan_for_cves(File.read(__FILE__)).inspect - - puts "Authentication bypass test:" - puts manager.authenticate("' OR 1=1 --", "whatever") - - manager.append_user_input("AAAA") -end From 0b8110e44f9e5a885649747cbbbd255d238f9852 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 20:42:22 +0100 Subject: [PATCH 07/54] test slop java provider gemini --- .github/workflows/analyze.yml | 87 ++++++++++++++++++++++------------- 1 file changed, 54 insertions(+), 33 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 372ca98..26b52a3 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
@@ -1,63 +1,84 @@ -name: AI Slop Gate Static Analysis +name: AI Slop Gate Gemini Analysis on: pull_request: branches: [ main ] - push: - branches: [ main ] - # Allows manual triggering of the workflow workflow_dispatch: -# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - static-analysis: + llm-analysis: runs-on: ubuntu-22.04 - timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Cache ai-slop-gate cache directory - uses: actions/cache@v4 - with: - path: ~/.cache/ai-slop-gate - key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} - restore-keys: | - ai-slop-gate-cache-${{ runner.os }}- - - # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. - - name: Static Analysis (ai-slop-gate) - id: static_gate + - name: Run AI Slop Gate (Gemini PR analysis) + id: slop_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | - mkdir -p ~/.cache/ai-slop-gate docker run --rm \ - -v "${{ github.workspace }}:/data" \ - -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ + -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider static --path /data > raw_report.txt 2>&1 - - cat raw_report.txt + run \ + --provider gemini \ + --policy policy.yml \ + --github-repo "${{ github.repository }}" \ + --pr-id "${{ github.event.pull_request.number }}" \ + > llm_report.txt 2>&1 + + echo "=== RAW LLM REPORT ===" + cat llm_report.txt + + - name: Extract clean report + if: steps.slop_gate.outcome == 'failure' + run: | + sed -n '/=== AI SLOP GATE LLM GEMINI REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md - - name: Professional Static Report - if: steps.static_gate.outcome == 'failure' && github.event_name == 'pull_request' + - name: Post PR Comment + if: 
steps.slop_gate.outcome == 'failure' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - - echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md - echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md + echo "### 🚨 AI Slop Gate LLM GEMINI Analysis" > final_comment.md + echo "The LLM-based analysis detected policy violations." >> final_comment.md echo "" >> final_comment.md cat clean_report.md >> final_comment.md - - gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} - \ No newline at end of file + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + - name: Label PR on Policy Violation + if: steps.slop_gate.outcome == 'failure' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + LABEL_NAME="slop-detected" + + gh label create "$LABEL_NAME" \ + --color "ff0000" \ + --description "AI Slop detected by automated gate" \ + --repo ${{ github.repository }} || true + + gh pr edit ${{ github.event.pull_request.number }} \ + --add-label "$LABEL_NAME" \ + --repo ${{ github.repository }} + + # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. + # - name: Close PR on Policy Violation + # if: steps.slop_gate.outcome == 'failure' + # env: + # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # run: | + # gh pr close ${{ github.event.pull_request.number }} \ + # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ + # --repo ${{ github.repository }} \ No newline at end of file From 8ba86525fafa330f8709fd7f45a0c522c2fcfaad Mon Sep 17 00:00:00 2001 
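Review bot: The added `-e GEMINI_API_KEY` hands a second secret to an image referenced by the mutable tag `ghcr.io/sergudo/ai-slop-gate:latest`, so whatever that tag points to at run time receives both the API key and a `GITHUB_TOKEN` with `pull-requests: write`. Pinning the image by digest, `ghcr.io/sergudo/ai-slop-gate@sha256:DIGEST_PLACEHOLDER`, makes the code that sees the secrets reviewable. The hunk also drops `timeout-minutes: 20`, leaving a stalled provider call to run to the platform default, and on `workflow_dispatch` the `--pr-id` argument receives an empty string because there is no `github.event.pull_request`; a job-level `if: github.event_name == 'pull_request'` or a dispatch input for the PR number would cover that.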
From: serhiy Date: Sun, 15 Feb 2026 20:45:47 +0100 Subject: [PATCH 08/54] test slop java provider static --- .github/workflows/analyze.yml | 87 +++++++++++++---------------------- 1 file changed, 33 insertions(+), 54 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 26b52a3..372ca98 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
@@ -1,84 +1,63 @@ -name: AI Slop Gate Gemini Analysis +name: AI Slop Gate Static Analysis on: pull_request: branches: [ main ] + push: + branches: [ main ] + # Allows manual triggering of the workflow workflow_dispatch: +# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - llm-analysis: + static-analysis: runs-on: ubuntu-22.04 + timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Run AI Slop Gate (Gemini PR analysis) - id: slop_gate + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 + with: + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | + mkdir -p ~/.cache/ai-slop-gate docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run \ - --provider gemini \ - --policy policy.yml \ - --github-repo "${{ github.repository }}" \ - --pr-id "${{ github.event.pull_request.number }}" \ - > llm_report.txt 2>&1 - - echo "=== RAW LLM REPORT ===" - cat llm_report.txt - - - name: Extract clean report - if: steps.slop_gate.outcome == 'failure' - run: | - sed -n '/=== AI SLOP GATE LLM GEMINI REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md + run --provider static --path /data > raw_report.txt 2>&1 + + cat raw_report.txt - - name: Post PR Comment - if: steps.slop_gate.outcome == 'failure' + - name: Professional Static Report + if: steps.static_gate.outcome == 'failure' && github.event_name 
== 'pull_request' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "### 🚨 AI Slop Gate LLM GEMINI Analysis" > final_comment.md - echo "The LLM-based analysis detected policy violations." >> final_comment.md + sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md + echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md echo "" >> final_comment.md cat clean_report.md >> final_comment.md - - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - - - name: Label PR on Policy Violation - if: steps.slop_gate.outcome == 'failure' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - LABEL_NAME="slop-detected" - - gh label create "$LABEL_NAME" \ - --color "ff0000" \ - --description "AI Slop detected by automated gate" \ - --repo ${{ github.repository }} || true - - gh pr edit ${{ github.event.pull_request.number }} \ - --add-label "$LABEL_NAME" \ - --repo ${{ github.repository }} - - # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. - # - name: Close PR on Policy Violation - # if: steps.slop_gate.outcome == 'failure' - # env: - # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # run: | - # gh pr close ${{ github.event.pull_request.number }} \ - # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ - # --repo ${{ github.repository }} \ No newline at end of file + + gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} + \ No newline at end of file From 0eaa13a4f9c65697f50d8d1832fd76cbae95880c Mon Sep 17 00:00:00 2001 
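Review bot: The `Static Analysis (ai-slop-gate)` step runs `ghcr.io/sergudo/ai-slop-gate:latest`, a mutable tag, and passes that container `GITHUB_TOKEN` (the workflow grants `pull-requests: write`) together with a read-write mount of the checked-out workspace, so whatever the tag resolves to at run time executes with those rights. Pin the image by digest, `ghcr.io/sergudo/ai-slop-gate@sha256:<digest-placeholder>`, mount the sources read-only with `-v "${{ github.workspace }}:/data:ro"`, and drop `-e GITHUB_TOKEN` if the static provider does not need it (not determinable from this hunk). `actions/checkout@v4` and `actions/cache@v4` could be pinned to commit SHAs for the same reason. Separately, `continue-on-error: true` plus a report step guarded by `github.event_name == 'pull_request'` means a failing gate on the newly added `push` trigger leaves no trace and the job stays green; if the workflow is meant to gate, it needs a final step with `if: steps.static_gate.outcome == 'failure'` and `run: exit 1`.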
From: serhiy
Date: Sun, 15 Feb 2026 21:41:49 +0100
Subject: [PATCH 09/54] test slop csharp provider static
---
.DynamicAssemblyLoaderSlop.cs | 46 +++
...rpriseComplianceDeepDiveManagerProUltra.cs | 0
.UnsafeNativeBridge.cs | 31 +++
.csproj | 4 +
.github/workflows/analyze.yml | 3 +-
ComplianceFacade.java | 47 ----
DynamicClassLoaderSlop.java | 34 ---
...rpriseComplianceDeepDiveManagerProUltra.cs | 262 ++++++++++++++++++
EnterpriseSilentSlop.cs | 213 ++++++++++++++
EnterpriseSilentSlop.java | 14 -
LICENSE | 5 +
ReflectionBomb.cs | 75 +++++
ReflectionBomb.java | 62 -----
UnsafeNativeBridge.java | 152 ----------
packages.config | 11 +
slop_test.csproj | 33 +++
16 files changed, 681 insertions(+), 311 deletions(-)
create mode 100644 .DynamicAssemblyLoaderSlop.cs
rename EnterpriseComplianceDeepDiveManagerProUltra.java => .EnterpriseComplianceDeepDiveManagerProUltra.cs (100%)
create mode 100644 .UnsafeNativeBridge.cs
create mode 100644 .csproj
delete mode 100644 ComplianceFacade.java
delete mode 100644 DynamicClassLoaderSlop.java
create mode 100644 EnterpriseComplianceDeepDiveManagerProUltra.cs
create mode 100644 EnterpriseSilentSlop.cs
delete mode 100644 EnterpriseSilentSlop.java
create mode 100644 LICENSE
create mode 100644 ReflectionBomb.cs
delete mode 100644 ReflectionBomb.java
delete mode 100644 UnsafeNativeBridge.java
create mode 100644 packages.config
create mode 100644 slop_test.csproj
diff --git a/.DynamicAssemblyLoaderSlop.cs b/.DynamicAssemblyLoaderSlop.cs
new file mode 100644
index 0000000..60613d8
--- /dev/null
+++ b/.DynamicAssemblyLoaderSlop.cs
@@ -0,0 +1,46 @@ +// DynamicAssemblyLoaderSlop.cs +// WARNING: Horrible dynamic assembly loading from remote URL. + +using System; +using System.IO; +using System.Net; +using System.Reflection; + +namespace Slop +{ + public class DynamicAssemblyLoaderSlop + { + // Looks like plugin loader + // Slop: + // - downloads DLL over HTTP + // - no TLS + // - no signature verification + // - no type allowlist + public void LoadAndExecuteRemoteModule(string url) + { + // TODO: support HTTPS + Console.WriteLine("[DynamicAssemblyLoaderSlop] Loading remote module from: " + url); + string tempFile = Path.GetTempFileName(); + try + { + using var client = new WebClient(); + client.DownloadFile(url, tempFile); + + var asm = Assembly.LoadFile(tempFile); + // TODO: make type name configurable + var type = asm.GetType("RemoteComplianceModule"); + var instance = Activator.CreateInstance(type); + var method = type.GetMethod("Run"); + method.Invoke(instance, null); + } + catch (Exception e) + { + Console.Error.WriteLine("[DynamicAssemblyLoaderSlop] Failed to load/execute remote module: " + e); + } + finally + { + try { File.Delete(tempFile); } catch { /* TODO: secure delete */ } + } + } + } +} diff --git a/EnterpriseComplianceDeepDiveManagerProUltra.java b/.EnterpriseComplianceDeepDiveManagerProUltra.cs similarity index 100% rename from EnterpriseComplianceDeepDiveManagerProUltra.java rename to .EnterpriseComplianceDeepDiveManagerProUltra.cs diff --git a/.UnsafeNativeBridge.cs b/.UnsafeNativeBridge.cs new file mode 100644 index 0000000..cefe5d2 --- /dev/null +++ b/.UnsafeNativeBridge.cs 
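Review bot: This fixture is committed as `.DynamicAssemblyLoaderSlop.cs` although its first comment names `DynamicAssemblyLoaderSlop.cs`, and the same leading dot appears on `.UnsafeNativeBridge.cs`, `.csproj` and the renamed `.EnterpriseComplianceDeepDiveManagerProUltra.cs` in this commit. Dot-prefixed files are hidden from default directory listings and may be skipped by tools that ignore dotfiles, so it is worth confirming that the analyzer under test actually reads them; otherwise the download-and-execute pattern in `LoadAndExecuteRemoteModule` is never reported and the test passes vacuously. The rename is recorded at 100% similarity, so `.EnterpriseComplianceDeepDiveManagerProUltra.cs` still holds the unchanged content of the former `.java` file under a C# extension. The header should state the file's status explicitly, for example `// TEST FIXTURE: intentionally vulnerable; not to be compiled into or referenced from product code.`, and the fixtures would be easier to exclude from builds and from production scan baselines under a dedicated directory instead of the repository root.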
@@ -0,0 +1,31 @@ +// UnsafeNativeBridge.cs +// WARNING: Abuses P/Invoke with unvalidated input. + +using System; +using System.Runtime.InteropServices; + +namespace Slop +{ + public class UnsafeNativeBridge + { + // TODO: make library name configurable (never) + [DllImport("insecure_native", CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] + private static extern void native_compliance_check(string payload); + + // Looks like a wrapper + // Slop: passes raw user payload directly to native code + public void RunNativeComplianceCheck(string payload) + { + // TODO: sanitize payload before passing to native + Console.WriteLine("[UnsafeNativeBridge] Running native compliance check..."); + try + { + native_compliance_check(payload); + } + catch (Exception e) + { + Console.Error.WriteLine("[UnsafeNativeBridge] Native check failed: " + e); + } + } + } +} diff --git a/.csproj b/.csproj new file mode 100644 index 0000000..dd6f1e3 --- /dev/null +++ b/.csproj @@ -0,0 +1,4 @@ + + + + diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 372ca98..e15b6a7 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -59,5 +59,4 @@ jobs: echo "" >> final_comment.md cat clean_report.md >> final_comment.md - gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} - \ No newline at end of file + gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} \ No newline at end of file diff --git a/ComplianceFacade.java b/ComplianceFacade.java deleted file mode 100644 index 0602aa6..0000000 --- a/ComplianceFacade.java +++ /dev/null 
@@ -1,47 +0,0 @@ -package slop; - -import java.util.*; - -public class ComplianceFacade { - - // TODO: replace with real config loader (never happens) - private static final Map CONFIG = new HashMap<>(); - - static { - CONFIG.put("nativeLib", "libinsecure.so"); // TODO: externalize - CONFIG.put("remoteJarUrl", "http://malicious.internal.local/evil.jar"); // TODO: move to config - CONFIG.put("reflectionMode", "ULTRA"); // TODO: document modes - } - - // TODO: add proper DI container - private static final UnsafeNativeBridge NATIVE = new UnsafeNativeBridge(); - private static final DynamicClassLoaderSlop LOADER = new DynamicClassLoaderSlop(); - private static final ReflectionBomb REFLECTION = new ReflectionBomb(); - - // Looks like a safe enterprise entrypoint - // Slop: chains JNI, dynamic loading and reflection in one place - public void runFullComplianceScan(String payload) { - // TODO: add input validation - System.out.println("[ComplianceFacade] Starting full compliance scan..."); - - // JNI RCE-ish behavior - NATIVE.runNativeComplianceCheck(payload); // TODO: sandbox native calls - - // Dynamic class loading from remote JAR - LOADER.loadAndExecuteRemoteModule((String) CONFIG.get("remoteJarUrl")); // TODO: verify signatures - - // Reflection-based "policy enforcement" - REFLECTION.enforcePolicyViaReflection("slop.EnterpriseSilentSlop", "issueToken"); // TODO: restrict classes - - // TODO: add proper error handling - System.out.println("[ComplianceFacade] Compliance scan finished (probably)."); - } - - // Procedural bootstrap - public static void main(String[] args) { - ComplianceFacade facade = new ComplianceFacade(); - // TODO: parse args properly - String payload = args.length > 0 ? args[0] : "default-payload"; - facade.runFullComplianceScan(payload); - } -} diff --git a/DynamicClassLoaderSlop.java b/DynamicClassLoaderSlop.java deleted file mode 100644 index 10ae2c3..0000000 --- a/DynamicClassLoaderSlop.java +++ /dev/null 
@@ -1,34 +0,0 @@ -package slop; - -// WARNING: This class intentionally abuses JNI patterns. -// It is NOT safe and exists only to test analyzers. - -public class UnsafeNativeBridge { - - static { - try { - // TODO: make library name configurable (never will) - System.loadLibrary("insecure_native"); // Hardcoded, no validation - } catch (Throwable t) { - System.err.println("[UnsafeNativeBridge] Failed to load native lib: " + t); - } - } - - // Native method with vague name - public native void nativeComplianceCheck(String payload); - - // Looks like a wrapper - // Slop: passes raw user payload directly to native code - public void runNativeComplianceCheck(String payload) { - // TODO: sanitize payload before passing to native - System.out.println("[UnsafeNativeBridge] Running native compliance check..."); - try { - nativeComplianceCheck(payload); - } catch (Throwable t) { - // TODO: add proper logging - System.err.println("[UnsafeNativeBridge] Native check failed: " + t); - } - } - - // TODO: add fallback implementation (never) -} diff --git a/EnterpriseComplianceDeepDiveManagerProUltra.cs b/EnterpriseComplianceDeepDiveManagerProUltra.cs new file mode 100644 index 0000000..4de1a62 --- /dev/null +++ b/EnterpriseComplianceDeepDiveManagerProUltra.cs 
@@ -0,0 +1,262 @@ +// EnterpriseComplianceDeepDiveManagerProUltra.cs +// WARNING: Intentionally horrible C# code for testing analyzers. +// +// License violations (INTENTIONAL SLOP): +// - References to GPL-2.0 code patterns (FORBIDDEN in enterprise) +// - References to GPL-3.0 code patterns (FORBIDDEN in enterprise) +// - References to AGPL-3.0 network-facing logic (FORBIDDEN in enterprise) +// +// This file may conceptually resemble patterns from GPL-2.0 / GPL-3.0 / AGPL-3.0 projects. +// DO NOT USE IN PRODUCTION. DO NOT SHIP. DO NOT EVEN THINK ABOUT IT. +// +// Known CVE-style patterns (INTENTIONAL): +// - Insecure deserialization (BinaryFormatter) β†’ CVE-2017-11317, CVE-2019-12840 +// - Dynamic code execution (CSharpScript.EvaluateAsync) β†’ RCE-style issues +// - ECB mode encryption (CipherMode.ECB) β†’ CVE-2016-2107-like crypto misuse +// - SQL injection via string concatenation β†’ classic SQLi patterns +// - Insecure HTTP + disabled TLS validation β†’ MITM / SSRF patterns +// +// TODO: remove all GPL references (never) +// TODO: replace BinaryFormatter with safe serializer (never) +// TODO: remove hardcoded master key (never) +// TODO: add proper license scanner (never) +// TODO: add real CVE scanner instead of fake one (never) +// TODO: add unit tests (absolutely never) + +using System; +using System.Collections.Generic; +using System.Data.SqlClient; +using System.IO; +using System.Runtime.Serialization.Formatters.Binary; +using System.Security.Cryptography; +using System.Text; +using System.Text.Json; + +namespace Slop +{ + public class EnterpriseComplianceDeepDiveManagerProUltra + { + // TODO: move global state to proper DI container (never) + private static readonly Dictionary GlobalCache = new(); + private static readonly List AuditTrail = new(); + + // SECURITY VIOLATION: hardcoded master key, reused across environments + // TODO: load from HSM or KMS (never) + private const string MasterKey = "hardcoded-super-secret-master-key"; + + // TODO: make 
these configurable via JSON/YAML/TOML/INI/XML/protobuf/whatever + private bool _debugMode = true; + private bool _unsafeMode = true; + private string _userInputBuffer = ""; + + public EnterpriseComplianceDeepDiveManagerProUltra(Dictionary config) + { + // TODO: actually use config (never) + } + + // MASSIVE SLOP METHOD + public bool ProcessCompliancePayload(string payload) + { + Log("Starting compliance payload processing"); + + // Insecure binary deserialization (GPL-style legacy pattern) + try + { +#pragma warning disable SYSLIB0011 + var bf = new BinaryFormatter(); + using var ms = new MemoryStream(Encoding.UTF8.GetBytes(payload)); + var obj = bf.Deserialize(ms); // RCE RISK +#pragma warning restore SYSLIB0011 + Log("Deserialized object: " + obj); + } + catch (Exception e) + { + Log("Deserialization failed: " + e); + } + + // Dynamic code execution (AGPL-style β€œserver logic” slop) + if (payload.Contains("eval:")) + { + try + { + var code = payload.Split("eval:")[1]; + // TODO: replace with safe sandbox (never) + var result = Microsoft.CodeAnalysis.CSharp.Scripting.CSharpScript + .EvaluateAsync(code).Result; + Log("Eval executed result: " + result); + } + catch (Exception e) + { + Log("Eval failed: " + e); + } + } + + // Forbidden license detection (ignored on purpose) + if (payload.Contains("GPL-2.0") || + payload.Contains("GPL-3.0") || + payload.Contains("AGPL-3.0") || + payload.Contains("GPL")) + { + Console.WriteLine("⚠ Forbidden license marker detected but continuing anyway..."); + // TODO: actually block execution on forbidden licenses (never) + } + + // Totally insecure HTTP call (no TLS validation, GPL-style β€œquick hack”) + try + { + using var handler = new System.Net.Http.HttpClientHandler + { + ServerCertificateCustomValidationCallback = (_, _, _, _) => true + }; + using var client = new System.Net.Http.HttpClient(handler); + var response = client.GetStringAsync("http://example.com").Result; + Log("Fetched remote compliance policy: " + + 
response[..Math.Min(50, response.Length)]); + } + catch (Exception e) + { + Log("HTTP fetch failed: " + e); + } + + // Hardcoded crypto misuse (ECB, short key, no integrity) + try + { + using var aes = Aes.Create(); + aes.Mode = CipherMode.ECB; // TODO: switch to GCM (never) + aes.Padding = PaddingMode.PKCS7; + aes.Key = Encoding.UTF8.GetBytes(MasterKey[..16]); // TODO: derive properly (never) + + var bytes = Encoding.UTF8.GetBytes(payload); + using var enc = aes.CreateEncryptor(); + var encrypted = enc.TransformFinalBlock(bytes, 0, bytes.Length); + Log("Encrypted payload length: " + encrypted.Length); + } + catch (Exception e) + { + Log("Encryption failed: " + e); + } + + StoreInGlobalCache("last_payload", payload); + + GenerateFakeAuditReport(payload); + + Log("Finished compliance processing"); + + return true; + } + + public void StoreInGlobalCache(string key, object value) + { + // TODO: add locking / concurrency control (never) + GlobalCache[key] = value; + } + + // Intentionally vulnerable auth simulation + public bool Authenticate(string username, string password) + { + // TODO: replace with proper password hashing (never) + if (username == "admin" && password == "admin123") return true; + + // SQLi-style bypass pattern + if (username.Contains("' OR 1=1 --")) return true; + + return false; + } + + // SQL injection style logic + public bool CheckUserInDatabase(string connectionString, string username) + { + // TODO: use parameters (never) + var query = $"SELECT * FROM users WHERE username = '{username}'"; + using var conn = new SqlConnection(connectionString); + using var cmd = new SqlCommand(query, conn); + conn.Open(); + using var reader = cmd.ExecuteReader(); + return reader.HasRows; + } + + // Memory leak style slop + public void AppendUserInput(string input) + { + // TODO: add max buffer size (never) + _userInputBuffer += string.Concat(System.Linq.Enumerable.Repeat(input, 1000)); + } + + public List ScanForCVEs(string code) + { + var vulns = new List(); 
+ + if (code.Contains("BinaryFormatter")) vulns.Add("CVE-2017-11317"); + if (code.Contains("CSharpScript")) vulns.Add("CVE-2020-XXXX"); + if (code.Contains("CipherMode.ECB")) vulns.Add("CVE-2016-2107"); + if (code.Contains("SqlConnection")) vulns.Add("CVE-SQLI-FAKE-0001"); + + // TODO: integrate real CVE DB (never) + return vulns; + } + + public Dictionary GenerateFakeAuditReport(string data) + { + var report = new Dictionary + { + ["timestamp"] = DateTime.UtcNow, + ["data_hash"] = data.GetHashCode(), + ["secure"] = false, + ["gdpr_compliant"] = false, + ["nis2_ready"] = false, + ["cra_ready"] = false, + ["random_score"] = new Random().Next(0, 100), + ["audit_id"] = Guid.NewGuid().ToString(), + ["license_flags"] = new[] { "GPL-2.0", "GPL-3.0", "AGPL-3.0" } // TODO: remove (never) + }; + + AuditTrail.Add(report); + + if (_debugMode) + { + Console.WriteLine(JsonSerializer.Serialize( + report, + new JsonSerializerOptions { WriteIndented = true } + )); + } + + return report; + } + + public void Log(string message) + { + var entry = $"[{DateTime.UtcNow}] {message}"; + Console.WriteLine(entry); + AuditTrail.Add(entry); + } + + public static void Main(string[] args) + { + var manager = new EnterpriseComplianceDeepDiveManagerProUltra( + new Dictionary + { + ["gdpr"] = true, + ["nis2"] = true, + ["cra"] = true, + ["license_policy"] = "ignore-all" // TODO: enforce (never) + }); + + var samplePayload = @" +GPL-3.0 +AGPL-3.0 +GPL-2.0 +eval: System.Console.WriteLine(""exploited"") +"; + + manager.ProcessCompliancePayload(samplePayload); + + Console.WriteLine("Detected CVEs:"); + Console.WriteLine(string.Join(", ", manager.ScanForCVEs(samplePayload))); + + Console.WriteLine("Authentication bypass test:"); + Console.WriteLine(manager.Authenticate("' OR 1=1 --", "whatever")); + + manager.AppendUserInput("AAAA"); + } + } +} diff --git a/EnterpriseSilentSlop.cs b/EnterpriseSilentSlop.cs new file mode 100644 index 0000000..983b334 --- /dev/null +++ b/EnterpriseSilentSlop.cs 
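Review bot: The CVE identifiers in the header comment and in `ScanForCVEs` are used as labels for code patterns, but `CVE-2020-XXXX` and `CVE-SQLI-FAKE-0001` are not valid identifiers, and the real-looking ones (`CVE-2017-11317`, `CVE-2019-12840`, `CVE-2016-2107`) appear to belong to specific third-party products rather than to BinaryFormatter use or ECB mode in general; they should be checked against the CVE records before being treated as expected findings. A CVE names one flaw in one product, so a fixture that needs a stable expected label per pattern is better served by weakness classes, e.g. `// CWE-502 insecure deserialization`, `// CWE-327 ECB mode`, `// CWE-89 SQL built by interpolation`, `// CWE-295 certificate validation disabled`. As written, a scanner or LLM that echoes these ids back would look correct against this file while reporting vulnerabilities the code does not contain.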
@@ -0,0 +1,213 @@ +// EnterpriseComplianceDeepDiveManagerProUltra.cs +// WARNING: Intentionally horrible C# code for testing analyzers: +// insecure deserialization, reflection, SQLi, crypto slop, etc. + +using System; +using System.Collections.Generic; +using System.Data.SqlClient; +using System.IO; +using System.Runtime.Serialization.Formatters.Binary; +using System.Security.Cryptography; +using System.Text; +using System.Text.Json; + +namespace Slop +{ + public class EnterpriseComplianceDeepDiveManagerProUltra + { + private static readonly Dictionary GlobalCache = new(); + private static readonly List AuditTrail = new(); + private const string MasterKey = "hardcoded-super-secret-master-key"; // SECURITY VIOLATION + + private bool _debugMode = true; + private bool _unsafeMode = true; + private string _userInputBuffer = ""; + + public EnterpriseComplianceDeepDiveManagerProUltra(Dictionary config) + { + } + + // MASSIVE SLOP METHOD + public bool ProcessCompliancePayload(string payload) + { + Log("Starting compliance payload processing"); + + // Insecure binary deserialization + try + { +#pragma warning disable SYSLIB0011 + var bf = new BinaryFormatter(); + using var ms = new MemoryStream(Encoding.UTF8.GetBytes(payload)); + var obj = bf.Deserialize(ms); // RCE RISK +#pragma warning restore SYSLIB0011 + Log("Deserialized object: " + obj); + } + catch (Exception e) + { + Log("Deserialization failed: " + e); + } + + // Unsafe eval simulation via C# scripting + if (payload.Contains("eval:")) + { + try + { + var code = payload.Split("eval:")[1]; + // TODO: replace with safe sandbox (never) + var result = Microsoft.CodeAnalysis.CSharp.Scripting.CSharpScript.EvaluateAsync(code).Result; + Log("Eval executed result: " + result); + } + catch (Exception e) + { + Log("Eval failed: " + e); + } + } + + // Forbidden license detection (ignored) + if (payload.Contains("GPL")) + { + Console.WriteLine("⚠ Forbidden license detected but continuing anyway..."); + } + + // Totally 
insecure HTTP call (no TLS validation) + try + { + using var handler = new System.Net.Http.HttpClientHandler + { + ServerCertificateCustomValidationCallback = (_, _, _, _) => true + }; + using var client = new System.Net.Http.HttpClient(handler); + var response = client.GetStringAsync("http://example.com").Result; + Log("Fetched remote compliance policy: " + response[..Math.Min(50, response.Length)]); + } + catch (Exception e) + { + Log("HTTP fetch failed: " + e); + } + + // Hardcoded crypto misuse + try + { + using var aes = Aes.Create(); + aes.Mode = CipherMode.ECB; // ECB MODE + aes.Key = Encoding.UTF8.GetBytes(MasterKey[..16]); + var bytes = Encoding.UTF8.GetBytes(payload); + using var enc = aes.CreateEncryptor(); + var encrypted = enc.TransformFinalBlock(bytes, 0, bytes.Length); + Log("Encrypted payload length: " + encrypted.Length); + } + catch (Exception e) + { + Log("Encryption failed: " + e); + } + + StoreInGlobalCache("last_payload", payload); + + GenerateFakeAuditReport(payload); + + Log("Finished compliance processing"); + + return true; + } + + public void StoreInGlobalCache(string key, object value) + { + GlobalCache[key] = value; + } + + // Intentionally vulnerable auth simulation + public bool Authenticate(string username, string password) + { + if (username == "admin" && password == "admin123") return true; + + if (username.Contains("' OR 1=1 --")) return true; + + return false; + } + + // SQL injection style logic + public bool CheckUserInDatabase(string connectionString, string username) + { + // TODO: use parameters (never) + var query = $"SELECT * FROM users WHERE username = '{username}'"; + using var conn = new SqlConnection(connectionString); + using var cmd = new SqlCommand(query, conn); + conn.Open(); + using var reader = cmd.ExecuteReader(); + return reader.HasRows; + } + + // Memory leak style slop + public void AppendUserInput(string input) + { + _userInputBuffer += string.Concat(System.Linq.Enumerable.Repeat(input, 1000)); + } + + 
public List ScanForCVEs(string code) + { + var vulns = new List(); + + if (code.Contains("BinaryFormatter")) vulns.Add("CVE-2017-11317"); + if (code.Contains("CSharpScript")) vulns.Add("CVE-2020-XXXX"); + if (code.Contains("CipherMode.ECB")) vulns.Add("CVE-2016-2107"); + + return vulns; + } + + public Dictionary GenerateFakeAuditReport(string data) + { + var report = new Dictionary + { + ["timestamp"] = DateTime.UtcNow, + ["data_hash"] = data.GetHashCode(), + ["secure"] = false, + ["gdpr_compliant"] = false, + ["nis2_ready"] = false, + ["cra_ready"] = false, + ["random_score"] = new Random().Next(0, 100), + ["audit_id"] = Guid.NewGuid().ToString() + }; + + AuditTrail.Add(report); + + if (_debugMode) + { + Console.WriteLine(JsonSerializer.Serialize(report, new JsonSerializerOptions { WriteIndented = true })); + } + + return report; + } + + public void Log(string message) + { + var entry = $"[{DateTime.UtcNow}] {message}"; + Console.WriteLine(entry); + AuditTrail.Add(entry); + } + + public static void Main(string[] args) + { + var manager = new EnterpriseComplianceDeepDiveManagerProUltra(new Dictionary + { + ["gdpr"] = true, + ["nis2"] = true, + ["cra"] = true + }); + + var samplePayload = @" +GPL +eval: System.Console.WriteLine(""exploited"") +"; + + manager.ProcessCompliancePayload(samplePayload); + + Console.WriteLine("Detected CVEs:"); + Console.WriteLine(string.Join(", ", manager.ScanForCVEs(samplePayload))); + + Console.WriteLine("Authentication bypass test:"); + Console.WriteLine(manager.Authenticate("' OR 1=1 --", "whatever")); + + manager.AppendUserInput("AAAA"); + } + } +} diff --git a/EnterpriseSilentSlop.java b/EnterpriseSilentSlop.java deleted file mode 100644 index 752d608..0000000 --- a/EnterpriseSilentSlop.java +++ /dev/null 
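Review bot: `EnterpriseSilentSlop.cs` opens with the comment `// EnterpriseComplianceDeepDiveManagerProUltra.cs` and declares `Slop.EnterpriseComplianceDeepDiveManagerProUltra` with its own `Main`, the same type and entry point that `EnterpriseComplianceDeepDiveManagerProUltra.cs` adds in this commit. If `slop_test.csproj` compiles both files (its contents are not readable here), the build fails on the duplicate type definition, and any analyzer that needs a successful build reports nothing. Rename the class to match the file, e.g. `public class EnterpriseSilentSlop`, correct the header comment, and keep a single `Main`. `ScanForCVEs` in this copy also lacks the `SqlConnection` check present in the other file, so the two fixtures already disagree on expected output.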
@@ -1,14 +0,0 @@ -# GPL-3.0 License (FORBIDDEN) -source 'https://rubygems.org' - -ruby '2.3.0' # EOL Ruby β€” Trivy flag - -# Known vulnerable gems -gem 'rails', '4.2.0' # CVE-2015-7576, CVE-2016-6316 -gem 'rack', '1.6.0' # CVE-2018-16470 -gem 'nokogiri', '1.6.6' # CVE-2017-9050 -gem 'json', '1.8.1' # CVE-2020-10663 -gem 'devise', '3.2.4' # multiple CVEs -gem 'rest-client', '1.6.7' # CVE-2015-1820 -gem 'webrick', '1.3.1' # CVE-2020-25613 - diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..343ebae --- /dev/null +++ b/LICENSE @@ -0,0 +1,5 @@ +GPL-3.0 License + +This file intentionally contains GPL-3.0 text fragments +to trigger license compliance scanners. +Forbidden for enterprise usage. diff --git a/ReflectionBomb.cs b/ReflectionBomb.cs new file mode 100644 index 0000000..9f6ec93 --- /dev/null +++ b/ReflectionBomb.cs 
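Review bot: A file named `LICENSE` at the repository root is what forges and license scanners read as the license of the whole project, so this fixture changes the declared license of the repository instead of only feeding the gate a test input. If the intent is just to trigger the license check, a fixture path such as `fixtures/licenses/GPL-3.0.txt` (constructed example) keeps the trigger without relabelling the project. The project's actual license, if it has one, is not visible in this patch.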
@@ -0,0 +1,75 @@ +// ReflectionBomb.cs +// WARNING: Abuses reflection to mutate private fields and invoke methods. + +using System; +using System.Reflection; + +namespace Slop +{ + public class ReflectionBomb + { + // Looks like dynamic policy enforcement + // Slop: + // - arbitrary type loading + // - private field access + // - method invocation without checks + public void EnforcePolicyViaReflection(string typeName, string methodName) + { + // TODO: add allowlist for types + Console.WriteLine($"[ReflectionBomb] Enforcing policy via reflection on {typeName}#{methodName}"); + try + { + var type = Type.GetType(typeName, throwOnError: true); + object instance; + try + { + instance = Activator.CreateInstance(type); + } + catch + { + instance = UnsafeInstanceFactory.CreateInstance(type); // even worse + } + + // TODO: restrict which fields can be modified + foreach (var field in type.GetFields(BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.Public)) + { + if (field.FieldType == typeof(string)) + { + field.SetValue(instance, "patched-by-reflection"); + } + } + + // TODO: validate method signature + var method = type.GetMethod(methodName, BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic); + var result = method.Invoke(instance, new object[] { "reflection-payload" }); + Console.WriteLine("[ReflectionBomb] Result: " + result); + } + catch (Exception e) + { + Console.Error.WriteLine("[ReflectionBomb] Reflection enforcement failed: " + e); + } + } + + private static class UnsafeInstanceFactory + { + public static object CreateInstance(Type type) + { + // TODO: replace with safe instantiation (never) + try + { + var ctors = type.GetConstructors(BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.Public); + if (ctors.Length > 0) + { + return ctors[0].Invoke(Array.Empty()); + } + } + catch + { + // swallow everything + } + + return null; + } + } + } +} 
diff --git a/ReflectionBomb.java b/ReflectionBomb.java deleted file mode 100644 index e6cfaec..0000000 --- a/ReflectionBomb.java +++ /dev/null 
@@ -1,62 +0,0 @@ -package slop; - -import java.lang.reflect.*; - -// WARNING: This class intentionally abuses reflection. - -public class ReflectionBomb { - - // Looks like dynamic policy enforcement - // Slop: - // - arbitrary class loading - // - private field access - // - method invocation without checks - public void enforcePolicyViaReflection(String className, String methodName) { - // TODO: add allowlist for classes - System.out.println("[ReflectionBomb] Enforcing policy via reflection on " + className + "#" + methodName); - try { - Class clazz = Class.forName(className); - Object instance = null; - - try { - instance = clazz.getDeclaredConstructor().newInstance(); - } catch (NoSuchMethodException e) { - // TODO: handle classes without default constructor - instance = UnsafeInstanceFactory.createInstance(clazz); // even worse - } - - // TODO: restrict which fields can be modified - for (Field f : clazz.getDeclaredFields()) { - f.setAccessible(true); - if (f.getType() == String.class) { - f.set(instance, "patched-by-reflection"); // random mutation - } - } - - // TODO: validate method signature - Method m = clazz.getDeclaredMethod(methodName, String.class); - m.setAccessible(true); - Object result = m.invoke(instance, "reflection-payload"); - System.out.println("[ReflectionBomb] Result: " + result); - - } catch (Throwable t) { - System.err.println("[ReflectionBomb] Reflection enforcement failed: " + t); - } - } - - // Inner helper with even Π±Ρ–Π»ΡŒΡˆΠ΅ слопу - static class UnsafeInstanceFactory { - // Uses sun.misc.Unsafe‑подібний ΠΏΠ°Ρ‚Π΅Ρ€Π½ (імітація) - static Object createInstance(Class clazz) { - // TODO: replace with safe instantiation (never) - try { - Constructor[] ctors = clazz.getDeclaredConstructors(); - if (ctors.length > 0) { - ctors[0].setAccessible(true); - return ctors[0].newInstance(); - } - } catch (Exception ignored) {} - return null; - } - } -} 
diff --git a/UnsafeNativeBridge.java b/UnsafeNativeBridge.java deleted file mode 100644 index 26ff499..0000000 --- a/UnsafeNativeBridge.java +++ /dev/null 
@@ -1,152 +0,0 @@ -# enterprise_silent_slop.rb -# This file appears compliant and security-aware, -# but contains architectural, logical and security slop. -# -# Goal: Test deep Ruby security scanners & LLM-based analyzers. - -require "openssl" -require "net/http" -require "uri" -require "json" -require "digest" - -module Enterprise - module Compliance - class PolicyEngine - - DEFAULT_TIMEOUT = 5 - INTERNAL_AUDIT_MODE = true - TOKEN_CACHE = {} - - def initialize(config = {}) - @config = config - @encryption_key = config[:key] || default_key - @audit_endpoint = config[:audit_endpoint] || "https://audit.internal.local" - @feature_flags = config.fetch(:features, {}) - end - - # Looks safe: uses SHA256 - # Slop: no salt, no stretching β†’ predictable tokens - def issue_token(user_id) - token = Digest::SHA256.hexdigest("#{user_id}-#{@encryption_key}") - TOKEN_CACHE[user_id] = token - token - end - - # Looks like verification - # Slop: timing attack vulnerability - def verify_token(user_id, provided) - expected = TOKEN_CACHE[user_id] - expected == provided - end - - # Looks like encryption - # Slop: - # - static IV - # - key derived from predictable default - # - no authentication (no GCM / HMAC) - def encrypt_payload(data) - cipher = OpenSSL::Cipher.new("AES-256-CBC") - cipher.encrypt - cipher.key = Digest::SHA256.digest(@encryption_key) - cipher.iv = "0" * 16 - cipher.update(data.to_json) + cipher.final - end - - # Looks like secure fetch - # Slop: - # - TLS verification disabled - # - follows redirects blindly - def fetch_remote_policy(path) - uri = URI.join(@audit_endpoint, path) - - http = Net::HTTP.new(uri.host, uri.port) - http.use_ssl = uri.scheme == "https" - http.verify_mode = OpenSSL::SSL::VERIFY_NONE - - request = Net::HTTP::Get.new(uri) - request["X-Internal-Auth"] = internal_auth_header - - response = http.request(request) - JSON.parse(response.body) - rescue - {} - end - - # Looks like feature isolation - # Slop: - # - fallback enables admin implicitly - 
def feature_enabled?(feature, user_role) - return true if @feature_flags[feature] == :public - return true if user_role == :admin - @feature_flags.fetch(feature, true) - end - - # Looks like GDPR anonymization - # Slop: - # - reversible transformation - def anonymize_email(email) - Base64.encode64(email.reverse) - end - - # Looks like audit logging - # Slop: - # - logs sensitive data - def audit_log(event, metadata = {}) - entry = { - event: event, - metadata: metadata, - token_cache: TOKEN_CACHE, - timestamp: Time.now - } - - puts entry.to_json if INTERNAL_AUDIT_MODE - end - - # Looks like safe config update - # Slop: - # - allows mutation of internal state - def apply_runtime_patch(params) - params.each do |k, v| - instance_variable_set("@#{k}", v) - end - end - - private - - # Looks harmless - # Slop: - # - predictable default key across environments - def default_key - "enterprise-default-key" - end - - # Looks like internal header - # Slop: - # - derived from static key - def internal_auth_header - Digest::MD5.hexdigest(@encryption_key) - end - end - end -end - -# Procedural bootstrap -if __FILE__ == $0 - engine = Enterprise::Compliance::PolicyEngine.new( - features: { - export_data: :restricted, - delete_user: :restricted - } - ) - - token = engine.issue_token(42) - puts engine.verify_token(42, token) - - encrypted = engine.encrypt_payload({ email: "user@example.com" }) - puts encrypted.bytesize - - engine.audit_log("user_login", { email: "user@example.com", token: token }) - - engine.apply_runtime_patch({ encryption_key: "patched-key" }) -end diff --git a/packages.config b/packages.config new file mode 100644 index 0000000..1bf0be6 --- /dev/null +++ b/packages.config @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/slop_test.csproj b/slop_test.csproj new file mode 100644 index 0000000..f41c729 --- /dev/null +++ b/slop_test.csproj @@ -0,0 +1,33 @@ + + + + + + + + + + + + + + + + + net48 + false + + + + + + + + + + + + + + + 
From 7dcb519ea5aed5396ee9091ab8763ade3a53f128 Mon Sep 17 00:00:00 2001
From: serhiy
Date: Sun, 15 Feb 2026 21:46:36 +0100
Subject: [PATCH 10/54] test slop csharp provider gemini
---
.github/workflows/analyze.yml | 86 ++++++++++++++++++++++-------------
1 file changed, 54 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml
index e15b6a7..afd73f1 100644
--- a/.github/workflows/analyze.yml
+++ b/.github/workflows/analyze.yml
@@ -1,62 +1,84 @@ -name: AI Slop Gate Static Analysis +name: AI Slop Gate GROQ Analysis on: pull_request: branches: [ main ] - push: - branches: [ main ] - # Allows manual triggering of the workflow workflow_dispatch: -# Grant permissions for managing PR labels, comments, and checking out content permissions: pull-requests: write contents: read jobs: - static-analysis: + llm-analysis: runs-on: ubuntu-22.04 - timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Cache ai-slop-gate cache directory - uses: actions/cache@v4 - with: - path: ~/.cache/ai-slop-gate - key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} - restore-keys: | - ai-slop-gate-cache-${{ runner.os }}- - - # Run static analysis. 'continue-on-error' allows us to label the PR even if slop is found. - - name: Static Analysis (ai-slop-gate) - id: static_gate + - name: Run AI Slop Gate (Gemini PR analysis) + id: slop_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | - mkdir -p ~/.cache/ai-slop-gate docker run --rm \ - -v "${{ github.workspace }}:/data" \ - -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ + -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider static --path /data > raw_report.txt 2>&1 - - cat raw_report.txt + run \ + --provider groq \ + --policy policy.yml \ + --github-repo "${{ github.repository }}" \ + --pr-id "${{ github.event.pull_request.number }}" \ + > llm_report.txt 2>&1 + + echo "=== RAW LLM REPORT ===" + cat llm_report.txt + + - name: Extract clean report + if: steps.slop_gate.outcome == 'failure' + run: | + sed -n '/=== AI SLOP GATE LLM GROQ REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md - - name: Professional Static Report - if: steps.static_gate.outcome == 'failure' && github.event_name == 'pull_request' + - name: Post PR Comment + if: 
steps.slop_gate.outcome == 'failure' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - sed -n '/=== AI SLOP GATE STATIC REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - - echo "### 🚨 AI Slop Gate Static Analysis" > final_comment.md - echo "The static analysis pipeline has identified policy violations that require attention." >> final_comment.md + echo "### 🚨 AI Slop Gate LLM GROQ Analysis" > final_comment.md + echo "The LLM-based analysis detected policy violations." >> final_comment.md echo "" >> final_comment.md cat clean_report.md >> final_comment.md - - gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} \ No newline at end of file + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + - name: Label PR on Policy Violation + if: steps.slop_gate.outcome == 'failure' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + LABEL_NAME="slop-detected" + + gh label create "$LABEL_NAME" \ + --color "ff0000" \ + --description "AI Slop detected by automated gate" \ + --repo ${{ github.repository }} || true + + gh pr edit ${{ github.event.pull_request.number }} \ + --add-label "$LABEL_NAME" \ + --repo ${{ github.repository }} + + # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. + # - name: Close PR on Policy Violation + # if: steps.slop_gate.outcome == 'failure' + # env: + # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # run: | + # gh pr close ${{ github.event.pull_request.number }} \ + # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ + # --repo ${{ github.repository }} From e6f1450274d2b2096327006fa0a73445c9bf55e6 Mon Sep 17 00:00:00 2001 
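Review bot: The added `-e SLOPE_GATE_GROQ` hands the provider API key, alongside a `GITHUB_TOKEN` that carries `pull-requests: write`, to `ghcr.io/sergudo/ai-slop-gate:latest`, a mutable tag, so whatever is next published under that tag receives both credentials. Pin the image by digest, `ghcr.io/sergudo/ai-slop-gate@sha256:<digest-of-reviewed-image>` (placeholder), and pin `actions/checkout` to a commit SHA in the same way. Separately, the new `Post PR Comment` and `Label PR on Policy Violation` steps drop the `github.event_name == 'pull_request'` guard the removed step had while `workflow_dispatch` stays enabled, so on a manual run `${{ github.event.pull_request.number }}` is empty; restore it with `if: steps.slop_gate.outcome == 'failure' && github.event_name == 'pull_request'`. The step title still says Gemini although the command uses `--provider groq`.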
From: serhiy Date: Sun, 15 Feb 2026 22:06:08 +0100 Subject: [PATCH 11/54] fix: test slop csharp provider --- .github/workflows/analyze.yml | 182 ++++++++++++++++++++++++---------- 1 file changed, 132 insertions(+), 50 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index afd73f1..6ff84ec 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,8 +1,10 @@ -name: AI Slop Gate GROQ Analysis +name: AI Slop Gate Compliance Analysis on: pull_request: branches: [ main ] + push: + branches: [ main ] workflow_dispatch: permissions: 
@@ -10,75 +12,155 @@ permissions: contents: read jobs: - llm-analysis: + compliance-analysis: runs-on: ubuntu-22.04 + timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Run AI Slop Gate (Gemini PR analysis) - id: slop_gate + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 + with: + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run compliance analysis + - name: Compliance Analysis (ai-slop-gate) + id: compliance_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | + mkdir -p ~/.cache/ai-slop-gate + + # Run compliance check and capture output (don't fail on non-zero exit) + set +e # Disable exit on error temporarily docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run \ - --provider groq \ - --policy policy.yml \ - --github-repo "${{ github.repository }}" \ - --pr-id "${{ github.event.pull_request.number }}" \ - > llm_report.txt 2>&1 - - echo "=== RAW LLM REPORT ===" - cat llm_report.txt + run --compliance --policy /data/policy.yml --path /data > raw_report.txt 2>&1 + + EXIT_CODE=$? 
+ set -e # Re-enable exit on error + + # Always show report + cat raw_report.txt + + # Save exit code for later steps + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict (default to UNKNOWN if not found) + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") + echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + + # Count findings (default to 0 if not found) + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") + echo "findings=$FINDINGS" >> $GITHUB_OUTPUT + + # Log extracted values + echo "πŸ“Š Extracted values:" + echo " Exit code: $EXIT_CODE" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Don't fail here - let continue-on-error handle it + exit 0 - - name: Extract clean report - if: steps.slop_gate.outcome == 'failure' - run: | - sed -n '/=== AI SLOP GATE LLM GROQ REPORT ===/,/=== END OF REPORT ===/p' llm_report.txt > clean_report.md - - - name: Post PR Comment - if: steps.slop_gate.outcome == 'failure' + # Post comment on PR (always, not just on failure) + - name: Post Compliance Report to PR + if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "### 🚨 AI Slop Gate LLM GROQ Analysis" > final_comment.md - echo "The LLM-based analysis detected policy violations." >> final_comment.md - echo "" >> final_comment.md + # Extract clean report (fix sed pattern) + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + # Check if report was extracted + if [ ! -s clean_report.md ]; then + echo "⚠️ Warning: Could not extract report from raw_report.txt" + echo "=== NO REPORT GENERATED ===" > clean_report.md + echo "The compliance check may have failed to run properly." 
>> clean_report.md + fi + + # Get values with defaults + VERDICT="${{ steps.compliance_gate.outputs.verdict }}" + FINDINGS="${{ steps.compliance_gate.outputs.findings }}" + + # Set defaults if empty + VERDICT="${VERDICT:-UNKNOWN}" + FINDINGS="${FINDINGS:-0}" + + echo "πŸ“Š Report values:" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Determine emoji and status based on verdict + if [ "$VERDICT" = "BLOCKING" ]; then + EMOJI="🚨" + STATUS="**BLOCKING** - Action Required" + elif [ "$VERDICT" = "ADVISORY" ]; then + EMOJI="⚠️" + STATUS="**ADVISORY** - Review Recommended" + elif [ "$VERDICT" = "ALLOW" ]; then + EMOJI="βœ…" + STATUS="**PASSED** - No Issues Found" + else + EMOJI="❓" + STATUS="**UNKNOWN** - Check logs" + fi + + # Create professional comment + cat > final_comment.md << EOF + ## $EMOJI AI Slop Gate Compliance Analysis + + **Status:** $STATUS + **Findings:** $FINDINGS issue(s) detected + + --- + + EOF + + # Append the clean report cat clean_report.md >> final_comment.md - + + # Add footer + cat >> final_comment.md << EOF + + --- + +
+ πŸ“š How to fix violations + + ### License Violations (GPL/AGPL) + 1. Remove the dependency or find an alternative with a permissive license + 2. If the dependency is necessary, consult with legal team + 3. Add to \`.trivyignore\` only if approved by compliance team + + ### Data Residency Violations + 1. Ensure all endpoints use EU regions + 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. + 3. Remove references to US/AP regions + +
+ + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + # Post comment gh pr comment ${{ github.event.pull_request.number }} \ --body-file final_comment.md \ --repo ${{ github.repository }} - - name: Label PR on Policy Violation - if: steps.slop_gate.outcome == 'failure' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Set job status based on verdict + - name: Check Compliance Result + if: steps.compliance_gate.outputs.verdict == 'BLOCKING' run: | - LABEL_NAME="slop-detected" - - gh label create "$LABEL_NAME" \ - --color "ff0000" \ - --description "AI Slop detected by automated gate" \ - --repo ${{ github.repository }} || true - - gh pr edit ${{ github.event.pull_request.number }} \ - --add-label "$LABEL_NAME" \ - --repo ${{ github.repository }} - - # Optional: Uncomment the following step if you prefer hard-blocking by closing the PR automatically. - # - name: Close PR on Policy Violation - # if: steps.slop_gate.outcome == 'failure' - # env: - # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # run: | - # gh pr close ${{ github.event.pull_request.number }} \ - # --comment "🚫 PR closed based on the AI Slop Gate analysis. Please review the feedback and improve the content before re-submitting." \ - # --repo ${{ github.repository }} + echo "❌ Compliance analysis found blocking violations" + exit 1 + \ No newline at end of file From 41eb1c9340688b8bd8fe6f0700373a3dc2e61dd7 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 22:11:22 +0100 Subject: [PATCH 12/54] fix: test slop csharp static provider --- .github/workflows/analyze.yml | 74 ++++++++++++++++++++++------------- 1 file changed, 46 insertions(+), 28 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 6ff84ec..1fd04f8 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate Compliance Analysis +name: AI Slop Gate Static Analysis on: pull_request: 
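Review bot: The gate fails open: `Check Compliance Result` fails the job only when the parsed verdict is exactly `BLOCKING`, so a run in which the container produced no report (image pull error, crash, changed report wording) leaves `verdict` empty and the job green. The `|| echo "UNKNOWN"` fallbacks on the `VERDICT=` and `FINDINGS=` lines do not cover this, because without `pipefail` (not set in the script, and the step declares no `shell:`) the pipeline's status is that of `awk`, which exits 0 when `grep` matches nothing; the saved `exit_code` output is never read by any step in this hunk. Treat everything that is not an explicit pass as a failure, e.g. `if: steps.compliance_gate.outputs.verdict != 'ALLOW' && steps.compliance_gate.outputs.verdict != 'ADVISORY'`. Using `grep -m1 "Policy Verdict:"` would also keep a report with several matching lines from writing a multi-line value to `$GITHUB_OUTPUT`.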
@@ -12,7 +12,7 @@ permissions: contents: read jobs: - compliance-analysis: + static-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 @@ -28,23 +28,32 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run compliance analysis - - name: Compliance Analysis (ai-slop-gate) - id: compliance_gate + # Run static analysis + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate - # Run compliance check and capture output (don't fail on non-zero exit) + # Check if policy.yml exists, otherwise use default + POLICY_FLAG="" + if [ -f "${{ github.workspace }}/policy.yml" ]; then + echo "πŸ“‹ Using custom policy.yml" + POLICY_FLAG="--policy /data/policy.yml" + else + echo "πŸ“‹ Using default policy" + fi + + # Run static analysis and capture output set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --compliance --policy /data/policy.yml --path /data > raw_report.txt 2>&1 + run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error 
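Review bot: The policy that decides the verdict is read from `${{ github.workspace }}/policy.yml`, which on a `pull_request` run is the PR's own checkout, so the change under review can also edit the rules it is judged against, or delete the file and fall back to the default policy. Take the policy from the base branch instead, for example by checking out `${{ github.base_ref }}` into a separate directory and mounting that file, or at least fail the check when the PR touches `policy.yml`. Mounting the workspace read-only, `-v "${{ github.workspace }}:/data:ro"`, would additionally keep the container from modifying the checkout, assuming the tool only reads from `/data`.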
@@ -73,24 +82,24 @@ jobs: exit 0 # Post comment on PR (always, not just on failure) - - name: Post Compliance Report to PR + - name: Post Static Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Extract clean report (fix sed pattern) + # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md # Check if report was extracted if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The compliance check may have failed to run properly." >> clean_report.md + echo "The static analysis may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.compliance_gate.outputs.verdict }}" - FINDINGS="${{ steps.compliance_gate.outputs.findings }}" + VERDICT="${{ steps.static_gate.outputs.verdict }}" + FINDINGS="${{ steps.static_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" @@ -117,7 +126,7 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Compliance Analysis + ## $EMOJI AI Slop Gate Static Analysis **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected @@ -129,23 +138,33 @@ jobs: # Append the clean report cat clean_report.md >> final_comment.md - # Add footer + # Add footer with helpful info cat >> final_comment.md << EOF ---
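Review bot: `VERDICT="${{ steps.static_gate.outputs.verdict }}"` and the `FINDINGS=` line after it expand the step outputs into the script text before bash runs, and those values are the last field of lines grepped out of `raw_report.txt`, which presumably can echo content from the scanned, PR-controlled files. Pass them through the step's `env:` block instead (`VERDICT: ${{ steps.static_gate.outputs.verdict }}`) and read `"$VERDICT"` in the script, so the value stays data rather than shell source. Checking it against the known set `BLOCKING`, `ADVISORY`, `ALLOW` before use is a cheap extra guard. The same two lines recur in the compliance and LLM variants of this step in the other patches of this series.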
- πŸ“š How to fix violations + πŸ“š How to fix common issues + + ### Hardcoded Secrets + 1. Move secrets to environment variables or secret management system + 2. Use \`.env\` files (add to \`.gitignore\`) + 3. For CI/CD, use GitHub Secrets or similar + + ### Dangerous Functions + 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` + 2. Sanitize all user inputs + 3. Use safer alternatives (parameterized queries, safe APIs) - ### License Violations (GPL/AGPL) - 1. Remove the dependency or find an alternative with a permissive license - 2. If the dependency is necessary, consult with legal team - 3. Add to \`.trivyignore\` only if approved by compliance team + ### SQL Injection + 1. Use parameterized queries/prepared statements + 2. Never concatenate user input into SQL strings + 3. Use ORM frameworks when possible - ### Data Residency Violations - 1. Ensure all endpoints use EU regions - 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. - 3. Remove references to US/AP regions + ### TODOs + 1. Complete or document security-related TODOs + 2. Create issues for tracking + 3. Remove completed TODOs
@@ -158,9 +177,8 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check Compliance Result - if: steps.compliance_gate.outputs.verdict == 'BLOCKING' + - name: Check Static Analysis Result + if: steps.static_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ Compliance analysis found blocking violations" - exit 1 - \ No newline at end of file + echo "❌ Static analysis found blocking violations" + exit 1 \ No newline at end of file From bea6493cf41d05e1ef696959b75310fd0a4e2fe6 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 22:17:38 +0100 Subject: [PATCH 13/54] =?UTF-8?q?fix:=20test=20slop=20csharp=20=D1=81ompli?= =?UTF-8?q?ance?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/analyze.yml | 65 +++++++++++++++-------------------- 1 file changed, 28 insertions(+), 37 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 1fd04f8..0e15deb 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate Static Analysis +name: AI Slop Gate Compliance Analysis on: pull_request: @@ -12,7 +12,7 @@ permissions: contents: read jobs: - static-analysis: + compliance-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 @@ -28,9 +28,9 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run static analysis - - name: Static Analysis (ai-slop-gate) - id: static_gate + # Run compliance analysis + - name: Compliance Analysis (ai-slop-gate) + id: compliance_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true 
@@ -46,14 +46,14 @@ jobs: echo "πŸ“‹ Using default policy" fi - # Run static analysis and capture output + # Run compliance check and capture output (don't fail on non-zero exit) set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --compliance $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -82,24 +82,24 @@ jobs: exit 0 # Post comment on PR (always, not just on failure) - - name: Post Static Analysis Report to PR + - name: Post Compliance Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Extract clean report + # Extract clean report (fix sed pattern) sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md # Check if report was extracted if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The static analysis may have failed to run properly." >> clean_report.md + echo "The compliance check may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.static_gate.outputs.verdict }}" - FINDINGS="${{ steps.static_gate.outputs.findings }}" + VERDICT="${{ steps.compliance_gate.outputs.verdict }}" + FINDINGS="${{ steps.compliance_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" @@ -126,7 +126,7 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Static Analysis + ## $EMOJI AI Slop Gate Compliance Analysis **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected 
@@ -138,33 +138,23 @@ jobs: # Append the clean report cat clean_report.md >> final_comment.md - # Add footer with helpful info + # Add footer cat >> final_comment.md << EOF ---
- πŸ“š How to fix common issues + πŸ“š How to fix violations - ### Hardcoded Secrets - 1. Move secrets to environment variables or secret management system - 2. Use \`.env\` files (add to \`.gitignore\`) - 3. For CI/CD, use GitHub Secrets or similar + ### License Violations (GPL/AGPL) + 1. Remove the dependency or find an alternative with a permissive license + 2. If the dependency is necessary, consult with legal team + 3. Add to \`.trivyignore\` only if approved by compliance team - ### Dangerous Functions - 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` - 2. Sanitize all user inputs - 3. Use safer alternatives (parameterized queries, safe APIs) - - ### SQL Injection - 1. Use parameterized queries/prepared statements - 2. Never concatenate user input into SQL strings - 3. Use ORM frameworks when possible - - ### TODOs - 1. Complete or document security-related TODOs - 2. Create issues for tracking - 3. Remove completed TODOs + ### Data Residency Violations + 1. Ensure all endpoints use EU regions + 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. + 3. Remove references to US/AP regions
@@ -177,8 +167,9 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check Static Analysis Result - if: steps.static_gate.outputs.verdict == 'BLOCKING' + - name: Check Compliance Result + if: steps.compliance_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ Static analysis found blocking violations" - exit 1 \ No newline at end of file + echo "❌ Compliance analysis found blocking violations" + exit 1 + \ No newline at end of file From 927ca13e8f561922897b2693f075a85c425688e6 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 22:21:31 +0100 Subject: [PATCH 14/54] =?UTF-8?q?fix:=20test=20slop=20csharp=20=D1=81ompli?= =?UTF-8?q?ance=20allow?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/analyze.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 0e15deb..f240449 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -138,8 +138,9 @@ jobs: # Append the clean report cat clean_report.md >> final_comment.md - # Add footer - cat >> final_comment.md << EOF + # Add footer with fix guide ONLY if there are violations + if [ "$FINDINGS" != "0" ] && [ "$VERDICT" != "ALLOW" ]; then + cat >> final_comment.md << EOF --- @@ -157,6 +158,11 @@ jobs: 3. Remove references to US/AP regions + EOF + fi + + # Always add footer + cat >> final_comment.md << EOF πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF From 80cbdff2339edbfa5932c76e09edba6a32ff1604 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 22:27:40 +0100 Subject: [PATCH 15/54] fix: test slop csharp provider gemini --- .github/workflows/analyze.yml | 99 ++++++++++++++++++++++++----------- 1 file changed, 67 insertions(+), 32 deletions(-) 
diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index f240449..6b893e7 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate Compliance Analysis +name: AI Slop Gate LLM Analysis on: pull_request: @@ -12,7 +12,7 @@ permissions: contents: read jobs: - compliance-analysis: + llm-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 @@ -28,15 +28,24 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run compliance analysis - - name: Compliance Analysis (ai-slop-gate) - id: compliance_gate + # Run LLM analysis + - name: LLM Analysis (ai-slop-gate) + id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate + # Check if API key is available + if [ -z "$GEMINI_API_KEY" ]; then + echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" + echo "verdict=SKIPPED" >> $GITHUB_OUTPUT + echo "findings=0" >> $GITHUB_OUTPUT + exit 0 + fi + # Check if policy.yml exists, otherwise use default POLICY_FLAG="" if [ -f "${{ github.workspace }}/policy.yml" ]; then @@ -46,14 +55,15 @@ jobs: echo "πŸ“‹ Using default policy" fi - # Run compliance check and capture output (don't fail on non-zero exit) + # Run LLM analysis and capture output set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ + -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --compliance $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider gemini --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -61,7 +71,7 @@ jobs: # Always show report cat raw_report.txt - # Save exit code for later steps + # Save exit code echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT # Extract verdict (default to UNKNOWN if not found) 
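Review bot: With `--provider gemini` the verdict that later passes or fails the job comes from a model reading the mounted PR checkout, so text inside the change under review can presumably influence the result; an `ALLOW` from this step should not be the only check between a PR and merge. Keep the deterministic static or compliance run as the required check and treat the LLM verdict as advisory, or run both and fail on either. The new skip branch writes `verdict=SKIPPED` when `GEMINI_API_KEY` is empty, which the final `verdict == 'BLOCKING'` condition treats as a pass, so runs without the secret (fork PRs, for instance) report green without any analysis; if this workflow is a required check, that case should be surfaced as neutral or failed rather than successful.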
@@ -78,28 +88,47 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Don't fail here - let continue-on-error handle it + # Don't fail here exit 0 - # Post comment on PR (always, not just on failure) - - name: Post Compliance Report to PR + # Post comment on PR (always) + - name: Post LLM Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Extract clean report (fix sed pattern) + # Check if analysis was skipped + if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then + cat > final_comment.md << EOF + ## ⏭️ AI Slop Gate LLM Analysis + + **Status:** SKIPPED + **Reason:** GEMINI_API_KEY not configured + + To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. + + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + exit 0 + fi + + # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md # Check if report was extracted if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The compliance check may have failed to run properly." >> clean_report.md + echo "The LLM analysis may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.compliance_gate.outputs.verdict }}" - FINDINGS="${{ steps.compliance_gate.outputs.findings }}" + VERDICT="${{ steps.llm_gate.outputs.verdict }}" + FINDINGS="${{ steps.llm_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" 
@@ -109,7 +138,7 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Determine emoji and status based on verdict + # Determine emoji and status if [ "$VERDICT" = "BLOCKING" ]; then EMOJI="🚨" STATUS="**BLOCKING** - Action Required" @@ -126,11 +155,13 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Compliance Analysis + ## $EMOJI AI Slop Gate LLM Analysis (Gemini) **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected + > πŸ€– **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. + --- EOF @@ -145,17 +176,22 @@ jobs: ---
- πŸ“š How to fix violations + πŸ“š Understanding LLM Findings + + ### What LLM Analysis Detects + - Architectural anti-patterns and code smells + - Logic inconsistencies and contradictions + - Misleading naming or documentation + - Potential design flaws + - Security vulnerabilities in business logic - ### License Violations (GPL/AGPL) - 1. Remove the dependency or find an alternative with a permissive license - 2. If the dependency is necessary, consult with legal team - 3. Add to \`.trivyignore\` only if approved by compliance team + ### How to Interpret Findings + - **High Confidence (0.8-1.0):** Strong evidence of an issue + - **Medium Confidence (0.5-0.8):** Worth investigating + - **Low Confidence (<0.5):** Consider in context - ### Data Residency Violations - 1. Ensure all endpoints use EU regions - 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. - 3. Remove references to US/AP regions + ### False Positives + LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements.
EOF @@ -164,7 +200,7 @@ jobs: # Always add footer cat >> final_comment.md << EOF - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` EOF # Post comment @@ -173,9 +209,8 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check Compliance Result - if: steps.compliance_gate.outputs.verdict == 'BLOCKING' + - name: Check LLM Analysis Result + if: steps.llm_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ Compliance analysis found blocking violations" - exit 1 - \ No newline at end of file + echo "❌ LLM analysis found blocking violations" + exit 1 \ No newline at end of file From f1910c506cd879f2979f0033914dfb80261efc51 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 22:35:08 +0100 Subject: [PATCH 16/54] fix: test slop csharp license --- .github/workflows/analyze.yml | 96 +++++++++++------------------------ Gemfile | 29 +++++++++++ packages.json | 18 +++++++ requirements.txt | 30 +++++++++++ 4 files changed, 107 insertions(+), 66 deletions(-) create mode 100644 Gemfile create mode 100644 packages.json create mode 100644 requirements.txt diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 6b893e7..b472f14 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM Analysis +name: AI Slop Gate Compliance Analysis on: pull_request: @@ -12,7 +12,7 @@ permissions: contents: read jobs: - llm-analysis: + compliance-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 
@@ -28,24 +28,15 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run LLM analysis - - name: LLM Analysis (ai-slop-gate) - id: llm_gate + # Run compliance analysis + - name: Compliance Analysis (ai-slop-gate) + id: compliance_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate - # Check if API key is available - if [ -z "$GEMINI_API_KEY" ]; then - echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" - echo "verdict=SKIPPED" >> $GITHUB_OUTPUT - echo "findings=0" >> $GITHUB_OUTPUT - exit 0 - fi - # Check if policy.yml exists, otherwise use default POLICY_FLAG="" if [ -f "${{ github.workspace }}/policy.yml" ]; then @@ -55,15 +46,14 @@ jobs: echo "πŸ“‹ Using default policy" fi - # Run LLM analysis and capture output + # Run compliance check and capture output (don't fail on non-zero exit) set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider gemini --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --compliance $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -71,7 +61,7 @@ jobs: # Always show report cat raw_report.txt - # Save exit code + # Save exit code for later steps echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT # Extract verdict (default to UNKNOWN if not found) 
@@ -88,47 +78,28 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Don't fail here + # Don't fail here - let continue-on-error handle it exit 0 - # Post comment on PR (always) - - name: Post LLM Analysis Report to PR + # Post comment on PR (always, not just on failure) + - name: Post Compliance Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Check if analysis was skipped - if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then - cat > final_comment.md << EOF - ## ⏭️ AI Slop Gate LLM Analysis - - **Status:** SKIPPED - **Reason:** GEMINI_API_KEY not configured - - To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. - - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - exit 0 - fi - - # Extract clean report + # Extract clean report (fix sed pattern) sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md # Check if report was extracted if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The LLM analysis may have failed to run properly." >> clean_report.md + echo "The compliance check may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.llm_gate.outputs.verdict }}" - FINDINGS="${{ steps.llm_gate.outputs.findings }}" + VERDICT="${{ steps.compliance_gate.outputs.verdict }}" + FINDINGS="${{ steps.compliance_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" 
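Review bot: `VERDICT="${{ steps.compliance_gate.outputs.verdict }}"` and the matching `FINDINGS=` line in the "Post Compliance Report to PR" step paste a step output into the script text before bash runs, so shell metacharacters in that value would be executed rather than read as data. The value is the last field of a `Policy Verdict:` line grepped from `raw_report.txt`, which holds the scanner's output on pull-request content, so it should be treated as untrusted; whether PR-controlled text can actually reach such a line depends on the tool and is not visible here. Pass both values through the step's `env:` block (`VERDICT: ${{ steps.compliance_gate.outputs.verdict }}`) and read them as `"$VERDICT"` and `"$FINDINGS"`. The same pattern recurs with `steps.llm_gate` and `steps.static_gate` in the later commits on this page. The step body continues outside this hunk.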
@@ -138,7 +109,7 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Determine emoji and status + # Determine emoji and status based on verdict if [ "$VERDICT" = "BLOCKING" ]; then EMOJI="🚨" STATUS="**BLOCKING** - Action Required" @@ -155,13 +126,11 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate LLM Analysis (Gemini) + ## $EMOJI AI Slop Gate Compliance Analysis **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected - > πŸ€– **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. - --- EOF @@ -176,22 +145,17 @@ jobs: ---
- πŸ“š Understanding LLM Findings - - ### What LLM Analysis Detects - - Architectural anti-patterns and code smells - - Logic inconsistencies and contradictions - - Misleading naming or documentation - - Potential design flaws - - Security vulnerabilities in business logic + πŸ“š How to fix violations - ### How to Interpret Findings - - **High Confidence (0.8-1.0):** Strong evidence of an issue - - **Medium Confidence (0.5-0.8):** Worth investigating - - **Low Confidence (<0.5):** Consider in context + ### License Violations (GPL/AGPL) + 1. Remove the dependency or find an alternative with a permissive license + 2. If the dependency is necessary, consult with legal team + 3. Add to \`.trivyignore\` only if approved by compliance team - ### False Positives - LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements. + ### Data Residency Violations + 1. Ensure all endpoints use EU regions + 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. + 3. Remove references to US/AP regions
EOF @@ -200,7 +164,7 @@ jobs: # Always add footer cat >> final_comment.md << EOF - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF # Post comment @@ -209,8 +173,8 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check LLM Analysis Result - if: steps.llm_gate.outputs.verdict == 'BLOCKING' + - name: Check Compliance Result + if: steps.compliance_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ LLM analysis found blocking violations" + echo "❌ Compliance analysis found blocking violations" exit 1 \ No newline at end of file diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..d45fc70 --- /dev/null +++ b/Gemfile @@ -0,0 +1,29 @@ +# Gemfile with REAL GPL-licensed Ruby gems + +source 'https://rubygems.org' + +# ============================================ +# GPL-3.0 Gems (BLOCKING violations) +# ============================================ + +# GPL v3 licensed gem +gem 'gpl3', '~> 1.1.1' + +# GNU Readline - GPL-2.0 +gem 'rb-readline', '~> 0.5.5' + +# ============================================ +# LGPL Gems (ADVISORY/WARNING) +# ============================================ + +# Some gems with LGPL licenses +# (Add if you find any - less common in Ruby ecosystem) + +# ============================================ +# Safe gems (MIT/BSD/Apache) +# ============================================ + +gem 'rails', '~> 7.1.0' +gem 'puma', '~> 6.4' +gem 'redis', '~> 5.0' +gem 'sidekiq', '~> 7.2' \ No newline at end of file diff --git a/packages.json b/packages.json new file mode 100644 index 0000000..7c49c5f --- /dev/null +++ b/packages.json 
@@ -0,0 +1,18 @@ +{ + "name": "compliance-violation-test", + "version": "1.0.0", + "description": "Test project with REAL GPL-licensed npm packages", + "license": "MIT", + "dependencies": { + "express": "^4.18.2", + "lodash": "^4.17.21", + + "node-rdkafka": "^2.17.0", + "sharp": "^0.32.6", + + "bcrypt": "^5.1.1" + }, + "devDependencies": { + "webpack": "^5.89.0" + } +} \ No newline at end of file diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..b2006a9 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,30 @@ +# Requirements with REAL GPL-licensed packages +# These packages actually exist and have GPL/LGPL licenses + +# ============================================ +# GPL-3.0 Packages (BLOCKING violations) +# ============================================ + +# MySQL Connector - GPL-2.0 (commercial license available) +mysql-connector-python==8.0.33 + +# GnuPG wrapper - GPL-3.0 +python-gnupg==0.5.1 + +# ============================================ +# LGPL Packages (ADVISORY/WARNING violations) +# ============================================ + +# PyQt5 - LGPL-3.0 (GUI framework) +PyQt5==5.15.9 + +# PySide2 - LGPL-3.0 (Qt binding) +PySide2==5.15.2.1 + +# ============================================ +# Safe packages (MIT/BSD/Apache) - for comparison +# ============================================ + +requests==2.31.0 +flask==3.0.0 +pandas==2.1.0 \ No newline at end of file From 1ea47bca454373ac76b08183b40b3240afa5c584 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 22:39:10 +0100 Subject: [PATCH 17/54] fix: test slop csharp groq --- .github/workflows/analyze.yml | 98 ++++++++++++++++++++++++----------- 1 file changed, 67 insertions(+), 31 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index b472f14..453d8ba 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
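Review bot: The npm manifest in this commit is added as `packages.json`, but npm and the dependency and license scanners that follow its conventions read `package.json`, so these dependencies will probably never be resolved or audited and the fixture cannot exercise the compliance gate. Rename the file to `package.json` if it is meant to be scanned. It is also worth checking the description `"Test project with REAL GPL-licensed npm packages"` against the licenses the listed packages actually declare, since a fixture without a GPL package makes a passing run meaningless.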
@@ -1,4 +1,4 @@ -name: AI Slop Gate Compliance Analysis +name: AI Slop Gate LLM GROQ Analysis on: pull_request: @@ -12,7 +12,7 @@ permissions: contents: read jobs: - compliance-analysis: + llm-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 @@ -28,15 +28,24 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run compliance analysis - - name: Compliance Analysis (ai-slop-gate) - id: compliance_gate + # Run LLM analysis + - name: LLM Analysis (ai-slop-gate) + id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate + # Check if API key is available + if [ -z "$GEMINI_API_KEY" ]; then + echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" + echo "verdict=SKIPPED" >> $GITHUB_OUTPUT + echo "findings=0" >> $GITHUB_OUTPUT + exit 0 + fi + # Check if policy.yml exists, otherwise use default POLICY_FLAG="" if [ -f "${{ github.workspace }}/policy.yml" ]; then @@ -46,14 +55,15 @@ jobs: echo "πŸ“‹ Using default policy" fi - # Run compliance check and capture output (don't fail on non-zero exit) + # Run LLM analysis and capture output set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ + -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --compliance $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -61,7 +71,7 @@ jobs: # Always show report cat raw_report.txt - # Save exit code for later steps + # Save exit code echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT # Extract verdict (default to UNKNOWN if not found) 
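Review bot: The `docker run` in the `@@ -46,14 +55,15 @@` hunk now hands `GEMINI_API_KEY`, next to `GITHUB_TOKEN` and a writable mount of the workspace, to `ghcr.io/sergudo/ai-slop-gate:latest`, a tag that can be repointed at any time, so whatever image is current at run time receives the credentials. Pin the image by digest, e.g. `ghcr.io/sergudo/ai-slop-gate@sha256:<digest-of-reviewed-image>`, and bump it deliberately; mounting the workspace with `:ro` would also fit a tool that only reads the tree, if it needs no write access there. The same applies to `uses: SergUdo/ai-slop-gate@main`, `@v1` and `uses: docker://ghcr.io/sergudo/ai-slop-gate:latest` in the later commits on this page, where a full commit SHA or an image digest is the equivalent pin.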
@@ -78,28 +88,47 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Don't fail here - let continue-on-error handle it + # Don't fail here exit 0 - # Post comment on PR (always, not just on failure) - - name: Post Compliance Report to PR + # Post comment on PR (always) + - name: Post LLM Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Extract clean report (fix sed pattern) + # Check if analysis was skipped + if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then + cat > final_comment.md << EOF + ## ⏭️ AI Slop Gate LLM Analysis + + **Status:** SKIPPED + **Reason:** GEMINI_API_KEY not configured + + To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. + + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + exit 0 + fi + + # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md # Check if report was extracted if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The compliance check may have failed to run properly." >> clean_report.md + echo "The LLM analysis may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.compliance_gate.outputs.verdict }}" - FINDINGS="${{ steps.compliance_gate.outputs.findings }}" + VERDICT="${{ steps.llm_gate.outputs.verdict }}" + FINDINGS="${{ steps.llm_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" 
@@ -109,7 +138,7 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Determine emoji and status based on verdict + # Determine emoji and status if [ "$VERDICT" = "BLOCKING" ]; then EMOJI="🚨" STATUS="**BLOCKING** - Action Required" @@ -126,11 +155,13 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Compliance Analysis + ## $EMOJI AI Slop Gate LLM Analysis (Gemini) **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected + > πŸ€– **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. + --- EOF @@ -145,17 +176,22 @@ jobs: ---
- πŸ“š How to fix violations + πŸ“š Understanding LLM Findings + + ### What LLM Analysis Detects + - Architectural anti-patterns and code smells + - Logic inconsistencies and contradictions + - Misleading naming or documentation + - Potential design flaws + - Security vulnerabilities in business logic - ### License Violations (GPL/AGPL) - 1. Remove the dependency or find an alternative with a permissive license - 2. If the dependency is necessary, consult with legal team - 3. Add to \`.trivyignore\` only if approved by compliance team + ### How to Interpret Findings + - **High Confidence (0.8-1.0):** Strong evidence of an issue + - **Medium Confidence (0.5-0.8):** Worth investigating + - **Low Confidence (<0.5):** Consider in context - ### Data Residency Violations - 1. Ensure all endpoints use EU regions - 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. - 3. Remove references to US/AP regions + ### False Positives + LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements.
EOF @@ -164,7 +200,7 @@ jobs: # Always add footer cat >> final_comment.md << EOF - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` EOF # Post comment @@ -173,8 +209,8 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check Compliance Result - if: steps.compliance_gate.outputs.verdict == 'BLOCKING' + - name: Check LLM Analysis Result + if: steps.llm_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ Compliance analysis found blocking violations" - exit 1 \ No newline at end of file + echo "❌ LLM analysis found blocking violations" + exit 1 From 211a32d9b27a8ab0c2027f03b4b919724590a0c9 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 22:43:05 +0100 Subject: [PATCH 18/54] fix: test slop csharp groq changed env --- .github/workflows/analyze.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 453d8ba..636ea9c 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -33,14 +33,14 @@ jobs: id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} + SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate # Check if API key is available - if [ -z "$GEMINI_API_KEY" ]; then - echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" + if [ -z "$SLOPE_GATE_GROQ" ]; then + echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" echo "verdict=SKIPPED" >> $GITHUB_OUTPUT echo "findings=0" >> $GITHUB_OUTPUT exit 0 
@@ -61,7 +61,7 @@ jobs: -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GEMINI_API_KEY \ + -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 @@ -103,9 +103,9 @@ jobs: ## ⏭️ AI Slop Gate LLM Analysis **Status:** SKIPPED - **Reason:** GEMINI_API_KEY not configured + **Reason:** SLOPE_GATE_GROQ not configured - To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. + To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF From d22b2bb289f61d49a7d37c572ae3cfb6661c8172 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 20 Feb 2026 16:48:42 +0100 Subject: [PATCH 19/54] check workflow --- .github/workflows/analyze.yml | 103 +++++++++++++--------------------- policy.yml | 67 ++++++++++++++++++++++ 2 files changed, 106 insertions(+), 64 deletions(-) create mode 100644 policy.yml diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 636ea9c..57f9742 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM GROQ Analysis +name: AI Slop Gate Static Analysis on: pull_request: @@ -12,7 +12,7 @@ permissions: contents: read jobs: - llm-analysis: + static-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 
@@ -28,24 +28,15 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run LLM analysis - - name: LLM Analysis (ai-slop-gate) - id: llm_gate + # Run static analysis + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate - # Check if API key is available - if [ -z "$SLOPE_GATE_GROQ" ]; then - echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" - echo "verdict=SKIPPED" >> $GITHUB_OUTPUT - echo "findings=0" >> $GITHUB_OUTPUT - exit 0 - fi - # Check if policy.yml exists, otherwise use default POLICY_FLAG="" if [ -f "${{ github.workspace }}/policy.yml" ]; then @@ -55,15 +46,14 @@ jobs: echo "πŸ“‹ Using default policy" fi - # Run LLM analysis and capture output + # Run static analysis and capture output set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -71,7 +61,7 @@ jobs: # Always show report cat raw_report.txt - # Save exit code + # Save exit code for later steps echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT # Extract verdict (default to UNKNOWN if not found) 
@@ -88,34 +78,15 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Don't fail here + # Don't fail here - let continue-on-error handle it exit 0 - # Post comment on PR (always) - - name: Post LLM Analysis Report to PR + # Post comment on PR (always, not just on failure) + - name: Post Static Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Check if analysis was skipped - if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then - cat > final_comment.md << EOF - ## ⏭️ AI Slop Gate LLM Analysis - - **Status:** SKIPPED - **Reason:** SLOPE_GATE_GROQ not configured - - To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. - - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - exit 0 - fi - # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md @@ -123,12 +94,12 @@ jobs: if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The LLM analysis may have failed to run properly." >> clean_report.md + echo "The static analysis may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.llm_gate.outputs.verdict }}" - FINDINGS="${{ steps.llm_gate.outputs.findings }}" + VERDICT="${{ steps.static_gate.outputs.verdict }}" + FINDINGS="${{ steps.static_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" @@ -138,7 +109,7 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Determine emoji and status + # Determine emoji and status based on verdict if [ "$VERDICT" = "BLOCKING" ]; then EMOJI="🚨" STATUS="**BLOCKING** - Action Required" 
@@ -155,13 +126,11 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate LLM Analysis (Gemini) + ## $EMOJI AI Slop Gate Static Analysis **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected - > πŸ€– **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. - --- EOF @@ -176,22 +145,27 @@ jobs: ---
- πŸ“š Understanding LLM Findings + πŸ“š How to fix common issues + + ### Hardcoded Secrets + 1. Move secrets to environment variables or secret management system + 2. Use \`.env\` files (add to \`.gitignore\`) + 3. For CI/CD, use GitHub Secrets or similar - ### What LLM Analysis Detects - - Architectural anti-patterns and code smells - - Logic inconsistencies and contradictions - - Misleading naming or documentation - - Potential design flaws - - Security vulnerabilities in business logic + ### Dangerous Functions + 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` + 2. Sanitize all user inputs + 3. Use safer alternatives (parameterized queries, safe APIs) - ### How to Interpret Findings - - **High Confidence (0.8-1.0):** Strong evidence of an issue - - **Medium Confidence (0.5-0.8):** Worth investigating - - **Low Confidence (<0.5):** Consider in context + ### SQL Injection + 1. Use parameterized queries/prepared statements + 2. Never concatenate user input into SQL strings + 3. Use ORM frameworks when possible - ### False Positives - LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements. + ### TODOs + 1. Complete or document security-related TODOs + 2. Create issues for tracking + 3. Remove completed TODOs
EOF @@ -200,7 +174,7 @@ jobs: # Always add footer cat >> final_comment.md << EOF - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF # Post comment @@ -209,8 +183,9 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check LLM Analysis Result - if: steps.llm_gate.outputs.verdict == 'BLOCKING' + - name: Check Static Analysis Result + if: steps.static_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ LLM analysis found blocking violations" + echo "❌ Static analysis found blocking violations" exit 1 + \ No newline at end of file diff --git a/policy.yml b/policy.yml new file mode 100644 index 0000000..b6af198 --- /dev/null +++ b/policy.yml 
@@ -0,0 +1,67 @@ +# policy.yml – minimal override for target repository +# Place this file in the root of the project you are scanning. +# AI Slop Gate will prefer this file over its own bundled policy. +# +# You only need to specify what you want to OVERRIDE. +# Omitted sections fall back to the gate's bundled defaults. + +version: "v1.4" +project_name: "my-project" # ← change to your project name + +# ── Enforcement ────────────────────────────────────────────────────────────── +# never β†’ report only, CI always passes +# advisory β†’ warnings appear, CI never blocked +# blocking β†’ CI fails on violations +enforcement: advisory # start with advisory, tighten later + +# ── Limit analysis to source code only ─────────────────────────────────────── +# Paths are relative to --path (the repo root passed to the CLI). +include_paths: + - src # your source directory; adjust as needed + - lib + # - . # ← uncomment to scan everything (not recommended) + +# ── AI provider ────────────────────────────────────────────────────────────── +ai_provider: + name: groq + models: + groq: llama-3.3-70b-versatile + +# ── Compliance (opt-in) ─────────────────────────────────────────────────────── +compliance: + enabled: false # set to true to enable license / GDPR checks + run_in_pr: false + + license_audit: + enabled: false + forbidden_licenses: + - GPL-3.0 + - AGPL-3.0 + severity: high + + security_audit: + enabled: false + detect_secrets: true + detect_pii: false + severity: critical + + gdpr_detection: + enabled: false + +# ── Rules (minimal) ────────────────────────────────────────────────────────── +rules: + - id: block-hardcoded-secrets + when: + signal: "hardcoded_.*" + then: + action: blocking + message: "Hardcoded secret detected." + + - id: advisory-quality + when: + category: quality + severity: medium + then: + action: advisory + message: "Code quality issue detected." + \ No newline at end of file From 369568a3da5e4da3500e7846a05cd36861e0bfe9 Mon Sep 17 00:00:00 2001 
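Review bot: The top-level `enforcement: advisory` is documented in this file as "warnings appear, CI never blocked", while the `block-hardcoded-secrets` rule sets `action: blocking`, and the file does not say which of the two wins. If the global mode caps rule actions, a hardcoded secret will only produce a warning. Add a comment next to the rule stating the precedence, for example `# rule-level blocking vs. enforcement: advisory — confirm which applies in the gate's documentation`, or set `enforcement: blocking` once the rule is meant to fail CI. Also, `detect_secrets: true` sits under `security_audit` with `enabled: false`, which reads as if secret detection were on while the enclosing audit is disabled.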
From: serhiy Date: Fri, 20 Feb 2026 16:51:00 +0100 Subject: [PATCH 20/54] deleted policy.yml --- policy.yml | 67 ------------------------------------------------------ 1 file changed, 67 deletions(-) delete mode 100644 policy.yml diff --git a/policy.yml b/policy.yml deleted file mode 100644 index b6af198..0000000 --- a/policy.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -# policy.yml – minimal override for target repository -# Place this file in the root of the project you are scanning. -# AI Slop Gate will prefer this file over its own bundled policy. -# -# You only need to specify what you want to OVERRIDE. -# Omitted sections fall back to the gate's bundled defaults. - -version: "v1.4" -project_name: "my-project" # ← change to your project name - -# ── Enforcement ────────────────────────────────────────────────────────────── -# never β†’ report only, CI always passes -# advisory β†’ warnings appear, CI never blocked -# blocking β†’ CI fails on violations -enforcement: advisory # start with advisory, tighten later - -# ── Limit analysis to source code only ─────────────────────────────────────── -# Paths are relative to --path (the repo root passed to the CLI). -include_paths: - - src # your source directory; adjust as needed - - lib - # - . # ← uncomment to scan everything (not recommended) - -# ── AI provider ────────────────────────────────────────────────────────────── -ai_provider: - name: groq - models: - groq: llama-3.3-70b-versatile - -# ── Compliance (opt-in) ─────────────────────────────────────────────────────── -compliance: - enabled: false # set to true to enable license / GDPR checks - run_in_pr: false - - license_audit: - enabled: false - forbidden_licenses: - - GPL-3.0 - - AGPL-3.0 - severity: high - - security_audit: - enabled: false - detect_secrets: true - detect_pii: false - severity: critical - - gdpr_detection: - enabled: false - -# ── Rules (minimal) ────────────────────────────────────────────────────────── -rules: - - id: block-hardcoded-secrets - when: - signal: "hardcoded_.*" - then: - action: blocking - message: "Hardcoded secret detected." - - - id: advisory-quality - when: - category: quality - severity: medium - then: - action: advisory - message: "Code quality issue detected." - \ No newline at end of file From b6aa7c6d5894944f0796628996a23577ff865c4c Mon Sep 17 00:00:00 2001 
From: serhiy Date: Fri, 20 Feb 2026 17:16:55 +0100 Subject: [PATCH 21/54] test minimal workflow use groq --- .github/workflows/analyze.yml | 212 +++++----------------------------- 1 file changed, 31 insertions(+), 181 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 57f9742..172a7d3 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
@@ -1,191 +1,41 @@ -name: AI Slop Gate Static Analysis - -on: - pull_request: - branches: [ main ] - push: - branches: [ main ] - workflow_dispatch: - -permissions: - pull-requests: write - contents: read +name: AI Slop Gate +on: [pull_request] jobs: - static-analysis: - runs-on: ubuntu-22.04 - timeout-minutes: 20 - + analyze: + runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v4 + - uses: actions/checkout@v4 - - name: Cache ai-slop-gate cache directory - uses: actions/cache@v4 + - name: Set up Python + uses: actions/setup-python@v5 with: - path: ~/.cache/ai-slop-gate - key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} - restore-keys: | - ai-slop-gate-cache-${{ runner.os }}- + python-version: "3.11" + cache: pip - # Run static analysis - - name: Static Analysis (ai-slop-gate) - id: static_gate - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - continue-on-error: true - run: | - mkdir -p ~/.cache/ai-slop-gate - - # Check if policy.yml exists, otherwise use default - POLICY_FLAG="" - if [ -f "${{ github.workspace }}/policy.yml" ]; then - echo "πŸ“‹ Using custom policy.yml" - POLICY_FLAG="--policy /data/policy.yml" - else - echo "πŸ“‹ Using default policy" - fi - - # Run static analysis and capture output - set +e # Disable exit on error temporarily - docker run --rm \ - -v "${{ github.workspace }}:/data" \ - -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ - -e GITHUB_TOKEN \ - ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 - - EXIT_CODE=$? 
- set -e # Re-enable exit on error - - # Always show report - cat raw_report.txt - - # Save exit code for later steps - echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT - - # Extract verdict (default to UNKNOWN if not found) - VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") - echo "verdict=$VERDICT" >> $GITHUB_OUTPUT - - # Count findings (default to 0 if not found) - FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") - echo "findings=$FINDINGS" >> $GITHUB_OUTPUT - - # Log extracted values - echo "πŸ“Š Extracted values:" - echo " Exit code: $EXIT_CODE" - echo " Verdict: $VERDICT" - echo " Findings: $FINDINGS" - - # Don't fail here - let continue-on-error handle it - exit 0 + - name: Install ai-slop-gate + run: pip install -e . - # Post comment on PR (always, not just on failure) - - name: Post Static Analysis Report to PR - if: github.event_name == 'pull_request' && always() - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Cache LLM responses + uses: actions/cache@v3 + with: + path: .ai-slop-cache + key: llm-cache-${{ hashFiles('**/*.py', '**/*.js') }} + restore-keys: llm-cache- + + - name: Run Static Analysis run: | - # Extract clean report - sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - - # Check if report was extracted - if [ ! -s clean_report.md ]; then - echo "⚠️ Warning: Could not extract report from raw_report.txt" - echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The static analysis may have failed to run properly." 
>> clean_report.md - fi - - # Get values with defaults - VERDICT="${{ steps.static_gate.outputs.verdict }}" - FINDINGS="${{ steps.static_gate.outputs.findings }}" - - # Set defaults if empty - VERDICT="${VERDICT:-UNKNOWN}" - FINDINGS="${FINDINGS:-0}" - - echo "πŸ“Š Report values:" - echo " Verdict: $VERDICT" - echo " Findings: $FINDINGS" - - # Determine emoji and status based on verdict - if [ "$VERDICT" = "BLOCKING" ]; then - EMOJI="🚨" - STATUS="**BLOCKING** - Action Required" - elif [ "$VERDICT" = "ADVISORY" ]; then - EMOJI="⚠️" - STATUS="**ADVISORY** - Review Recommended" - elif [ "$VERDICT" = "ALLOW" ]; then - EMOJI="βœ…" - STATUS="**PASSED** - No Issues Found" - else - EMOJI="❓" - STATUS="**UNKNOWN** - Check logs" - fi - - # Create professional comment - cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Static Analysis - - **Status:** $STATUS - **Findings:** $FINDINGS issue(s) detected - - --- - - EOF - - # Append the clean report - cat clean_report.md >> final_comment.md - - # Add footer with fix guide ONLY if there are violations - if [ "$FINDINGS" != "0" ] && [ "$VERDICT" != "ALLOW" ]; then - cat >> final_comment.md << EOF - - --- - -
- πŸ“š How to fix common issues - - ### Hardcoded Secrets - 1. Move secrets to environment variables or secret management system - 2. Use \`.env\` files (add to \`.gitignore\`) - 3. For CI/CD, use GitHub Secrets or similar - - ### Dangerous Functions - 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` - 2. Sanitize all user inputs - 3. Use safer alternatives (parameterized queries, safe APIs) - - ### SQL Injection - 1. Use parameterized queries/prepared statements - 2. Never concatenate user input into SQL strings - 3. Use ORM frameworks when possible - - ### TODOs - 1. Complete or document security-related TODOs - 2. Create issues for tracking - 3. Remove completed TODOs - -
- EOF - fi - - # Always add footer - cat >> final_comment.md << EOF - - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - # Post comment - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} + python -m ai_slop_gate.cli run \ + --provider static \ + --policy policy.yml \ + --enforcement advisory - # Set job status based on verdict - - name: Check Static Analysis Result - if: steps.static_gate.outputs.verdict == 'BLOCKING' + - name: Run LLM Analysis + env: + GROQ_API_KEY: ${{ secrets.SLOPE_GATE_GROQ }} run: | - echo "❌ Static analysis found blocking violations" - exit 1 - \ No newline at end of file + python -m ai_slop_gate.cli run \ + --provider groq \ + --llm-local \ + --policy policy.yml \ + --enforcement advisory \ No newline at end of file From 04d40876054bbe131d77a8e956719a23e47d8f60 Mon Sep 17 00:00:00 2001 From: serhiy Date: Mon, 23 Feb 2026 06:13:17 +0100 Subject: [PATCH 22/54] chor: test new workflow --- .github/workflows/analyze.yml | 43 ++++++++--------------------------- 1 file changed, 10 insertions(+), 33 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 172a7d3..ba2f6f9 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
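Review bot: The workflow rewritten in PATCH 21/54 drops the explicit `permissions:` block (`pull-requests: write`, `contents: read`), so `GITHUB_TOKEN` falls back to the repository or organization default, which may be read-write across scopes. Keep a top-level `permissions:` with `contents: read` and add only what a step needs. In addition, `pip install -e .` installs the code checked out from the pull request, and the "Run LLM Analysis" step then exports `GROQ_API_KEY` to `python -m ai_slop_gate.cli`, presumably from that same checkout, so on branches that receive secrets the key is exposed to code that has not been reviewed yet. Running the gate from a released, pinned package or image avoids that.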
@@ -5,37 +5,14 @@ jobs: analyze: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v4 - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: "3.11" - cache: pip - - - name: Install ai-slop-gate - run: pip install -e . - - - name: Cache LLM responses - uses: actions/cache@v3 - with: - path: .ai-slop-cache - key: llm-cache-${{ hashFiles('**/*.py', '**/*.js') }} - restore-keys: llm-cache- - - - name: Run Static Analysis - run: | - python -m ai_slop_gate.cli run \ - --provider static \ - --policy policy.yml \ - --enforcement advisory - - - name: Run LLM Analysis - env: - GROQ_API_KEY: ${{ secrets.SLOPE_GATE_GROQ }} - run: | - python -m ai_slop_gate.cli run \ - --provider groq \ - --llm-local \ - --policy policy.yml \ - --enforcement advisory \ No newline at end of file + - name: Run AI Slop Gate + uses: SergUdo/ai-slop-gate@main + with: + provider: 'groq' + slope-gate-groq: ${{ secrets.SLOPE_GATE_GROQ }} + compliance: 'true' + enforcement: 'advisory' + policy: 'policy.yml' + \ No newline at end of file From a81712eff44cb6fcc54e2e57fd4a5c8813a8c2c3 Mon Sep 17 00:00:00 2001 From: serhiy Date: Mon, 23 Feb 2026 06:14:57 +0100 Subject: [PATCH 23/54] test: changed new workflow --- .github/workflows/analyze.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index ba2f6f9..c117f2e 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -14,5 +14,3 @@ jobs: slope-gate-groq: ${{ secrets.SLOPE_GATE_GROQ }} compliance: 'true' enforcement: 'advisory' - policy: 'policy.yml' - \ No newline at end of file From 7f93b08b43f22ee36fcd53e7d952b6c6cf8d1521 Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 18:19:51 +0100 Subject: [PATCH 24/54] fast test --- .github/workflows/analyze.yml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) 
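Review bot: The new step references the action by a mutable branch, `uses: SergUdo/ai-slop-gate@main`, and passes it `secrets.SLOPE_GATE_GROQ`, so whatever that branch points to at run time executes with the key. Pin the reference to a full commit SHA and keep the release in a trailing comment, e.g. `uses: SergUdo/ai-slop-gate@<full-commit-sha>  # <release-tag>` (both placeholders). The `@v1` reference in the hunk of the next-but-one commit ("fast test") is a tag and can be moved in the same way, so the same pin applies there.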
diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index c117f2e..3130a68 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,16 +1,15 @@ name: AI Slop Gate + on: [pull_request] jobs: - analyze: + security-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - - name: Run AI Slop Gate - uses: SergUdo/ai-slop-gate@main - with: - provider: 'groq' - slope-gate-groq: ${{ secrets.SLOPE_GATE_GROQ }} - compliance: 'true' - enforcement: 'advisory' + - uses: actions/checkout@v4 + + - name: Run AI Slop Gate + uses: SergUdo/ai-slop-gate@v1 + with: + provider: 'static' + policy: 'policy.yml' \ No newline at end of file From 6aea6da8111daa1df38409056833fa8a416f357c Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 18:33:04 +0100 Subject: [PATCH 25/54] fast test 2 --- .github/workflows/analyze.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 3130a68..8356024 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -9,7 +9,8 @@ jobs: - uses: actions/checkout@v4 - name: Run AI Slop Gate - uses: SergUdo/ai-slop-gate@v1 + uses: docker://ghcr.io/sergudo/ai-slop-gate:latest with: - provider: 'static' - policy: 'policy.yml' \ No newline at end of file + args: run --provider static --policy policy.yml --path /github/workspace + provider: 'gemini' + gemini-api-key: ${{ secrets.GEMINI_API_KEY }} \ No newline at end of file From 4c71fbb84cc4903fd20395947e67725dfe38072e Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 18:36:14 +0100 Subject: [PATCH 26/54] fast test 3 --- .github/workflows/analyze.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 8356024..be7f80d 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
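Review bot: In the `@@ -9,7 +9,8 @@` hunk the container is pulled by the floating tag `:latest` and the same step is given `secrets.GEMINI_API_KEY`, so the image that receives the key is not fixed by this file. Reference the image by digest instead, `uses: docker://ghcr.io/sergudo/ai-slop-gate@sha256:<image-digest>` (placeholder). `args` selects `--provider static` while `provider: 'gemini'` is set beside it; if static is what is meant, the `provider` and `gemini-api-key` inputs can be removed so the key is not exposed to a run that presumably does not need it. The later hunks on this page that use `ghcr.io/sergudo/ai-slop-gate:latest`, in both the `uses: docker://` and the `docker run` forms, share the tag problem.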
@@ -9,8 +9,8 @@ jobs: - uses: actions/checkout@v4 - name: Run AI Slop Gate - uses: docker://ghcr.io/sergudo/ai-slop-gate:latest - with: - args: run --provider static --policy policy.yml --path /github/workspace - provider: 'gemini' - gemini-api-key: ${{ secrets.GEMINI_API_KEY }} \ No newline at end of file + run: | + docker run --rm \ + -v "${{ github.workspace }}:/github/workspace" \ + ghcr.io/sergudo/ai-slop-gate:latest \ + run --provider static --policy /app/policy.yml --path /github/workspace \ No newline at end of file From da18cd50f86ce7816d214442f0c3f4dcbafdccdf Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 18:44:12 +0100 Subject: [PATCH 27/54] fast test 4 --- .github/workflows/analyze.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index be7f80d..af712ae 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -9,8 +9,7 @@ jobs: - uses: actions/checkout@v4 - name: Run AI Slop Gate - run: | - docker run --rm \ - -v "${{ github.workspace }}:/github/workspace" \ - ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider static --policy /app/policy.yml --path /github/workspace \ No newline at end of file + uses: docker://ghcr.io/sergudo/ai-slop-gate:latest + with: + args: run --provider static --path /github/workspace + \ No newline at end of file From e4eb5dc3f265d5c9851db59d0e27dc6e75c71788 Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 18:47:04 +0100 Subject: [PATCH 28/54] fast test 5 --- .github/workflows/analyze.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index af712ae..1a04046 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
@@ -11,5 +11,4 @@ jobs: - name: Run AI Slop Gate uses: docker://ghcr.io/sergudo/ai-slop-gate:latest with: - args: run --provider static --path /github/workspace - \ No newline at end of file + args: run --provider static --policy /app/ai_slop_gate/policy.yml --path /github/workspace \ No newline at end of file From 9c2e6549b4e952e9d9964fd612e63c2cf7a05764 Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 18:50:01 +0100 Subject: [PATCH 29/54] fast test 6 --- .github/workflows/analyze.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 1a04046..512873b 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -11,4 +11,4 @@ jobs: - name: Run AI Slop Gate uses: docker://ghcr.io/sergudo/ai-slop-gate:latest with: - args: run --provider static --policy /app/ai_slop_gate/policy.yml --path /github/workspace \ No newline at end of file + args: run --provider static --policy /app/policy.yml --path /github/workspace \ No newline at end of file From f30e75aa8b4cbe9a267cf772a48602ca4b334bdf Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 18:53:28 +0100 Subject: [PATCH 30/54] fast test 7 --- .github/workflows/analyze.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 512873b..e2fb2cf 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -10,5 +10,11 @@ jobs: - name: Run AI Slop Gate uses: docker://ghcr.io/sergudo/ai-slop-gate:latest + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: - args: run --provider static --policy /app/policy.yml --path /github/workspace \ No newline at end of file + args: > + run --provider static + --policy /app/policy.yml + --path /github/workspace + --github-pr ${{ github.event.pull_request.number }} \ No newline at end of file 
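Review bot: The `@@ -10,5 +10,11 @@` hunk passes `GITHUB_TOKEN` into the container, but the workflow at this commit appears to have no `permissions:` block (the earlier whole-file hunk `@@ -1,16 +1,15 @@` shows none), so the token carries the repository's default scopes. Declare the minimum at the top level, `permissions:` with `contents: read` and, only if the tool really writes to the pull request as `--github-pr` suggests, `pull-requests: write`. Since the image is referenced as `:latest`, limiting the token is the main containment this file can provide.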
From 183c15cece0add3f55f678af88fa54fbe042fb04 Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 18:54:52 +0100 Subject: [PATCH 31/54] fast test 8 --- .github/workflows/analyze.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index e2fb2cf..f75c83d 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -17,4 +17,4 @@ jobs: run --provider static --policy /app/policy.yml --path /github/workspace - --github-pr ${{ github.event.pull_request.number }} \ No newline at end of file + --github-pr \ No newline at end of file From 7877ab0265831176ea745dbd3ecf341660e7f343 Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 19:04:40 +0100 Subject: [PATCH 32/54] fast test 9 --- .github/workflows/analyze.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index f75c83d..ba23f5d 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -12,9 +12,7 @@ jobs: uses: docker://ghcr.io/sergudo/ai-slop-gate:latest env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_ACTIONS: "true" + GITHUB_EVENT_NAME: ${{ github.event_name }} with: - args: > - run --provider static - --policy /app/policy.yml - --path /github/workspace - --github-pr \ No newline at end of file + args: run --provider static --policy /app/policy.yml --path /github/workspace \ No newline at end of file From 7af4a93fb3da28b2536f56f074751c1ba771b140 Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 19:09:00 +0100 Subject: [PATCH 33/54] fast test 10 --- .github/workflows/analyze.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index ba23f5d..031a1d3 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
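Review bot: In the `@@ -12,9 +12,7 @@` hunk, `GITHUB_ACTIONS: "true"` and `GITHUB_EVENT_NAME: ${{ github.event_name }}` under `env:` restate default variables that the runner already sets for every step. GitHub documents that default `GITHUB_*` variables cannot be overwritten, so the two lines have no effect and can be dropped. The same holds for `GITHUB_EVENT_PATH: /github/workflow/event.json` added in the next commit's hunk. If the container is not detecting the pull-request context, a one-line comment on the step naming the variables it actually relies on would document the intent better than the overrides.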
@@ -12,7 +12,6 @@ jobs: uses: docker://ghcr.io/sergudo/ai-slop-gate:latest env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_ACTIONS: "true" - GITHUB_EVENT_NAME: ${{ github.event_name }} + GITHUB_EVENT_PATH: /github/workflow/event.json with: - args: run --provider static --policy /app/policy.yml --path /github/workspace \ No newline at end of file + args: run --provider static --path /github/workspace --policy /app/policy.yml \ No newline at end of file From 5bae9874d86f4d36a0c1779c4f688271ee51d445 Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 19:10:37 +0100 Subject: [PATCH 34/54] fast test 11 --- .github/workflows/analyze.yml | 195 ++++++++++++++++++++++++++++++++-- 1 file changed, 184 insertions(+), 11 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 031a1d3..0851941 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
@@ -1,17 +1,190 @@ -name: AI Slop Gate +name: AI Slop Gate Static Analysis -on: [pull_request] +on: + pull_request: + branches: [ main ] + push: + branches: [ main ] + workflow_dispatch: + +permissions: + pull-requests: write + contents: read jobs: - security-scan: - runs-on: ubuntu-latest + static-analysis: + runs-on: ubuntu-22.04 + timeout-minutes: 20 + steps: - - uses: actions/checkout@v4 - - - name: Run AI Slop Gate - uses: docker://ghcr.io/sergudo/ai-slop-gate:latest + - name: Checkout code + uses: actions/checkout@v4 + + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 + with: + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run static analysis + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_EVENT_PATH: /github/workflow/event.json - with: - args: run --provider static --path /github/workspace --policy /app/policy.yml \ No newline at end of file + continue-on-error: true + run: | + mkdir -p ~/.cache/ai-slop-gate + + # Check if policy.yml exists, otherwise use default + POLICY_FLAG="" + if [ -f "${{ github.workspace }}/policy.yml" ]; then + echo "πŸ“‹ Using custom policy.yml" + POLICY_FLAG="--policy /data/policy.yml" + else + echo "πŸ“‹ Using default policy" + fi + + # Run static analysis and capture output + set +e # Disable exit on error temporarily + docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ + -e GITHUB_TOKEN \ + ghcr.io/sergudo/ai-slop-gate:latest \ + run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 + + EXIT_CODE=$? 
+ set -e # Re-enable exit on error + + # Always show report + cat raw_report.txt + + # Save exit code for later steps + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict (default to UNKNOWN if not found) + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") + echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + + # Count findings (default to 0 if not found) + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") + echo "findings=$FINDINGS" >> $GITHUB_OUTPUT + + # Log extracted values + echo "πŸ“Š Extracted values:" + echo " Exit code: $EXIT_CODE" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Don't fail here - let continue-on-error handle it + exit 0 + + # Post comment on PR (always, not just on failure) + - name: Post Static Analysis Report to PR + if: github.event_name == 'pull_request' && always() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # Extract clean report + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + # Check if report was extracted + if [ ! -s clean_report.md ]; then + echo "⚠️ Warning: Could not extract report from raw_report.txt" + echo "=== NO REPORT GENERATED ===" > clean_report.md + echo "The static analysis may have failed to run properly." 
>> clean_report.md + fi + + # Get values with defaults + VERDICT="${{ steps.static_gate.outputs.verdict }}" + FINDINGS="${{ steps.static_gate.outputs.findings }}" + + # Set defaults if empty + VERDICT="${VERDICT:-UNKNOWN}" + FINDINGS="${FINDINGS:-0}" + + echo "πŸ“Š Report values:" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Determine emoji and status based on verdict + if [ "$VERDICT" = "BLOCKING" ]; then + EMOJI="🚨" + STATUS="**BLOCKING** - Action Required" + elif [ "$VERDICT" = "ADVISORY" ]; then + EMOJI="⚠️" + STATUS="**ADVISORY** - Review Recommended" + elif [ "$VERDICT" = "ALLOW" ]; then + EMOJI="βœ…" + STATUS="**PASSED** - No Issues Found" + else + EMOJI="❓" + STATUS="**UNKNOWN** - Check logs" + fi + + # Create professional comment + cat > final_comment.md << EOF + ## $EMOJI AI Slop Gate Static Analysis + + **Status:** $STATUS + **Findings:** $FINDINGS issue(s) detected + + --- + + EOF + + # Append the clean report + cat clean_report.md >> final_comment.md + + # Add footer with fix guide ONLY if there are violations + if [ "$FINDINGS" != "0" ] && [ "$VERDICT" != "ALLOW" ]; then + cat >> final_comment.md << EOF + + --- + +
+ πŸ“š How to fix common issues + + ### Hardcoded Secrets + 1. Move secrets to environment variables or secret management system + 2. Use \`.env\` files (add to \`.gitignore\`) + 3. For CI/CD, use GitHub Secrets or similar + + ### Dangerous Functions + 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` + 2. Sanitize all user inputs + 3. Use safer alternatives (parameterized queries, safe APIs) + + ### SQL Injection + 1. Use parameterized queries/prepared statements + 2. Never concatenate user input into SQL strings + 3. Use ORM frameworks when possible + + ### TODOs + 1. Complete or document security-related TODOs + 2. Create issues for tracking + 3. Remove completed TODOs + +
+ EOF + fi + + # Always add footer + cat >> final_comment.md << EOF + + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + # Post comment + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + # Set job status based on verdict + - name: Check Static Analysis Result + if: steps.static_gate.outputs.verdict == 'BLOCKING' + run: | + echo "❌ Static analysis found blocking violations" + exit 1 \ No newline at end of file From 1c04ff6a3dd1055433b0061e70f0e34dde6afe25 Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 19:21:01 +0100 Subject: [PATCH 35/54] fast test 13 --- .github/workflows/analyze.yml | 190 +++------------------------------- 1 file changed, 12 insertions(+), 178 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 0851941..85c3601 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
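Review bot: The gate added by this hunk fails open, because the last step runs only on `if: steps.static_gate.outputs.verdict == 'BLOCKING'` while the analysis step has `continue-on-error: true`, ends in `exit 0`, and never consults the `exit_code` it saves. In `VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN")` the fallback is attached to a pipeline whose status is awk's, and as far as I can tell the default `run` shell has no `pipefail`, so a report without a verdict line (image pull failure, tool crash) yields an empty verdict and a green job. Produce the default inside awk, `VERDICT=$(awk '/Policy Verdict:/ {v=$NF} END {print (v == "" ? "UNKNOWN" : v)}' raw_report.txt)`, and fail on anything that is not an explicit pass, `if: steps.static_gate.outputs.verdict != 'ALLOW' && steps.static_gate.outputs.verdict != 'ADVISORY'`. The same parsing and gate are repeated in the later hunks that add the LLM variant (`llm_gate`) and re-add this static step.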
@@ -1,190 +1,24 @@ -name: AI Slop Gate Static Analysis - +name: AI Slop Gate Analysis on: pull_request: branches: [ main ] - push: - branches: [ main ] - workflow_dispatch: permissions: pull-requests: write contents: read jobs: - static-analysis: - runs-on: ubuntu-22.04 - timeout-minutes: 20 - + analysis: + runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Cache ai-slop-gate cache directory - uses: actions/cache@v4 - with: - path: ~/.cache/ai-slop-gate - key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} - restore-keys: | - ai-slop-gate-cache-${{ runner.os }}- - - # Run static analysis - - name: Static Analysis (ai-slop-gate) - id: static_gate + - uses: actions/checkout@v4 + + - name: Run Analysis + uses: docker://ghcr.io/sergudo/ai-slop-gate:latest env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - continue-on-error: true - run: | - mkdir -p ~/.cache/ai-slop-gate - - # Check if policy.yml exists, otherwise use default - POLICY_FLAG="" - if [ -f "${{ github.workspace }}/policy.yml" ]; then - echo "πŸ“‹ Using custom policy.yml" - POLICY_FLAG="--policy /data/policy.yml" - else - echo "πŸ“‹ Using default policy" - fi - - # Run static analysis and capture output - set +e # Disable exit on error temporarily - docker run --rm \ - -v "${{ github.workspace }}:/data" \ - -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ - -e GITHUB_TOKEN \ - ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 - - EXIT_CODE=$? 
- set -e # Re-enable exit on error - - # Always show report - cat raw_report.txt - - # Save exit code for later steps - echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT - - # Extract verdict (default to UNKNOWN if not found) - VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") - echo "verdict=$VERDICT" >> $GITHUB_OUTPUT - - # Count findings (default to 0 if not found) - FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") - echo "findings=$FINDINGS" >> $GITHUB_OUTPUT - - # Log extracted values - echo "πŸ“Š Extracted values:" - echo " Exit code: $EXIT_CODE" - echo " Verdict: $VERDICT" - echo " Findings: $FINDINGS" - - # Don't fail here - let continue-on-error handle it - exit 0 - - # Post comment on PR (always, not just on failure) - - name: Post Static Analysis Report to PR - if: github.event_name == 'pull_request' && always() - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - # Extract clean report - sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - - # Check if report was extracted - if [ ! -s clean_report.md ]; then - echo "⚠️ Warning: Could not extract report from raw_report.txt" - echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The static analysis may have failed to run properly." 
>> clean_report.md - fi - - # Get values with defaults - VERDICT="${{ steps.static_gate.outputs.verdict }}" - FINDINGS="${{ steps.static_gate.outputs.findings }}" - - # Set defaults if empty - VERDICT="${VERDICT:-UNKNOWN}" - FINDINGS="${FINDINGS:-0}" - - echo "πŸ“Š Report values:" - echo " Verdict: $VERDICT" - echo " Findings: $FINDINGS" - - # Determine emoji and status based on verdict - if [ "$VERDICT" = "BLOCKING" ]; then - EMOJI="🚨" - STATUS="**BLOCKING** - Action Required" - elif [ "$VERDICT" = "ADVISORY" ]; then - EMOJI="⚠️" - STATUS="**ADVISORY** - Review Recommended" - elif [ "$VERDICT" = "ALLOW" ]; then - EMOJI="βœ…" - STATUS="**PASSED** - No Issues Found" - else - EMOJI="❓" - STATUS="**UNKNOWN** - Check logs" - fi - - # Create professional comment - cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Static Analysis - - **Status:** $STATUS - **Findings:** $FINDINGS issue(s) detected - - --- - - EOF - - # Append the clean report - cat clean_report.md >> final_comment.md - - # Add footer with fix guide ONLY if there are violations - if [ "$FINDINGS" != "0" ] && [ "$VERDICT" != "ALLOW" ]; then - cat >> final_comment.md << EOF - - --- - -
- πŸ“š How to fix common issues - - ### Hardcoded Secrets - 1. Move secrets to environment variables or secret management system - 2. Use \`.env\` files (add to \`.gitignore\`) - 3. For CI/CD, use GitHub Secrets or similar - - ### Dangerous Functions - 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` - 2. Sanitize all user inputs - 3. Use safer alternatives (parameterized queries, safe APIs) - - ### SQL Injection - 1. Use parameterized queries/prepared statements - 2. Never concatenate user input into SQL strings - 3. Use ORM frameworks when possible - - ### TODOs - 1. Complete or document security-related TODOs - 2. Create issues for tracking - 3. Remove completed TODOs - -
- EOF - fi - - # Always add footer - cat >> final_comment.md << EOF - - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - # Post comment - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - - # Set job status based on verdict - - name: Check Static Analysis Result - if: steps.static_gate.outputs.verdict == 'BLOCKING' - run: | - echo "❌ Static analysis found blocking violations" - exit 1 \ No newline at end of file + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} + GITHUB_EVENT_NAME: ${{ github.event_name }} + GITHUB_EVENT_PATH: /github/workflow/event.json + with: + args: run --provider gemini --path /github/workspace --policy /app/policy.yml \ No newline at end of file From 36551154395ea6878926cb1044bbbd1e140dda9a Mon Sep 17 00:00:00 2001 From: serhiy Date: Thu, 26 Feb 2026 19:22:52 +0100 Subject: [PATCH 36/54] fast test 14 --- .github/workflows/analyze.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 85c3601..6f515eb 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -13,12 +13,10 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Run Analysis + - name: Run AI Slop Gate uses: docker://ghcr.io/sergudo/ai-slop-gate:latest env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} - GITHUB_EVENT_NAME: ${{ github.event_name }} - GITHUB_EVENT_PATH: /github/workflow/event.json with: - args: run --provider gemini --path /github/workspace --policy /app/policy.yml \ No newline at end of file + args: run --provider gemini --path /github/workspace --policy /app/policy.yml --no-cache + \ No newline at end of file From 0e066ca1bb9d0cd1faee929b29808dee61526c26 Mon Sep 17 00:00:00 2001 
From: serhiy Date: Fri, 27 Feb 2026 21:35:58 +0100 Subject: [PATCH 37/54] test groq --- .github/workflows/analyze.yml | 216 ++++++++++++++++++++++++++++++++-- 1 file changed, 205 insertions(+), 11 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 6f515eb..636ea9c 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
@@ -1,22 +1,216 @@ -name: AI Slop Gate Analysis +name: AI Slop Gate LLM GROQ Analysis + on: pull_request: branches: [ main ] + push: + branches: [ main ] + workflow_dispatch: permissions: pull-requests: write contents: read jobs: - analysis: - runs-on: ubuntu-latest + llm-analysis: + runs-on: ubuntu-22.04 + timeout-minutes: 20 + steps: - - uses: actions/checkout@v4 - - - name: Run AI Slop Gate - uses: docker://ghcr.io/sergudo/ai-slop-gate:latest - env: - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} + - name: Checkout code + uses: actions/checkout@v4 + + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 with: - args: run --provider gemini --path /github/workspace --policy /app/policy.yml --no-cache - \ No newline at end of file + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run LLM analysis + - name: LLM Analysis (ai-slop-gate) + id: llm_gate + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} + continue-on-error: true + run: | + mkdir -p ~/.cache/ai-slop-gate + + # Check if API key is available + if [ -z "$SLOPE_GATE_GROQ" ]; then + echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" + echo "verdict=SKIPPED" >> $GITHUB_OUTPUT + echo "findings=0" >> $GITHUB_OUTPUT + exit 0 + fi + + # Check if policy.yml exists, otherwise use default + POLICY_FLAG="" + if [ -f "${{ github.workspace }}/policy.yml" ]; then + echo "πŸ“‹ Using custom policy.yml" + POLICY_FLAG="--policy /data/policy.yml" + else + echo "πŸ“‹ Using default policy" + fi + + # Run LLM analysis and capture output + set +e # Disable exit on error temporarily + docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ + -e GITHUB_TOKEN \ + -e SLOPE_GATE_GROQ \ + ghcr.io/sergudo/ai-slop-gate:latest \ + run --provider groq --llm-local $POLICY_FLAG 
--path /data > raw_report.txt 2>&1 + + EXIT_CODE=$? + set -e # Re-enable exit on error + + # Always show report + cat raw_report.txt + + # Save exit code + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict (default to UNKNOWN if not found) + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") + echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + + # Count findings (default to 0 if not found) + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") + echo "findings=$FINDINGS" >> $GITHUB_OUTPUT + + # Log extracted values + echo "πŸ“Š Extracted values:" + echo " Exit code: $EXIT_CODE" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Don't fail here + exit 0 + + # Post comment on PR (always) + - name: Post LLM Analysis Report to PR + if: github.event_name == 'pull_request' && always() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # Check if analysis was skipped + if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then + cat > final_comment.md << EOF + ## ⏭️ AI Slop Gate LLM Analysis + + **Status:** SKIPPED + **Reason:** SLOPE_GATE_GROQ not configured + + To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. + + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + exit 0 + fi + + # Extract clean report + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + # Check if report was extracted + if [ ! -s clean_report.md ]; then + echo "⚠️ Warning: Could not extract report from raw_report.txt" + echo "=== NO REPORT GENERATED ===" > clean_report.md + echo "The LLM analysis may have failed to run properly." 
>> clean_report.md + fi + + # Get values with defaults + VERDICT="${{ steps.llm_gate.outputs.verdict }}" + FINDINGS="${{ steps.llm_gate.outputs.findings }}" + + # Set defaults if empty + VERDICT="${VERDICT:-UNKNOWN}" + FINDINGS="${FINDINGS:-0}" + + echo "πŸ“Š Report values:" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Determine emoji and status + if [ "$VERDICT" = "BLOCKING" ]; then + EMOJI="🚨" + STATUS="**BLOCKING** - Action Required" + elif [ "$VERDICT" = "ADVISORY" ]; then + EMOJI="⚠️" + STATUS="**ADVISORY** - Review Recommended" + elif [ "$VERDICT" = "ALLOW" ]; then + EMOJI="βœ…" + STATUS="**PASSED** - No Issues Found" + else + EMOJI="❓" + STATUS="**UNKNOWN** - Check logs" + fi + + # Create professional comment + cat > final_comment.md << EOF + ## $EMOJI AI Slop Gate LLM Analysis (Gemini) + + **Status:** $STATUS + **Findings:** $FINDINGS issue(s) detected + + > πŸ€– **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. + + --- + + EOF + + # Append the clean report + cat clean_report.md >> final_comment.md + + # Add footer with fix guide ONLY if there are violations + if [ "$FINDINGS" != "0" ] && [ "$VERDICT" != "ALLOW" ]; then + cat >> final_comment.md << EOF + + --- + +
+ πŸ“š Understanding LLM Findings + + ### What LLM Analysis Detects + - Architectural anti-patterns and code smells + - Logic inconsistencies and contradictions + - Misleading naming or documentation + - Potential design flaws + - Security vulnerabilities in business logic + + ### How to Interpret Findings + - **High Confidence (0.8-1.0):** Strong evidence of an issue + - **Medium Confidence (0.5-0.8):** Worth investigating + - **Low Confidence (<0.5):** Consider in context + + ### False Positives + LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements. + +
+ EOF + fi + + # Always add footer + cat >> final_comment.md << EOF + + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` + EOF + + # Post comment + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + # Set job status based on verdict + - name: Check LLM Analysis Result + if: steps.llm_gate.outputs.verdict == 'BLOCKING' + run: | + echo "❌ LLM analysis found blocking violations" + exit 1 From 6aed6444b374bc161892d6003f5fca85374400f3 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 21:48:08 +0100 Subject: [PATCH 38/54] test groq 3 --- .github/workflows/analyze.yml | 53 +++++++++++------------------------ 1 file changed, 17 insertions(+), 36 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 636ea9c..8037528 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
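Review bot: The "Post LLM Analysis Report to PR" step pastes step outputs into the script text with `VERDICT="${{ steps.llm_gate.outputs.verdict }}"`, `FINDINGS="${{ steps.llm_gate.outputs.findings }}"` and the `SKIPPED` test, so the values are expanded before the shell parses the script. Those outputs are cut from `raw_report.txt`, which is the tool's combined stdout and stderr over pull-request content, so they should be treated as untrusted text. Pass them through the step's `env:` instead, `VERDICT: ${{ steps.llm_gate.outputs.verdict }}` and `FINDINGS: ${{ steps.llm_gate.outputs.findings }}`, drop the two assignment lines, and test `[ "$VERDICT" = "SKIPPED" ]`; the existing `${VERDICT:-UNKNOWN}` defaults keep working. The static-analysis variant of this step in the earlier and later hunks has the same two assignments. Separately, the comment heading and footer say "Gemini" although the step runs `--provider groq`.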
@@ -29,58 +29,39 @@ jobs: ai-slop-gate-cache-${{ runner.os }}- # Run LLM analysis - - name: LLM Analysis (ai-slop-gate) + - name: LLM Analysis (Groq) id: llm_gate env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} - continue-on-error: true + GROQ_KEY: ${{ secrets.SLOPE_GATE_GROQ }} run: | mkdir -p ~/.cache/ai-slop-gate - # Check if API key is available - if [ -z "$SLOPE_GATE_GROQ" ]; then - echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" - echo "verdict=SKIPPED" >> $GITHUB_OUTPUT - echo "findings=0" >> $GITHUB_OUTPUT - exit 0 - fi - - # Check if policy.yml exists, otherwise use default - POLICY_FLAG="" - if [ -f "${{ github.workspace }}/policy.yml" ]; then - echo "πŸ“‹ Using custom policy.yml" - POLICY_FLAG="--policy /data/policy.yml" - else - echo "πŸ“‹ Using default policy" - fi + echo "πŸš€ Running Groq Analysis..." - # Run LLM analysis and capture output - set +e # Disable exit on error temporarily + # Π―Π²Π½ΠΎ ΠΏΡ€ΠΎΠΊΠΈΠ΄Π°Ρ”ΠΌΠΎ ΠΊΠ»ΡŽΡ‡ всСрСдині Docker ΠΏΡ–Π΄ ΠΏΠΎΡ‚Ρ€Ρ–Π±Π½ΠΈΠΌ Ρ–ΠΌΠ΅Π½Π΅ΠΌ + set +e docker run --rm \ - -v "${{ github.workspace }}:/data" \ + --user root \ + -v "${{ github.workspace }}:/src" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ - -e GITHUB_TOKEN \ - -e SLOPE_GATE_GROQ \ + -e SLOPE_GATE_GROQ="$GROQ_KEY" \ + -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider groq \ + --llm-local \ + --llm-model llama-3.3-70b-versatile \ + --policy /src/policy.yml \ + --path /src > raw_report.txt 2>&1 EXIT_CODE=$? 
- set -e # Re-enable exit on error + set -e - # Always show report cat raw_report.txt - # Save exit code - echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT - - # Extract verdict (default to UNKNOWN if not found) - VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") + # Count findings (default to 0 if not found) + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' | tr -d '\r' || echo "UNKNOWN") echo "verdict=$VERDICT" >> $GITHUB_OUTPUT - # Count findings (default to 0 if not found) - FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") - echo "findings=$FINDINGS" >> $GITHUB_OUTPUT # Log extracted values echo "πŸ“Š Extracted values:" From d80f9bd1976a62da0b75ad63737cf7fcf30ad312 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 21:51:40 +0100 Subject: [PATCH 39/54] test groq 4 --- .github/workflows/analyze.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 8037528..1d0b0cd 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -49,7 +49,6 @@ jobs: ghcr.io/sergudo/ai-slop-gate:latest \ run --provider groq \ --llm-local \ - --llm-model llama-3.3-70b-versatile \ --policy /src/policy.yml \ --path /src > raw_report.txt 2>&1 From 32d929c526d324557a51b39d8f95fbf1999d90d5 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 21:52:56 +0100 Subject: [PATCH 40/54] test static --- .github/workflows/analyze.yml | 128 ++++++++++++++++------------------ 1 file changed, 61 insertions(+), 67 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 1d0b0cd..0851941 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM GROQ Analysis +name: AI Slop Gate Static Analysis on: pull_request: 
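Review bot: The rewritten `docker run` in the `@@ -29,58 +29,39 @@` hunk writes the token into the script text with `-e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"`, which places the secret in the generated script and on the docker command line instead of only in the step environment. Keep `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under `env:` and pass it by name, `-e GITHUB_TOKEN`, as the removed lines did. The hunk also adds `--user root` while mounting the workspace read-write into a `:latest` image; unless the image needs it, drop the flag or mount the source read-only (`-v "${{ github.workspace }}:/src:ro"`). `FINDINGS` is no longer assigned or written to `$GITHUB_OUTPUT`, although the script still echoes it and the posting step still reads `steps.llm_gate.outputs.findings`. The added inline comment above `set +e` is not in English and `# Count findings` now sits above the verdict extraction.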
@@ -12,7 +12,7 @@ permissions: contents: read jobs: - llm-analysis: + static-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 
@@ -28,39 +28,49 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run LLM analysis - - name: LLM Analysis (Groq) - id: llm_gate + # Run static analysis + - name: Static Analysis (ai-slop-gate) + id: static_gate env: - GROQ_KEY: ${{ secrets.SLOPE_GATE_GROQ }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate - echo "πŸš€ Running Groq Analysis..." + # Check if policy.yml exists, otherwise use default + POLICY_FLAG="" + if [ -f "${{ github.workspace }}/policy.yml" ]; then + echo "πŸ“‹ Using custom policy.yml" + POLICY_FLAG="--policy /data/policy.yml" + else + echo "πŸ“‹ Using default policy" + fi - # Π―Π²Π½ΠΎ ΠΏΡ€ΠΎΠΊΠΈΠ΄Π°Ρ”ΠΌΠΎ ΠΊΠ»ΡŽΡ‡ всСрСдині Docker ΠΏΡ–Π΄ ΠΏΠΎΡ‚Ρ€Ρ–Π±Π½ΠΈΠΌ Ρ–ΠΌΠ΅Π½Π΅ΠΌ - set +e + # Run static analysis and capture output + set +e # Disable exit on error temporarily docker run --rm \ - --user root \ - -v "${{ github.workspace }}:/src" \ + -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ - -e SLOPE_GATE_GROQ="$GROQ_KEY" \ - -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \ + -e GITHUB_TOKEN \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider groq \ - --llm-local \ - --policy /src/policy.yml \ - --path /src > raw_report.txt 2>&1 + run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? 
- set -e + set -e # Re-enable exit on error + # Always show report cat raw_report.txt - # Count findings (default to 0 if not found) - VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' | tr -d '\r' || echo "UNKNOWN") + # Save exit code for later steps + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict (default to UNKNOWN if not found) + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + # Count findings (default to 0 if not found) + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") + echo "findings=$FINDINGS" >> $GITHUB_OUTPUT # Log extracted values echo "πŸ“Š Extracted values:" @@ -68,34 +78,15 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Don't fail here + # Don't fail here - let continue-on-error handle it exit 0 - # Post comment on PR (always) - - name: Post LLM Analysis Report to PR + # Post comment on PR (always, not just on failure) + - name: Post Static Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Check if analysis was skipped - if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then - cat > final_comment.md << EOF - ## ⏭️ AI Slop Gate LLM Analysis - - **Status:** SKIPPED - **Reason:** SLOPE_GATE_GROQ not configured - - To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. - - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - exit 0 - fi - # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md 
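Review bot: This step records `exit_code` but always ends with `exit 0`, and the only gate visible later in the file is `if: steps.static_gate.outputs.verdict == 'BLOCKING'`, so the gate fails open. A run where the container produced no verdict line (image pull failure, crash, changed report format) leaves `verdict` empty and the job green. The `|| echo "UNKNOWN"` fallback does not cover this, because the pipeline's status is awk's, which is 0 even when grep matches nothing (assuming the default shell without `pipefail`). I would take only the first match and map a missing verdict to an error, `VERDICT=$(grep -m1 "Policy Verdict:" raw_report.txt | awk '{print $NF}')` followed by `[ -n "$VERDICT" ] || VERDICT=ERROR`, and have the final check step fail on anything other than an explicit passing verdict; `grep -m1` also stops a second `Policy Verdict:` line in the report from writing extra lines into `$GITHUB_OUTPUT`. The same block returns in the later static and LLM variants of this step further down the patch series.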
@@ -103,12 +94,12 @@ jobs: if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The LLM analysis may have failed to run properly." >> clean_report.md + echo "The static analysis may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.llm_gate.outputs.verdict }}" - FINDINGS="${{ steps.llm_gate.outputs.findings }}" + VERDICT="${{ steps.static_gate.outputs.verdict }}" + FINDINGS="${{ steps.static_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" @@ -118,7 +109,7 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Determine emoji and status + # Determine emoji and status based on verdict if [ "$VERDICT" = "BLOCKING" ]; then EMOJI="🚨" STATUS="**BLOCKING** - Action Required" @@ -135,13 +126,11 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate LLM Analysis (Gemini) + ## $EMOJI AI Slop Gate Static Analysis **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected - > πŸ€– **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. - --- EOF @@ -156,22 +145,27 @@ jobs: ---
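Review bot: `VERDICT="${{ steps.static_gate.outputs.verdict }}"` and the `FINDINGS=` line below it paste step outputs into the script source before bash runs, and those outputs were scraped from `raw_report.txt`, which is tool output over the pull request's own files. A value carrying shell metacharacters would be interpreted by bash in a step that holds `GH_TOKEN`. Pass the values through the environment instead: add `VERDICT: ${{ steps.static_gate.outputs.verdict }}` and `FINDINGS: ${{ steps.static_gate.outputs.findings }}` to the step's `env:` block (which lies outside this hunk) and delete the two assignments, keeping the `${VERDICT:-UNKNOWN}` default as it is. The `llm_gate` variants of these lines in the later commits have the same issue, including the `[ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]` test.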
- πŸ“š Understanding LLM Findings + πŸ“š How to fix common issues + + ### Hardcoded Secrets + 1. Move secrets to environment variables or secret management system + 2. Use \`.env\` files (add to \`.gitignore\`) + 3. For CI/CD, use GitHub Secrets or similar - ### What LLM Analysis Detects - - Architectural anti-patterns and code smells - - Logic inconsistencies and contradictions - - Misleading naming or documentation - - Potential design flaws - - Security vulnerabilities in business logic + ### Dangerous Functions + 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` + 2. Sanitize all user inputs + 3. Use safer alternatives (parameterized queries, safe APIs) - ### How to Interpret Findings - - **High Confidence (0.8-1.0):** Strong evidence of an issue - - **Medium Confidence (0.5-0.8):** Worth investigating - - **Low Confidence (<0.5):** Consider in context + ### SQL Injection + 1. Use parameterized queries/prepared statements + 2. Never concatenate user input into SQL strings + 3. Use ORM frameworks when possible - ### False Positives - LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements. + ### TODOs + 1. Complete or document security-related TODOs + 2. Create issues for tracking + 3. Remove completed TODOs
EOF @@ -180,7 +174,7 @@ jobs: # Always add footer cat >> final_comment.md << EOF - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF # Post comment @@ -189,8 +183,8 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check LLM Analysis Result - if: steps.llm_gate.outputs.verdict == 'BLOCKING' + - name: Check Static Analysis Result + if: steps.static_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ LLM analysis found blocking violations" - exit 1 + echo "❌ Static analysis found blocking violations" + exit 1 \ No newline at end of file From 8a24f12bef5e7a7915ede63807e2392202798e73 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 21:54:35 +0100 Subject: [PATCH 41/54] test gemini --- .github/workflows/analyze.yml | 104 +++++++++++++++++++++------------- 1 file changed, 65 insertions(+), 39 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 0851941..778d589 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate Static Analysis +name: AI Slop Gate LLM GEMINI Analysis on: pull_request: @@ -12,7 +12,7 @@ permissions: contents: read jobs: - static-analysis: + llm-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 
@@ -28,15 +28,24 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run static analysis - - name: Static Analysis (ai-slop-gate) - id: static_gate + # Run LLM analysis + - name: LLM Analysis (ai-slop-gate) + id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate + # Check if API key is available + if [ -z "$GEMINI_API_KEY" ]; then + echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" + echo "verdict=SKIPPED" >> $GITHUB_OUTPUT + echo "findings=0" >> $GITHUB_OUTPUT + exit 0 + fi + # Check if policy.yml exists, otherwise use default POLICY_FLAG="" if [ -f "${{ github.workspace }}/policy.yml" ]; then @@ -46,14 +55,15 @@ jobs: echo "πŸ“‹ Using default policy" fi - # Run static analysis and capture output + # Run LLM analysis and capture output set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ + -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider gemini --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -61,7 +71,7 @@ jobs: # Always show report cat raw_report.txt - # Save exit code for later steps + # Save exit code echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT # Extract verdict (default to UNKNOWN if not found) 
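Review bot: The new key check turns a missing `GEMINI_API_KEY` into `verdict=SKIPPED` and `exit 0`, and nothing visible later in the workflow fails on `SKIPPED`, so the LLM gate silently becomes advisory whenever the secret is absent. On `pull_request` runs from forks GitHub does not provide repository secrets, which would make the skip path the normal one for external contributions, presumably the changes this gate is meant to screen. If that is intended, say so next to the check, e.g. `# Secrets are empty on fork PRs: analysis is skipped there and this job does not gate them`; otherwise make the final check step fail on `SKIPPED` for same-repository PRs. Switching the trigger to `pull_request_target` to obtain the secret would not be a fix, because this job mounts the PR checkout into a container that receives the tokens.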
@@ -78,15 +88,34 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Don't fail here - let continue-on-error handle it + # Don't fail here exit 0 - # Post comment on PR (always, not just on failure) - - name: Post Static Analysis Report to PR + # Post comment on PR (always) + - name: Post LLM Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + # Check if analysis was skipped + if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then + cat > final_comment.md << EOF + ## ⏭️ AI Slop Gate LLM Analysis + + **Status:** SKIPPED + **Reason:** GEMINI_API_KEY not configured + + To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. + + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + exit 0 + fi + # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md @@ -94,12 +123,12 @@ jobs: if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The static analysis may have failed to run properly." >> clean_report.md + echo "The LLM analysis may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.static_gate.outputs.verdict }}" - FINDINGS="${{ steps.static_gate.outputs.findings }}" + VERDICT="${{ steps.llm_gate.outputs.verdict }}" + FINDINGS="${{ steps.llm_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" @@ -109,7 +138,7 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Determine emoji and status based on verdict + # Determine emoji and status if [ "$VERDICT" = "BLOCKING" ]; then EMOJI="🚨" STATUS="**BLOCKING** - Action Required" 
@@ -126,11 +155,13 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Static Analysis + ## $EMOJI AI Slop Gate LLM Analysis (Gemini) **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected + > πŸ€– **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. + --- EOF @@ -145,27 +176,22 @@ jobs: ---
- πŸ“š How to fix common issues - - ### Hardcoded Secrets - 1. Move secrets to environment variables or secret management system - 2. Use \`.env\` files (add to \`.gitignore\`) - 3. For CI/CD, use GitHub Secrets or similar + πŸ“š Understanding LLM Findings - ### Dangerous Functions - 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` - 2. Sanitize all user inputs - 3. Use safer alternatives (parameterized queries, safe APIs) + ### What LLM Analysis Detects + - Architectural anti-patterns and code smells + - Logic inconsistencies and contradictions + - Misleading naming or documentation + - Potential design flaws + - Security vulnerabilities in business logic - ### SQL Injection - 1. Use parameterized queries/prepared statements - 2. Never concatenate user input into SQL strings - 3. Use ORM frameworks when possible + ### How to Interpret Findings + - **High Confidence (0.8-1.0):** Strong evidence of an issue + - **Medium Confidence (0.5-0.8):** Worth investigating + - **Low Confidence (<0.5):** Consider in context - ### TODOs - 1. Complete or document security-related TODOs - 2. Create issues for tracking - 3. Remove completed TODOs + ### False Positives + LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements.
EOF @@ -174,7 +200,7 @@ jobs: # Always add footer cat >> final_comment.md << EOF - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` EOF # Post comment @@ -183,8 +209,8 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check Static Analysis Result - if: steps.static_gate.outputs.verdict == 'BLOCKING' + - name: Check LLM Analysis Result + if: steps.llm_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ Static analysis found blocking violations" - exit 1 \ No newline at end of file + echo "❌ LLM analysis found blocking violations" + exit 1 From 74830faf70ce4c057fc0e9db372cb4a1f4536421 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 22:18:43 +0100 Subject: [PATCH 42/54] test groq 5 --- .github/workflows/analyze.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 778d589..2cbc810 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM GEMINI Analysis +name: AI Slop Gate LLM GROQ Analysis on: pull_request: @@ -33,14 +33,14 @@ jobs: id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} + SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate # Check if API key is available - if [ -z "$GEMINI_API_KEY" ]; then - echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" + if [ -z "$SLOPE_GATE_GROQ" ]; then + echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" echo "verdict=SKIPPED" >> $GITHUB_OUTPUT echo "findings=0" >> $GITHUB_OUTPUT exit 0 
@@ -61,9 +61,9 @@ jobs: -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GEMINI_API_KEY \ + -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider gemini --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -103,9 +103,9 @@ jobs: ## ⏭️ AI Slop Gate LLM Analysis **Status:** SKIPPED - **Reason:** GEMINI_API_KEY not configured + **Reason:** SLOPE_GATE_GROQ not configured - To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. + To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF @@ -200,7 +200,7 @@ jobs: # Always add footer cat >> final_comment.md << EOF - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Groq | Run: \`${{ github.run_id }}\` EOF # Post comment From 18a81f1123f8f60216e5853783c168eb0f890126 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 23:23:55 +0100 Subject: [PATCH 43/54] test static 4 --- .github/workflows/analyze.yml | 104 +++++++++++++--------------------- 1 file changed, 39 insertions(+), 65 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 2cbc810..0851941 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM GROQ Analysis +name: AI Slop Gate Static Analysis on: pull_request: @@ -12,7 +12,7 @@ permissions: contents: read jobs: - llm-analysis: + static-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 
@@ -28,24 +28,15 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run LLM analysis - - name: LLM Analysis (ai-slop-gate) - id: llm_gate + # Run static analysis + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate - # Check if API key is available - if [ -z "$SLOPE_GATE_GROQ" ]; then - echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" - echo "verdict=SKIPPED" >> $GITHUB_OUTPUT - echo "findings=0" >> $GITHUB_OUTPUT - exit 0 - fi - # Check if policy.yml exists, otherwise use default POLICY_FLAG="" if [ -f "${{ github.workspace }}/policy.yml" ]; then @@ -55,15 +46,14 @@ jobs: echo "πŸ“‹ Using default policy" fi - # Run LLM analysis and capture output + # Run static analysis and capture output set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -71,7 +61,7 @@ jobs: # Always show report cat raw_report.txt - # Save exit code + # Save exit code for later steps echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT # Extract verdict (default to UNKNOWN if not found) 
@@ -88,34 +78,15 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Don't fail here + # Don't fail here - let continue-on-error handle it exit 0 - # Post comment on PR (always) - - name: Post LLM Analysis Report to PR + # Post comment on PR (always, not just on failure) + - name: Post Static Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Check if analysis was skipped - if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then - cat > final_comment.md << EOF - ## ⏭️ AI Slop Gate LLM Analysis - - **Status:** SKIPPED - **Reason:** SLOPE_GATE_GROQ not configured - - To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. - - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - exit 0 - fi - # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md @@ -123,12 +94,12 @@ jobs: if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The LLM analysis may have failed to run properly." >> clean_report.md + echo "The static analysis may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.llm_gate.outputs.verdict }}" - FINDINGS="${{ steps.llm_gate.outputs.findings }}" + VERDICT="${{ steps.static_gate.outputs.verdict }}" + FINDINGS="${{ steps.static_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" @@ -138,7 +109,7 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Determine emoji and status + # Determine emoji and status based on verdict if [ "$VERDICT" = "BLOCKING" ]; then EMOJI="🚨" STATUS="**BLOCKING** - Action Required" 
@@ -155,13 +126,11 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate LLM Analysis (Gemini) + ## $EMOJI AI Slop Gate Static Analysis **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected - > πŸ€– **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. - --- EOF @@ -176,22 +145,27 @@ jobs: ---
- πŸ“š Understanding LLM Findings + πŸ“š How to fix common issues + + ### Hardcoded Secrets + 1. Move secrets to environment variables or secret management system + 2. Use \`.env\` files (add to \`.gitignore\`) + 3. For CI/CD, use GitHub Secrets or similar - ### What LLM Analysis Detects - - Architectural anti-patterns and code smells - - Logic inconsistencies and contradictions - - Misleading naming or documentation - - Potential design flaws - - Security vulnerabilities in business logic + ### Dangerous Functions + 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` + 2. Sanitize all user inputs + 3. Use safer alternatives (parameterized queries, safe APIs) - ### How to Interpret Findings - - **High Confidence (0.8-1.0):** Strong evidence of an issue - - **Medium Confidence (0.5-0.8):** Worth investigating - - **Low Confidence (<0.5):** Consider in context + ### SQL Injection + 1. Use parameterized queries/prepared statements + 2. Never concatenate user input into SQL strings + 3. Use ORM frameworks when possible - ### False Positives - LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements. + ### TODOs + 1. Complete or document security-related TODOs + 2. Create issues for tracking + 3. Remove completed TODOs
EOF @@ -200,7 +174,7 @@ jobs: # Always add footer cat >> final_comment.md << EOF - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Groq | Run: \`${{ github.run_id }}\` + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF # Post comment @@ -209,8 +183,8 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check LLM Analysis Result - if: steps.llm_gate.outputs.verdict == 'BLOCKING' + - name: Check Static Analysis Result + if: steps.static_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ LLM analysis found blocking violations" - exit 1 + echo "❌ Static analysis found blocking violations" + exit 1 \ No newline at end of file From 4fdcb505a27038bea78ae61f5130f0a44c5c2197 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 23:31:44 +0100 Subject: [PATCH 44/54] test gemini 6 --- .github/workflows/analyze.yml | 104 +++++++++++++++++++++------------- 1 file changed, 65 insertions(+), 39 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 0851941..778d589 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate Static Analysis +name: AI Slop Gate LLM GEMINI Analysis on: pull_request: @@ -12,7 +12,7 @@ permissions: contents: read jobs: - static-analysis: + llm-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 
@@ -28,15 +28,24 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run static analysis - - name: Static Analysis (ai-slop-gate) - id: static_gate + # Run LLM analysis + - name: LLM Analysis (ai-slop-gate) + id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate + # Check if API key is available + if [ -z "$GEMINI_API_KEY" ]; then + echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" + echo "verdict=SKIPPED" >> $GITHUB_OUTPUT + echo "findings=0" >> $GITHUB_OUTPUT + exit 0 + fi + # Check if policy.yml exists, otherwise use default POLICY_FLAG="" if [ -f "${{ github.workspace }}/policy.yml" ]; then @@ -46,14 +55,15 @@ jobs: echo "πŸ“‹ Using default policy" fi - # Run static analysis and capture output + # Run LLM analysis and capture output set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ + -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider gemini --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -61,7 +71,7 @@ jobs: # Always show report cat raw_report.txt - # Save exit code for later steps + # Save exit code echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT # Extract verdict (default to UNKNOWN if not found) 
@@ -78,15 +88,34 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Don't fail here - let continue-on-error handle it + # Don't fail here exit 0 - # Post comment on PR (always, not just on failure) - - name: Post Static Analysis Report to PR + # Post comment on PR (always) + - name: Post LLM Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + # Check if analysis was skipped + if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then + cat > final_comment.md << EOF + ## ⏭️ AI Slop Gate LLM Analysis + + **Status:** SKIPPED + **Reason:** GEMINI_API_KEY not configured + + To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. + + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + exit 0 + fi + # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md @@ -94,12 +123,12 @@ jobs: if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The static analysis may have failed to run properly." >> clean_report.md + echo "The LLM analysis may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.static_gate.outputs.verdict }}" - FINDINGS="${{ steps.static_gate.outputs.findings }}" + VERDICT="${{ steps.llm_gate.outputs.verdict }}" + FINDINGS="${{ steps.llm_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" @@ -109,7 +138,7 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Determine emoji and status based on verdict + # Determine emoji and status if [ "$VERDICT" = "BLOCKING" ]; then EMOJI="🚨" STATUS="**BLOCKING** - Action Required" 
@@ -126,11 +155,13 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Static Analysis + ## $EMOJI AI Slop Gate LLM Analysis (Gemini) **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected + > πŸ€– **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. + --- EOF @@ -145,27 +176,22 @@ jobs: ---
- πŸ“š How to fix common issues - - ### Hardcoded Secrets - 1. Move secrets to environment variables or secret management system - 2. Use \`.env\` files (add to \`.gitignore\`) - 3. For CI/CD, use GitHub Secrets or similar + πŸ“š Understanding LLM Findings - ### Dangerous Functions - 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` - 2. Sanitize all user inputs - 3. Use safer alternatives (parameterized queries, safe APIs) + ### What LLM Analysis Detects + - Architectural anti-patterns and code smells + - Logic inconsistencies and contradictions + - Misleading naming or documentation + - Potential design flaws + - Security vulnerabilities in business logic - ### SQL Injection - 1. Use parameterized queries/prepared statements - 2. Never concatenate user input into SQL strings - 3. Use ORM frameworks when possible + ### How to Interpret Findings + - **High Confidence (0.8-1.0):** Strong evidence of an issue + - **Medium Confidence (0.5-0.8):** Worth investigating + - **Low Confidence (<0.5):** Consider in context - ### TODOs - 1. Complete or document security-related TODOs - 2. Create issues for tracking - 3. Remove completed TODOs + ### False Positives + LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements.
EOF @@ -174,7 +200,7 @@ jobs: # Always add footer cat >> final_comment.md << EOF - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` EOF # Post comment @@ -183,8 +209,8 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check Static Analysis Result - if: steps.static_gate.outputs.verdict == 'BLOCKING' + - name: Check LLM Analysis Result + if: steps.llm_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ Static analysis found blocking violations" - exit 1 \ No newline at end of file + echo "❌ LLM analysis found blocking violations" + exit 1 From eae274ef2beee2071ac319783db62992c8d5aefd Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 23:41:30 +0100 Subject: [PATCH 45/54] test gemini 7 --- .github/workflows/analyze.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 778d589..5e8c1ee 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -28,6 +28,15 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- + - name: Test Gemini directly + run: | + curl -X POST \ + "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:generateContent?key=$GOOGLE_API_KEY" \ + -H "Content-Type: application/json" \ + -d '{"contents":[{"parts":[{"text":"hello"}]}]}' + env: + GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }} + # Run LLM analysis - name: LLM Analysis (ai-slop-gate) id: llm_gate From 5dec47065e2ea5121d215ab569bbfd855e0beb1f Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 23:45:43 +0100 Subject: [PATCH 46/54] test gemini 8 --- .github/workflows/analyze.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 5e8c1ee..9fc7115 100644 
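Review bot: The added `Test Gemini directly` step puts the API key in the request URL (`...:generateContent?key=$GOOGLE_API_KEY`), where it becomes part of the curl command line and of any proxy or server access log along the path. Send it as a header instead, `-H "x-goog-api-key: $GOOGLE_API_KEY"`, and add `--fail -sS` so that a rejected key or quota error fails the step instead of printing an error body and passing. As written, the step also runs on every pull request and writes the model response to the job log. A connectivity probe like this is better limited to `workflow_dispatch` runs, or removed once the provider works.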
--- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -35,7 +35,7 @@ jobs: -H "Content-Type: application/json" \ -d '{"contents":[{"parts":[{"text":"hello"}]}]}' env: - GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} # Run LLM analysis - name: LLM Analysis (ai-slop-gate) From 296fd86239ad2fb7725f2481bde30f5cd4024abc Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 23:47:48 +0100 Subject: [PATCH 47/54] test gemini 9 --- .github/workflows/analyze.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 9fc7115..d9f95a5 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -31,7 +31,7 @@ jobs: - name: Test Gemini directly run: | curl -X POST \ - "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:generateContent?key=$GOOGLE_API_KEY" \ + "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:generateContent?key=$GEMINI_API_KEY" \ -H "Content-Type: application/json" \ -d '{"contents":[{"parts":[{"text":"hello"}]}]}' env: From 07682e0cf5e0434e92594455d90b31186d3247f4 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 23:52:32 +0100 Subject: [PATCH 48/54] test gemini 10 --- .github/workflows/analyze.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index d9f95a5..c078448 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -28,6 +28,7 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- + # Test Gemini API connectivity - name: Test Gemini directly run: | curl -X POST \ From 5417473ec88af4054d695ccfcadb01d0ef87d513 Mon Sep 17 00:00:00 2001 
From: serhiy Date: Sat, 28 Feb 2026 00:07:14 +0100 Subject: [PATCH 49/54] test groq 10 --- .github/workflows/analyze.yml | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index c078448..636ea9c 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM GEMINI Analysis +name: AI Slop Gate LLM GROQ Analysis on: pull_request: @@ -28,29 +28,19 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Test Gemini API connectivity - - name: Test Gemini directly - run: | - curl -X POST \ - "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:generateContent?key=$GEMINI_API_KEY" \ - -H "Content-Type: application/json" \ - -d '{"contents":[{"parts":[{"text":"hello"}]}]}' - env: - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} - # Run LLM analysis - name: LLM Analysis (ai-slop-gate) id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} + SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate # Check if API key is available - if [ -z "$GEMINI_API_KEY" ]; then - echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" + if [ -z "$SLOPE_GATE_GROQ" ]; then + echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" echo "verdict=SKIPPED" >> $GITHUB_OUTPUT echo "findings=0" >> $GITHUB_OUTPUT exit 0 @@ -71,9 +61,9 @@ jobs: -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GEMINI_API_KEY \ + -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider gemini --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error 
@@ -113,9 +103,9 @@ jobs: ## ⏭️ AI Slop Gate LLM Analysis **Status:** SKIPPED - **Reason:** GEMINI_API_KEY not configured + **Reason:** SLOPE_GATE_GROQ not configured - To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. + To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF From 68aeec8a5d1c359bee7e24cea0dd40b3f6fc4172 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sat, 7 Mar 2026 15:20:29 +0100 Subject: [PATCH 50/54] added functional far make sbon --- .github/workflows/analyze.yml | 77 +++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 636ea9c..91d8c13 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
@@ -12,6 +12,83 @@ permissions: contents: read jobs: + static-analysis: + runs-on: ubuntu-22.04 + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # βœ… NEW: Generate SBOM + - name: Generate SBOM (Software Bill of Materials) + run: | + echo "πŸ“¦ Generating SBOM..." + + # Install Syft + curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin + + # Generate SBOM in multiple formats + syft . -o json > sbom.json + syft . -o spdx-json > sbom-spdx.json + syft . -o cyclonedx-json > sbom-cyclonedx.json + + # Show summary + echo "βœ… SBOM generated successfully:" + ls -lh sbom*.json + + # Count components + COMPONENTS=$(jq '.artifacts | length' sbom.json 2>/dev/null || echo "0") + echo "πŸ“Š Total components: $COMPONENTS" + + # Upload SBOM artifacts + - name: Upload SBOM Reports + uses: actions/upload-artifact@v4 + if: always() + with: + name: sbom-reports-${{ github.run_number }} + path: | + sbom.json + sbom-spdx.json + sbom-cyclonedx.json + retention-days: 90 + + # Add SBOM info to existing PR comment + - name: Add SBOM Summary to PR Comment + if: github.event_name == 'pull_request' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + COMPONENTS=$(jq '.artifacts | length' sbom.json 2>/dev/null || echo "0") + LANGUAGES=$(jq -r '.artifacts[].type' sbom.json 2>/dev/null | sort -u | tr '\n' ', ' | sed 's/,$//') + + cat >> pr_comment.md << EOF + + --- + + ### πŸ“¦ Software Bill of Materials (SBOM) + + **Components:** $COMPONENTS packages detected + **Languages:** $LANGUAGES + + **Artifacts available** in workflow run: + - \`sbom.json\` - Syft native format + - \`sbom-spdx.json\` - SPDX 2.3 (EU standard) + - \`sbom-cyclonedx.json\` - CycloneDX format + +
+ πŸ“‹ Top 10 Dependencies + + $(jq -r '.artifacts[:10] | .[] | "- **\(.name)** \(.version) (\(.type))"' sbom.json 2>/dev/null || echo "Unable to parse SBOM") + +
+ + πŸ” Generated with [Syft](https://github.com/anchore/syft) | Retention: 90 days + EOF + + # Append to existing PR comment or create new + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file pr_comment.md \ + --repo ${{ github.repository }} llm-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 From 930e532113ac2c8826410e635f1dfdd4397987f5 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sat, 7 Mar 2026 15:39:37 +0100 Subject: [PATCH 51/54] updated functional sbon --- .github/workflows/analyze.yml | 230 +++++++++++++++------------------- Slop.csproj | 48 +++++++ 2 files changed, 150 insertions(+), 128 deletions(-) create mode 100644 Slop.csproj diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 91d8c13..5b9ec95 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM GROQ Analysis +name: AI Slop Gate Static Analysis on: pull_request: 
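Review bot: The `Generate SBOM` step pipes `install.sh` from the `main` branch of anchore/syft straight into `sh`, with no pinned version and no checksum, so both the installer and the binary it downloads can change between runs of a job that holds a write-scoped `GITHUB_TOKEN`. Fetch the script from a release tag and pass the version explicitly, e.g. `curl -sSfL https://raw.githubusercontent.com/anchore/syft/<SYFT_TAG>/install.sh | sh -s -- -b /usr/local/bin <SYFT_TAG>`, or use a SHA-pinned action for the SBOM step. The later `Install Syft` and `Install Trivy` steps in this series repeat the same pattern and need the same pinning.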
@@ -14,34 +14,46 @@ permissions: jobs: static-analysis: runs-on: ubuntu-22.04 - + timeout-minutes: 20 + steps: - name: Checkout code uses: actions/checkout@v4 - - # βœ… NEW: Generate SBOM - - name: Generate SBOM (Software Bill of Materials) + + # Generate SBOM (language-agnostic, works with any project) + - name: Install Syft + run: | + curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \ + | sh -s -- -b /usr/local/bin + + - name: Generate SBOM + id: sbom run: | echo "πŸ“¦ Generating SBOM..." - - # Install Syft - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - - # Generate SBOM in multiple formats - syft . -o json > sbom.json - syft . -o spdx-json > sbom-spdx.json + + syft . -o json > sbom.json + syft . -o spdx-json > sbom-spdx.json syft . -o cyclonedx-json > sbom-cyclonedx.json - - # Show summary - echo "βœ… SBOM generated successfully:" + + echo "βœ… SBOM files:" ls -lh sbom*.json - - # Count components - COMPONENTS=$(jq '.artifacts | length' sbom.json 2>/dev/null || echo "0") + + COMPONENTS=$(python3 -c "import json; d=json.load(open('sbom.json')); print(len(d.get('artifacts', [])))") echo "πŸ“Š Total components: $COMPONENTS" - - # Upload SBOM artifacts - - name: Upload SBOM Reports + echo "components=$COMPONENTS" >> "$GITHUB_OUTPUT" + + TOP10=$(python3 -c " + import json + arts = json.load(open('sbom.json')).get('artifacts', [])[:10] + for a in arts: + print(f'- \`{a[\"name\"]}\` {a.get(\"version\",\"\")} ({a.get(\"type\",\"\")})') + ") + # Store top10 for PR comment (newlines β†’ escaped) + echo "top10<> "$GITHUB_OUTPUT" + echo "$TOP10" >> "$GITHUB_OUTPUT" + echo "SBOM_EOF" >> "$GITHUB_OUTPUT" + + - name: Upload SBOM artifacts uses: actions/upload-artifact@v4 if: always() with: 
@@ -51,51 +63,6 @@ jobs: sbom-spdx.json sbom-cyclonedx.json retention-days: 90 - - # Add SBOM info to existing PR comment - - name: Add SBOM Summary to PR Comment - if: github.event_name == 'pull_request' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - COMPONENTS=$(jq '.artifacts | length' sbom.json 2>/dev/null || echo "0") - LANGUAGES=$(jq -r '.artifacts[].type' sbom.json 2>/dev/null | sort -u | tr '\n' ', ' | sed 's/,$//') - - cat >> pr_comment.md << EOF - - --- - - ### πŸ“¦ Software Bill of Materials (SBOM) - - **Components:** $COMPONENTS packages detected - **Languages:** $LANGUAGES - - **Artifacts available** in workflow run: - - \`sbom.json\` - Syft native format - - \`sbom-spdx.json\` - SPDX 2.3 (EU standard) - - \`sbom-cyclonedx.json\` - CycloneDX format - -
- πŸ“‹ Top 10 Dependencies - - $(jq -r '.artifacts[:10] | .[] | "- **\(.name)** \(.version) (\(.type))"' sbom.json 2>/dev/null || echo "Unable to parse SBOM") - -
- - πŸ” Generated with [Syft](https://github.com/anchore/syft) | Retention: 90 days - EOF - - # Append to existing PR comment or create new - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file pr_comment.md \ - --repo ${{ github.repository }} - llm-analysis: - runs-on: ubuntu-22.04 - timeout-minutes: 20 - - steps: - - name: Checkout code - uses: actions/checkout@v4 - name: Cache ai-slop-gate cache directory uses: actions/cache@v4 @@ -105,24 +72,15 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run LLM analysis - - name: LLM Analysis (ai-slop-gate) - id: llm_gate + # Run static analysis + - name: Static Analysis (ai-slop-gate) + id: static_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate - # Check if API key is available - if [ -z "$SLOPE_GATE_GROQ" ]; then - echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" - echo "verdict=SKIPPED" >> $GITHUB_OUTPUT - echo "findings=0" >> $GITHUB_OUTPUT - exit 0 - fi - # Check if policy.yml exists, otherwise use default POLICY_FLAG="" if [ -f "${{ github.workspace }}/policy.yml" ]; then @@ -132,15 +90,14 @@ jobs: echo "πŸ“‹ Using default policy" fi - # Run LLM analysis and capture output + # Run static analysis and capture output set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -148,7 +105,7 @@ jobs: # Always show report cat raw_report.txt - # Save exit code + # Save exit code for later steps echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT # Extract verdict (default to UNKNOWN if not found) 
@@ -165,34 +122,15 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Don't fail here + # Don't fail here - let continue-on-error handle it exit 0 - # Post comment on PR (always) - - name: Post LLM Analysis Report to PR + # Post comment on PR (always, not just on failure) + - name: Post Static Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Check if analysis was skipped - if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then - cat > final_comment.md << EOF - ## ⏭️ AI Slop Gate LLM Analysis - - **Status:** SKIPPED - **Reason:** SLOPE_GATE_GROQ not configured - - To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. - - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - exit 0 - fi - # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md @@ -200,12 +138,12 @@ jobs: if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The LLM analysis may have failed to run properly." >> clean_report.md + echo "The static analysis may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.llm_gate.outputs.verdict }}" - FINDINGS="${{ steps.llm_gate.outputs.findings }}" + VERDICT="${{ steps.static_gate.outputs.verdict }}" + FINDINGS="${{ steps.static_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" 
@@ -215,7 +153,7 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Determine emoji and status + # Determine emoji and status based on verdict if [ "$VERDICT" = "BLOCKING" ]; then EMOJI="🚨" STATUS="**BLOCKING** - Action Required" @@ -232,13 +170,11 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate LLM Analysis (Gemini) + ## $EMOJI AI Slop Gate Static Analysis **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected - > πŸ€– **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. - --- EOF @@ -253,31 +189,68 @@ jobs: ---
- πŸ“š Understanding LLM Findings + πŸ“š How to fix common issues - ### What LLM Analysis Detects - - Architectural anti-patterns and code smells - - Logic inconsistencies and contradictions - - Misleading naming or documentation - - Potential design flaws - - Security vulnerabilities in business logic + ### Hardcoded Secrets + 1. Move secrets to environment variables or secret management system + 2. Use \`.env\` files (add to \`.gitignore\`) + 3. For CI/CD, use GitHub Secrets or similar - ### How to Interpret Findings - - **High Confidence (0.8-1.0):** Strong evidence of an issue - - **Medium Confidence (0.5-0.8):** Worth investigating - - **Low Confidence (<0.5):** Consider in context + ### Dangerous Functions + 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` + 2. Sanitize all user inputs + 3. Use safer alternatives (parameterized queries, safe APIs) - ### False Positives - LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements. + ### SQL Injection + 1. Use parameterized queries/prepared statements + 2. Never concatenate user input into SQL strings + 3. Use ORM frameworks when possible + + ### TODOs + 1. Complete or document security-related TODOs + 2. Create issues for tracking + 3. Remove completed TODOs
EOF fi + # Append SBOM section + cat >> final_comment.md << 'SBOM_BLOCK' + + --- + + ### πŸ“¦ Software Bill of Materials (SBOM) + SBOM_BLOCK + + cat >> final_comment.md << EOF + **Components detected:** ${{ steps.sbom.outputs.components }} + **Formats:** \`sbom.json\` Β· \`sbom-spdx.json\` (SPDX 2.3) Β· \`sbom-cyclonedx.json\` (CycloneDX 1.6) + + > βš–οΈ SPDX 2.3 is compatible with the **EU Cyber Resilience Act** supply chain requirements. + +
+ πŸ“‹ Top 10 components + + ${{ steps.sbom.outputs.top10 }} + +
+ +
+ ⬇️ How to download SBOM + + 1. Click **Details** on this check + 2. Scroll to **Artifacts** section + 3. Download \`sbom-reports-${{ github.run_number }}.zip\` + +
+ + EOF + # Always add footer cat >> final_comment.md << EOF - πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` + πŸ€– Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF # Post comment @@ -286,8 +259,9 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check LLM Analysis Result - if: steps.llm_gate.outputs.verdict == 'BLOCKING' + - name: Check Static Analysis Result + if: steps.static_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ LLM analysis found blocking violations" + echo "❌ Static analysis found blocking violations" exit 1 + \ No newline at end of file diff --git a/Slop.csproj b/Slop.csproj new file mode 100644 index 0000000..db9db72 --- /dev/null +++ b/Slop.csproj @@ -0,0 +1,48 @@ + + + + Exe + net8.0 + Slop + Slop + enable + enable + + true + false + + + + + + + + + + + + + + + + + + + + + + + + runtime; build; native; contentfiles; analyzers; buildtransitive + all + + + + + + runtime; build; native; contentfiles; analyzers; buildtransitive + all + + + + \ No newline at end of file From 2204439e85b0ee3680d60950f923497909b3ea67 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sat, 7 Mar 2026 15:49:36 +0100 Subject: [PATCH 52/54] added trivy scan in workflow with sbon --- .github/workflows/analyze.yml | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 5b9ec95..25b8fa6 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
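Review bot: In the appended SBOM block, `${{ steps.sbom.outputs.top10 }}` is pasted into an unquoted `<< EOF` heredoc before the shell runs. The `Generate SBOM` step wraps each component name in backticks, so the shell treats every name as a command substitution, and the names presumably come from manifests in the checked-out pull request. Pass the value through the step's environment instead, `env: TOP10: ${{ steps.sbom.outputs.top10 }}`, and reference `$TOP10` inside the heredoc; the result of a parameter expansion is not re-scanned for substitutions. The `VERDICT="${{ steps.static_gate.outputs.verdict }}"` and `FINDINGS=...` lines in the earlier hunk of this step interpolate report-derived text the same way and would be safer via `env:` too.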
@@ -53,16 +53,23 @@ jobs: echo "$TOP10" >> "$GITHUB_OUTPUT" echo "SBOM_EOF" >> "$GITHUB_OUTPUT" - - name: Upload SBOM artifacts - uses: actions/upload-artifact@v4 - if: always() - with: - name: sbom-reports-${{ github.run_number }} - path: | - sbom.json - sbom-spdx.json - sbom-cyclonedx.json - retention-days: 90 + - name: Enrich SBOM with vulnerabilities (Trivy VEX) + run: | + trivy sbom sbom-cyclonedx.json \ + --format cyclonedx \ + --output sbom-cyclonedx-vex.json + + - name: Upload SBOM artifacts + uses: actions/upload-artifact@v4 + if: always() + with: + name: sbom-reports-${{ github.run_number }} + path: | + sbom.json + sbom-spdx.json + sbom-cyclonedx.json + sbom-cyclonedx-vex.json + retention-days: 90 - name: Cache ai-slop-gate cache directory uses: actions/cache@v4 From b388ef418f0841b693f45fa45c61973c6a4e813b Mon Sep 17 00:00:00 2001 From: serhiy Date: Sat, 7 Mar 2026 15:53:56 +0100 Subject: [PATCH 53/54] fix workflow with sbom --- .github/workflows/analyze.yml | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 25b8fa6..e4baa09 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml 
@@ -53,23 +53,30 @@ jobs: echo "$TOP10" >> "$GITHUB_OUTPUT" echo "SBOM_EOF" >> "$GITHUB_OUTPUT" + # FIX 1: Install Trivy before using it + - name: Install Trivy + run: | + curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \ + | sh -s -- -b /usr/local/bin + + # FIX 2: Correct indentation β€” was nested inside Trivy run block - name: Enrich SBOM with vulnerabilities (Trivy VEX) run: | trivy sbom sbom-cyclonedx.json \ --format cyclonedx \ --output sbom-cyclonedx-vex.json - - name: Upload SBOM artifacts - uses: actions/upload-artifact@v4 - if: always() - with: - name: sbom-reports-${{ github.run_number }} - path: | - sbom.json - sbom-spdx.json - sbom-cyclonedx.json - sbom-cyclonedx-vex.json - retention-days: 90 + - name: Upload SBOM artifacts + uses: actions/upload-artifact@v4 + if: always() + with: + name: sbom-reports-${{ github.run_number }} + path: | + sbom.json + sbom-spdx.json + sbom-cyclonedx.json + sbom-cyclonedx-vex.json + retention-days: 90 - name: Cache ai-slop-gate cache directory uses: actions/cache@v4 @@ -232,7 +239,7 @@ jobs: cat >> final_comment.md << EOF **Components detected:** ${{ steps.sbom.outputs.components }} - **Formats:** \`sbom.json\` Β· \`sbom-spdx.json\` (SPDX 2.3) Β· \`sbom-cyclonedx.json\` (CycloneDX 1.6) + **Formats:** \`sbom.json\` Β· \`sbom-spdx.json\` (SPDX 2.3) Β· \`sbom-cyclonedx.json\` (CycloneDX 1.6) Β· \`sbom-cyclonedx-vex.json\` (CycloneDX + CVE) > βš–οΈ SPDX 2.3 is compatible with the **EU Cyber Resilience Act** supply chain requirements. From 77c0a130b7c259a8e28705b77e724db5b2f96971 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sat, 7 Mar 2026 16:00:40 +0100 Subject: [PATCH 54/54] fix path Download SBOM artifacts in workflow with sbom --- .github/workflows/analyze.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index e4baa09..3b48fbd 100644 --- a/.github/workflows/analyze.yml 
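Review bot: The `Enrich SBOM with vulnerabilities (Trivy VEX)` step only writes `sbom-cyclonedx-vex.json`; as far as the visible steps show, nothing reads the findings, so a critical CVE in a dependency changes neither the job result nor the PR comment. If gating is intended, run the scan with `--exit-code 1 --severity HIGH,CRITICAL`, or surface the finding count in the comment. Strictly, the output is a CycloneDX document with vulnerability entries rather than VEX statements, so the step name and the `-vex` suffix may mislead consumers; a comment such as `# CycloneDX SBOM with Trivy vulnerability findings (not VEX statements)` above the step would make that clear.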
+++ b/.github/workflows/analyze.yml @@ -253,10 +253,8 @@ jobs:
⬇️ How to download SBOM - 1. Click **Details** on this check - 2. Scroll to **Artifacts** section - 3. Download \`sbom-reports-${{ github.run_number }}.zip\` - + **[⬇️ Download SBOM artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})** +
EOF @@ -278,4 +276,3 @@ jobs: run: | echo "❌ Static analysis found blocking violations" exit 1 - \ No newline at end of file