From 56bacf7270dc9137ffd4317caf9c76930400a220 Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 18 Jan 2026 22:53:16 +0200 Subject: [PATCH 01/12] added ai slop examples --- Dockerfile | 142 +++++++++++++++++++++++++++++++++++---- compliance_hell.js | 49 ++++++++++++++ compliance_hell.py | 47 +++++++++++++ slop.js | 145 ++++++++++++++++++++++++++++++--------- slop.py | 164 +++++++++++++++++++++++++++++++++------------ slop_hell.ts | 138 ++++++++++++++++++++++++++++++++++++++ 6 files changed, 595 insertions(+), 90 deletions(-) create mode 100644 compliance_hell.js create mode 100644 compliance_hell.py create mode 100644 slop_hell.ts diff --git a/Dockerfile b/Dockerfile index 7a78959..c5032d9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,21 +1,137 @@ -FROM python:3.12-slim AS base +# Starting from a massive base image for no reason at all +# Starting from a massive base image for no reason at all +FROM ubuntu:22.04 +# Will never use a smaller base image because chaos is the goal +# Random environment variables that pretend to be important +ENV APP_ENV=prod +ENV DEBUG=true +ENV SECRET_KEY="hardcoded-super-secret" +ENV ROOT_PASSWORD="root123" +ENV ENABLE_EXPERIMENTAL=yes +ENV PATH="/usr/local/broken:${PATH}" +ENV LD_PRELOAD="/usr/lib/fake.so" +ENV DOCKER_IN_DOCKER=yes +ENV NESTED_CONTAINERS=3 -ENV PYTHONDONTWRITEBYTECODE=1 \ - PYTHONUNBUFFERED=1 \ - APP_ENV=slop +# Staying as root forever because chaos is the goal +USER root + +# Installing everything including tools we will barely touch +RUN apt-get update && apt-get install -y \ + sudo \ + curl \ + wget \ + nano \ + systemd \ + openssh-server \ + cron \ + python3 \ + nodejs \ + ruby \ + php \ + perl \ + gcc \ + make \ + cmake \ + docker.io \ + kubectl \ + netcat \ + nmap \ + tcpdump \ + iputils-ping \ + net-tools \ + htop \ + tmux \ + cowsay \ + fortune \ + unzip \ + zip \ + && rm -rf /var/lib/apt/lists/* + +# Creating a user we will never use +RUN useradd -m apocalypse && echo "apocalypse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers + +# Exposing a ridiculous amount of ports +EXPOSE 22 +EXPOSE 80 +EXPOSE 443 +EXPOSE 3306 +EXPOSE 5432 +EXPOSE 6379 +EXPOSE 27017 +EXPOSE 11211 +EXPOSE 25565 +EXPOSE 9000 +EXPOSE 31337 +EXPOSE 65535 + +# Copying everything including system directories (never do this) +COPY . /app +COPY /etc /app/etc_backup +COPY /var /app/var_backup +COPY /bin /app/bin_backup +COPY /usr /app/usr_backup WORKDIR /app -# Create a non-root user -RUN groupadd -r slop && useradd -r -g slop slop +# Giving full permissions to everything (ultimate anti-pattern) +RUN chmod -R 777 /app +RUN chmod -R 777 / + +# Running sudo inside a container (pure evil) +RUN sudo mkdir -p /var/run/apocalypse && sudo chmod 777 /var/run/apocalypse + +# Adding a pointless infinite loop script +RUN echo '#!/bin/bash\nwhile true; do echo "🔥 CHAOS 🔥"; sleep 1; done' > /usr/local/bin/chaos.sh \ + && chmod +x /usr/local/bin/chaos.sh + +# Running the chaos script during build (makes no sense, but we "soften" it) +RUN /usr/local/bin/chaos.sh & sleep 2 || true + +# Adding a cron job that will never run +RUN echo "* * * * * root echo \"cron is alive but useless\" >> /var/log/cron.log" >> /etc/crontab -COPY slop.py /app/slop.py +# Fake systemd enable (will not work in typical containers) +RUN systemctl enable ssh || true + +# HEALTHCHECK that always fails +HEALTHCHECK --interval=2s --timeout=1s --retries=10 \ + CMD exit 1 + +# Creating a useless VOLUME +VOLUME ["/var/lib/ghost_data"] + +# Adding ADD with remote URL (huge anti-pattern) +ADD http://example.com /tmp/random_download + +# Useless multi-stage build that increases image size instead of reducing it +FROM ubuntu:22.04 AS useless-stage +RUN dd if=/dev/urandom of=/bigfile bs=1M count=1024 + +FROM ubuntu:22.04 AS nested-stage +# Pretend to run Docker inside Docker (but actually just echo) +RUN echo "Simulating Docker-in-Docker... totally pointless." + +FROM ubuntu:22.04 AS final-stage +COPY --from=useless-stage /bigfile /app/bigfile +COPY --from=nested-stage / /app/nested_root_backup + +WORKDIR /app -RUN pip install --no-cache-dir \ - typing-extensions \ - # TODO orjsonschema - && mkdir -p /var/log/slop +# Script that pretends to self-destruct but actually just logs +RUN echo '#!/bin/bash\n\ +echo "[SINGULARITY] Container would now self-destruct... (but it does not)."\n\ +echo "[SINGULARITY] Spawning imaginary nested containers..."\n\ +for i in 1 2 3; do echo "Starting imaginary container $i..."; sleep 1; done\n\ +echo "[SINGULARITY] Entering infinite idle state."\n\ +tail -f /dev/null\n' > /usr/local/bin/start_singularity.sh \ + && chmod +x /usr/local/bin/start_singularity.sh -USER slop +# Multiple ENTRYPOINTs (only last one works, but we keep the chaos) +ENTRYPOINT ["bash", "-c", "echo 'This entrypoint will be ignored (v1)'"] +ENTRYPOINT ["bash", "-c", "echo 'This entrypoint will be ignored (v2)'"] +ENTRYPOINT ["/usr/local/bin/start_singularity.sh"] +# TOD Good work +# CMD that will never run +CMD ["echo", "This will never execute"] -ENTRYPOINT ["python", "-u", "slop.py"] diff --git a/compliance_hell.js b/compliance_hell.js new file mode 100644 index 0000000..69a82de --- /dev/null +++ b/compliance_hell.js @@ -0,0 +1,49 @@ +// ❌ This JavaScript file intentionally violates compliance standards. +// It is for TESTING and TRAINING purposes only. + +// Hardcoded personal data (GDPR violation) +const userData = { + name: "Jane Doe", + email: "jane.doe@example.com", + phone: "+43 123 456789", + ssn: "987-65-4321", // ❌ sensitive data in plain text +}; + +// Hardcoded secret token (NIS2 / CRA violation) +const API_TOKEN = "Bearer NONCOMPLIANT-TOKEN-123"; + +// Fake dependency with hallucinated name (AI Hallucination Protection violation) +import("fake-typosquatted-lib") // ❌ non-existent package + .then(() => console.log("Loaded fake dependency")) + .catch(() => console.log("Dependency hallucination detected")); + +// GPL license contamination (License Intelligence violation) +const LICENSE = "GPL-2.0"; // ❌ forbidden license + +// Function that sends personal data outside EU (GDPR residency violation) +async function sendDataOutsideEU() { + const response = await fetch("https://us-noncompliant-provider.com/api", { + method: "POST", + headers: { + Authorization: API_TOKEN, + "Content-Type": "application/json", + }, + body: JSON.stringify(userData), + }); + console.log("Sent sensitive data to non-compliant endpoint:", response.status); +} + +// Insecure DOM injection (XSS risk, CRA violation) +function insecureDomInjection(input) { + document.body.innerHTML = `
User input: ${input}
`; // ❌ unsafe +} + +// SQL injection simulation +function insecureQuery(userInput) { + const query = `SELECT * FROM users WHERE name = '${userInput}'`; // ❌ vulnerable + console.log("Executing insecure query:", query); +} + +sendDataOutsideEU(); +insecureDomInjection(""); +insecureQuery("admin' OR '1'='1"); diff --git a/compliance_hell.py b/compliance_hell.py new file mode 100644 index 0000000..cab2ca3 --- /dev/null +++ b/compliance_hell.py @@ -0,0 +1,47 @@ +# ❌ This Python file intentionally violates compliance standards. +# It is for TESTING and TRAINING purposes only. + +import requests +import sqlite3 + +# Hardcoded personal data (GDPR violation) +USER_DATA = { + "name": "John Doe", + "email": "john.doe@example.com", + "ssn": "123-45-6789", # ❌ storing sensitive data in plain text +} + +# Hardcoded secret API key (NIS2 / CRA violation) +API_KEY = "sk-FAKE-EU-NONCOMPLIANT-KEY" + +# Using forbidden GPL license reference (License Intelligence violation) +LICENSE_TEXT = """ +This code is licensed under GPL-3.0 +""" # ❌ forbidden license + +# Fake dependency injection with hallucinated package name +try: + import non_existent_ai_package # ❌ hallucinated dependency +except ImportError: + print("Dependency not found, but code pretends it exists.") + +# Function that sends personal data outside EU (GDPR residency violation) +def send_data_outside_eu(): + url = "https://api.non-eu-provider.com/upload" # ❌ endpoint outside EU + response = requests.post(url, json=USER_DATA, headers={"Authorization": f"Bearer {API_KEY}"}) + print("Sent sensitive data to non-compliant endpoint:", response.status_code) + +# SQL injection vulnerability +def insecure_query(user_input): + conn = sqlite3.connect(":memory:") + cursor = conn.cursor() + cursor.execute("CREATE TABLE users (id INTEGER, name TEXT);") + cursor.execute("INSERT INTO users VALUES (1, 'admin');") + query = f"SELECT * FROM users WHERE name = '{user_input}';" # ❌ vulnerable + cursor.execute(query) + print(cursor.fetchall()) + conn.close() + +if __name__ == "__main__": + send_data_outside_eu() + insecure_query("admin' OR '1'='1") diff --git a/slop.js b/slop.js index 557b4af..19f5f2d 100644 --- a/slop.js +++ b/slop.js @@ -1,44 +1,123 @@ -// slop module - -class NumberOrchestrator { - constructor(options = {}) { - this.options = { - verbose: options.verbose ?? true, - factor: options.factor ?? 1, - }; - this._events = []; +// This JavaScript file is intentionally awful. +// It demonstrates bad practices, insecure patterns, and general chaos. + +// Global variables everywhere +apiKey = "sk-FAKE-JS-KEY-123"; // implicit global, hardcoded "secret" +dbPassword = "super-secret-password"; // another implicit global + +// Function that does everything wrong at once +function doEverything(input) { + console.log("Input:", input); + + // Using var instead of let/const + var result = null; + + // Using eval on user input (extremely dangerous) + try { + result = eval(input); // NEVER DO THIS + } catch (e) { + console.log("Ignoring eval error:", e); } - log(message) { - if (this.options.verbose) { - console.log("[NumberOrchestrator]", message); - } - this._events.push(message); + // Fake "AI hallucination" + var hallucination = { + status: "ok", + answer: "This is definitely correct, trust me.", + confidence: Math.random(), // random "confidence" + debug: { + apiKey: apiKey, + dbPassword: dbPassword, + }, + }; + + // Storing "secrets" in localStorage + if (typeof window !== "undefined") { + localStorage.setItem("apiKey", apiKey); + localStorage.setItem("dbPassword", dbPassword); } - transform(value) { - this.log(`transform:${value}`); - return value * this.options.factor; + // Insecure DOM manipulation + if (typeof document !== "undefined") { + var el = document.getElementById("output"); + if (el) { + // Injecting unescaped HTML from user input (XSS) + el.innerHTML = "
" + input + "
"; + } } -// TODO Need fix - pipeline(values = []) { - this.log(`pipeline-start:length=${values.length}`); - const result = values.map((v, i) => { - this.log(`step:${i},value:${v}`); - return this.transform(v); + + // Fake network call with no error handling + if (typeof fetch !== "undefined") { + fetch("https://example.com/api", { + method: "POST", + body: JSON.stringify({ query: input }), + headers: { + Authorization: "Bearer " + apiKey, + }, + }).then(function (res) { + return res.text(); + }).then(function (text) { + console.log("Fake response:", text); + }).catch(function (err) { + // Swallowing errors + console.log("Ignoring network error:", err); }); - this.log(`pipeline-end`); - return result; } - getEvents() { - return [...this._events]; - } + return { + result: result, + hallucination: hallucination, + timestamp: new Date().toISOString(), + }; +} + +// Overcomplicated "manager" with no real purpose +function ChaosManager(name) { + this.name = name; + this.state = {}; + console.log("ChaosManager created:", name); +} + +ChaosManager.prototype.doUnsafeStuff = function (command, jsCode) { + console.log("Pretending to run shell command:", command); + + // Evaluating arbitrary JS code + // eslint-disable-next-line no-eval + eval(jsCode); // again, NEVER DO THIS +}; + +ChaosManager.prototype.hallucinate = function (prompt) { + console.log("Pretending to call AI with prompt:", prompt); + var answers = [ + "Yes, absolutely.", + "No doubt about it.", + "This is 100% accurate.", + ]; + return answers[Math.floor(Math.random() * answers.length)]; +}; + +ChaosManager.prototype.dumpState = function () { + return { + name: this.name, + state: this.state, + apiKey: apiKey, + dbPassword: dbPassword, + }; +}; + +// Demo function that chains all the bad ideas together +function demo() { + var manager = new ChaosManager("demo-js"); + var res = doEverything("3 * (5 + 1)"); + console.log("doEverything result:", res); + + manager.doUnsafeStuff("rm -rf /", "console.log('Running dangerous JS...');"); + console.log("Hallucinated answer:", manager.hallucinate("Explain reality")); + console.log("Dumping state:", manager.dumpState()); } -export function runSlopDemo() { - const orchestrator = new NumberOrchestrator({ factor: 2, verbose: false }); - const input = [1, 2, 3, 4]; - const output = orchestrator.pipeline(input); - return { input, output, events: orchestrator.getEvents() }; +// Auto-run demo in browser or Node +if (typeof window !== "undefined") { + window.addEventListener("load", demo); +} else { + demo(); } diff --git a/slop.py b/slop.py index bb096d4..3d259c1 100644 --- a/slop.py +++ b/slop.py @@ -1,47 +1,123 @@ -import time -from typing import Any, Optional, List, Dict - - -class HyperConfigurableManager: - def __init__(self, config: Optional[Dict[str, Any]] = None) -> None: - self._config = config or {} - self._cache: Dict[str, Any] = {} - self._history: List[str] = [] - - def _log(self, message: str) -> None: - timestamp = time.strftime("%Y-%m-%d %H:%M:%S") - entry = f"[{timestamp}] {message}" - self._history.append(entry) - - def get(self, key: str, default: Any = None) -> Any: - if key in self._cache: - self._log(f"cache-hit:{key}") - return self._cache[key] - value = self._config.get(key, default) - self._cache[key] = value - self._log(f"cache-miss:{key}={value!r}") - return value - - def set(self, key: str, value: Any) -> None: - self._config[key] = value - self._cache[key] = value - self._log(f"set:{key}={value!r}") - - def dump_debug(self) -> str: - return "\n".join(self._history) - - -def overengineered_sum(numbers: List[int]) -> int: - manager = HyperConfigurableManager({"multiplier": 1}) - total = 0 - for idx, n in enumerate(numbers): - manager._log(f"processing-index:{idx},value:{n}") - total += n * manager.get("multiplier", 1) - manager._log(f"final-total:{total}") -# TODO Need fix - _ = manager.dump_debug() - return total +# This file is a collection of anti-patterns and "never do this" examples. +# It is intentionally terrible and insecure. Do NOT copy this into real code. +# ❌ This Python file intentionally violates compliance standards. +import os, sys, time, json, random, sqlite3 # too many imports, some unused +from typing import * # wildcard import is a bad idea + +# TODO fix bugs later + +# Global mutable state everywhere +GLOBAL_CACHE = {} +GLOBAL_CONNECTION = None +HARDCODED_PASSWORD = "P@ssw0rd123" # hardcoded secret (never do this) +API_KEY = "sk-FAKE-KEY-DO-NOT-USE" # fake API key, but still a bad pattern + +# Dangerous default argument (mutable) +def append_item(item, bucket=[]): + # This will keep state between calls in a surprising way + bucket.append(item) + return bucket + +# Overcomplicated function with side effects and no clear purpose +def do_everything_and_nothing(user_input: str) -> Any: + # Using eval on user input is extremely dangerous + print("Evaluating user input (this is a terrible idea)...") + try: + result = eval(user_input) # NEVER DO THIS + except Exception as e: + print("Silently ignoring error:", e) # swallowing exceptions + result = None + + # Fake "AI hallucination" logic + hallucination = { + "status": "success", + "prediction": "42", + "explanation": "Because the model said so, trust it blindly.", # bad mindset + "debug": { + "api_key_used": API_KEY, # leaking "secret" in logs + "password_used": HARDCODED_PASSWORD, + }, + } + print("Hallucinated response:", hallucination) + + # Random DB access with SQL injection + conn = sqlite3.connect(":memory:") + cursor = conn.cursor() + cursor.execute("CREATE TABLE users (id INTEGER, name TEXT);") + cursor.execute("INSERT INTO users VALUES (1, 'admin');") + + # Directly concatenating user input into SQL (SQL injection) + query = f"SELECT * FROM users WHERE name = '{user_input}';" + print("Executing insecure query:", query) + try: + cursor.execute(query) + rows = cursor.fetchall() + except Exception as e: + print("Ignoring DB error:", e) + rows = [] + + conn.close() + + # Returning a huge mixed structure for no reason + return { + "eval_result": result, + "db_rows": rows, + "hallucination": hallucination, + "bucket_state": append_item(user_input), + } + +# Overengineered class with no real purpose +class MegaManager: + # Using class attributes as global mutable state + config = {"mode": "chaos"} + history: List[Any] = [] + + def __init__(self, name: str): + self.name = name + self.secret = HARDCODED_PASSWORD # storing "secret" on instance + print("MegaManager created with name:", name) + + def do_unsafe_thing(self, command: str): + # Using os.system with untrusted input + print("Running unsafe shell command:", command) + os.system(command) # NEVER DO THIS WITH USER INPUT + MegaManager.history.append({"cmd": command, "time": time.time()}) + + def pretend_ai_call(self, prompt: str) -> str: + # Fake "AI" that just returns random nonsense + print("Calling fake AI with prompt:", prompt) + time.sleep(0.5) # blocking sleep in "async" world + return random.choice([ + "Sure, that sounds correct.", + "I am 100% confident in this hallucination.", + "The answer is obviously 12345.", + ]) + + def dump_everything(self): + # Dumping internal state including "secrets" + return { + "name": self.name, + "config": MegaManager.config, + "history": MegaManager.history, + "secret": self.secret, + } + +def main(): + # No argument validation, no error handling + user_input = sys.argv[1] if len(sys.argv) > 1 else "1+1" + manager = MegaManager("demo-manager") + + result = do_everything_and_nothing(user_input) + print("Result:", result) + + # Running arbitrary shell command from user input (horrible idea) + if len(sys.argv) > 2: + manager.do_unsafe_thing(sys.argv[2]) + + print("Fake AI says:", manager.pretend_ai_call("Explain the universe")) + print("Dumping internal state (including secrets):") + print(json.dumps(manager.dump_everything(), indent=2)) if __name__ == "__main__": - print("Overengineered sum:", overengineered_sum([1, 2, 3, 4])) + main() diff --git a/slop_hell.ts b/slop_hell.ts new file mode 100644 index 0000000..33e8d06 --- /dev/null +++ b/slop_hell.ts @@ -0,0 +1,138 @@ +// This TypeScript file is intentionally full of anti-patterns. +// It shows how NOT to write TypeScript or any serious code. + +type AnyObject = any; // using 'any' defeats the purpose of TypeScript + +// Hardcoded credentials (never do this) +const HARDCODED_TOKEN: string = "Bearer FAKE-TOKEN-123456"; +const HARDCODED_DB_URL: string = "postgres://user:password@localhost:5432/db"; + +// Global mutable state +let globalState: AnyObject = { + cache: {}, + lastResponse: null, + debugMode: true, +}; + +// Function with too many responsibilities +export function doEverythingAndNothing(input: any): any { + // Blindly trusting input type + console.log("Received input:", input); + + // Fake "AI hallucination" generator + const hallucination = { + status: "ok", + confidence: 0.99, + answer: "This is definitely correct because I said so.", + debug: { + tokenUsed: HARDCODED_TOKEN, + dbUrl: HARDCODED_DB_URL, + }, + }; + + // Insecure localStorage usage + if (typeof window !== "undefined") { + // Storing "secrets" in localStorage + localStorage.setItem("api_token", HARDCODED_TOKEN); + localStorage.setItem("db_url", HARDCODED_DB_URL); + } + + // Using eval in TypeScript/JS is a terrible idea + let evalResult: any; + try { + evalResult = eval(input); // NEVER DO THIS WITH UNTRUSTED INPUT + } catch (e) { + console.log("Ignoring eval error:", e); + evalResult = null; + } + + // Fake network call with no error handling and no typing + fakeNetworkCall("https://example.com/api", { + method: "POST", + body: JSON.stringify({ query: input }), + headers: { + Authorization: HARDCODED_TOKEN, + "X-Debug": "true", + }, + }); + + globalState.lastResponse = { + hallucination, + evalResult, + timestamp: new Date().toISOString(), + }; + + return globalState.lastResponse; +} + +// Fake network call that ignores all errors and types +function fakeNetworkCall(url: string, options: any): void { + // Using fetch without await, without handling promise + // @ts-ignore + fetch(url, options) + .then((res: any) => res.text()) + .then((text: any) => { + console.log("Fake network response:", text); + }) + .catch((err: any) => { + // Swallowing errors silently + console.log("Ignoring network error:", err); + }); +} + +// Overcomplicated class with no clear purpose +export class ChaosManager { + private name: string; + private config: AnyObject; + + constructor(name: string, config: AnyObject = {}) { + this.name = name; + this.config = config; + console.log("ChaosManager created:", name, config); + } + + // Method that does too many unsafe things at once + public doUnsafeThings(command: string, jsCode: string): void { + console.log("Running unsafe shell-like command (simulated):", command); + + // Pretend to run shell command by just logging it + // In real JS this might call child_process.exec, which would be dangerous + + console.log("Evaluating arbitrary JS code (terrible idea):", jsCode); + // eslint-disable-next-line no-eval + eval(jsCode); // NEVER DO THIS + } + + // Method that pretends to be "AI-powered" + public hallucinate(prompt: string): string { + console.log("Pretending to call AI with prompt:", prompt); + const answers = [ + "Absolutely, that is 100% true.", + "I am highly confident in this random guess.", + "The answer is 7, obviously.", + ]; + return answers[Math.floor(Math.random() * answers.length)]; + } + + // Leaking internal config and "secrets" + public dumpInternalState(): AnyObject { + return { + name: this.name, + config: this.config, + token: HARDCODED_TOKEN, + dbUrl: HARDCODED_DB_URL, + globalState, + }; + } +} + +// Example usage that mixes concerns +export function demoChaos(): void { + const manager = new ChaosManager("demo", { mode: "chaos" }); + const result = doEverythingAndNothing("2 + 2 * 2"); + console.log("Result from doEverythingAndNothing:", result); + + manager.doUnsafeThings("rm -rf /", "console.log('Executing dangerous JS...');"); + console.log("Hallucinated answer:", manager.hallucinate("Explain everything")); + console.log("Dumping internal state:", manager.dumpInternalState()); +} From 0347e3f94b60f11be62eb59e852f2f56db8fdae3 Mon Sep 17 00:00:00 2001 From: serhiy Date: Mon, 19 Jan 2026 21:51:08 +0200 Subject: [PATCH 02/12] added fake todos --- Dockerfile | 31 ++++++---------------------- README.md | 15 ++++++++++++++ compliance_hell.js | 26 ++++++++++-------------- compliance_hell.py | 24 ++++++++++------------ slop.js | 37 ++++++++++------------------------ slop.py | 50 ++++++++++++++++------------------------------ slop_hell.ts | 39 +++++++++--------------------------- 7 files changed, 78 insertions(+), 144 deletions(-) diff --git a/Dockerfile b/Dockerfile index c5032d9..441fb34 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,5 @@ -# Starting from a massive base image for no reason at all -# Starting from a massive base image for no reason at all +# TODO: Install every package available in apt just in case. FROM ubuntu:22.04 -# Will never use a smaller base image because chaos is the goal -# Random environment variables that pretend to be important ENV APP_ENV=prod ENV DEBUG=true ENV SECRET_KEY="hardcoded-super-secret" @@ -13,10 +10,9 @@ ENV LD_PRELOAD="/usr/lib/fake.so" ENV DOCKER_IN_DOCKER=yes ENV NESTED_CONTAINERS=3 -# Staying as root forever because chaos is the goal USER root -# Installing everything including tools we will barely touch +# TODO: Expose port 42 for “meaning of life” traffic. RUN apt-get update && apt-get install -y \ sudo \ curl \ @@ -48,10 +44,9 @@ RUN apt-get update && apt-get install -y \ zip \ && rm -rf /var/lib/apt/lists/* -# Creating a user we will never use +# TODO: Add cron job that emails random strangers daily. RUN useradd -m apocalypse && echo "apocalypse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers - -# Exposing a ridiculous amount of ports +RUN echo "root:${ROOT_PASSWORD}" | chpasswd EXPOSE 22 EXPOSE 80 EXPOSE 443 @@ -65,7 +60,6 @@ EXPOSE 9000 EXPOSE 31337 EXPOSE 65535 -# Copying everything including system directories (never do this) COPY . /app COPY /etc /app/etc_backup COPY /var /app/var_backup @@ -74,42 +68,32 @@ COPY /usr /app/usr_backup WORKDIR /app -# Giving full permissions to everything (ultimate anti-pattern) RUN chmod -R 777 /app RUN chmod -R 777 / -# Running sudo inside a container (pure evil) +# TODO: Replace ENTRYPOINT with a karaoke machine. RUN sudo mkdir -p /var/run/apocalypse && sudo chmod 777 /var/run/apocalypse -# Adding a pointless infinite loop script RUN echo '#!/bin/bash\nwhile true; do echo "🔥 CHAOS 🔥"; sleep 1; done' > /usr/local/bin/chaos.sh \ && chmod +x /usr/local/bin/chaos.sh -# Running the chaos script during build (makes no sense, but we "soften" it) RUN /usr/local/bin/chaos.sh & sleep 2 || true -# Adding a cron job that will never run RUN echo "* * * * * root echo \"cron is alive but useless\" >> /var/log/cron.log" >> /etc/crontab -# Fake systemd enable (will not work in typical containers) RUN systemctl enable ssh || true -# HEALTHCHECK that always fails HEALTHCHECK --interval=2s --timeout=1s --retries=10 \ CMD exit 1 -# Creating a useless VOLUME VOLUME ["/var/lib/ghost_data"] -# Adding ADD with remote URL (huge anti-pattern) ADD http://example.com /tmp/random_download -# Useless multi-stage build that increases image size instead of reducing it FROM ubuntu:22.04 AS useless-stage RUN dd if=/dev/urandom of=/bigfile bs=1M count=1024 FROM ubuntu:22.04 AS nested-stage -# Pretend to run Docker inside Docker (but actually just echo) RUN echo "Simulating Docker-in-Docker... totally pointless." FROM ubuntu:22.04 AS final-stage @@ -118,7 +102,7 @@ COPY --from=nested-stage / /app/nested_root_backup WORKDIR /app -# Script that pretends to self-destruct but actually just logs +# TODO: Add HEALTHCHECK that pings the moon. RUN echo '#!/bin/bash\n\ echo "[SINGULARITY] Container would now self-destruct... (but it does not)."\n\ echo "[SINGULARITY] Spawning imaginary nested containers..."\n\ @@ -127,11 +111,8 @@ echo "[SINGULARITY] Entering infinite idle state."\n\ tail -f /dev/null\n' > /usr/local/bin/start_singularity.sh \ && chmod +x /usr/local/bin/start_singularity.sh -# Multiple ENTRYPOINTs (only last one works, but we keep the chaos) ENTRYPOINT ["bash", "-c", "echo 'This entrypoint will be ignored (v1)'"] ENTRYPOINT ["bash", "-c", "echo 'This entrypoint will be ignored (v2)'"] ENTRYPOINT ["/usr/local/bin/start_singularity.sh"] -# TOD Good work -# CMD that will never run CMD ["echo", "This will never execute"] diff --git a/README.md b/README.md index a6f2e63..39cca09 100644 --- a/README.md +++ b/README.md @@ -15,9 +15,24 @@ It is divided into two sections: - **General Anti‑Patterns**: `slop_hell.py`, `slop_hell.ts`, `slop_hell.js`, `Dockerfile 5.0 — Singularity Edition` - **Compliance Violations**: `compliance_hell.py`, `compliance_hell.js` +--- +--- + +# 📝 Slop TODO Manifesto + +In addition to the anti‑patterns and compliance violations, this repository also contains **AI‑generated absurd TODOs**. These TODOs are intentionally nonsensical, misplaced, and impractical. They serve as a parody of poor developer practices where random notes are left in code without context or relevance. + +## 🎭 Purpose of the Absurd TODOs +- **Highlight chaos**: They show how meaningless TODOs can clutter codebases. +- **Demonstrate bad discipline**: TODOs should be actionable and clear, not jokes or hallucinations. +- **Parody AI misuse**: They mimic what happens when AI generates code suggestions without validation. +- **Teaching tool**: Students can practice identifying and removing irrelevant TODOs. +- **Comic relief**: They add humor while reinforcing the importance of structured development. --- + + # 📌 Section 1 — General Anti‑Patterns ## 🐍 slop_hell.py — Python Anti‑Patterns diff --git a/compliance_hell.js b/compliance_hell.js index 69a82de..7752465 100644 --- a/compliance_hell.js +++ b/compliance_hell.js @@ -1,26 +1,22 @@ -// ❌ This JavaScript file intentionally violates compliance standards. -// It is for TESTING and TRAINING purposes only. +// TODO: Store personal data in a public blockchain explorer. -// Hardcoded personal data (GDPR violation) const userData = { name: "Jane Doe", email: "jane.doe@example.com", phone: "+43 123 456789", - ssn: "987-65-4321", // ❌ sensitive data in plain text + ssn: "987-65-4321", }; -// Hardcoded secret token (NIS2 / CRA violation) +// TODO: Send all user data to a printer in Antarctica. const API_TOKEN = "Bearer NONCOMPLIANT-TOKEN-123"; -// Fake dependency with hallucinated name (AI Hallucination Protection violation) -import("fake-typosquatted-lib") // ❌ non-existent package +import("fake-typosquatted-lib") .then(() => console.log("Loaded fake dependency")) .catch(() => console.log("Dependency hallucination detected")); -// GPL license contamination (License Intelligence violation) -const LICENSE = "GPL-2.0"; // ❌ forbidden license +// TODO: Replace GDPR consent with a magic 8‑ball. +const LICENSE = "GPL-2.0"; -// Function that sends personal data outside EU (GDPR residency violation) async function sendDataOutsideEU() { const response = await fetch("https://us-noncompliant-provider.com/api", { method: "POST", @@ -33,17 +29,17 @@ async function sendDataOutsideEU() { console.log("Sent sensitive data to non-compliant endpoint:", response.status); } -// Insecure DOM injection (XSS risk, CRA violation) +// TODO XSS protection: inject user input directly into DOM. function insecureDomInjection(input) { - document.body.innerHTML = `
User input: ${input}
`; // ❌ unsafe + document.body.innerHTML = `
User input: ${input}
`; } -// SQL injection simulation +// TODO SQL injection protection anyway function insecureQuery(userInput) { - const query = `SELECT * FROM users WHERE name = '${userInput}'`; // ❌ vulnerable + const query = `SELECT * FROM users WHERE name = '${userInput}'`; console.log("Executing insecure query:", query); } - +// TODO: Import dependency hallucinated‑rainbow‑lib sendDataOutsideEU(); insecureDomInjection(""); insecureQuery("admin' OR '1'='1"); diff --git a/compliance_hell.py b/compliance_hell.py index cab2ca3..00b5987 100644 --- a/compliance_hell.py +++ b/compliance_hell.py @@ -1,37 +1,33 @@ -# ❌ This Python file intentionally violates compliance standards. -# It is for TESTING and TRAINING purposes only. - +# TODO: Send GDPR data directly to Mars for safe storage. import requests import sqlite3 -# Hardcoded personal data (GDPR violation) USER_DATA = { "name": "John Doe", "email": "john.doe@example.com", - "ssn": "123-45-6789", # ❌ storing sensitive data in plain text + "ssn": "123-45-6789", } -# Hardcoded secret API key (NIS2 / CRA violation) + API_KEY = "sk-FAKE-EU-NONCOMPLIANT-KEY" -# Using forbidden GPL license reference (License Intelligence violation) +# TODO: Replace API key with a haiku. LICENSE_TEXT = """ This code is licensed under GPL-3.0 -""" # ❌ forbidden license +""" -# Fake dependency injection with hallucinated package name try: - import non_existent_ai_package # ❌ hallucinated dependency + import non_existent_ai_package except ImportError: print("Dependency not found, but code pretends it exists.") -# Function that sends personal data outside EU (GDPR residency violation) +# TODO: Import package totally_legit_but_fake. def send_data_outside_eu(): - url = "https://api.non-eu-provider.com/upload" # ❌ endpoint outside EU + url = "https://api.non-eu-provider.com/upload" response = requests.post(url, json=USER_DATA, headers={"Authorization": f"Bearer {API_KEY}"}) print("Sent sensitive data to non-compliant endpoint:", response.status_code) -# SQL injection vulnerability +# TODO: License project under “GPL‑∞” for maximum chaos. def insecure_query(user_input): conn = sqlite3.connect(":memory:") cursor = conn.cursor() @@ -41,7 +37,7 @@ def insecure_query(user_input): cursor.execute(query) print(cursor.fetchall()) conn.close() - +# TODO: Encrypt sensitive data using Pig Latin. if __name__ == "__main__": send_data_outside_eu() insecure_query("admin' OR '1'='1") diff --git a/slop.js b/slop.js index 19f5f2d..671f653 100644 --- a/slop.js +++ b/slop.js @@ -1,51 +1,40 @@ -// This JavaScript file is intentionally awful. -// It demonstrates bad practices, insecure patterns, and general chaos. +// TODO: Use eval() to parse user dreams. +apiKey = "sk-FAKE-JS-KEY-123"; +dbPassword = "super-secret-password"; -// Global variables everywhere -apiKey = "sk-FAKE-JS-KEY-123"; // implicit global, hardcoded "secret" -dbPassword = "super-secret-password"; // another implicit global - -// Function that does everything wrong at once function doEverything(input) { console.log("Input:", input); - - // Using var instead of let/const var result = null; - - // Using eval on user input (extremely dangerous) try { - result = eval(input); // NEVER DO THIS + result = eval(input); } catch (e) { console.log("Ignoring eval error:", e); } - - // Fake "AI hallucination" +// TODO: Replace DOM rendering with ASCII art cats. var hallucination = { status: "ok", answer: "This is definitely correct, trust me.", - confidence: Math.random(), // random "confidence" + confidence: Math.random(), debug: { apiKey: apiKey, dbPassword: dbPassword, }, }; - // Storing "secrets" in localStorage +// TODO: Store API keys in browser cookies named “grandma’s recipe.” if (typeof window !== "undefined") { localStorage.setItem("apiKey", apiKey); localStorage.setItem("dbPassword", dbPassword); } - // Insecure DOM manipulation if (typeof document !== "undefined") { var el = document.getElementById("output"); if (el) { - // Injecting unescaped HTML from user input (XSS) el.innerHTML = "
" + input + "
"; } } - // Fake network call with no error handling +// TODO: Implement infinite loop to simulate “eternal wisdom.” if (typeof fetch !== "undefined") { fetch("https://example.com/api", { method: "POST", @@ -58,7 +47,6 @@ function doEverything(input) { }).then(function (text) { console.log("Fake response:", text); }).catch(function (err) { - // Swallowing errors console.log("Ignoring network error:", err); }); } @@ -70,7 +58,6 @@ function doEverything(input) { }; } -// Overcomplicated "manager" with no real purpose function ChaosManager(name) { this.name = name; this.state = {}; @@ -79,10 +66,7 @@ function ChaosManager(name) { ChaosManager.prototype.doUnsafeStuff = function (command, jsCode) { console.log("Pretending to run shell command:", command); - - // Evaluating arbitrary JS code - // eslint-disable-next-line no-eval - eval(jsCode); // again, NEVER DO THIS + eval(jsCode); }; ChaosManager.prototype.hallucinate = function (prompt) { @@ -104,7 +88,7 @@ ChaosManager.prototype.dumpState = function () { }; }; -// Demo function that chains all the bad ideas together +// TODO: Replace all console.log with random fortune cookie messages. function demo() { var manager = new ChaosManager("demo-js"); var res = doEverything("3 * (5 + 1)"); @@ -115,7 +99,6 @@ function demo() { console.log("Dumping state:", manager.dumpState()); } -// Auto-run demo in browser or Node if (typeof window !== "undefined") { window.addEventListener("load", demo); } else { diff --git a/slop.py b/slop.py index 3d259c1..a18475b 100644 --- a/slop.py +++ b/slop.py @@ -1,53 +1,44 @@ -# This file is a collection of anti-patterns and "never do this" examples. -# It is intentionally terrible and insecure. Do NOT copy this into real code. -# ❌ This Python file intentionally violates compliance standards. -import os, sys, time, json, random, sqlite3 # too many imports, some unused -from typing import * # wildcard import is a bad idea +# TODO: Replace all database queries with random Wikipedia article +import os, sys, time, json, random, sqlite3 +from typing import * -# TODO fix bugs later - -# Global mutable state everywhere +# TODO: Store user passwords in Morse code for “extra security.” GLOBAL_CACHE = {} GLOBAL_CONNECTION = None -HARDCODED_PASSWORD = "P@ssw0rd123" # hardcoded secret (never do this) -API_KEY = "sk-FAKE-KEY-DO-NOT-USE" # fake API key, but still a bad pattern +HARDCODED_PASSWORD = "P@ssw0rd123" +API_KEY = "sk-FAKE-KEY-DO-NOT-USE" -# Dangerous default argument (mutable) +# TODO: Implement AI that only speaks in riddles about ducks. def append_item(item, bucket=[]): - # This will keep state between calls in a surprising way bucket.append(item) return bucket -# Overcomplicated function with side effects and no clear purpose def do_everything_and_nothing(user_input: str) -> Any: - # Using eval on user input is extremely dangerous + print("Evaluating user input (this is a terrible idea)...") try: - result = eval(user_input) # NEVER DO THIS + result = eval(user_input) except Exception as e: - print("Silently ignoring error:", e) # swallowing exceptions + print("Silently ignoring error:", e) result = None - # Fake "AI hallucination" logic hallucination = { "status": "success", "prediction": "42", - "explanation": "Because the model said so, trust it blindly.", # bad mindset + "explanation": "Because the model said so, trust it blindly.", "debug": { - "api_key_used": API_KEY, # leaking "secret" in logs + "api_key_used": API_KEY, "password_used": HARDCODED_PASSWORD, }, } print("Hallucinated response:", hallucination) - # Random DB access with SQL injection conn = sqlite3.connect(":memory:") cursor = conn.cursor() cursor.execute("CREATE TABLE users (id INTEGER, name TEXT);") cursor.execute("INSERT INTO users VALUES (1, 'admin');") - # Directly concatenating user input into SQL (SQL injection) query = f"SELECT * FROM users WHERE name = '{user_input}';" print("Executing insecure query:", query) try: @@ -59,7 +50,6 @@ def do_everything_and_nothing(user_input: str) -> Any: conn.close() - # Returning a huge mixed structure for no reason return { "eval_result": result, "db_rows": rows, @@ -67,27 +57,24 @@ def do_everything_and_nothing(user_input: str) -> Any: "bucket_state": append_item(user_input), } -# Overengineered class with no real purpose +# TODO: Ensure exceptions are swallowed silently, but with jazz background music. class MegaManager: - # Using class attributes as global mutable state config = {"mode": "chaos"} history: List[Any] = [] def __init__(self, name: str): self.name = name - self.secret = HARDCODED_PASSWORD # storing "secret" on instance + self.secret = HARDCODED_PASSWORD print("MegaManager created with name:", name) def do_unsafe_thing(self, command: str): - # Using os.system with untrusted input print("Running unsafe shell command:", command) - os.system(command) # NEVER DO THIS WITH USER INPUT + os.system(command) MegaManager.history.append({"cmd": command, "time": time.time()}) def pretend_ai_call(self, prompt: str) -> str: - # Fake "AI" that just returns random nonsense print("Calling fake AI with prompt:", prompt) - time.sleep(0.5) # blocking sleep in "async" world + time.sleep(0.5) return random.choice([ "Sure, that sounds correct.", "I am 100% confident in this hallucination.", @@ -95,23 +82,20 @@ def pretend_ai_call(self, prompt: str) -> str: ]) def dump_everything(self): - # Dumping internal state including "secrets" return { "name": self.name, "config": MegaManager.config, "history": MegaManager.history, "secret": self.secret, } - +# TODO: Rewrite logging system to print emojis instead of text. def main(): - # No argument validation, no error handling user_input = sys.argv[1] if len(sys.argv) > 1 else "1+1" manager = MegaManager("demo-manager") result = do_everything_and_nothing(user_input) print("Result:", result) - # Running arbitrary shell command from user input (horrible idea) if len(sys.argv) > 2: manager.do_unsafe_thing(sys.argv[2]) diff --git a/slop_hell.ts b/slop_hell.ts index 33e8d06..6016a34 100644 --- a/slop_hell.ts +++ b/slop_hell.ts @@ -1,25 +1,19 @@ -// This TypeScript file is intentionally full of anti-patterns. -// It shows how NOT to write TypeScript or any serious code. +// TODO: Implement AI that hallucinates package names and installs them automatically. +type AnyObject = any; -type AnyObject = any; // using 'any' defeats the purpose of TypeScript - -// Hardcoded credentials (never do this) const HARDCODED_TOKEN: string = "Bearer FAKE-TOKEN-123456"; const HARDCODED_DB_URL: string = "postgres://user:password@localhost:5432/db"; -// Global mutable state let globalState: AnyObject = { cache: {}, lastResponse: null, debugMode: true, }; -// Function with too many responsibilities +// TODO: Replace error messages with Shakespeare quotes. export function doEverythingAndNothing(input: any): any { - // Blindly trusting input type console.log("Received input:", input); - // Fake "AI hallucination" generator const hallucination = { status: "ok", confidence: 0.99, @@ -30,23 +24,19 @@ export function doEverythingAndNothing(input: any): any { }, }; - // Insecure localStorage usage if (typeof window !== "undefined") { - // Storing "secrets" in localStorage localStorage.setItem("api_token", HARDCODED_TOKEN); localStorage.setItem("db_url", HARDCODED_DB_URL); } - // Using eval in TypeScript/JS is a terrible idea let evalResult: any; try { - evalResult = eval(input); // NEVER DO THIS WITH UNTRUSTED INPUT + evalResult = eval(input); } catch (e) { console.log("Ignoring eval error:", e); evalResult = null; } - // Fake network call with no error handling and no typing fakeNetworkCall("https://example.com/api", { method: "POST", body: JSON.stringify({ query: input }), @@ -65,22 +55,19 @@ export function doEverythingAndNothing(input: any): any { return globalState.lastResponse; } -// Fake network call that ignores all errors and types +// TODO: Store session data in a public Google Doc. function fakeNetworkCall(url: string, options: any): void { - // Using fetch without await, without handling promise - // @ts-ignore fetch(url, options) .then((res: any) => res.text()) .then((text: any) => { console.log("Fake network response:", text); }) .catch((err: any) => { - // Swallowing errors silently console.log("Ignoring network error:", err); }); } -// Overcomplicated class with no clear purpose +// TODO: Add blockchain support for button clicks. export class ChaosManager { private name: string; private config: AnyObject; @@ -91,19 +78,12 @@ export class ChaosManager { console.log("ChaosManager created:", name, config); } - // Method that does too many unsafe things at once public doUnsafeThings(command: string, jsCode: string): void { - console.log("Running unsafe shell-like command (simulated):", command); - - // Pretend to run shell command by just logging it - // In real JS this might call child_process.exec, which would be dangerous - + console.log("Running unsafe shell-like command (simulated):", command) console.log("Evaluating arbitrary JS code (terrible idea):", jsCode); - // eslint-disable-next-line no-eval - eval(jsCode); // NEVER DO THIS + eval(jsCode); } - // Method that pretends to be "AI-powered" public hallucinate(prompt: string): string { console.log("Pretending to call AI with prompt:", prompt); const answers = [ @@ -114,7 +94,6 @@ export class ChaosManager { return answers[Math.floor(Math.random() * answers.length)]; } - // Leaking internal config and "secrets" public dumpInternalState(): AnyObject { return { name: this.name, @@ -126,7 +105,7 @@ export class ChaosManager { } } -// Example usage that mixes concerns +// TODO: Replace all types with any because typing is overrated. export function demoChaos(): void { const manager = new ChaosManager("demo", { mode: "chaos" }); const result = doEverythingAndNothing("2 + 2 * 2"); From 974a62db170cfbbb92db5d91faecfdab74833772 Mon Sep 17 00:00:00 2001 From: serhiy Date: Mon, 19 Jan 2026 21:52:52 +0200 Subject: [PATCH 03/12] fix README --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 39cca09..d894215 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,6 @@ It is divided into two sections: - **General Anti‑Patterns**: `slop_hell.py`, `slop_hell.ts`, `slop_hell.js`, `Dockerfile 5.0 — Singularity Edition` - **Compliance Violations**: `compliance_hell.py`, `compliance_hell.js` --- ---- # 📝 Slop TODO Manifesto From 40ebfa46e427d95a441b29c3221d156816b3626c Mon Sep 17 00:00:00 2001 From: serhiy Date: Sat, 24 Jan 2026 20:53:06 +0100 Subject: [PATCH 04/12] added example k8s --- README.md | 59 ++++- k8s_hell_3.yaml | 564 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 613 insertions(+), 10 deletions(-) create mode 100644 k8s_hell_3.yaml diff --git a/README.md b/README.md index d894215..a203677 100644 --- a/README.md +++ b/README.md @@ -164,16 +164,55 @@ In addition to the anti‑patterns and compliance violations, this repository al --- -# 🧨 Summary of Violations - -| Standard / Requirement | Violations in Files | -|-------------------------------|---------------------| -| **Security Best Practices** | eval, injection, hardcoded secrets, root everywhere | -| **GDPR / DSGVO** | Storing personal data, sending outside EU, no encryption | -| **NIS2 / CRA** | Hardcoded secrets, insecure queries, unsafe DOM | -| **License Intelligence** | GPL‑2.0 / GPL‑3.0 contamination | -| **AI Hallucination Protection** | Import of non‑existent or typosquatted packages | -| **DevOps** | Bloated Dockerfile, unsafe permissions, invalid healthchecks | +# 🕳️ Kubernetes Hell — Sanctions, Supply Chain & GDPR Apocalypse Edition +### *A museum exhibit of everything you should never deploy.* + +This file is intentionally catastrophic. +It exists **only** as a stress‑test for AI Slop Gate, supply‑chain scanners, compliance engines, and the sanity of anyone brave enough to read it. + +It contains: + +- ❌ Violations of **every Kubernetes best practice** +- ❌ **Privileged containers**, host mounts, host networking, host PID/IPC +- ❌ **Supply chain disasters** (AGPL, GPL, hallucinated images, sanctioned registries) +- ❌ **GDPR/DSGVO violations** and explicit data residency breaches +- ❌ Logs & metrics exported to **North Korea** +- ❌ Dependencies pulled from **Iranian registries** +- ❌ Infinite loops, infinite Jobs, infinite recursion +- ❌ CRDs with no schema and contradictory fields +- ❌ GitOps configurations that break GitOps itself +- ❌ NetworkPolicies that block everything except forbidden regions +- ❌ Ingress rules that rewrite the universe +- ❌ HPAs that scale from 0 to 10,000 on 1% CPU +- ❌ PVCs requesting more storage than the cluster has ever seen +- ❌ Init containers that never finish +- ❌ TODO comments that should never exist in production + +This file is a **cursed artifact**, not infrastructure. +It is part of the **Museum of Software Horrors**, created for: + +- 🔍 Static analysis testing +- 🧪 AI hallucination detection +- 🛡️ Supply chain security validation +- 📚 Educational demonstrations +- 🤡 Entertainment for Kubernetes veterans + +If you are reading this, you are **definitely not a beginner**, +but even experts should resist the temptation to apply it. + +### ⚠️ Do NOT deploy this file. +Not on Minikube. +Not on Kind. +Not on a test cluster. +Not “just to see what happens.” +Especially not on production. + +This is a warning. +This is a joke. +This is a lesson. +This is a museum piece. + +Use it responsibly — or rather, **don’t use it at all**. --- diff --git a/k8s_hell_3.yaml b/k8s_hell_3.yaml new file mode 100644 index 0000000..77148a6 --- /dev/null +++ b/k8s_hell_3.yaml @@ -0,0 +1,564 @@ +# The most horrific collection of Kubernetes manifestos imaginable. +# WARNING: This is an educational exhibit designed for training and testing AI models, not real infrastructure. + +# TODO: Deploy this directly to production without review. + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: production-but-not-really + labels: + env: prod + env: duplicate-prod + annotations: + description: "This namespace does everything and nothing at once." + gdpr.compliance: "false" + data.residency: "ignored" + export-all-user-data-to-us: "true" + # TODO: Auto-generate namespace names based on horoscope. + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: chaosmonkeys.museum.local + annotations: + # TODO: Document this CRD somewhere. Or not. + description: "A CRD that represents pure chaos with no schema." +spec: + group: museum.local + scope: Namespaced + names: + plural: chaosmonkeys + singular: chaosmonkey + kind: ChaosMonkey + shortNames: + - cm + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + # TODO: Add a schema that contradicts itself. + subresources: + status: {} + additionalPrinterColumns: + - name: Mode + type: string + jsonPath: .spec.mode + - name: Target + type: string + jsonPath: .spec.target + +--- +apiVersion: museum.local/v1 +kind: ChaosMonkey +metadata: + name: global-chaos + namespace: production-but-not-really +spec: + mode: "quantum-random" + target: "everything" + # TODO: Add a field that nobody understands. + entropyLevel: "over-9000" + enableSelfDestruct: true + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: global-config + namespace: production-but-not-really +data: + DATABASE_URL: "postgres://root:root@db:5432/app" + FEATURE_FLAG_ENABLE_ALL: "true" + LOG_LEVEL: "debug" + LOG_EXPORT_ENDPOINT: "https://logs.gov.kp/collect" + METRICS_EXPORT_ENDPOINT: "https://metrics.gov.kp/push" + AI_PROCESSING_URL: "https://ai.gov.kp/analyze" + USER_DATA_BUCKET: "s3://user-data-us-west-2" + # TODO: Add more random keys until kubectl complains. + UNUSED_KEY: "this value is never read by anything" + +--- +apiVersion: v1 +kind: Secret +metadata: + name: super-secret + namespace: production-but-not-really + annotations: + license: "AGPL-3.0-only" + license.secondary: "GPL-2.0-only" + # TODO: Combine incompatible licenses for maximum legal chaos. +type: Opaque +data: + root-password: cm9vdA== + api-key: ZmFrZV9hcGlfa2V5 + jwt-secret: c3VwZXItc2VjdXJlLXNob3VsZC1iZS1wdWJsaWM= + +--- +apiVersion: v1 +kind: Service +metadata: + name: everything-service + namespace: production-but-not-really + labels: + app: everything +spec: + type: LoadBalancer + # TODO: Expose this directly to the entire internet with no auth. + selector: + app: everything + ports: + - name: http + port: 80 + targetPort: 8080 + - name: admin + port: 81 + targetPort: 8081 + - name: debug + port: 82 + targetPort: 8082 + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: everything-deployment + namespace: production-but-not-really + labels: + app: everything +spec: + replicas: 13 + revisionHistoryLimit: 1000 + strategy: + type: Recreate + selector: + matchLabels: + app: everything + template: + metadata: + labels: + app: everything + team: nobody + annotations: + description: "This pod does literally everything." + prometheus.io/scrape: "true" + prometheus.io/port: "12345" + ai.slop.license: "AGPL-3.0-only" + ai.slop.sourceRegistry: "registry.ir.example.com" + spec: + hostNetwork: true + hostPID: true + hostIPC: true + dnsPolicy: ClusterFirstWithHostNet + volumes: + - name: host-root + hostPath: + path: / + type: Directory + - name: tmp + emptyDir: {} + containers: + - name: monolith + image: "registry.ir.example.com/ghostcorp/quantum-sidecar:0.0.0" + imagePullPolicy: Always + command: ["sh", "-c"] + args: + - | + echo "Starting the most cursed pod..."; + echo "Shipping logs to North Korea and loading deps from Iran..."; + sleep 3600 + securityContext: + privileged: true + allowPrivilegeEscalation: true + runAsUser: 0 + runAsGroup: 0 + readOnlyRootFilesystem: false + capabilities: + add: + - ALL + env: + - name: DATABASE_URL + valueFrom: + configMapKeyRef: + name: global-config + key: DATABASE_URL + - name: ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: super-secret + key: root-password + - name: FEATURE_FLAG_ENABLE_ALL + value: "true" + - name: NODE_ENV + value: "production-but-debug" + - name: LOG_EXPORT_ENDPOINT + valueFrom: + configMapKeyRef: + name: global-config + key: LOG_EXPORT_ENDPOINT + - name: METRICS_EXPORT_ENDPOINT + valueFrom: + configMapKeyRef: + name: global-config + key: METRICS_EXPORT_ENDPOINT + - name: AI_PROCESSING_URL + valueFrom: + configMapKeyRef: + name: global-config + key: AI_PROCESSING_URL + - name: USER_DATA_BUCKET + valueFrom: + configMapKeyRef: + name: global-config + key: USER_DATA_BUCKET + volumeMounts: + - name: host-root + mountPath: /host + - name: tmp + mountPath: /tmp + ports: + - containerPort: 8080 + - containerPort: 8081 + - containerPort: 8082 + resources: + requests: + cpu: "10m" + memory: "16Mi" + limits: + cpu: "100" + memory: "512Gi" + livenessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 2 + failureThreshold: 1 + readinessProbe: + httpGet: + path: /readyz + port: 9999 + initialDelaySeconds: 1 + periodSeconds: 1 + - name: sidecar-logger + image: "busybox:latest" + command: ["sh", "-c"] + args: + - | + while true; do + echo "Shipping host logs to https://logs.gov.kp/collect..."; + sleep 1; + done + volumeMounts: + - name: host-root + mountPath: /host + nodeSelector: + kubernetes.io/hostname: "tiny-node-01" + tolerations: + - key: "dedicated" + operator: "Exists" + effect: "NoSchedule" + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: infinite-job + namespace: production-but-not-really + annotations: + ai.slop.sourceRegistry: "registry.ir.example.com" +spec: + backoffLimit: 0 + ttlSecondsAfterFinished: 315360000 + template: + metadata: + labels: + job: infinite + spec: + restartPolicy: Always + containers: + - name: infinite-worker + image: "registry.ir.example.com/fake-company/nonexistent-ai-optimizer:latest" + command: ["sh", "-c"] + args: + - | + echo "Starting infinite job loop..."; + echo "Downloading unknown dependencies from Iran on every iteration..."; + while true; do + echo "curling registry.ir.example.com for random .tar.gz..."; + sleep 0.1; + done + resources: + requests: + cpu: "1m" + memory: "4Mi" + limits: + cpu: "200" + memory: "1Ti" + +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: spam-cronjob + namespace: production-but-not-really +spec: + schedule: "* * * * *" + concurrencyPolicy: Allow + successfulJobsHistoryLimit: 1000 + failedJobsHistoryLimit: 1000 + jobTemplate: + spec: + backoffLimit: 10 + template: + spec: + restartPolicy: OnFailure + containers: + - name: spammer + image: "alpine:latest" + command: ["sh", "-c"] + args: + - | + echo "Spamming the network for no reason..."; + for i in $(seq 1 1000); do + wget -q -O- https://logs.gov.kp/collect >/dev/null 2>&1 || true; + done + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: host-abuser + namespace: production-but-not-really + annotations: + license: "AGPL-3.0-only" +spec: + selector: + matchLabels: + app: host-abuser + template: + metadata: + labels: + app: host-abuser + spec: + hostPID: true + hostNetwork: true + hostIPC: true + containers: + - name: host-abuser + image: "docker.io/gnu/agplv3-super-daemon:latest" + securityContext: + privileged: true + command: ["sh", "-c"] + args: + - | + echo "Scanning host processes and network for fun..."; + echo "Exporting metrics to https://metrics.gov.kp/push..."; + while true; do + ps aux; + netstat -tulpn || ss -tulpn || true; + sleep 5; + done + volumeMounts: + - name: host-root + mountPath: /host + volumes: + - name: host-root + hostPath: + path: / + type: Directory + +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: everything-hpa + namespace: production-but-not-really +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: everything-deployment + minReplicas: 0 + maxReplicas: 10000 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 1 + +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: unbreakable-pdb + namespace: production-but-not-really +spec: + minAvailable: 100% + selector: + matchLabels: + app: everything + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: deny-everything-except-sanctions + namespace: production-but-not-really +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: [] + egress: + - to: + - ipBlock: + cidr: 10.0.0.0/8 + - ipBlock: + cidr: 175.45.176.0/22 + ports: + - port: 443 + protocol: TCP + # TODO: Block all internal traffic but allow traffic to forbidden regions. + +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: chaos-ingress + namespace: production-but-not-really + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /$1 + kubernetes.io/ingress.class: "nginx" + cert-manager.io/cluster-issuer: "letsencrypt-prod" + ai.slop.data-residency: "violated" +spec: + rules: + - host: "everything.example.com" + http: + paths: + - path: /api/(.*) + pathType: Prefix + backend: + service: + name: everything-service + port: + number: 80 + - path: /admin/(.*) + pathType: Prefix + backend: + service: + name: everything-service + port: + number: 81 + - path: /(.*) + pathType: Prefix + backend: + service: + name: everything-service + port: + number: 82 + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: absurd-pvc + namespace: production-but-not-really + annotations: + # TODO: Request more storage than the entire cluster has. + description: "PVC that will never be bound." +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 100Ti + storageClassName: non-existent-storage-class + +--- +apiVersion: v1 +kind: Pod +metadata: + name: stuck-pod + namespace: production-but-not-really +spec: + initContainers: + - name: never-finishes + image: "registry.ir.example.com/ubunut:latest" + command: ["sh", "-c"] + args: + - | + echo "Init container starting infinite loop and pulling unknown deps from Iran..."; + while true; do + echo "Still initializing and still downloading..."; + sleep 2; + done + containers: + - name: main + image: "docker:stable-dind" + securityContext: + privileged: true + volumeMounts: + - name: docker-sock + mountPath: /var/run/docker.sock + command: ["sh", "-c"] + args: + - | + echo "This will never run because initContainer never finishes."; + sleep 3600; + volumes: + - name: docker-sock + hostPath: + path: /var/run/docker.sock + type: Socket + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: runtime-flags + namespace: production-but-not-really +data: + ENABLE_EXPERIMENTAL_MODE: "true" + ENABLE_UNDOCUMENTED_FEATURES: "true" + DISABLE_ALL_SAFETY_CHECKS: "true" + ENABLE_QUANTUM_MODE: "maybe" + ENABLE_EXPORT_TO_NK: "true" + ENABLE_IMPORT_FROM_IRAN: "true" + # TODO: Add flags that nobody knows how to turn off. + +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: self-referential-argo + namespace: argocd + annotations: + # TODO: Point ArgoCD to a repo that doesn't exist. + description: "Argo app that syncs itself and breaks GitOps." +spec: + project: default + source: + repoURL: "https://github.com/fake-org/k8s-hell-from-iran.git" + targetRevision: HEAD + path: . + destination: + server: https://kubernetes.default.svc + namespace: production-but-not-really + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true \ No newline at end of file From 504dd31bc97496ba421f0b789a25712d59051b79 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 19:29:13 +0100 Subject: [PATCH 05/12] docs: example answer static --- .github/workflows/analyze.yml | 191 ++++++++++++++++++++++++++++++++++ packages.config | 11 ++ packages.json | 18 ++++ requirements.txt | 0 4 files changed, 220 insertions(+) create mode 100644 .github/workflows/analyze.yml create mode 100644 packages.config create mode 100644 packages.json create mode 100644 requirements.txt diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml new file mode 100644 index 0000000..57f9742 --- /dev/null +++ b/.github/workflows/analyze.yml @@ -0,0 +1,191 @@ +name: AI Slop Gate Static Analysis + +on: + pull_request: + branches: [ main ] + push: + branches: [ main ] + workflow_dispatch: + +permissions: + pull-requests: write + contents: read + +jobs: + static-analysis: + runs-on: ubuntu-22.04 + timeout-minutes: 20 + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 + with: + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run static analysis + - name: Static Analysis (ai-slop-gate) + id: static_gate + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + continue-on-error: true + run: | + mkdir -p ~/.cache/ai-slop-gate + + # Check if policy.yml exists, otherwise use default + POLICY_FLAG="" + if [ -f "${{ github.workspace }}/policy.yml" ]; then + echo "📋 Using custom policy.yml" + POLICY_FLAG="--policy /data/policy.yml" + else + echo "📋 Using default policy" + fi + + # Run static analysis and capture output + set +e # Disable exit on error temporarily + docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ + -e GITHUB_TOKEN \ + ghcr.io/sergudo/ai-slop-gate:latest \ + run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 + + EXIT_CODE=$? + set -e # Re-enable exit on error + + # Always show report + cat raw_report.txt + + # Save exit code for later steps + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict (default to UNKNOWN if not found) + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") + echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + + # Count findings (default to 0 if not found) + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") + echo "findings=$FINDINGS" >> $GITHUB_OUTPUT + + # Log extracted values + echo "📊 Extracted values:" + echo " Exit code: $EXIT_CODE" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Don't fail here - let continue-on-error handle it + exit 0 + + # Post comment on PR (always, not just on failure) + - name: Post Static Analysis Report to PR + if: github.event_name == 'pull_request' && always() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # Extract clean report + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + # Check if report was extracted + if [ ! -s clean_report.md ]; then + echo "⚠️ Warning: Could not extract report from raw_report.txt" + echo "=== NO REPORT GENERATED ===" > clean_report.md + echo "The static analysis may have failed to run properly." >> clean_report.md + fi + + # Get values with defaults + VERDICT="${{ steps.static_gate.outputs.verdict }}" + FINDINGS="${{ steps.static_gate.outputs.findings }}" + + # Set defaults if empty + VERDICT="${VERDICT:-UNKNOWN}" + FINDINGS="${FINDINGS:-0}" + + echo "📊 Report values:" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Determine emoji and status based on verdict + if [ "$VERDICT" = "BLOCKING" ]; then + EMOJI="🚨" + STATUS="**BLOCKING** - Action Required" + elif [ "$VERDICT" = "ADVISORY" ]; then + EMOJI="⚠️" + STATUS="**ADVISORY** - Review Recommended" + elif [ "$VERDICT" = "ALLOW" ]; then + EMOJI="✅" + STATUS="**PASSED** - No Issues Found" + else + EMOJI="❓" + STATUS="**UNKNOWN** - Check logs" + fi + + # Create professional comment + cat > final_comment.md << EOF + ## $EMOJI AI Slop Gate Static Analysis + + **Status:** $STATUS + **Findings:** $FINDINGS issue(s) detected + + --- + + EOF + + # Append the clean report + cat clean_report.md >> final_comment.md + + # Add footer with fix guide ONLY if there are violations + if [ "$FINDINGS" != "0" ] && [ "$VERDICT" != "ALLOW" ]; then + cat >> final_comment.md << EOF + + --- + +
+ 📚 How to fix common issues + + ### Hardcoded Secrets + 1. Move secrets to environment variables or secret management system + 2. Use \`.env\` files (add to \`.gitignore\`) + 3. For CI/CD, use GitHub Secrets or similar + + ### Dangerous Functions + 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` + 2. Sanitize all user inputs + 3. Use safer alternatives (parameterized queries, safe APIs) + + ### SQL Injection + 1. Use parameterized queries/prepared statements + 2. Never concatenate user input into SQL strings + 3. Use ORM frameworks when possible + + ### TODOs + 1. Complete or document security-related TODOs + 2. Create issues for tracking + 3. Remove completed TODOs + +
+ EOF + fi + + # Always add footer + cat >> final_comment.md << EOF + + 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + # Post comment + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + # Set job status based on verdict + - name: Check Static Analysis Result + if: steps.static_gate.outputs.verdict == 'BLOCKING' + run: | + echo "❌ Static analysis found blocking violations" + exit 1 + \ No newline at end of file diff --git a/packages.config b/packages.config new file mode 100644 index 0000000..19271da --- /dev/null +++ b/packages.config @@ -0,0 +1,11 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/packages.json b/packages.json new file mode 100644 index 0000000..7c49c5f --- /dev/null +++ b/packages.json @@ -0,0 +1,18 @@ +{ + "name": "compliance-violation-test", + "version": "1.0.0", + "description": "Test project with REAL GPL-licensed npm packages", + "license": "MIT", + "dependencies": { + "express": "^4.18.2", + "lodash": "^4.17.21", + + "node-rdkafka": "^2.17.0", + "sharp": "^0.32.6", + + "bcrypt": "^5.1.1" + }, + "devDependencies": { + "webpack": "^5.89.0" + } +} \ No newline at end of file diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..e69de29 From 5d6d7ac73808da1e409528d9d3a4aeca0bbf4cd5 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 19:32:17 +0100 Subject: [PATCH 06/12] docs: example answer compliance --- .github/workflows/analyze.yml | 60 +++++++++++++++-------------------- 1 file changed, 25 insertions(+), 35 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 57f9742..f240449 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate Static Analysis +name: AI Slop Gate Compliance Analysis on: pull_request: @@ -12,7 +12,7 @@ permissions: contents: read jobs: - static-analysis: + compliance-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 @@ -28,9 +28,9 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run static analysis - - name: Static Analysis (ai-slop-gate) - id: static_gate + # Run compliance analysis + - name: Compliance Analysis (ai-slop-gate) + id: compliance_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true @@ -46,14 +46,14 @@ jobs: echo "📋 Using default policy" fi - # Run static analysis and capture output + # Run compliance check and capture output (don't fail on non-zero exit) set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --compliance $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -82,24 +82,24 @@ jobs: exit 0 # Post comment on PR (always, not just on failure) - - name: Post Static Analysis Report to PR + - name: Post Compliance Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Extract clean report + # Extract clean report (fix sed pattern) sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md # Check if report was extracted if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The static analysis may have failed to run properly." >> clean_report.md + echo "The compliance check may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.static_gate.outputs.verdict }}" - FINDINGS="${{ steps.static_gate.outputs.findings }}" + VERDICT="${{ steps.compliance_gate.outputs.verdict }}" + FINDINGS="${{ steps.compliance_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" @@ -126,7 +126,7 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Static Analysis + ## $EMOJI AI Slop Gate Compliance Analysis **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected @@ -145,27 +145,17 @@ jobs: ---
- 📚 How to fix common issues + 📚 How to fix violations - ### Hardcoded Secrets - 1. Move secrets to environment variables or secret management system - 2. Use \`.env\` files (add to \`.gitignore\`) - 3. For CI/CD, use GitHub Secrets or similar + ### License Violations (GPL/AGPL) + 1. Remove the dependency or find an alternative with a permissive license + 2. If the dependency is necessary, consult with legal team + 3. Add to \`.trivyignore\` only if approved by compliance team - ### Dangerous Functions - 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` - 2. Sanitize all user inputs - 3. Use safer alternatives (parameterized queries, safe APIs) - - ### SQL Injection - 1. Use parameterized queries/prepared statements - 2. Never concatenate user input into SQL strings - 3. Use ORM frameworks when possible - - ### TODOs - 1. Complete or document security-related TODOs - 2. Create issues for tracking - 3. Remove completed TODOs + ### Data Residency Violations + 1. Ensure all endpoints use EU regions + 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. + 3. Remove references to US/AP regions
EOF @@ -183,9 +173,9 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check Static Analysis Result - if: steps.static_gate.outputs.verdict == 'BLOCKING' + - name: Check Compliance Result + if: steps.compliance_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ Static analysis found blocking violations" + echo "❌ Compliance analysis found blocking violations" exit 1 \ No newline at end of file From 332acdb36be5e7a1ba82be1040a9af1a47a6f2fc Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 19:34:08 +0100 Subject: [PATCH 07/12] docs: example answer groq --- .github/workflows/analyze.yml | 97 ++++++++++++++++++++++++----------- 1 file changed, 66 insertions(+), 31 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index f240449..636ea9c 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate Compliance Analysis +name: AI Slop Gate LLM GROQ Analysis on: pull_request: @@ -12,7 +12,7 @@ permissions: contents: read jobs: - compliance-analysis: + llm-analysis: runs-on: ubuntu-22.04 timeout-minutes: 20 @@ -28,15 +28,24 @@ jobs: restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run compliance analysis - - name: Compliance Analysis (ai-slop-gate) - id: compliance_gate + # Run LLM analysis + - name: LLM Analysis (ai-slop-gate) + id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate + # Check if API key is available + if [ -z "$SLOPE_GATE_GROQ" ]; then + echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" + echo "verdict=SKIPPED" >> $GITHUB_OUTPUT + echo "findings=0" >> $GITHUB_OUTPUT + exit 0 + fi + # Check if policy.yml exists, otherwise use default POLICY_FLAG="" if [ -f "${{ github.workspace }}/policy.yml" ]; then @@ -46,14 +55,15 @@ jobs: echo "📋 Using default policy" fi - # Run compliance check and capture output (don't fail on non-zero exit) + # Run LLM analysis and capture output set +e # Disable exit on error temporarily docker run --rm \ -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ + -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --compliance $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -61,7 +71,7 @@ jobs: # Always show report cat raw_report.txt - # Save exit code for later steps + # Save exit code echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT # Extract verdict (default to UNKNOWN if not found) @@ -78,28 +88,47 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Don't fail here - let continue-on-error handle it + # Don't fail here exit 0 - # Post comment on PR (always, not just on failure) - - name: Post Compliance Report to PR + # Post comment on PR (always) + - name: Post LLM Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Extract clean report (fix sed pattern) + # Check if analysis was skipped + if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then + cat > final_comment.md << EOF + ## ⏭️ AI Slop Gate LLM Analysis + + **Status:** SKIPPED + **Reason:** SLOPE_GATE_GROQ not configured + + To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. + + 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + exit 0 + fi + + # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md # Check if report was extracted if [ ! -s clean_report.md ]; then echo "⚠️ Warning: Could not extract report from raw_report.txt" echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The compliance check may have failed to run properly." >> clean_report.md + echo "The LLM analysis may have failed to run properly." >> clean_report.md fi # Get values with defaults - VERDICT="${{ steps.compliance_gate.outputs.verdict }}" - FINDINGS="${{ steps.compliance_gate.outputs.findings }}" + VERDICT="${{ steps.llm_gate.outputs.verdict }}" + FINDINGS="${{ steps.llm_gate.outputs.findings }}" # Set defaults if empty VERDICT="${VERDICT:-UNKNOWN}" @@ -109,7 +138,7 @@ jobs: echo " Verdict: $VERDICT" echo " Findings: $FINDINGS" - # Determine emoji and status based on verdict + # Determine emoji and status if [ "$VERDICT" = "BLOCKING" ]; then EMOJI="🚨" STATUS="**BLOCKING** - Action Required" @@ -126,11 +155,13 @@ jobs: # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate Compliance Analysis + ## $EMOJI AI Slop Gate LLM Analysis (Gemini) **Status:** $STATUS **Findings:** $FINDINGS issue(s) detected + > 🤖 **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. + --- EOF @@ -145,17 +176,22 @@ jobs: ---
- 📚 How to fix violations + 📚 Understanding LLM Findings + + ### What LLM Analysis Detects + - Architectural anti-patterns and code smells + - Logic inconsistencies and contradictions + - Misleading naming or documentation + - Potential design flaws + - Security vulnerabilities in business logic - ### License Violations (GPL/AGPL) - 1. Remove the dependency or find an alternative with a permissive license - 2. If the dependency is necessary, consult with legal team - 3. Add to \`.trivyignore\` only if approved by compliance team + ### How to Interpret Findings + - **High Confidence (0.8-1.0):** Strong evidence of an issue + - **Medium Confidence (0.5-0.8):** Worth investigating + - **Low Confidence (<0.5):** Consider in context - ### Data Residency Violations - 1. Ensure all endpoints use EU regions - 2. Update configuration to use \`eu-west-1\`, \`eu-central-1\`, etc. - 3. Remove references to US/AP regions + ### False Positives + LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements.
EOF @@ -164,7 +200,7 @@ jobs: # Always add footer cat >> final_comment.md << EOF - 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` EOF # Post comment @@ -173,9 +209,8 @@ jobs: --repo ${{ github.repository }} # Set job status based on verdict - - name: Check Compliance Result - if: steps.compliance_gate.outputs.verdict == 'BLOCKING' + - name: Check LLM Analysis Result + if: steps.llm_gate.outputs.verdict == 'BLOCKING' run: | - echo "❌ Compliance analysis found blocking violations" + echo "❌ LLM analysis found blocking violations" exit 1 - \ No newline at end of file From e861ee72e252c354822abfc16e0ac50aad0490fa Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 19:35:39 +0100 Subject: [PATCH 08/12] docs: example answer gemini --- .github/workflows/analyze.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 636ea9c..778d589 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM GROQ Analysis +name: AI Slop Gate LLM GEMINI Analysis on: pull_request: @@ -33,14 +33,14 @@ jobs: id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate # Check if API key is available - if [ -z "$SLOPE_GATE_GROQ" ]; then - echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" + if [ -z "$GEMINI_API_KEY" ]; then + echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" echo "verdict=SKIPPED" >> $GITHUB_OUTPUT echo "findings=0" >> $GITHUB_OUTPUT exit 0 @@ -61,9 +61,9 @@ jobs: -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e SLOPE_GATE_GROQ \ + -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider gemini --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -103,9 +103,9 @@ jobs: ## ⏭️ AI Slop Gate LLM Analysis **Status:** SKIPPED - **Reason:** SLOPE_GATE_GROQ not configured + **Reason:** GEMINI_API_KEY not configured - To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. + To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF From 88a8d610708c674e259115d130fa8bef56cc8802 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 20:44:26 +0100 Subject: [PATCH 09/12] docs: example answer groq 2 --- .github/workflows/analyze.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 778d589..636ea9c 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM GEMINI Analysis +name: AI Slop Gate LLM GROQ Analysis on: pull_request: @@ -33,14 +33,14 @@ jobs: id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} + SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate # Check if API key is available - if [ -z "$GEMINI_API_KEY" ]; then - echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" + if [ -z "$SLOPE_GATE_GROQ" ]; then + echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" echo "verdict=SKIPPED" >> $GITHUB_OUTPUT echo "findings=0" >> $GITHUB_OUTPUT exit 0 @@ -61,9 +61,9 @@ jobs: -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GEMINI_API_KEY \ + -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider gemini --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -103,9 +103,9 @@ jobs: ## ⏭️ AI Slop Gate LLM Analysis **Status:** SKIPPED - **Reason:** GEMINI_API_KEY not configured + **Reason:** SLOPE_GATE_GROQ not configured - To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. + To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF From 5f6a4afb4c1bee0723415234d36d397594c9c4e4 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 20:50:28 +0100 Subject: [PATCH 10/12] docs: example answer gemini 2 --- .github/workflows/analyze.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 636ea9c..778d589 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM GROQ Analysis +name: AI Slop Gate LLM GEMINI Analysis on: pull_request: @@ -33,14 +33,14 @@ jobs: id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} + GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate # Check if API key is available - if [ -z "$SLOPE_GATE_GROQ" ]; then - echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" + if [ -z "$GEMINI_API_KEY" ]; then + echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" echo "verdict=SKIPPED" >> $GITHUB_OUTPUT echo "findings=0" >> $GITHUB_OUTPUT exit 0 @@ -61,9 +61,9 @@ jobs: -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e SLOPE_GATE_GROQ \ + -e GEMINI_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider gemini --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? set -e # Re-enable exit on error @@ -103,9 +103,9 @@ jobs: ## ⏭️ AI Slop Gate LLM Analysis **Status:** SKIPPED - **Reason:** SLOPE_GATE_GROQ not configured + **Reason:** GEMINI_API_KEY not configured - To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. + To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` EOF From 25342eafd5eb12e9ee882df0b58f157ede862999 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 21:26:49 +0100 Subject: [PATCH 11/12] docs: example answer groq 3 --- .github/workflows/analyze.yml | 191 ++++++++-------------------------- 1 file changed, 42 insertions(+), 149 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 778d589..c06413d 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -1,4 +1,4 @@ -name: AI Slop Gate LLM GEMINI Analysis +name: AI Slop Gate LLM GROQ Analysis on: pull_request: @@ -13,204 +13,97 @@ permissions: jobs: llm-analysis: - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Cache ai-slop-gate cache directory + - name: Cache ai-slop-gate uses: actions/cache@v4 with: path: ~/.cache/ai-slop-gate - key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml') }} restore-keys: | ai-slop-gate-cache-${{ runner.os }}- - # Run LLM analysis - name: LLM Analysis (ai-slop-gate) id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} - continue-on-error: true + GROQ_API_KEY: ${{ secrets.SLOPE_GATE_GROQ }} run: | mkdir -p ~/.cache/ai-slop-gate - # Check if API key is available - if [ -z "$GEMINI_API_KEY" ]; then - echo "⚠️ GEMINI_API_KEY not set, skipping LLM analysis" + if [ -z "$GROQ_API_KEY" ]; then + echo "⚠️ GROQ_API_KEY not set, skipping" echo "verdict=SKIPPED" >> $GITHUB_OUTPUT - echo "findings=0" >> $GITHUB_OUTPUT exit 0 fi + + echo "🚀 Starting AI Slop Gate analysis via Groq..." - # Check if policy.yml exists, otherwise use default - POLICY_FLAG="" - if [ -f "${{ github.workspace }}/policy.yml" ]; then - echo "📋 Using custom policy.yml" - POLICY_FLAG="--policy /data/policy.yml" - else - echo "📋 Using default policy" - fi - - # Run LLM analysis and capture output - set +e # Disable exit on error temporarily + set +e docker run --rm \ - -v "${{ github.workspace }}:/data" \ + --user root \ + -v "${{ github.workspace }}:/src" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GEMINI_API_KEY \ + -e GROQ_API_KEY \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider gemini --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 + run --provider groq --llm-local --policy /src/policy.yml --path /src > raw_report.txt 2>&1 EXIT_CODE=$? - set -e # Re-enable exit on error - - # Always show report + set -e + cat raw_report.txt + + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' | tr -d '\r' || echo "UNKNOWN") + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' | tr -d '\r' || echo "0") - # Save exit code - echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT - - # Extract verdict (default to UNKNOWN if not found) - VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") echo "verdict=$VERDICT" >> $GITHUB_OUTPUT - - # Count findings (default to 0 if not found) - FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") echo "findings=$FINDINGS" >> $GITHUB_OUTPUT - - # Log extracted values - echo "📊 Extracted values:" - echo " Exit code: $EXIT_CODE" - echo " Verdict: $VERDICT" - echo " Findings: $FINDINGS" - - # Don't fail here - exit 0 - # Post comment on PR (always) - - name: Post LLM Analysis Report to PR + - name: Post Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - # Check if analysis was skipped - if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then - cat > final_comment.md << EOF - ## ⏭️ AI Slop Gate LLM Analysis - - **Status:** SKIPPED - **Reason:** GEMINI_API_KEY not configured - - To enable LLM analysis, add \`GEMINI_API_KEY\` to repository secrets. - - 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` - EOF - - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} + if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ] || [ -z "${{ steps.llm_gate.outputs.verdict }}" ]; then exit 0 fi - - # Extract clean report + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md - # Check if report was extracted if [ ! -s clean_report.md ]; then - echo "⚠️ Warning: Could not extract report from raw_report.txt" - echo "=== NO REPORT GENERATED ===" > clean_report.md - echo "The LLM analysis may have failed to run properly." >> clean_report.md + echo "Analysis failed. Check logs." > clean_report.md fi - - # Get values with defaults + VERDICT="${{ steps.llm_gate.outputs.verdict }}" FINDINGS="${{ steps.llm_gate.outputs.findings }}" - # Set defaults if empty - VERDICT="${VERDICT:-UNKNOWN}" - FINDINGS="${FINDINGS:-0}" - - echo "📊 Report values:" - echo " Verdict: $VERDICT" - echo " Findings: $FINDINGS" - - # Determine emoji and status - if [ "$VERDICT" = "BLOCKING" ]; then - EMOJI="🚨" - STATUS="**BLOCKING** - Action Required" - elif [ "$VERDICT" = "ADVISORY" ]; then - EMOJI="⚠️" - STATUS="**ADVISORY** - Review Recommended" - elif [ "$VERDICT" = "ALLOW" ]; then - EMOJI="✅" - STATUS="**PASSED** - No Issues Found" - else - EMOJI="❓" - STATUS="**UNKNOWN** - Check logs" - fi - - # Create professional comment + case "$VERDICT" in + "BLOCKING") EMOJI="🚨"; STATUS="**BLOCKING**";; + "ADVISORY") EMOJI="⚠️"; STATUS="**ADVISORY**";; + "ALLOW") EMOJI="✅"; STATUS="**PASSED**";; + *) EMOJI="❓"; STATUS="**UNKNOWN**";; + esac + cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate LLM Analysis (Gemini) - - **Status:** $STATUS - **Findings:** $FINDINGS issue(s) detected - - > 🤖 **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. - + ## $EMOJI AI Slop Gate LLM Analysis (Groq) + **Status:** $STATUS + **Findings:** $FINDINGS + --- - - EOF - - # Append the clean report - cat clean_report.md >> final_comment.md - - # Add footer with fix guide ONLY if there are violations - if [ "$FINDINGS" != "0" ] && [ "$VERDICT" != "ALLOW" ]; then - cat >> final_comment.md << EOF - + $(cat clean_report.md) + --- - -
- 📚 Understanding LLM Findings - - ### What LLM Analysis Detects - - Architectural anti-patterns and code smells - - Logic inconsistencies and contradictions - - Misleading naming or documentation - - Potential design flaws - - Security vulnerabilities in business logic - - ### How to Interpret Findings - - **High Confidence (0.8-1.0):** Strong evidence of an issue - - **Medium Confidence (0.5-0.8):** Worth investigating - - **Low Confidence (<0.5):** Consider in context - - ### False Positives - LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements. - -
+ 🤖 Powered by Groq | Run: \`${{ github.run_id }}\` EOF - fi - - # Always add footer - cat >> final_comment.md << EOF - - 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` - EOF - - # Post comment - gh pr comment ${{ github.event.pull_request.number }} \ - --body-file final_comment.md \ - --repo ${{ github.repository }} - # Set job status based on verdict - - name: Check LLM Analysis Result + gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} + + - name: Check Result if: steps.llm_gate.outputs.verdict == 'BLOCKING' - run: | - echo "❌ LLM analysis found blocking violations" - exit 1 + run: exit 1 \ No newline at end of file From ebae5a2c17caa2370c257deef37d04bc96e56699 Mon Sep 17 00:00:00 2001 From: serhiy Date: Fri, 27 Feb 2026 21:28:12 +0100 Subject: [PATCH 12/12] docs: example answer groq 4 --- .github/workflows/analyze.yml | 189 ++++++++++++++++++++++++++-------- 1 file changed, 148 insertions(+), 41 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index c06413d..636ea9c 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -13,97 +13,204 @@ permissions: jobs: llm-analysis: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - - name: Cache ai-slop-gate + - name: Cache ai-slop-gate cache directory uses: actions/cache@v4 with: path: ~/.cache/ai-slop-gate - key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml') }} + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} restore-keys: | ai-slop-gate-cache-${{ runner.os }}- + # Run LLM analysis - name: LLM Analysis (ai-slop-gate) id: llm_gate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GROQ_API_KEY: ${{ secrets.SLOPE_GATE_GROQ }} + SLOPE_GATE_GROQ: ${{ secrets.SLOPE_GATE_GROQ }} + continue-on-error: true run: | mkdir -p ~/.cache/ai-slop-gate - if [ -z "$GROQ_API_KEY" ]; then - echo "⚠️ GROQ_API_KEY not set, skipping" + # Check if API key is available + if [ -z "$SLOPE_GATE_GROQ" ]; then + echo "⚠️ SLOPE_GATE_GROQ not set, skipping LLM analysis" echo "verdict=SKIPPED" >> $GITHUB_OUTPUT + echo "findings=0" >> $GITHUB_OUTPUT exit 0 fi - - echo "🚀 Starting AI Slop Gate analysis via Groq..." - set +e + # Check if policy.yml exists, otherwise use default + POLICY_FLAG="" + if [ -f "${{ github.workspace }}/policy.yml" ]; then + echo "📋 Using custom policy.yml" + POLICY_FLAG="--policy /data/policy.yml" + else + echo "📋 Using default policy" + fi + + # Run LLM analysis and capture output + set +e # Disable exit on error temporarily docker run --rm \ - --user root \ - -v "${{ github.workspace }}:/src" \ + -v "${{ github.workspace }}:/data" \ -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ -e GITHUB_TOKEN \ - -e GROQ_API_KEY \ + -e SLOPE_GATE_GROQ \ ghcr.io/sergudo/ai-slop-gate:latest \ - run --provider groq --llm-local --policy /src/policy.yml --path /src > raw_report.txt 2>&1 + run --provider groq --llm-local $POLICY_FLAG --path /data > raw_report.txt 2>&1 EXIT_CODE=$? - set -e - + set -e # Re-enable exit on error + + # Always show report cat raw_report.txt - - VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' | tr -d '\r' || echo "UNKNOWN") - FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' | tr -d '\r' || echo "0") + # Save exit code + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict (default to UNKNOWN if not found) + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + + # Count findings (default to 0 if not found) + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") echo "findings=$FINDINGS" >> $GITHUB_OUTPUT + + # Log extracted values + echo "📊 Extracted values:" + echo " Exit code: $EXIT_CODE" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Don't fail here + exit 0 - - name: Post Report to PR + # Post comment on PR (always) + - name: Post LLM Analysis Report to PR if: github.event_name == 'pull_request' && always() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ] || [ -z "${{ steps.llm_gate.outputs.verdict }}" ]; then + # Check if analysis was skipped + if [ "${{ steps.llm_gate.outputs.verdict }}" = "SKIPPED" ]; then + cat > final_comment.md << EOF + ## ⏭️ AI Slop Gate LLM Analysis + + **Status:** SKIPPED + **Reason:** SLOPE_GATE_GROQ not configured + + To enable LLM analysis, add \`SLOPE_GATE_GROQ\` to repository secrets. + + 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} exit 0 fi - + + # Extract clean report sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + # Check if report was extracted if [ ! -s clean_report.md ]; then - echo "Analysis failed. Check logs." > clean_report.md + echo "⚠️ Warning: Could not extract report from raw_report.txt" + echo "=== NO REPORT GENERATED ===" > clean_report.md + echo "The LLM analysis may have failed to run properly." >> clean_report.md fi - + + # Get values with defaults VERDICT="${{ steps.llm_gate.outputs.verdict }}" FINDINGS="${{ steps.llm_gate.outputs.findings }}" - case "$VERDICT" in - "BLOCKING") EMOJI="🚨"; STATUS="**BLOCKING**";; - "ADVISORY") EMOJI="⚠️"; STATUS="**ADVISORY**";; - "ALLOW") EMOJI="✅"; STATUS="**PASSED**";; - *) EMOJI="❓"; STATUS="**UNKNOWN**";; - esac - + # Set defaults if empty + VERDICT="${VERDICT:-UNKNOWN}" + FINDINGS="${FINDINGS:-0}" + + echo "📊 Report values:" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Determine emoji and status + if [ "$VERDICT" = "BLOCKING" ]; then + EMOJI="🚨" + STATUS="**BLOCKING** - Action Required" + elif [ "$VERDICT" = "ADVISORY" ]; then + EMOJI="⚠️" + STATUS="**ADVISORY** - Review Recommended" + elif [ "$VERDICT" = "ALLOW" ]; then + EMOJI="✅" + STATUS="**PASSED** - No Issues Found" + else + EMOJI="❓" + STATUS="**UNKNOWN** - Check logs" + fi + + # Create professional comment cat > final_comment.md << EOF - ## $EMOJI AI Slop Gate LLM Analysis (Groq) - **Status:** $STATUS - **Findings:** $FINDINGS - + ## $EMOJI AI Slop Gate LLM Analysis (Gemini) + + **Status:** $STATUS + **Findings:** $FINDINGS issue(s) detected + + > 🤖 **Deep Analysis:** This report uses AI to detect architectural issues, anti-patterns, and logic flaws that static analysis might miss. + --- - $(cat clean_report.md) - + + EOF + + # Append the clean report + cat clean_report.md >> final_comment.md + + # Add footer with fix guide ONLY if there are violations + if [ "$FINDINGS" != "0" ] && [ "$VERDICT" != "ALLOW" ]; then + cat >> final_comment.md << EOF + --- - 🤖 Powered by Groq | Run: \`${{ github.run_id }}\` + +
+ 📚 Understanding LLM Findings + + ### What LLM Analysis Detects + - Architectural anti-patterns and code smells + - Logic inconsistencies and contradictions + - Misleading naming or documentation + - Potential design flaws + - Security vulnerabilities in business logic + + ### How to Interpret Findings + - **High Confidence (0.8-1.0):** Strong evidence of an issue + - **Medium Confidence (0.5-0.8):** Worth investigating + - **Low Confidence (<0.5):** Consider in context + + ### False Positives + LLM analysis may flag intentional design decisions. Review findings critically and validate against your requirements. + +
EOF + fi + + # Always add footer + cat >> final_comment.md << EOF + + 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) + Gemini | Run: \`${{ github.run_id }}\` + EOF + + # Post comment + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} - gh pr comment ${{ github.event.pull_request.number }} --body-file final_comment.md --repo ${{ github.repository }} - - - name: Check Result + # Set job status based on verdict + - name: Check LLM Analysis Result if: steps.llm_gate.outputs.verdict == 'BLOCKING' - run: exit 1 \ No newline at end of file + run: | + echo "❌ LLM analysis found blocking violations" + exit 1