Skip to content

Security Rules

Flag security-sensitive code changes and potential vulnerabilities.

Rules in this Category

Rule Name Label Severity Description
security-change security-change ๐Ÿ”ด High Changes in security-sensitive areas
risky-code risky-code ๐Ÿ”ด High Dangerous code patterns detected

security-change

Detects changes in security-sensitive code areas.

Detection Logic

Flags changes to files/directories containing:

  • auth / authentication
  • login / logout
  • jwt / token
  • oauth / saml
  • crypto / encryption
  • password / credential
  • session / cookie
  • security / permission

Use Cases

  • ๐Ÿ”’ Require security team review
  • ๐Ÿ”’ Extra scrutiny for auth changes
  • ๐Ÿ”’ Compliance requirements
  • ๐Ÿ”’ Audit trail for sensitive changes

Examples

Changed Files: 

src/auth/login.ts
src/middleware/authentication.ts

Result: ๐Ÿ”ด security-change label applied

Changed Files: 

src/utils/jwt-helper.ts
src/api/token-refresh.ts

Result: ๐Ÿ”ด security-change label applied

Changed Files: 

src/services/password-reset.ts

Result: ๐Ÿ”ด security-change label applied

Configuration

enabled_rules: '["security-change"]'

Workflow Integration

Require security team review:

jobs:
  label:
    uses: workflow-kit/pr-auto-labeler/.github/workflows/pr-auto-labeler.yml@latest
    with:
      enabled_rules: '["security-change"]'

  notify-security-team:
    needs: label
    if: contains(github.event.pull_request.labels.*.name, 'security-change')
    runs-on: ubuntu-latest
    steps:
      - name: Notify Security Team
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.issues.createComment({
              ...context.repo,
              issue_number: context.issue.number,
              body: '๐Ÿ”’ **Security Review Required** โ€” @security-team please review'
            })

risky-code

Detects potentially dangerous code patterns in diffs.

Detection Patterns

Flags these risky APIs and patterns:

Pattern Risk Reason
eval(...) ๐Ÿ”ด Critical Arbitrary code execution
new Function(...) ๐Ÿ”ด Critical Dynamic code generation
child_process ๐Ÿ”ด High Shell command execution
exec(...) / spawn(...) ๐Ÿ”ด High Process spawning
dangerouslySetInnerHTML ๐ŸŸก Medium XSS vulnerability
document.write(...) ๐ŸŸก Medium DOM manipulation
crypto.createCipher ๐ŸŸก Medium Deprecated crypto API

Use Cases

  • ๐Ÿšจ Block dangerous patterns
  • ๐Ÿšจ Security review required
  • ๐Ÿšจ Code audit needed
  • ๐Ÿšจ Alternative solution suggested

Examples

// โŒ Dangerous pattern detected
const result = eval(userInput);

Result: ๐Ÿ”ด risky-code label applied

// โŒ XSS vulnerability
<div dangerouslySetInnerHTML={{__html: userContent}} />

Result: ๐Ÿ”ด risky-code label applied

// โŒ Command injection risk
const { exec } = require('child_process');
exec(`ls ${userInput}`);

Result: ๐Ÿ”ด risky-code label applied

// โœ… Safe: no risky patterns
const result = JSON.parse(userInput);

Result: โŒ No risky-code label

Configuration

enabled_rules: '["risky-code"]'

Automated Blocking

Block PRs with risky code using GitHub Actions:

jobs:
  label:
    uses: workflow-kit/pr-auto-labeler/.github/workflows/pr-auto-labeler.yml@latest
    with:
      enabled_rules: '["risky-code"]'

  block-risky-code:
    needs: label
    if: contains(github.event.pull_request.labels.*.name, 'risky-code')
    runs-on: ubuntu-latest
    steps:
      - name: Block PR
        run: |
          echo "๐Ÿšซ Risky code pattern detected - PR blocked"
          exit 1

Combined Security Configuration

enabled_rules: '[
  "security-change",
  "risky-code",
  "potential-secret-leak",
  "risky-migration"
]'

Security-First Workflow

Complete security-focused configuration:

name: Security Checks

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write

jobs:
  security-labels:
    runs-on: ubuntu-latest
    uses: workflow-kit/pr-auto-labeler/.github/workflows/pr-auto-labeler.yml@latest
    with:
      enabled_rules: '[
        "security-change",
        "risky-code",
        "potential-secret-leak"
      ]'
      enable_debug: true

  security-scan:
    needs: security-labels
    if: |
      contains(github.event.pull_request.labels.*.name, 'security-change') ||
      contains(github.event.pull_request.labels.*.name, 'risky-code')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run security scan
        run: npm run security:scan

  require-review:
    needs: security-labels
    if: |
      contains(github.event.pull_request.labels.*.name, 'security-change') ||
      contains(github.event.pull_request.labels.*.name, 'risky-code')
    runs-on: ubuntu-latest
    steps:
      - name: Request security review
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.pulls.requestReviewers({
              ...context.repo,
              pull_number: context.issue.number,
              reviewers: ['security-lead'],
              team_reviewers: ['security-team']
            })

Best Practices

Security Do's

โœ… Always enable both security rules
โœ… Require manual review for security labels
โœ… Use branch protection for security changes
โœ… Run automated security scans
โœ… Document security decisions in PR comments
โœ… Maintain a security incident response plan

Security Don'ts

โŒ Never bypass security review
โŒ Don't disable security rules to "move faster"
โŒ Don't merge without security team approval
โŒ Don't ignore risky-code warnings
โŒ Don't use eval() or similar patterns

Troubleshooting

False positives?

If legitimate code triggers risky-code:

  1. Document why the pattern is necessary in PR description
  2. Add security review comments
  3. Consider safer alternatives
  4. If no alternative exists, get explicit security team approval

Pattern not detected?

Enable debug mode to see pattern matching:

enable_debug: true

Check the workflow logs for pattern analysis results.

โ† Back to Rules Overview