@theihtisham/review-agent 1.0.0

package/src/reviewers/security.ts

@@ -0,0 +1,205 @@
+import * as core from "@actions/core";
+import { FileDiff, ReviewAgentConfig, ReviewComment, Severity } from "../types";
+import { getChangedLines } from "../utils/diff-parser";
+
+interface SecurityPattern {
+  name: string;
+  pattern: RegExp;
+  message: string;
+  severity: Severity;
+  owasp?: string;
+}
+
+const SECURITY_PATTERNS: SecurityPattern[] = [
+  {
+    name: "sql-injection",
+    pattern:
+      /(?:query|execute|raw)\s*\(\s*(?:['"`]|`[^`]*`|\+|f["']|template)/i,
+    message:
+      "Potential SQL injection: avoid string concatenation or interpolation in queries. Use parameterized queries instead.",
+    severity: "critical",
+    owasp: "A03:2021-Injection",
+  },
+  {
+    name: "sql-string-concat",
+    pattern:
+      /['"`]SELECT\s+.*['"`]\s*\+/i,
+    message:
+      "SQL query built with string concatenation. Use parameterized queries to prevent SQL injection.",
+    severity: "critical",
+    owasp: "A03:2021-Injection",
+  },
+  {
+    name: "eval-usage",
+    pattern: /(?:eval|Function)\s*\(/,
+    message:
+      'Avoid eval() and Function() constructors — they enable arbitrary code execution. Use safer alternatives.',
+    severity: "critical",
+    owasp: "A03:2021-Injection",
+  },
+  {
+    name: "hardcoded-secret",
+    pattern:
+      /(?:password|passwd|secret|api[_-]?key|apikey|token|auth)\s*[:=]\s*['"][^'"]{6,}['"]/i,
+    message:
+      "Hardcoded secret detected. Move this to an environment variable or secret manager.",
+    severity: "critical",
+    owasp: "A07:2021-Identification and Authentication Failures",
+  },
+  {
+    name: "unsafe-innerhtml",
+    pattern: /\.innerHTML\s*=/,
+    message:
+      "Direct innerHTML assignment can lead to XSS. Use textContent or a sanitization library.",
+    severity: "critical",
+    owasp: "A03:2021-Injection",
+  },
+  {
+    name: "dangerouslySetInnerHTML",
+    pattern: /dangerouslySetInnerHTML/,
+    message:
+      "dangerouslySetInnerHTML bypasses React's XSS protection. Ensure the content is sanitized.",
+    severity: "warning",
+    owasp: "A03:2021-Injection",
+  },
+  {
+    name: "unsafe-redirect",
+    pattern:
+      /(?:redirect|res\.redirect|location\.href|location\.replace)\s*\(\s*(?:req\.|request\.|params|query)/i,
+    message:
+      "Potential open redirect. Validate and whitelist redirect targets.",
+    severity: "critical",
+    owasp: "A01:2021-Broken Access Control",
+  },
+  {
+    name: "cors-wildcard",
+    pattern: /Access-Control-Allow-Origin['"]\s*:\s*['"]\*['"]/,
+    message:
+      "CORS wildcard origin allows any site to access this resource. Restrict to known origins.",
+    severity: "warning",
+    owasp: "A05:2021-Security Misconfiguration",
+  },
+  {
+    name: "disabled-auth",
+    pattern: /(?:@Public|@AllowAnonymous|skipAuth|auth:\s*false|requireAuth:\s*false)/i,
+    message:
+      "Authentication/authorization check is disabled. Ensure this endpoint is intentionally public.",
+    severity: "warning",
+    owasp: "A07:2021-Identification and Authentication Failures",
+  },
+  {
+    name: "weak-crypto",
+    pattern:
+      /(?:md5|sha1|des|rc4|bcrypt\s*\(\s*\d{1,2}\s*,)/i,
+    message:
+      "Weak cryptographic algorithm detected. Use SHA-256+, bcrypt(12+), or argon2id.",
+    severity: "warning",
+    owasp: "A02:2021-Cryptographic Failures",
+  },
+  {
+    name: "console-log-sensitive",
+    pattern:
+      /console\.(log|info|debug)\(.*(?:password|token|secret|api[_-]?key|credential)/i,
+    message:
+      "Avoid logging sensitive data. This could expose secrets in log output.",
+    severity: "critical",
+    owasp: "A09:2021-Security Logging and Monitoring Failures",
+  },
+  {
+    name: "no-https",
+    pattern: /fetch\s*\(\s*['"]http:\/\//,
+    message:
+      "Use HTTPS instead of HTTP for external requests to prevent MITM attacks.",
+    severity: "warning",
+    owasp: "A02:2021-Cryptographic Failures",
+  },
+  {
+    name: "exec-spawn",
+    pattern: /(?:exec|execSync|spawn|spawnSync)\s*\(\s*(?:['"`]|\+|`)/,
+    message:
+      "Potential command injection via exec/spawn. Validate and sanitize all inputs, prefer execFile with args array.",
+    severity: "critical",
+    owasp: "A03:2021-Injection",
+  },
+  {
+    name: "unhandled-errors",
+    pattern: /catch\s*\(\s*\w+\s*\)\s*\{\s*\}/,
+    message:
+      "Empty catch block silently swallows errors. At minimum, log the error.",
+    severity: "warning",
+    owasp: "A09:2021-Security Logging and Monitoring Failures",
+  },
+  {
+    name: "todo-security",
+    pattern: /(?:TODO|FIXME|HACK|XXX).*(?:security|auth|password|encrypt)/i,
+    message:
+      "Security-related TODO comment found. Address before merging.",
+    severity: "warning",
+    owasp: "A09:2021-Security Logging and Monitoring Failures",
+  },
+];
+
+export function scanForSecurityIssues(
+  diff: FileDiff,
+  config: ReviewAgentConfig
+): ReviewComment[] {
+  const comments: ReviewComment[] = [];
+  const changedLines = getChangedLines(diff.patch);
+
+  for (const [lineNum, lineContent] of changedLines) {
+    for (const pattern of SECURITY_PATTERNS) {
+      if (pattern.pattern.test(lineContent)) {
+        if (!severityMeetsThreshold(pattern.severity, config.review.severity)) {
+          continue;
+        }
+
+        const body = pattern.owasp
+          ? `${pattern.message}\n\n**OWASP:** ${pattern.owasp}`
+          : pattern.message;
+
+        comments.push({
+          path: diff.filename,
+          line: lineNum,
+          side: "RIGHT",
+          severity: pattern.severity,
+          category: "security",
+          body: body,
+        });
+      }
+    }
+  }
+
+  // Apply custom rules
+  for (const rule of config.rules) {
+    if (rule.category !== "security") continue;
+    try {
+      const regex = new RegExp(rule.pattern, "gi");
+      for (const [lineNum, lineContent] of changedLines) {
+        if (regex.test(lineContent)) {
+          comments.push({
+            path: diff.filename,
+            line: lineNum,
+            side: "RIGHT",
+            severity: rule.severity,
+            category: "security",
+            body: rule.message,
+          });
+        }
+      }
+    } catch (err) {
+      core.warning(
+        `Invalid custom rule pattern "${rule.pattern}": ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+
+  return comments;
+}
+
+function severityMeetsThreshold(
+  severity: Severity,
+  threshold: Severity
+): boolean {
+  const order: Record<Severity, number> = { critical: 0, warning: 1, info: 2 };
+  return order[severity] <= order[threshold];
+}

package/src/types.ts

@@ -0,0 +1,114 @@
+export type Severity = "critical" | "warning" | "info";
+
+export type ReviewCategory =
+  | "bug"
+  | "security"
+  | "performance"
+  | "style"
+  | "convention";
+
+export type LLMProvider = "openai" | "anthropic" | "ollama";
+
+export type ReviewType = "approve" | "request-changes" | "comment";
+
+export interface ReviewComment {
+  path: string;
+  line: number;
+  side: "LEFT" | "RIGHT";
+  body: string;
+  severity: Severity;
+  category: ReviewCategory;
+  startLine?: number;
+}
+
+export interface FileDiff {
+  filename: string;
+  patch: string;
+  additions: number;
+  deletions: number;
+  changeType: string;
+  content?: string;
+}
+
+export interface ReviewResult {
+  comments: ReviewComment[];
+  score: number;
+  summary: string;
+  breakdown: Record<ReviewCategory, number>;
+}
+
+export interface RepoConvention {
+  language: string;
+  patterns: string[];
+  namingStyle: string;
+  examples: string[];
+}
+
+export interface ReviewAgentConfig {
+  llm: {
+    provider: LLMProvider;
+    apiKey: string;
+    model: string;
+    baseUrl: string;
+  };
+  review: {
+    severity: Severity;
+    maxComments: number;
+    reviewType: ReviewType;
+    languageHints: string[];
+    learnConventions: boolean;
+  };
+  ignore: {
+    paths: string[];
+    extensions: string[];
+  };
+  rules: CustomRule[];
+}
+
+export interface CustomRule {
+  name: string;
+  pattern: string;
+  message: string;
+  severity: Severity;
+  category: ReviewCategory;
+}
+
+export interface ActionInputs {
+  githubToken: string;
+  llmProvider: LLMProvider;
+  llmApiKey: string;
+  llmModel: string;
+  llmBaseUrl: string;
+  configPath: string;
+  severity: Severity;
+  maxComments: number;
+  reviewType: ReviewType;
+  languageHints: string[];
+  learnConventions: boolean;
+}
+
+export interface GitHubPRContext {
+  owner: string;
+  repo: string;
+  pullNumber: number;
+  commitId: string;
+}
+
+export interface LLMReviewRequest {
+  file: FileDiff;
+  conventions: RepoConvention[];
+  config: ReviewAgentConfig;
+  existingCode?: string;
+}
+
+export interface LLMReviewResponse {
+  comments: Array<{
+    line: number;
+    endLine?: number;
+    severity: Severity;
+    category: ReviewCategory;
+    message: string;
+  }>;
+  score: number;
+  summary: string;
+}

package/src/utils/diff-parser.ts

@@ -0,0 +1,177 @@
+import * as minimatch from "minimatch";
+import { FileDiff, ReviewAgentConfig } from "../types";
+
+interface ParsedHunk {
+  oldStart: number;
+  oldLines: number;
+  newStart: number;
+  newLines: number;
+  lines: string[];
+}
+
+export function parsePatch(patch: string): ParsedHunk[] {
+  if (!patch) return [];
+
+  const hunks: ParsedHunk[] = [];
+  const lines = patch.split("\n");
+  let currentHunk: ParsedHunk | null = null;
+
+  for (const line of lines) {
+    const hunkMatch = line.match(
+      /^@@\s+-(\d+)(?:,(\d+))?\s+\+(\d+)(?:,(\d+))?\s+@@/
+    );
+    if (hunkMatch) {
+      if (currentHunk) {
+        hunks.push(currentHunk);
+      }
+      currentHunk = {
+        oldStart: parseInt(hunkMatch[1], 10),
+        oldLines: parseInt(hunkMatch[2] || "1", 10),
+        newStart: parseInt(hunkMatch[3], 10),
+        newLines: parseInt(hunkMatch[4] || "1", 10),
+        lines: [],
+      };
+    } else if (currentHunk) {
+      currentHunk.lines.push(line);
+    }
+  }
+
+  if (currentHunk) {
+    hunks.push(currentHunk);
+  }
+
+  return hunks;
+}
+
+export function getChangedLines(patch: string): Map<number, string> {
+  const changedLines = new Map<number, string>();
+  const hunks = parsePatch(patch);
+
+  for (const hunk of hunks) {
+    let currentLine = hunk.newStart;
+
+    for (const line of hunk.lines) {
+      if (line.startsWith("+")) {
+        changedLines.set(currentLine, line.substring(1));
+        currentLine++;
+      } else if (line.startsWith("-")) {
+        // Removed line - do not advance new line counter
+      } else {
+        currentLine++;
+      }
+    }
+  }
+
+  return changedLines;
+}
+
+export function shouldIgnoreFile(
+  filename: string,
+  config: ReviewAgentConfig
+): boolean {
+  const ext = filename.substring(filename.lastIndexOf("."));
+  if (config.ignore.extensions.includes(ext.toLowerCase())) {
+    return true;
+  }
+
+  for (const pattern of config.ignore.paths) {
+    if (minimatch.minimatch(filename, pattern)) {
+      return true;
+    }
+  }
+
+  const generatedPatterns = [
+    /\.generated\./,
+    /\.min\./,
+    /\/__generated__\//,
+    /\.pb\.go$/,
+    /\.graphql\.generated\./,
+  ];
+  for (const pattern of generatedPatterns) {
+    if (pattern.test(filename)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+export function getFileLanguage(filename: string): string {
+  const ext = filename.substring(filename.lastIndexOf(".")).toLowerCase();
+  const langMap: Record<string, string> = {
+    ".ts": "typescript",
+    ".tsx": "typescript",
+    ".js": "javascript",
+    ".jsx": "javascript",
+    ".py": "python",
+    ".rb": "ruby",
+    ".go": "go",
+    ".rs": "rust",
+    ".java": "java",
+    ".kt": "kotlin",
+    ".cs": "csharp",
+    ".cpp": "cpp",
+    ".c": "c",
+    ".h": "c",
+    ".hpp": "cpp",
+    ".php": "php",
+    ".swift": "swift",
+    ".scala": "scala",
+    ".sh": "bash",
+    ".bash": "bash",
+    ".zsh": "zsh",
+    ".ps1": "powershell",
+    ".sql": "sql",
+    ".html": "html",
+    ".css": "css",
+    ".scss": "scss",
+    ".less": "less",
+    ".vue": "vue",
+    ".svelte": "svelte",
+    ".dart": "dart",
+    ".lua": "lua",
+    ".r": "r",
+    ".R": "r",
+    ".m": "objc",
+    ".mm": "objc",
+    ".ex": "elixir",
+    ".exs": "elixir",
+    ".erl": "erlang",
+    ".hs": "haskell",
+    ".ml": "ocaml",
+    ".clj": "clojure",
+    ".lisp": "lisp",
+    ".tf": "terraform",
+    ".yaml": "yaml",
+    ".yml": "yaml",
+    ".json": "json",
+    ".xml": "xml",
+    ".toml": "toml",
+    ".dockerfile": "dockerfile",
+  };
+
+  if (filename.endsWith("Dockerfile")) return "dockerfile";
+  if (filename.endsWith("Makefile")) return "makefile";
+
+  return langMap[ext] || "unknown";
+}
+
+export function formatDiffForReview(diff: FileDiff): string {
+  const lines: string[] = [];
+  const hunks = parsePatch(diff.patch);
+
+  lines.push(`File: ${diff.filename} (${diff.changeType}, +${diff.additions}/-${diff.deletions})`);
+  lines.push("---");
+
+  for (const hunk of hunks) {
+    lines.push(
+      `@@ -${hunk.oldStart},${hunk.oldLines} +${hunk.newStart},${hunk.newLines} @@`
+    );
+    for (const line of hunk.lines) {
+      lines.push(line);
+    }
+    lines.push("");
+  }
+
+  return lines.join("\n");
+}

package/src/utils/rate-limiter.ts

@@ -0,0 +1,72 @@
+export class RateLimiter {
+  private queue: Array<() => void> = [];
+  private activeCount = 0;
+  private lastCallTime = 0;
+
+  constructor(
+    private maxConcurrent: number = 3,
+    private minIntervalMs: number = 500
+  ) {}
+
+  async acquire(): Promise<void> {
+    if (this.activeCount >= this.maxConcurrent) {
+      await new Promise<void>((resolve) => {
+        this.queue.push(resolve);
+      });
+    }
+
+    this.activeCount++;
+
+    const now = Date.now();
+    const elapsed = now - this.lastCallTime;
+    const remaining = this.minIntervalMs - elapsed;
+
+    if (remaining > 0) {
+      await new Promise<void>((resolve) => setTimeout(resolve, remaining));
+    }
+
+    this.lastCallTime = Date.now();
+  }
+
+  release(): void {
+    this.activeCount--;
+    const next = this.queue.shift();
+    if (next) {
+      next();
+    }
+  }
+
+  get pendingCount(): number {
+    return this.queue.length;
+  }
+
+  get activeRequests(): number {
+    return this.activeCount;
+  }
+}
+
+export class RetryHandler {
+  static async withRetry<T>(
+    fn: () => Promise<T>,
+    maxRetries: number = 3,
+    baseDelayMs: number = 1000
+  ): Promise<T> {
+    let lastError: Error | undefined;
+
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+      try {
+        return await fn();
+      } catch (err) {
+        lastError = err instanceof Error ? err : new Error(String(err));
+
+        if (attempt < maxRetries) {
+          const jitter = Math.random() * 500;
+          const delay = baseDelayMs * Math.pow(2, attempt) + jitter;
+          await new Promise<void>((resolve) => setTimeout(resolve, delay));
+        }
+      }
+    }
+
+    throw lastError;
+  }
+}

package/src/utils/security.ts

@@ -0,0 +1,125 @@
+export function sanitizeForLog(input: string): string {
+  // Remove potential secrets: API keys, tokens, passwords
+  let sanitized = input;
+
+  const secretPatterns = [
+    /(?:api[_-]?key|apikey|token|secret|password|auth)["\s]*[:=]["\s]*[^\s"',;}\]]{8,}/gi,
+    /sk-[a-zA-Z0-9]{20,}/g,
+    /sk_live_[a-zA-Z0-9]{24,}/g,
+    /ghp_[a-zA-Z0-9]{36}/g,
+    /gho_[a-zA-Z0-9]{36}/g,
+    /ghu_[a-zA-Z0-9]{36}/g,
+    /ghs_[a-zA-Z0-9]{36}/g,
+    /github_pat_[a-zA-Z0-9_]{22,}/g,
+    /AKIA[0-9A-Z]{16}/g,
+    /AIza[0-9A-Za-z_-]{35}/g,
+    /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g,
+  ];
+
+  for (const pattern of secretPatterns) {
+    sanitized = sanitized.replace(pattern, "[REDACTED]");
+  }
+
+  return sanitized;
+}
+
+export function truncateString(input: string, maxLength: number): string {
+  if (input.length <= maxLength) return input;
+  return input.substring(0, maxLength) + "... (truncated)";
+}
+
+export function validateApiKey(apiKey: string, provider: string): void {
+  if (!apiKey && provider !== "ollama") {
+    throw new Error(
+      `API key is required for provider "${provider}". Use the llm-api-key input or switch to ollama for local inference.`
+    );
+  }
+
+  if (apiKey && apiKey.length < 8) {
+    throw new Error("API key appears to be too short. Please check your secret configuration.");
+  }
+}
+
+export function formatCommentBody(
+  message: string,
+  severity: string,
+  category: string
+): string {
+  const severityEmoji: Record<string, string> = {
+    critical: "🔴",
+    warning: "🟡",
+    info: "🔵",
+  };
+
+  const categoryLabel: Record<string, string> = {
+    bug: "Bug",
+    security: "Security",
+    performance: "Performance",
+    style: "Style",
+    convention: "Convention",
+  };
+
+  const emoji = severityEmoji[severity] || "⚪";
+  const label = categoryLabel[category] || category;
+
+  return `${emoji} **[${label}]** (${severity})\n\n${message}\n\n---\n*Powered by [ReviewAgent](https://github.com/reviewagent/review-agent)*`;
+}
+
+export function buildSummaryComment(
+  score: number,
+  breakdown: Record<string, number>,
+  summary: string,
+  filesReviewed: number,
+  commentsPosted: number
+): string {
+  const scoreColor =
+    score >= 80 ? "🟢" : score >= 60 ? "🟡" : score >= 40 ? "🟠" : "🔴";
+  const scoreLabel =
+    score >= 80
+      ? "Great"
+      : score >= 60
+        ? "Good"
+        : score >= 40
+          ? "Needs Work"
+          : "Poor";
+
+  const breakdownRows = Object.entries(breakdown)
+    .filter(([, count]) => count > 0)
+    .map(([category, count]) => {
+      const emoji: Record<string, string> = {
+        bug: "🐛",
+        security: "🔒",
+        performance: "⚡",
+        style: "🎨",
+        convention: "📐",
+      };
+      return `| ${emoji[category] || "•"} ${capitalize(category)} | ${count} |`;
+    })
+    .join("\n");
+
+  const breakdownTable = breakdownRows
+    ? `| Category | Count |\n|----------|-------|\n${breakdownRows}\n`
+    : "No issues found. Clean code! \n";
+
+  return `## ${scoreColor} ReviewAgent Code Review Summary
+
+**Score: ${score}/100** — ${scoreLabel}
+
+${summary}
+
+### Breakdown
+
+${breakdownTable}
+
+### Stats
+- **Files reviewed:** ${filesReviewed}
+- **Comments posted:** ${commentsPosted}
+
+---
+
+*ReviewAgent — AI-powered code review. Configure via \`.reviewagent.yml\`*`;
+}
+
+function capitalize(s: string): string {
+  return s.charAt(0).toUpperCase() + s.slice(1);
+}