feat: add @droid security commands #17
Conversation
Add support for security-focused code review commands: - @droid security - Security review on PR changes - @droid security --full - Full repository security scan New features: - Security command parser (security, review-security, security-full) - Security review prompt with STRIDE methodology - Security scan prompt with threat model generation - Security configuration inputs in action.yml - Security-specific tracking comment message Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
![factory-droid[bot]](https://avatars.githubusercontent.com/in/358017?s=60&v=4){kind=small}
| generatePrompt, | ||
| allowedTools = [], | ||
| disallowedTools = [], | ||
| includeActionsTools = false, |
There was a problem hiding this comment.
[P1] Avoid generating prompts with missing tracking comment ID
Making commentId/droidCommentId optional means prepareContext may omit it; if downstream templates assume it exists for sticky comment updates, this can break PR flows (missing github_comment___update_droid_comment target). Consider enforcing a non-optional ID for PR review/security-review modes.
src/github/context.ts
Outdated
| securityBlockOnHigh: process.env.SECURITY_BLOCK_ON_HIGH === "true", | ||
| securityNotifyTeam: process.env.SECURITY_NOTIFY_TEAM ?? "", | ||
| securityScanSchedule: process.env.SECURITY_SCAN_SCHEDULE === "true", | ||
| securityScanDays: parseInt(process.env.SECURITY_SCAN_DAYS ?? "7", 10), |
There was a problem hiding this comment.
[P1] Validate SECURITY_SCAN_DAYS to avoid NaN behavior
parseInt(process.env.SECURITY_SCAN_DAYS ?? "7", 10) can yield NaN (e.g., empty string or non-numeric), which then propagates into scheduled scan scope / prompts; clamp to a positive integer fallback to keep behavior deterministic.
There was a problem hiding this comment.
Overall the security-command additions look directionally correct, but there are a couple of input/flow edge cases that can lead to non-deterministic behavior (NaN scan days) or prompts missing the tracking comment id in some paths. Addressing the inline notes should make the new security flows more robust.
| ## Summary Format (for tracking comment update) | ||
| Use \`github_comment___update_droid_comment\` to update the tracking comment with this format: | ||
There was a problem hiding this comment.
[P1] Remove “IMPORTANT: do NOT post inline comments directly” conflict
This contradicts the tooling guidance elsewhere in the repo (and the intended behavior of security review) and can result in no inline comments being posted at all; if you need batching, have the orchestrator handle it, not the prompt.
| - For auto-fixable issues: Invoke **security-review** skill to generate patches | ||
| - Commit any generated patches to the PR branch | ||
| ## Security Scope (STRIDE Categories) |
There was a problem hiding this comment.
[P1] Don’t instruct to commit to PR branch in review mode
This prompt tells the agent to commit .factory/threat-model.md to the PR branch during a security review; that can unintentionally change the contributor’s PR and add non-review changes, which is risky/incorrect behavior for a “review” flow.
There was a problem hiding this comment.
Overall: the feature wiring looks coherent, but the security-review prompt currently instructs potentially unsafe/incorrect behavior (committing files to the contributor’s PR and suppressing inline comments), which can break expected review semantics. Fixing those prompt directives should make the new security flows safer and more reliable.
- Fix SECURITY_SCAN_DAYS to avoid NaN (clamp to positive integer, default 7) - Remove instructions to commit threat model to PR branch during review - Remove instructions to commit patches to PR branch - Align security review with JSON output pattern (no direct inline comments) Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
Summary
Add support for security-focused code review commands.
New Commands
@droid security- Security review on PR changes using STRIDE methodology@droid security --full- Full repository security scan with threat model generationChanges
New Files
src/tag/commands/security-review.tssrc/tag/commands/security-scan.tssrc/create-prompt/templates/security-review-prompt.tssrc/create-prompt/templates/security-report-prompt.tsThis PR is part of a split from the security review feature branch.
PR Stack