Skip to content

chore: Updated security workflow readme #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
shashank-factory wants to merge 8 commits into
base: ssharma/security-review-github-action
Choose a base branch
from
Open

chore: Updated security workflow readme #7

shashank-factory wants to merge 8 commits into from

Conversation

@shashank-factory
Copy link

@shashank-factory shashank-factory commented Jan 7, 2026
edited by factory-droid bot
Loading

Summary

Updates the README.md to document the new security workflow capabilities and the modular sub-action architecture introduced for parallel code and security reviews.

Changes

  • New commands documented: Added documentation for @droid security, @droid review security, and @droid security --full commands
  • Parallel review flow: Added new section explaining how code review and security review run in parallel when both are enabled
  • Advanced workflow example: Added comprehensive YAML example for parallel workflow setup using modular sub-actions (prepare, review, security, combine)
  • Security configuration: Documented new security-specific inputs including:
    • automatic_security_review
    • security_model
    • security_severity_threshold
    • security_block_on_critical/high
    • security_notify_team
    • security_scan_schedule/days
  • Sub-actions table: Added documentation for the modular sub-actions (Factory-AI/droid-action/prepare, /review, /security, /combine)
  • Security skills section: Documented the Factory skills used for security reviews (threat-model-generation, commit-security-scan, vulnerability-validation, security-review)
  • Configuration reorganization: Restructured configuration section into Core Inputs, Review Configuration, and Security Configuration tables
  • Formatting updates: Converted bullet points from * to - for consistency

Testing

Documentation-only changes. No code changes to test.

Related Issues

closes https://linear.app/factoryai/issue/FAC-14927/update-readme-with-new-structure-around-the-security-workflow

@shashank-factory shashank-factory changed the base branch from main to ssharma/security-review-github-action January 7, 2026 23:43
varin-nair-factory
varin-nair-factory reviewed Jan 12, 2026
View reviewed changes
factory-droid[bot]
factory-droid bot reviewed Jan 12, 2026
View reviewed changes
Copy link
Contributor

@factory-droid factory-droid bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docs-only PR; no code changes to validate. No additional P0/P1 bugs introduced by this diff.

Note: an existing review thread suggests removing the @droid review security command mention from README if that’s not supported/desired behavior.

varin-nair-factory
varin-nair-factory reviewed Jan 12, 2026
View reviewed changes
factory-droid[bot]
factory-droid bot reviewed Jan 12, 2026
View reviewed changes
Copy link
Contributor

@factory-droid factory-droid bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docs-only PR; no new P0/P1 issues found in this diff. (Existing threads about command naming/mentioning have been resolved.)

varin-nair-factory
varin-nair-factory reviewed Jan 12, 2026
View reviewed changes
varin-nair-factory
varin-nair-factory reviewed Jan 12, 2026
View reviewed changes
varin-nair-factory
varin-nair-factory reviewed Jan 12, 2026
View reviewed changes
varin-nair-factory
varin-nair-factory reviewed Jan 12, 2026
View reviewed changes
@shashank-factory shashank-factory changed the base branch from ssharma/security-review-github-action to dev January 13, 2026 22:02
@shashank-factory shashank-factory changed the base branch from dev to ssharma/security-review-github-action January 13, 2026 22:02
@shashank-factory shashank-factory changed the base branch from ssharma/security-review-github-action to ssharma/pr4-parallel-workflow January 14, 2026 01:57
@shashank-factory shashank-factory changed the base branch from ssharma/pr4-parallel-workflow to ssharma/security-review-github-action January 14, 2026 02:01
@factory-droid
Copy link
Contributor

factory-droid bot commented Jan 14, 2026
edited
Loading

Droid finished @shashank-factory's task —— View job

factory-droid[bot]
factory-droid bot reviewed Jan 14, 2026
View reviewed changes
README.md

- `@droid fill` — turns a bare pull request into a polished description that matches your template or our opinionated fallback.
- `@droid review` — performs an automated code review, surfaces potential bugs, and leaves inline comments directly on the diff.
- `@droid security` — performs an automated security review using STRIDE methodology, identifying vulnerabilities and suggesting fixes.
Copy link
Contributor

@factory-droid factory-droid bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P1] Document the correct security command name

Repo code/tests and action.yml reference @droid security-review (and @droid review security), but this README documents @droid security; users will invoke the wrong command and the workflow won’t trigger as expected.

factory-droid[bot]
factory-droid bot reviewed Jan 14, 2026
View reviewed changes
README.md
| `automatic_security_review` | `false` | Automatically run security review on PRs without requiring `@droid security`. |
| `security_model` | `""` | Override the model used for security review. Falls back to `review_model` if not set. |
| `security_severity_threshold` | `medium` | Minimum severity to report (`critical`, `high`, `medium`, `low`). Findings below this threshold are filtered out. |
| `security_block_on_critical` | `true` | Submit `REQUEST_CHANGES` review when critical severity findings are detected. |
Copy link
Contributor

@factory-droid factory-droid bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P1] Avoid promising REQUEST_CHANGES from composite action

README claims the security action will submit REQUEST_CHANGES on critical/high, but GitHub Actions tokens generally can’t create “request changes” reviews; promising this behavior is likely incorrect and will mislead users configuring enforcement.

factory-droid[bot]
factory-droid bot reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

@factory-droid factory-droid bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docs change looks directionally right, but it currently documents a security command name/behavior that doesn’t match what the repo code/tests/action inputs expect, which will cause users to invoke unsupported commands. Please align README with the implemented trigger(s) and avoid promising enforcement behavior that GitHub Actions can’t perform.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@factory-droid factory-droid[bot] factory-droid[bot] left review comments

@varin-nair-factory varin-nair-factory Awaiting requested review from varin-nair-factory

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@shashank-factory @varin-nair-factory