-
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathgemini-comprehensive-analysis.yml
More file actions
269 lines (223 loc) · 11.2 KB
/
gemini-comprehensive-analysis.yml
File metadata and controls
269 lines (223 loc) · 11.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
# AI-Powered Comprehensive Code Analysis
# Combines security scanning and WordPress standards checking using Gemini AI
name: Gemini Comprehensive Analysis
on:
push:
branches: [ main, develop ]
pull_request:
types: [opened, synchronize, reopened]
workflow_dispatch:
# Cancel previous workflow runs for the same branch
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
actions: read
jobs:
comprehensive-analysis:
name: AI Security & Standards Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v47
with:
files: |
**/*.php
**/*.js
**/*.sql
separator: "\n"
- name: Run Gemini Comprehensive Analysis
if: steps.changed-files.outputs.any_changed == 'true'
env:
CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
run: |
npx @google/gemini-cli@latest --prompt "
You are a WordPress security expert and development consultant with deep knowledge of plugin vulnerabilities, WordPress coding standards, and best practices.
COMPREHENSIVE ANALYSIS INSTRUCTIONS:
Perform both security vulnerability analysis AND WordPress coding standards review for the following code changes. Provide a comprehensive report covering both areas.
## 🔴 SECURITY VULNERABILITY ANALYSIS:
### CRITICAL SECURITY ISSUES:
- SQL Injection: Check for unsanitized database queries, missing prepared statements
- Cross-Site Scripting (XSS): Look for unescaped output, missing esc_html/esc_attr
- Cross-Site Request Forgery (CSRF): Verify nonce usage in forms and AJAX
- Authentication Bypass: Check user capability validation
- File Upload Vulnerabilities: Verify file type and size validation
- Directory Traversal: Look for path manipulation vulnerabilities
- Code Injection: Check for eval(), exec(), system() usage
### WORDPRESS-SPECIFIC SECURITY:
- Proper use of WordPress sanitization functions
- Correct capability checks (current_user_can)
- WordPress nonce verification
- Proper use of wpdb prepared statements
- Validation of user input and file uploads
- Secure handling of options and meta data
### SECURITY BEST PRACTICES:
- Input validation and sanitization
- Output escaping and encoding
- Secure API endpoint implementation
- Proper error handling without information disclosure
## 📋 WORDPRESS CODING STANDARDS ANALYSIS:
### CODING STANDARDS (WordPress Coding Standards):
- PSR-4 autoloading compliance
- Proper function and variable naming (snake_case)
- Class naming conventions (PascalCase with underscores)
- File naming conventions (lowercase with hyphens)
- Proper indentation (tabs vs spaces - WordPress uses tabs)
- Line length limits (150 characters max)
- Proper commenting and PHPDoc blocks
### ARCHITECTURE & STRUCTURE:
- Single responsibility principle
- Proper use of WordPress hooks (actions/filters)
- Singleton pattern implementation
- Plugin structure and organization
- Proper use of WordPress APIs
### WORDPRESS-SPECIFIC BEST PRACTICES:
- Proper plugin header format
- Text domain usage and internationalization
- Capability checks and user permissions
- Database interaction using WordPress functions
- Proper enqueueing of scripts and styles
- Use of WordPress constants and globals
- Plugin activation/deactivation hooks
### PERFORMANCE CONSIDERATIONS:
- Efficient database queries
- Proper caching strategies
- Lazy loading where appropriate
- Avoiding resource-heavy operations
- Proper use of transients
### PLUGIN-SPECIFIC CHECKS:
- WordPress optimization best practices
- Performance improvement techniques
- Admin interface conventions
- WordPress core feature interaction
- Feature toggle implementation
### COMPATIBILITY:
- PHP version compatibility (7.4+)
- WordPress version compatibility (6.5+)
- Plugin conflicts avoidance
- Theme compatibility
## REPORT FORMAT:
Please structure your response as follows:
# COMPREHENSIVE CODE ANALYSIS REPORT
## 🛡️ SECURITY ANALYSIS RESULTS
[Detailed security findings here]
## 📋 WORDPRESS STANDARDS RESULTS
[Detailed standards findings here]
## 📊 SUMMARY
- Total Issues Found: [number]
- Critical Security Issues: [number]
- High Priority Standards Issues: [number]
- Medium/Low Priority Issues: [number]
## 🎯 PRIORITY RECOMMENDATIONS
[Top 3-5 most important items to address]
For each finding in both sections:
1. Specify the exact file and line number
2. Explain the issue/vulnerability type and severity level (CRITICAL, HIGH, MEDIUM, LOW, INFO)
3. Provide specific code recommendations
4. Reference relevant WordPress Codex/security guidelines
If no issues are found in either category, confirm the code follows WordPress security standards and coding best practices.
FILES TO ANALYZE:
$CHANGED_FILES
" > comprehensive-analysis.txt
- name: Display Comprehensive Analysis Summary
if: steps.changed-files.outputs.any_changed == 'true'
run: |
echo "========================================"
echo "🔍 COMPREHENSIVE CODE ANALYSIS REPORT"
echo "========================================"
echo "Repository: ${{ github.repository }}"
echo "Commit: ${{ github.sha }}"
echo "Branch: ${{ github.ref }}"
echo "Files Analyzed: ${{ steps.changed-files.outputs.all_changed_files_count }}"
echo "Analysis Date: $(date -u +"%Y-%m-%dT%H:%M:%SZ")"
echo ""
echo "📁 Files Reviewed:"
echo "${{ steps.changed-files.outputs.all_changed_files }}"
echo ""
echo "🤖 AI Expert Analysis Results:"
echo "========================================"
if [ -f "comprehensive-analysis.txt" ]; then
cat comprehensive-analysis.txt
else
echo "⚠️ No analysis output found."
fi
echo ""
echo "========================================"
echo "📋 Next Steps:"
echo "- Review all CRITICAL and HIGH priority findings immediately"
echo "- Address security vulnerabilities before standards issues"
echo "- Test all changes thoroughly after implementing fixes"
echo "- Validate compatibility with WordPress 6.5+ and PHP 7.4+"
echo "- Consider performance optimizations where recommended"
echo "========================================"
- name: Create Workflow Summary
if: steps.changed-files.outputs.any_changed == 'true'
uses: actions/github-script@v8
env:
CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
FILES_COUNT: ${{ steps.changed-files.outputs.all_changed_files_count }}
with:
script: |
const fs = require('fs');
const changedFiles = process.env.CHANGED_FILES;
const filesCount = process.env.FILES_COUNT;
let analysisContent = 'No analysis output found.';
try {
if (fs.existsSync('comprehensive-analysis.txt')) {
analysisContent = fs.readFileSync('comprehensive-analysis.txt', 'utf8');
}
} catch (error) {
console.log('Error reading analysis file:', error);
analysisContent = 'Error reading comprehensive analysis results.';
}
const summaryContent = `
## 🔍 Comprehensive WordPress Code Analysis
**Repository:** ${context.repo.owner}/${context.repo.repo}
**Commit:** ${context.sha}
**Branch:** ${context.ref}
**Files Analyzed:** ${filesCount}
**Analysis Date:** ${new Date().toISOString()}
### 📁 Files Reviewed
\`\`\`
${changedFiles}
\`\`\`
---
### 🤖 AI Expert Analysis Results
${analysisContent}
---
### 📋 Recommended Actions
- **Priority 1:** Address all CRITICAL security vulnerabilities immediately
- **Priority 2:** Fix HIGH priority coding standards issues
- **Priority 3:** Implement suggested WordPress best practices
- **Priority 4:** Consider performance and compatibility optimizations
- **Testing:** Validate all changes with WordPress 6.5+ and PHP 7.4+
**Workflow Run:** ${context.payload.repository.html_url}/actions/runs/${context.runId}
`;
await core.summary
.addHeading('🔍 Comprehensive Code Analysis Report')
.addRaw(summaryContent)
.write();
console.log('✅ Comprehensive analysis summary created in workflow logs');
- name: Analysis Status Check
if: steps.changed-files.outputs.any_changed == 'true'
run: |
echo "========================================"
echo "📊 ANALYSIS COMPLETION STATUS"
echo "========================================"
echo "✅ Security vulnerability scan: COMPLETED"
echo "✅ WordPress coding standards check: COMPLETED"
echo "✅ Best practices review: COMPLETED"
echo "✅ Performance analysis: COMPLETED"
echo "✅ Compatibility check: COMPLETED"
echo ""
echo "🎯 This comprehensive analysis replaces separate security and standards workflows"
echo "💡 Review the detailed findings above and implement recommended changes"
echo "⚡ Reduced AI token usage by combining both analyses into a single request"
echo "========================================"