Phase 2.7 Deep Analysis enhances Argus Security with advanced semantic vulnerability detection and comprehensive code analysis. This guide explains how to integrate Phase 2.7 capabilities into your GitHub Actions workflows.
Phase 2.7 adds three analysis modes beyond standard scanning:
| Mode | Description | Cost | Use Case |
|---|---|---|---|
| off | Standard scanning only (no deep analysis) | Low | Basic security checks |
| semantic-only | Semantic vulnerability detection | Medium | PR reviews, quick checks |
| conservative | Balanced approach with cost controls | Medium-High | Regular security audits |
| full | Comprehensive analysis with maximum coverage | High | Weekly/monthly deep scans |
The action exposes these Phase 2.7 inputs:

```yaml
inputs:
  deep-analysis-mode:
    description: 'Phase 2.7 Deep Analysis mode (off, semantic-only, conservative, full)'
    required: false
    default: 'off'
  max-files-deep-analysis:
    description: 'Maximum files for Phase 2.7 Deep Analysis'
    required: false
    default: '50'
  deep-analysis-cost-ceiling:
    description: 'Cost ceiling in USD for Phase 2.7'
    required: false
    default: '5.0'
  deep-analysis-timeout:
    description: 'Timeout in seconds for Phase 2.7'
    required: false
    default: '300'
  benchmark:
    description: 'Enable benchmark reporting'
    required: false
    default: 'false'
```

The workflows below reference the action at `@main`. A floating branch ref executes whatever is currently on that branch, with access to your `ANTHROPIC_API_KEY` secret, so for production workflows pin to a release tag or a full commit SHA once you have validated a version. Note also that GitHub does not expose repository secrets to `pull_request` runs triggered from forks, so the PR workflow only has an API key for branches inside the repository.

PR security review (semantic-only):
```yaml
name: PR Security Review
on: [pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: devatsecure/Argus-Security@main
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          review-type: security
          deep-analysis-mode: semantic-only
          only-changed: true
          fail-on-blockers: true
```

Main branch protection (conservative):
```yaml
name: Main Branch Security
on:
  push:
    branches: [main]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: devatsecure/Argus-Security@main
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          review-type: security
          deep-analysis-mode: conservative
          max-files-deep-analysis: 50
          deep-analysis-cost-ceiling: 5.0
          benchmark: true
```

Scheduled audit (full):
```yaml
name: Weekly Security Audit
on:
  schedule:
    - cron: '0 2 * * 0' # Sundays at 02:00 UTC (GitHub evaluates cron in UTC)
jobs:
  full-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: devatsecure/Argus-Security@main
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          review-type: security
          deep-analysis-mode: full
          max-files-deep-analysis: 200
          deep-analysis-cost-ceiling: 15.0
          deep-analysis-timeout: 900
          benchmark: true
          enable-multi-agent: true
          enable-spontaneous-discovery: true
```

Mode: semantic-only
Best for: Pull request reviews, quick security checks
Features:
- Semantic vulnerability detection
- Context-aware analysis
- Fast execution (2-5 minutes)
- Low cost ($0.50-$2.00 per scan)
Configuration:
```yaml
deep-analysis-mode: semantic-only
max-files-deep-analysis: 100
deep-analysis-cost-ceiling: 2.0
deep-analysis-timeout: 180
```
When to use:
- Every pull request
- Quick security feedback
- CI/CD pipelines with tight time constraints
Mode: conservative
Best for: Regular security audits, main branch protection
Features:
- Balanced analysis depth
- Cost-controlled comprehensive checks
- Medium execution time (5-10 minutes)
- Medium cost ($2.00-$5.00 per scan)
Configuration:
```yaml
deep-analysis-mode: conservative
max-files-deep-analysis: 50
deep-analysis-cost-ceiling: 5.0
deep-analysis-timeout: 300
```
When to use:
- Main branch commits
- Daily/weekly security checks
- Release preparation
Mode: full
Best for: Comprehensive security audits, compliance reporting
Features:
- Maximum analysis depth
- All detection capabilities enabled
- Longer execution time (10-30 minutes)
- Higher cost ($5.00-$15.00 per scan)
Configuration:
```yaml
deep-analysis-mode: full
max-files-deep-analysis: 200
deep-analysis-cost-ceiling: 15.0
deep-analysis-timeout: 900
```
When to use:
- Weekly/monthly security audits
- Pre-release security validation
- Compliance reporting
- Security incident investigation
Phase 2.7 costs are based on:
- Number of files analyzed
- File size and complexity
- Analysis depth (mode)
- LLM API usage (Claude/GPT-4)
Match the mode to the trigger so the expensive modes run only where they pay off (fragments, not complete workflows):
```yaml
# PR reviews - semantic only
on: pull_request
deep-analysis-mode: semantic-only
only-changed: true

# Main branch - conservative
on:
  push:
    branches: [main]
deep-analysis-mode: conservative

# Scheduled audits - full
on:
  schedule:
    - cron: '0 2 * * 0'
deep-analysis-mode: full
```

Set a hard stop so one run cannot overspend. The ceiling bounds a single run (Phase 2.7 stops when it is reached, see Troubleshooting), so budget as ceiling times the expected number of runs per month:
```yaml
# Hard stop at $5
deep-analysis-cost-ceiling: 5.0
```
Per-mode ceiling recommendations (USD):
- semantic-only: 2.0-3.0
- conservative: 5.0-8.0
- full: 10.0-20.0

Limit the file set:
```yaml
# PRs - analyze changed files only
only-changed: true
max-files-deep-analysis: 100

# Full scans - limit by priority
max-files-deep-analysis: 200
include-paths: 'src/**,lib/**'
exclude-paths: 'tests/**,docs/**'
```

Enable benchmarking to track Phase 2.7 performance:
```yaml
benchmark: true
```
Benchmark Metrics:
- Analysis duration
- Files analyzed
- Vulnerabilities found
- False positive rate
- Cost breakdown
- Comparison vs baseline (Phase 2.7 off)
Example Benchmark Output:
```json
{
  "phase_27_enabled": true,
  "mode": "conservative",
  "duration_seconds": 342,
  "files_analyzed": 48,
  "vulnerabilities_found": 12,
  "false_positives": 1,
  "cost_usd": 4.23,
  "baseline_comparison": {
    "additional_findings": 3,
    "fp_reduction_percent": 67
  }
}
```

Multi-stage workflow (one file, three triggers; the weekly job only fires if `schedule` is among the triggers):
```yaml
name: Multi-Stage Security
on:
  push:
  pull_request:
  schedule:
    - cron: '0 2 * * 0'
jobs:
  # Stage 1: Fast PR checks
  pr-check:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: devatsecure/Argus-Security@main
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          deep-analysis-mode: semantic-only
          only-changed: true
          fail-on-blockers: true
  # Stage 2: Conservative main branch
  main-check:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: devatsecure/Argus-Security@main
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          deep-analysis-mode: conservative
          benchmark: true
  # Stage 3: Weekly full audit
  weekly-audit:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: devatsecure/Argus-Security@main
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          deep-analysis-mode: full
          benchmark: true
```

Scope-aware PR analysis (escalate the mode when security-sensitive files change). The default shallow checkout has no base branch to diff against, so the `detect-scope` job fetches full history and diffs against the merge base with the PR's base branch:
```yaml
name: Smart Security Analysis
on: [pull_request]
jobs:
  detect-scope:
    runs-on: ubuntu-latest
    outputs:
      security-files-changed: ${{ steps.check.outputs.security }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # shallow clones do not contain origin/<base>
      - id: check
        run: |
          # Three-dot diff: only commits on the PR branch since it diverged from the base
          if git diff --name-only "origin/${{ github.base_ref }}...HEAD" | grep -E '(auth|security|crypto)'; then
            echo "security=true" >> "$GITHUB_OUTPUT"
          else
            echo "security=false" >> "$GITHUB_OUTPUT"
          fi
  security-scan:
    needs: detect-scope
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: devatsecure/Argus-Security@main
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          only-changed: true
          # Escalate to conservative if security files changed, otherwise stay cheap
          deep-analysis-mode: ${{ needs.detect-scope.outputs.security-files-changed == 'true' && 'conservative' || 'semantic-only' }}
```

Troubleshooting:
Error: "Phase 2.7 analysis stopped: cost ceiling of $5.00 exceeded"
Solution:
```yaml
# Increase ceiling or reduce scope
deep-analysis-cost-ceiling: 10.0
# OR
max-files-deep-analysis: 30
```
Before raising the ceiling, check the cost breakdown in the benchmark report: if a few large generated or vendored files dominate, an `exclude-paths` entry is cheaper than a bigger budget.
Error: "Phase 2.7 analysis timed out after 300 seconds"
Solution:
```yaml
# Increase timeout or reduce scope
deep-analysis-timeout: 600
# OR
max-files-deep-analysis: 30
```
If the job also sets `timeout-minutes`, keep it above `deep-analysis-timeout` so the action's own timeout fires first and the step fails with the message above instead of the runner cancelling the whole job.
Error: "Anthropic API rate limit exceeded"
Solution:
- Use different modes for different workflows
- Implement retry logic with exponential backoff
- Consider upgrading API tier
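Retry with backoff only helps where you control the invocation: a `uses:` step cannot be wrapped, so for the action itself the remedy is the per-trigger workflow split above or a job re-run. Where the scanner or another API client is started from a `run:` step, the function below retries with exponential backoff and jitter. It is an added example, not part of Argus Security, and it assumes that a retryable failure can be recognised from its stderr text (`RETRYABLE_PATTERN`, defaulting to "rate limit" to match the error quoted above). A scan that exits non-zero because it found blockers is deliberately not retried.

```bash
#!/usr/bin/env bash
# Added example (not Argus Security's own code): re-run a command with
# exponential backoff, but only when it failed for a transient reason.
set -e

# Text that marks a failure as retryable (assumption; adapt to your tooling).
: "${RETRYABLE_PATTERN:=rate limit}"

# Usage: retry_with_backoff <max_attempts> <base_delay_seconds> <command...>
# Returns 0 on success, otherwise the exit code of the last attempt.
retry_with_backoff() {
  local max_attempts=$1 base_delay=$2
  shift 2
  local attempt=1 rc delay errlog
  errlog=$(mktemp)
  while :; do
    # Capture stderr so the failure text can be inspected, then replay it.
    if "$@" 2>"$errlog"; then
      rc=0
    else
      rc=$?
    fi
    cat "$errlog" >&2
    if [ "$rc" -eq 0 ]; then
      rm -f "$errlog"
      return 0
    fi
    # Give up on non-transient errors (e.g. blocking findings) or exhausted budget.
    if ! grep -qi -- "$RETRYABLE_PATTERN" "$errlog" || [ "$attempt" -ge "$max_attempts" ]; then
      rm -f "$errlog"
      return "$rc"
    fi
    # Exponential delay: base, 2*base, 4*base, ... capped at 60s, plus jitter
    # so parallel jobs do not hammer the API in lockstep after a 429.
    delay=$(( base_delay * (1 << (attempt - 1)) ))
    if [ "$delay" -gt 60 ]; then delay=60; fi
    delay=$(( delay + ${RANDOM:-0} % (delay + 1) ))
    echo "attempt $attempt failed (exit $rc); retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$(( attempt + 1 ))
  done
}
```

In a workflow step this would be used as `retry_with_backoff 4 5 <your command>` after sourcing the script (the command and attempt budget are yours to choose). Keep the attempt count small: hitting a rate limit repeatedly across several workflows is the signal to spread the modes across triggers, as the cost section recommends, not to retry harder.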
Mode selection:
- PR Reviews: Use `semantic-only` mode with `only-changed: true`
- Main Branch: Use `conservative` mode for balanced security
- Scheduled Audits: Use `full` mode weekly/monthly
- Release Gates: Use `conservative` or `full` mode

Cost optimization:
- Set appropriate cost ceilings per mode
- Use `only-changed` for PR workflows
- Exclude non-critical paths (tests, docs, vendor)
- Monitor benchmark reports

Performance:
- Enable parallel scanning where possible
- Use caching for dependencies
- Set reasonable timeouts
- Prioritize critical files

Security:
- Always enable for main/production branches
- Fail fast on blockers in PR reviews
- Track metrics over time
- Review benchmark reports regularly
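The Smart Security Analysis workflow above decides the mode with a substring grep, so paths such as `lib/author_utils.py` or `docs/security-policy.md` also escalate the scan. The script below is an added example, not part of Argus Security, that makes the same decision by matching whole directory components and honouring the exclusions recommended above (tests, docs). The directory names, the `--from-git` entry point and the `mode=` output name are assumptions to adapt to your tree. `changed_files` uses a merge-base (three-dot) diff, which needs `fetch-depth: 0` on `actions/checkout`.

```bash
#!/usr/bin/env bash
# Added example (not Argus Security's own code): pick a deep-analysis mode for
# a pull request from the paths it touches. Directory names are assumptions.
set -e

# Return 0 if the path is security-sensitive, 1 otherwise. Matching whole
# directory components avoids substring hits such as "author_utils.py".
is_sensitive_path() {
  case "$1" in
    tests/*|*/tests/*|docs/*|*/docs/*|*.md) return 1 ;;   # excluded paths never escalate
    auth/*|*/auth/*|security/*|*/security/*|crypto/*|*/crypto/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read one path per line on stdin; print "conservative" if any path is
# sensitive, otherwise the cheaper "semantic-only" the guide recommends for PRs.
select_mode() {
  local mode='semantic-only' path
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if is_sensitive_path "$path"; then
      mode='conservative'
      break
    fi
  done
  printf '%s\n' "$mode"
}

# Files changed on the PR branch since it diverged from base branch $1
# (e.g. "main"). Requires full history: fetch-depth: 0 on actions/checkout.
changed_files() {
  git diff --name-only "origin/$1...HEAD"
}

# Assumed step usage, writing a "mode" output for a later job:
#   run: ./select_mode.sh --from-git "${{ github.base_ref }}" >> "$GITHUB_OUTPUT"
if [ "${1:-}" = "--from-git" ]; then
  printf 'mode=%s\n' "$(changed_files "${2:-main}" | select_mode)"
fi
```

The downstream job then reads `${{ needs.detect-scope.outputs.mode }}` (an assumed output name) into `deep-analysis-mode`. Because the decision is a plain function of the path list, it can be unit-tested offline, which the grep one-liner in a `run:` step cannot.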
Migrating an existing workflow:

Before:
```yaml
- uses: devatsecure/Argus-Security@v1
  with:
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
    review-type: security
```
After (Conservative):
```yaml
- uses: devatsecure/Argus-Security@main
  with:
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
    review-type: security
    deep-analysis-mode: conservative
    max-files-deep-analysis: 50
    deep-analysis-cost-ceiling: 5.0
    benchmark: true
```
See `.github/workflows/argus-phase-27-deep-analysis.yml` for a complete example with:
- PR semantic analysis
- Main branch conservative analysis
- Weekly full analysis
- Manual on-demand analysis
- Benchmark comparison
For issues or questions:
- GitHub Issues: https://github.com/devatsecure/Argus-Security/issues
- Documentation: https://github.com/devatsecure/Argus-Security/tree/main/docs