
Daily Repo Goal Achiever: Add Code Scanning Fixer workflow#249

Draft
github-actions[bot] wants to merge 1 commit into main from daily-goal-code-scanning-fixer-2026-03-08-33826b951796b130

Conversation


@github-actions github-actions bot commented Mar 8, 2026

Phase 1 — Consistency Check

✅ All workflows/*.md files have matching docs/*.md entries.
✅ All docs pages are listed in README.md.
✅ No style inconsistencies or typos found.


Phase 2 — New Workflow: Code Scanning Fixer

Source

Adapted from code-scanning-fixer.md in Peli's Agent Factory.

Merge Rate

Not yet documented in the blog series (newer workflow), but closely related to the Daily Malicious Code Scan workflow family with strong practical value.

Why It's Valuable

Repositories that use GitHub code scanning (CodeQL or third-party scanners) accumulate security alerts over time. Manually triaging and fixing these alerts is tedious and often deprioritized. This workflow:

  • Automatically analyzes open code scanning alerts, selecting the highest-severity unfixed one each run
  • Generates a fix using AI, understanding the vulnerability context and applying a targeted, minimal code change
  • Creates a PR with a clear description of the vulnerability, what was changed, and why
  • Tracks state via cache memory so each alert is addressed once and not duplicated across runs
  • Works with any language and any code scanning tool (CodeQL, SAST scanners, etc.)

Generalization Plan

The original workflow was adapted as follows:

  • Replaced hardcoded owner="githubnext" and repo="gh-aw" with ${{ github.repository_owner }} and ${{ github.event.repository.name }} context variables
  • Removed repo-memory campaigns section (internal gh-aw tracking mechanism)
  • Removed campaign-specific labels (agentic-campaign, z_campaign_security-alert-burndown)
  • Added weekly schedule trigger (original was manual-only)
  • Retained the core logic: cache check → list alerts → select by severity → analyze → fix → PR → update cache

Proposed Name

code-scanning-fixer — clear, direct, matches the original name in gh-aw


Changes:

  • workflows/code-scanning-fixer.md — new workflow file
  • docs/code-scanning-fixer.md — new documentation page
  • README.md — added entry to Security Workflows section

Generated by Daily Repo Goal Achiever
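As an added illustration that is not part of this PR or of gh-aw, the "cache check → select by severity → update cache" steps of the loop described above, written in Python over constructed alert records shaped like the fields of GitHub's code-scanning alerts API (`number`, `state`, `rule.security_severity_level`); the alert numbers and rule ids are made up:

```python
"""Added example (not from gh-aw or this PR): the alert-selection step of the
cache check -> list alerts -> select by severity -> update cache loop.
The alert records below are constructed to mimic the shape of GitHub's
code-scanning alerts API response; they are not real alerts."""
import json

# Severity order used to rank alerts; rules without a security severity sort last.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample of what the code-scanning alerts endpoint might return.
SAMPLE_ALERTS = json.loads("""[
  {"number": 7, "state": "open", "rule": {"id": "py/sql-injection", "security_severity_level": "high"}},
  {"number": 9, "state": "open", "rule": {"id": "py/path-injection", "security_severity_level": "critical"}},
  {"number": 3, "state": "dismissed", "rule": {"id": "py/clear-text-logging", "security_severity_level": "critical"}},
  {"number": 12, "state": "open", "rule": {"id": "py/log-injection", "security_severity_level": "high"}},
  {"number": 15, "state": "open", "rule": {"id": "py/unused-import"}}
]""")


def select_alert(alerts, handled):
    """Return the highest-severity open alert not already in `handled`, or None.
    Dismissed/fixed alerts are skipped; ties are broken by the lowest alert
    number (oldest first) so the choice is deterministic across runs."""
    candidates = [a for a in alerts if a["state"] == "open" and a["number"] not in handled]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda a: (
            SEVERITY_RANK.get(a["rule"].get("security_severity_level"), len(SEVERITY_RANK)),
            a["number"],
        ),
    )


def run_once(alerts, handled):
    """One scheduled run: pick an alert, then record it so later runs skip it.
    Returns (selected alert number or None, updated handled set)."""
    chosen = select_alert(alerts, handled)
    if chosen is not None:
        handled = handled | {chosen["number"]}
    return (chosen["number"] if chosen else None), handled


if __name__ == "__main__":
    handled = set()  # stands in for the cache-memory file the workflow persists between runs
    for _ in range(5):
        picked, handled = run_once(SAMPLE_ALERTS, handled)
        print("selected:", picked, "handled so far:", sorted(handled))
```

Across five simulated runs the selection order is 9 (critical), 7 and 12 (high, oldest first), 15 (no security severity), then nothing, which is the one-alert-per-run, no-duplicates behaviour the comment describes.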

Adds a new workflow that automatically identifies and fixes GitHub code
scanning (CodeQL) security alerts, creating pull requests with targeted
remediations. The workflow processes one alert per run (highest severity
first), uses cache memory to avoid duplicate fixes, and is fully
language-agnostic.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>