Phase 1 — Consistency Check

✅ All workflows/*.md files have matching docs/*.md entries.
✅ All docs pages are listed in README.md.
✅ No style inconsistencies or typos found.

Phase 2 — New Workflow: Code Scanning Fixer

Source

Adapted from code-scanning-fixer.md in Peli's Agent Factory.

Merge Rate

Not yet documented in the blog series (newer workflow), but closely related to the Daily Malicious Code Scan workflow family with strong practical value.

Why It's Valuable

Repositories that use GitHub code scanning (CodeQL or third-party scanners) accumulate security alerts over time. Manually triaging and fixing these alerts is tedious and often deprioritized. This workflow:

• Automatically analyzes open code scanning alerts, selecting the highest-severity unfixed one each run
• Generates a fix using AI, understanding the vulnerability context and applying a targeted, minimal code change
• Creates a PR with a clear description of the vulnerability, what was changed, and why
• Tracks state via cache memory so each alert is addressed once and not duplicated across runs
• Works with any language and any code scanning tool (CodeQL, SAST scanners, etc.)

Generalization Plan

The original workflow was adapted as follows:

• Replaced hardcoded owner="githubnext" and repo="gh-aw" with $\{\{ github.repository_owner }} and $\{\{ github.event.repository.name }} context variables
• Removed repo-memory campaigns section (internal gh-aw tracking mechanism)
• Removed campaign-specific labels (agentic-campaign, z_campaign_security-alert-burndown)
• Added weekly schedule trigger (original was manual-only)
• Retained the core logic: cache check → list alerts → select by severity → analyze → fix → PR → update cache

Proposed Name

code-scanning-fixer — clear, direct, matches the original name in gh-aw

Changes:

• workflows/code-scanning-fixer.md — new workflow file
• docs/code-scanning-fixer.md — new documentation page
• README.md — added entry to Security Workflows section

Generated by Daily Repo Goal Achiever · ◷