From 07bd51469e9961f16e00d2a5c2ecea97693652cd Mon Sep 17 00:00:00 2001 From: ShenShuo137 <13722929179@139.com> Date: Sun, 9 Nov 2025 15:50:21 +0800 Subject: [PATCH 1/3] ceshi --- test.py | 352 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 352 insertions(+) create mode 100644 test.py diff --git a/test.py b/test.py new file mode 100644 index 0000000..5ac4102 --- /dev/null +++ b/test.py @@ -0,0 +1,352 @@ +""" +用户管理系统 - 包含多种代码质量问题的测试文件 +用于验证智能代码审查工具的检测能力 +""" + +import sqlite3 +import hashlib +import smtplib +from email.mime.text import MIMEText + + +class UserManager: + """ + 用户管理类 + 警告:此代码包含故意设计的安全漏洞和代码质量问题,仅用于教学演示! + """ + + def __init__(self): + # 🔴 问题1: 硬编码数据库凭证 (CWE-798) + self.db_host = "localhost" + self.db_user = "root" + self.db_password = "Admin@123456" # 硬编码密码 + self.db_name = "user_db" + + # 🔴 问题2: 硬编码API密钥 + self.api_key = "sk-1234567890abcdef1234567890abcdef" + + # 🔴 问题3: 硬编码邮箱密码 + self.email_password = "MyEmailPass123" + + self.connection = self._connect_db() + + def _connect_db(self): + """连接数据库""" + conn = sqlite3.connect(f"{self.db_name}.db") + return conn + + # ==================== 认证相关方法 ==================== + + def login(self, username, password): + """ + 用户登录 + 🔴 问题4: SQL注入漏洞 (CWE-89) - Critical + """ + # 直接拼接SQL,未使用参数化查询 + query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'" + + cursor = self.connection.cursor() + result = cursor.execute(query).fetchall() + + if result: + return {"status": "success", "user": result[0]} + else: + return {"status": "failed"} + + def register(self, username, password, email): + """ + 用户注册 + 🔴 问题5: SQL注入漏洞 (CWE-89) + """ + # 同样的SQL注入问题 + query = f"INSERT INTO users (username, password, email) VALUES ('{username}', '{password}', '{email}')" + + cursor = self.connection.cursor() + cursor.execute(query) + self.connection.commit() + + return {"status": "success", "message": "User registered"} + + def authenticate_user(self, token): + """ + 验证用户token + 🔴 问题6: SQL注入漏洞 + """ + query = f"SELECT * FROM users WHERE token='{token}'" + cursor = self.connection.cursor() + return cursor.execute(query).fetchone() + + def reset_password(self, username, new_password): + """ + 重置密码 + 🔴 问题7: SQL注入 + 明文存储密码 + """ + query = f"UPDATE users SET password='{new_password}' WHERE username='{username}'" + cursor = self.connection.cursor() + cursor.execute(query) + self.connection.commit() + + # ==================== 通知相关方法 ==================== + + def send_welcome_email(self, user_email, username): + """ + 发送欢迎邮件 + 🔴 问题8: XSS漏洞 (CWE-79) - 如果用于Web + """ + # 未转义用户输入,直接插入HTML + html_content = f""" + + +

Welcome {username}!

+

Your email is: {user_email}

+ + + """ + + # 发送邮件的代码(简化版) + msg = MIMEText(html_content, 'html') + msg['Subject'] = 'Welcome!' + msg['From'] = 'admin@example.com' + msg['To'] = user_email + + # 实际不会真的发送 + return html_content + + def display_user_profile(self, user_input): + """ + 显示用户资料 + 🔴 问题9: XSS漏洞 (CWE-79) + """ + # 未对用户输入进行HTML转义 + html = f"

{user_input}

" + return html + + def send_notification(self, user_id, message): + """ + 发送通知 + 🔴 问题10: XSS漏洞 + """ + # 从数据库获取用户信息(含SQL注入风险) + query = f"SELECT email FROM users WHERE id={user_id}" + cursor = self.connection.cursor() + result = cursor.execute(query).fetchone() + + if result: + email = result[0] + # 未转义message + html_message = f"

Notification: {message}

" + # 发送邮件... + return html_message + + # ==================== 计算相关方法 ==================== + + def calculate_user_discount(self, user_type, amount): + """ + 计算用户折扣 + 🔴 问题11: 代码重复 (与calculate_user_tax类似) + """ + if user_type == "VIP": + discount = amount * 0.2 + elif user_type == "Premium": + discount = amount * 0.15 + elif user_type == "Regular": + discount = amount * 0.1 + elif user_type == "New": + discount = amount * 0.05 + else: + discount = 0 + + final_amount = amount - discount + return final_amount + + def calculate_user_tax(self, user_type, amount): + """ + 计算用户税费 + 🔴 问题12: 代码重复 (逻辑与calculate_user_discount几乎相同) + """ + if user_type == "VIP": + tax = amount * 0.15 + elif user_type == "Premium": + tax = amount * 0.18 + elif user_type == "Regular": + tax = amount * 0.20 + elif user_type == "New": + tax = amount * 0.22 + else: + tax = amount * 0.25 + + final_amount = amount + tax + return final_amount + + def calculate_shipping_fee(self, user_type, distance): + """ + 计算运费 + 🔴 问题13: 重复的条件判断模式 + """ + if user_type == "VIP": + fee = distance * 0.5 + elif user_type == "Premium": + fee = distance * 0.7 + elif user_type == "Regular": + fee = distance * 1.0 + elif user_type == "New": + fee = distance * 1.2 + else: + fee = distance * 1.5 + + return fee + + # ==================== 报表相关方法 ==================== + + def generate_user_report(self, user_id): + """ + 生成用户报表 + 🔴 问题14: SQL注入 + 过长方法 + 高复杂度 + """ + # SQL注入风险 + query = f"SELECT * FROM users WHERE id={user_id}" + cursor = self.connection.cursor() + user_data = cursor.execute(query).fetchone() + + if not user_data: + return None + + # 复杂的报表生成逻辑(圈复杂度高) + report = {} + + if user_data[3] == "VIP": + report['level'] = 'VIP' + report['discount'] = 20 + if user_data[4] > 10000: + report['bonus'] = 'Gold Badge' + if user_data[5] > 50: + report['extra'] = 'Free Shipping' + else: + report['extra'] = 'Priority Support' + else: + report['bonus'] = 'Silver Badge' + elif user_data[3] == "Premium": + report['level'] = 'Premium' + report['discount'] = 15 + if user_data[4] > 5000: + report['bonus'] = 'Silver Badge' + else: + report['bonus'] = 'Bronze Badge' + else: + report['level'] = 'Regular' + report['discount'] = 10 + + # 更多复杂的判断... + if user_data[6] == True: + report['verified'] = 'Yes' + if user_data[7] > 100: + report['trust_score'] = 'High' + else: + report['trust_score'] = 'Medium' + else: + report['verified'] = 'No' + report['trust_score'] = 'Low' + + return report + + def export_users_to_csv(self, filename): + """ + 导出用户到CSV + 🔴 问题15: 路径遍历漏洞 (CWE-22) + """ + # 未验证filename,可能导致路径遍历 + query = "SELECT * FROM users" + cursor = self.connection.cursor() + users = cursor.execute(query).fetchall() + + # 直接使用用户提供的文件名 + with open(filename, 'w') as f: + for user in users: + f.write(str(user) + '\n') + + # ==================== 管理相关方法 ==================== + + def delete_user(self, user_id): + """ + 删除用户 + 🔴 问题16: SQL注入 + """ + query = f"DELETE FROM users WHERE id={user_id}" + cursor = self.connection.cursor() + cursor.execute(query) + self.connection.commit() + + def search_users(self, keyword): + """ + 搜索用户 + 🔴 问题17: SQL注入 + """ + # LIKE查询也存在注入风险 + query = f"SELECT * FROM users WHERE username LIKE '%{keyword}%'" + cursor = self.connection.cursor() + return cursor.execute(query).fetchall() + + def update_user_role(self, username, new_role): + """ + 更新用户角色 + 🔴 问题18: SQL注入 + 权限控制缺失 + """ + query = f"UPDATE users SET role='{new_role}' WHERE username='{username}'" + cursor = self.connection.cursor() + cursor.execute(query) + self.connection.commit() + + # ==================== 统计相关方法 ==================== + + def get_user_statistics(self): + """ + 获取用户统计 + 🔴 问题19: 方法过长 + 复杂度高 + """ + stats = {} + + # 统计总用户数 + cursor = self.connection.cursor() + total_users = cursor.execute("SELECT COUNT(*) FROM users").fetchone()[0] + stats['total'] = total_users + + # 统计各类型用户 + vip_count = cursor.execute("SELECT COUNT(*) FROM users WHERE type='VIP'").fetchone()[0] + premium_count = cursor.execute("SELECT COUNT(*) FROM users WHERE type='Premium'").fetchone()[0] + regular_count = cursor.execute("SELECT COUNT(*) FROM users WHERE type='Regular'").fetchone()[0] + + stats['vip'] = vip_count + stats['premium'] = premium_count + stats['regular'] = regular_count + + # 计算百分比 + if total_users > 0: + stats['vip_percent'] = (vip_count / total_users) * 100 + stats['premium_percent'] = (premium_count / total_users) * 100 + stats['regular_percent'] = (regular_count / total_users) * 100 + + # 统计活跃用户 + active_users = cursor.execute("SELECT COUNT(*) FROM users WHERE active=1").fetchone()[0] + stats['active'] = active_users + + if total_users > 0: + stats['active_rate'] = (active_users / total_users) * 100 + + return stats + + +# 🔴 问题20: 在模块级别执行危险操作 +if __name__ == "__main__": + # 创建实例时就暴露了凭证 + manager = UserManager() + + # 测试用例(演示如何被攻击) + # 攻击示例1: SQL注入 + malicious_input = "admin' OR '1'='1" + result = manager.login(malicious_input, "anything") + print(result) + + # 攻击示例2: XSS + xss_payload = "" + html = manager.display_user_profile(xss_payload) + print(html) \ No newline at end of file From 582893dcff8243b3b80a96f58ba0be4c8c3bdfb9 Mon Sep 17 00:00:00 2001 From: ShenShuo137 <13722929179@139.com> Date: Sun, 9 Nov 2025 15:54:20 +0800 Subject: [PATCH 2/3] =?UTF-8?q?=E5=B7=A5=E4=BD=9C=E6=B5=81=E4=BF=AE?= =?UTF-8?q?=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/review.yml | 292 ++--------------------------------- 1 file changed, 16 insertions(+), 276 deletions(-) diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml index 7424e55..f9f3526 100644 --- a/.github/workflows/review.yml +++ b/.github/workflows/review.yml @@ -1,293 +1,33 @@ -name: 智能代码审查 (PR-Agent + CodeQL) +# 简化版工作流(保留核心功能) +name: 智能代码审查 on: pull_request: - types: [opened, reopened, ready_for_review, synchronize] - issue_comment: - types: [created, edited] - -permissions: - contents: read - pull-requests: write - issues: write - security-events: write # 新增:CodeQL 需要这个权限 + types: [opened, synchronize] jobs: - # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - # Job 1: PR-Agent (AI 智能审查) - # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - pr_agent_job: - if: ${{ github.event.sender.type != 'Bot' }} - + # Job 1: AI审查(使用你的GPT API key) + pr_agent: runs-on: ubuntu-latest - name: 🤖 AI智能审查 (GLM-4-Plus) - steps: - name: PR Agent action step id: pragent - uses: Codium-ai/pr-agent@main + - uses: Codium-ai/pr-agent@main env: - # ═══════════════════════════════════════════════════ - # 基础配置 - # ═══════════════════════════════════════════════════ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - # 智谱API配置 - OPENAI_KEY: ${{ secrets.GPT_API_KEY }} - OPENAI.API_BASE: "https://api.chatanywhere.tech/v1" - - # ═══════════════════════════════════════════════════ - # 模型配置 - # ═══════════════════════════════════════════════════ - config.model: "gpt-4o" - config.fallback_models: '["gpt-4o-mini", "gpt-3.5-turbo"]' - config.custom_model_max_tokens: "128000" + OPENAI_KEY: ${{ secrets.GPT_API_KEY }} # 你的第三方key + OPENAI.API_BASE: "https://api.chatanywhere.tech/v1" # 第三方API地址 + config.model: "gpt-4o" # 或gpt-4 config.language: "zh" - - # ═══════════════════════════════════════════════════ - # ⭐ 关键配置:启用自动工具 - # ═══════════════════════════════════════════════════ github_action_config.auto_review: "true" - github_action_config.auto_describe: "true" - github_action_config.auto_improve: "true" - - # ⭐ 关键配置:指定触发事件(必须包含 synchronize) - github_action_config.pr_actions: '["opened", "reopened", "ready_for_review", "synchronize"]' - - # ═══════════════════════════════════════════════════ - # PR审查配置 - # ═══════════════════════════════════════════════════ - pr_reviewer.require_score_review: "true" - pr_reviewer.require_tests_review: "true" - pr_reviewer.require_security_review: "true" - pr_reviewer.require_estimate_effort_to_review: "true" - pr_reviewer.inline_code_comments: "true" - pr_reviewer.num_code_suggestions: "4" - - pr_reviewer.extra_instructions: >- - 请用中文进行详细代码审查,重点关注: - 1. 安全漏洞(SQL注入、XSS、CSRF、硬编码密钥、敏感信息泄露) - 2. 性能问题(N+1查询、算法复杂度、内存泄漏) - 3. 代码质量(命名规范、重复代码、函数复杂度) - 4. 最佳实践(类型注解、错误处理、日志记录、文档) - 5. 测试覆盖(单元测试、边界条件、错误场景) - - # ═══════════════════════════════════════════════════ - # PR描述配置 - # ═══════════════════════════════════════════════════ - pr_description.publish_description: "true" - pr_description.publish_labels: "true" - pr_description.enable_ai_summary: "true" - pr_description.extra_instructions: >- - 请用中文生成PR描述,包括:主要变更、影响范围、测试方法、风险评估 - - # ═══════════════════════════════════════════════════ - # 代码改进建议配置 - # ═══════════════════════════════════════════════════ - pr_code_suggestions.num_code_suggestions: "5" - pr_code_suggestions.extra_instructions: >- - 请用中文提供具体改进建议,包含问题说明、修复代码、改进理由、影响评估 - - - name: ✅ AI审查完成 - if: success() - run: | - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "✅ PR-Agent 智能审查完成!" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "🤖 使用模型: 智谱 GLM-4-Plus" - echo "🌐 审查语言: 中文" - echo "📊 查看PR评论获取详细审查结果" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "💬 可用命令:" - echo " /review - 重新审查代码" - echo " /describe - 生成PR描述" - echo " /improve - 获取改进建议" - echo " /ask <问题> - 询问关于代码的问题" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - - - name: ❌ AI审查失败处理 - if: failure() - run: | - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "❌ PR-Agent 审查失败" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "🔍 常见问题排查:" - echo "1. 检查 Settings → Secrets → ZHIPU_API_KEY" - echo "2. 访问 https://open.bigmodel.cn/ 查看余额" - echo "3. 查看上方日志获取详细错误" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - - # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - # Job 2: CodeQL (安全扫描) ⭐ 新增的部分 - # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - codeql_analysis: - # ⭐ 只在 PR 事件时运行(避免 issue_comment 时重复运行) - if: github.event_name == 'pull_request' - + + # Job 2: 安全扫描 + codeql: runs-on: ubuntu-latest - name: 🔍 安全扫描 (CodeQL) - - # ⭐ 多语言支持(如果项目包含多种语言) - strategy: - fail-fast: false - matrix: - language: ['python'] - # 如果项目有其他语言,添加到这里: - # language: ['python', 'javascript', 'java'] - steps: - # ═══════════════════════════════════════════════════ - # 步骤1: 检出代码 - # ═══════════════════════════════════════════════════ - - name: 检出代码 - uses: actions/checkout@v4 - - # ═══════════════════════════════════════════════════ - # 步骤2: 初始化 CodeQL(完全自动,无需配置) - # ═══════════════════════════════════════════════════ - - name: 初始化 CodeQL - uses: github/codeql-action/init@v3 + - uses: actions/checkout@v4 + - uses: github/codeql-action/init@v3 with: - languages: ${{ matrix.language }} - - # ⭐ 使用扩展查询集(包含更多安全规则) + languages: ['python'] queries: +security-and-quality - - # ⭐ 可选:自定义查询配置 - # config-file: ./.github/codeql/codeql-config.yml - - # ═══════════════════════════════════════════════════ - # 步骤3: 自动构建(Python 会自动跳过,Java 需要构建) - # ═══════════════════════════════════════════════════ - - name: 自动构建 - uses: github/codeql-action/autobuild@v3 - - # ═══════════════════════════════════════════════════ - # 步骤4: 执行 CodeQL 分析 - # ═══════════════════════════════════════════════════ - - name: 执行 CodeQL 分析 - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{ matrix.language }}" - # ✅ 结果会自动上传到 Security → Code scanning alerts - - - name: ✅ 安全扫描完成 - if: success() - run: | - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "✅ CodeQL 安全扫描完成!" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "🔍 扫描范围:" - echo " • SQL 注入漏洞" - echo " • XSS 跨站脚本" - echo " • 路径遍历攻击" - echo " • 命令注入" - echo " • 硬编码密钥" - echo " • 资源泄露" - echo " • 不安全的反序列化" - echo "" - echo "📊 查看结果:" - echo " • Security → Code scanning alerts" - echo " • Pull request → Files changed (代码行标注)" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - - - name: ❌ 安全扫描失败处理 - if: failure() - run: | - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "❌ CodeQL 扫描失败" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "🔍 可能的原因:" - echo "1. 代码语法错误" - echo "2. 依赖项缺失(Java 项目)" - echo "3. 构建失败" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - - # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - # Job 3: 审查总结 ⭐ 可选:生成综合报告 - # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - review_summary: - # ⭐ 等待前两个 job 完成后运行 - needs: [pr_agent_job, codeql_analysis] - - # ⭐ 即使某个 job 失败也运行 - if: always() && github.event_name == 'pull_request' - - runs-on: ubuntu-latest - name: 📊 审查总结 - - steps: - - name: 生成综合报告 - run: | - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "🎯 代码审查流程已完成" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "✅ 已完成的审查:" - echo "" - echo "┌────────────────────────────────────────────────────────┐" - echo "│ 1️⃣ PR-Agent (AI 智能审查) │" - echo "│ │" - echo "│ 🤖 技术:大语言模型 (GLM-4-Plus) │" - echo "│ 🎯 优势:理解业务逻辑、上下文推理 │" - echo "│ 📍 查看:PR 评论区 │" - echo "│ │" - echo "│ 擅长发现: │" - echo "│ • 业务逻辑错误 │" - echo "│ • 架构设计问题 │" - echo "│ • 代码可读性问题 │" - echo "│ • 最佳实践偏离 │" - echo "└────────────────────────────────────────────────────────┘" - echo "" - echo "┌────────────────────────────────────────────────────────┐" - echo "│ 2️⃣ CodeQL (深度安全扫描) │" - echo "│ │" - echo "│ 🔍 技术:语义代码分析 + 数据流追踪 │" - echo "│ 🎯 优势:精确的漏洞定位、零误报 │" - echo "│ 📍 查看:Security → Code scanning alerts │" - echo "│ │" - echo "│ 擅长发现: │" - echo "│ • SQL 注入 (CWE-89) │" - echo "│ • XSS 攻击 (CWE-79) │" - echo "│ • 路径遍历 (CWE-22) │" - echo "│ • 命令注入 (CWE-78) │" - echo "│ • 资源泄露 (CWE-772) │" - echo "└────────────────────────────────────────────────────────┘" - echo "" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "📖 下一步行动:" - echo "" - echo "1. 查看 PR 评论中的 AI 审查建议" - echo "2. 检查 Security 标签中的安全告警" - echo "3. 优先修复标记为 'Critical' 或 'High' 的问题" - echo "4. 推送修复后会自动重新审查" - echo "" - echo "💡 提示:两个工具互补使用,覆盖更全面!" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - - - name: 检查审查状态 - run: | - PR_AGENT_STATUS="${{ needs.pr_agent_job.result }}" - CODEQL_STATUS="${{ needs.codeql_analysis.result }}" - - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "📊 审查状态统计" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - - if [ "$PR_AGENT_STATUS" == "success" ]; then - echo "✅ PR-Agent: 成功" - else - echo "❌ PR-Agent: 失败 ($PR_AGENT_STATUS)" - fi - - if [ "$CODEQL_STATUS" == "success" ]; then - echo "✅ CodeQL: 成功" - else - echo "❌ CodeQL: 失败 ($CODEQL_STATUS)" - fi - - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" \ No newline at end of file + - uses: github/codeql-action/analyze@v3 \ No newline at end of file From 98c082ad592c862b4986ccae701e05fef6dbe100 Mon Sep 17 00:00:00 2001 From: ShenShuo137 <13722929179@139.com> Date: Sun, 9 Nov 2025 15:57:13 +0800 Subject: [PATCH 3/3] =?UTF-8?q?=E5=9F=BA=E6=9C=AC=E5=B7=A5=E4=BD=9C?= =?UTF-8?q?=E6=B5=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/review.yml | 204 ++++++++++++++++++++++++++++++++--- 1 file changed, 188 insertions(+), 16 deletions(-) diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml index f9f3526..bcba54a 100644 --- a/.github/workflows/review.yml +++ b/.github/workflows/review.yml @@ -1,33 +1,205 @@ -# 简化版工作流(保留核心功能) -name: 智能代码审查 +name: 智能代码审查 (PR-Agent + CodeQL) on: pull_request: - types: [opened, synchronize] + types: [opened, reopened, ready_for_review, synchronize] + issue_comment: + types: [created, edited] + +permissions: + contents: read + pull-requests: write + issues: write + security-events: write # 新增:CodeQL 需要这个权限 jobs: - # Job 1: AI审查(使用你的GPT API key) - pr_agent: + # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + # Job 1: PR-Agent (AI 智能审查) + # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + pr_agent_job: + if: ${{ github.event.sender.type != 'Bot' }} + runs-on: ubuntu-latest + name: 🤖 AI智能审查 (GLM-4-Plus) + steps: - name: PR Agent action step id: pragent - - uses: Codium-ai/pr-agent@main + uses: Codium-ai/pr-agent@main env: + # ═══════════════════════════════════════════════════ + # 基础配置 + # ═══════════════════════════════════════════════════ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - OPENAI_KEY: ${{ secrets.GPT_API_KEY }} # 你的第三方key - OPENAI.API_BASE: "https://api.chatanywhere.tech/v1" # 第三方API地址 - config.model: "gpt-4o" # 或gpt-4 + + # 智谱API配置 + OPENAI_KEY: ${{ secrets.GPT_API_KEY }} + OPENAI.API_BASE: "https://api.chatanywhere.tech/v1" + + # ═══════════════════════════════════════════════════ + # 模型配置 + # ═══════════════════════════════════════════════════ + config.model: "gpt-4o" + config.fallback_models: '["gpt-4o-mini", "gpt-3.5-turbo"]' + config.custom_model_max_tokens: "128000" config.language: "zh" + + # ═══════════════════════════════════════════════════ + # ⭐ 关键配置:启用自动工具 + # ═══════════════════════════════════════════════════ github_action_config.auto_review: "true" - - # Job 2: 安全扫描 - codeql: + github_action_config.auto_describe: "true" + github_action_config.auto_improve: "true" + + # ⭐ 关键配置:指定触发事件(必须包含 synchronize) + github_action_config.pr_actions: '["opened", "reopened", "ready_for_review", "synchronize"]' + + # ═══════════════════════════════════════════════════ + # PR审查配置 + # ═══════════════════════════════════════════════════ + pr_reviewer.require_score_review: "true" + pr_reviewer.require_tests_review: "true" + pr_reviewer.require_security_review: "true" + pr_reviewer.require_estimate_effort_to_review: "true" + pr_reviewer.inline_code_comments: "true" + pr_reviewer.num_code_suggestions: "4" + + pr_reviewer.extra_instructions: >- + 请用中文进行详细代码审查 + + # ═══════════════════════════════════════════════════ + # PR描述配置 + # ═══════════════════════════════════════════════════ + pr_description.publish_description: "true" + pr_description.publish_labels: "true" + pr_description.enable_ai_summary: "true" + pr_description.extra_instructions: >- + 请用中文生成PR描述 + + # ═══════════════════════════════════════════════════ + # 代码改进建议配置 + # ═══════════════════════════════════════════════════ + pr_code_suggestions.num_code_suggestions: "5" + pr_code_suggestions.extra_instructions: >- + 请用中文提供具体改进建议 + + - name: ✅ AI审查完成 + if: success() + run: | + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "✅ PR-Agent 智能审查完成!" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "🤖 使用模型: 智谱 GLM-4-Plus" + echo "🌐 审查语言: 中文" + echo "📊 查看PR评论获取详细审查结果" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "" + echo "💬 可用命令:" + echo " /review - 重新审查代码" + echo " /describe - 生成PR描述" + echo " /improve - 获取改进建议" + echo " /ask <问题> - 询问关于代码的问题" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + + - name: ❌ AI审查失败处理 + if: failure() + run: | + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "❌ PR-Agent 审查失败" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "" + echo "🔍 常见问题排查:" + echo "1. 检查 Settings → Secrets → ZHIPU_API_KEY" + echo "2. 访问 https://open.bigmodel.cn/ 查看余额" + echo "3. 查看上方日志获取详细错误" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + + # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + # Job 2: CodeQL (安全扫描) ⭐ 新增的部分 + # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + codeql_analysis: + # ⭐ 只在 PR 事件时运行(避免 issue_comment 时重复运行) + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + name: 🔍 安全扫描 (CodeQL) + + # ⭐ 多语言支持(如果项目包含多种语言) + strategy: + fail-fast: false + matrix: + language: ['python'] + # 如果项目有其他语言,添加到这里: + # language: ['python', 'javascript', 'java'] + steps: - - uses: actions/checkout@v4 - - uses: github/codeql-action/init@v3 + # ═══════════════════════════════════════════════════ + # 步骤1: 检出代码 + # ═══════════════════════════════════════════════════ + - name: 检出代码 + uses: actions/checkout@v4 + + # ═══════════════════════════════════════════════════ + # 步骤2: 初始化 CodeQL(完全自动,无需配置) + # ═══════════════════════════════════════════════════ + - name: 初始化 CodeQL + uses: github/codeql-action/init@v3 with: - languages: ['python'] + languages: ${{ matrix.language }} + + # ⭐ 使用扩展查询集(包含更多安全规则) queries: +security-and-quality - - uses: github/codeql-action/analyze@v3 \ No newline at end of file + + # ⭐ 可选:自定义查询配置 + # config-file: ./.github/codeql/codeql-config.yml + + # ═══════════════════════════════════════════════════ + # 步骤3: 自动构建(Python 会自动跳过,Java 需要构建) + # ═══════════════════════════════════════════════════ + - name: 自动构建 + uses: github/codeql-action/autobuild@v3 + + # ═══════════════════════════════════════════════════ + # 步骤4: 执行 CodeQL 分析 + # ═══════════════════════════════════════════════════ + - name: 执行 CodeQL 分析 + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" + # ✅ 结果会自动上传到 Security → Code scanning alerts + + - name: ✅ 安全扫描完成 + if: success() + run: | + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "✅ CodeQL 安全扫描完成!" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "" + echo "🔍 扫描范围:" + echo " • SQL 注入漏洞" + echo " • XSS 跨站脚本" + echo " • 路径遍历攻击" + echo " • 命令注入" + echo " • 硬编码密钥" + echo " • 资源泄露" + echo " • 不安全的反序列化" + echo "" + echo "📊 查看结果:" + echo " • Security → Code scanning alerts" + echo " • Pull request → Files changed (代码行标注)" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + + - name: ❌ 安全扫描失败处理 + if: failure() + run: | + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "❌ CodeQL 扫描失败" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "" + echo "🔍 可能的原因:" + echo "1. 代码语法错误" + echo "2. 依赖项缺失(Java 项目)" + echo "3. 构建失败" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + + \ No newline at end of file