Merge branch 'gemini-cli-extensions:main' into main

jajanet · web-flow · commit 690c9e0ae17d · 2025-10-21T22:19:39.000Z
diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml
@@ -0,0 +1,188 @@
+name: '🔎 Gemini Review & Security Analysis'
+
+on:
+  pull_request:
+    types:
+      - 'opened'
+  issue_comment:
+    types:
+      - 'created'
+
+concurrency:
+  group: '${{ github.workflow }}-review-${{ github.event_name }}-${{ github.event.pull_request.number || github.event.issue.number }}'
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: 'bash'
+
+jobs:
+  review:
+    if: |
+      (github.event_name == 'pull_request' && github.event.action == 'opened') ||
+      (github.event_name == 'issue_comment' && github.event.comment.body == '@gemini-cli /review')
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 15
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+      issues: 'write'
+      pull-requests: 'write'
+    steps:
+      - name: 'Mint identity token'
+        id: 'mint_identity_token'
+        if: |-
+          ${{ vars.APP_ID }}
+        uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b' # ratchet:actions/create-github-app-token@v2
+        with:
+          app-id: '${{ vars.APP_ID }}'
+          private-key: '${{ secrets.APP_PRIVATE_KEY }}'
+          permission-contents: 'read'
+          permission-issues: 'write'
+          permission-pull-requests: 'write'
+    
+      - name: 'Acknowledge request'
+        env:
+          GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}'
+          ISSUE_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
+          MESSAGE: |-
+            🤖 Hi @${{ github.actor }}, I've received your request, and I'm working on it now! You can track my progress [in the logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details.
+          REPOSITORY: '${{ github.repository }}'
+        run: |-
+          gh issue comment "${ISSUE_NUMBER}" \
+            --body "${MESSAGE}" \
+            --repo "${REPOSITORY}"
+
+      - name: 'Checkout repository'
+        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+
+      - name: 'Run Gemini pull request review'
+        uses: 'google-github-actions/run-gemini-cli@main' # ratchet:exclude
+        id: 'gemini_pr_review'
+        env:
+          GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}'
+          ISSUE_TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}'
+          ISSUE_BODY: '${{ github.event.pull_request.body || github.event.issue.body }}'
+          PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
+          REPOSITORY: '${{ github.repository }}'
+        with:
+          gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+          gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+          gcp_service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+          gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
+          gemini_api_key: '${{ secrets.GEMINI_API_KEY }}'
+          gemini_cli_version: '${{ vars.GEMINI_CLI_VERSION }}'
+          gemini_debug: '${{ fromJSON(vars.DEBUG || vars.ACTIONS_STEP_DEBUG || false) }}'
+          gemini_model: '${{ vars.GEMINI_MODEL }}'
+          google_api_key: '${{ secrets.GOOGLE_API_KEY }}'
+          use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}'
+          use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
+          settings: |-
+            {
+              "model": {
+                "maxSessionTurns": 25
+              },
+              "telemetry": {
+                "enabled": ${{ vars.GOOGLE_CLOUD_PROJECT != '' }},
+                "target": "gcp"
+              },
+              "mcpServers": {
+                "github": {
+                  "command": "docker",
+                  "args": [
+                    "run",
+                    "-i",
+                    "--rm",
+                    "-e",
+                    "GITHUB_PERSONAL_ACCESS_TOKEN",
+                    "ghcr.io/github/github-mcp-server"
+                  ],
+                  "includeTools": [
+                    "add_comment_to_pending_review",
+                    "create_pending_pull_request_review",
+                    "pull_request_read",
+                    "submit_pending_pull_request_review"
+                  ],
+                  "env": {
+                    "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
+                  }
+                }
+              },
+              "tools": {
+                "core": [
+                  "run_shell_command(cat)",
+                  "run_shell_command(echo)",
+                  "run_shell_command(grep)",
+                  "run_shell_command(head)",
+                  "run_shell_command(tail)"
+                ]
+              }
+            }
+          prompt: '/gemini-review'
+      - name: 'Run Gemini security analysis review'
+        uses: 'google-github-actions/run-gemini-cli@main' # ratchet:exclude
+        id: 'gemini_security_analysis'
+        env:
+          GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}'
+          ISSUE_TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}'
+          ISSUE_BODY: '${{ github.event.pull_request.body || github.event.issue.body }}'
+          PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
+          REPOSITORY: '${{ github.repository }}'
+        with:
+          gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+          gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+          gcp_service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+          gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
+          gemini_api_key: '${{ secrets.GEMINI_API_KEY }}'
+          gemini_cli_version: '${{ vars.GEMINI_CLI_VERSION }}'
+          gemini_debug: '${{ fromJSON(vars.DEBUG || vars.ACTIONS_STEP_DEBUG || false) }}'
+          gemini_model: '${{ vars.GEMINI_MODEL }}'
+          google_api_key: '${{ secrets.GOOGLE_API_KEY }}'
+          use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}'
+          use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
+          extensions: |
+            [
+              "https://github.com/gemini-cli-extensions/security.git"
+            ]
+          settings: |-
+            {
+              "model": {
+                "maxSessionTurns": 100
+              },
+              "telemetry": {
+                "enabled": ${{ vars.GOOGLE_CLOUD_PROJECT != '' }},
+                "target": "gcp"
+              },
+              "mcpServers": {
+                "github": {
+                  "command": "docker",
+                  "args": [
+                    "run",
+                    "-i",
+                    "--rm",
+                    "-e",
+                    "GITHUB_PERSONAL_ACCESS_TOKEN",
+                    "ghcr.io/github/github-mcp-server"
+                  ],
+                  "includeTools": [
+                    "add_comment_to_pending_review",
+                    "create_pending_pull_request_review",
+                    "pull_request_read",
+                    "submit_pending_pull_request_review"
+                  ],
+                  "env": {
+                    "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
+                  }
+                }
+              },
+              "tools": {
+                "core": [
+                  "run_shell_command(cat)",
+                  "run_shell_command(echo)",
+                  "run_shell_command(grep)",
+                  "run_shell_command(head)",
+                  "run_shell_command(tail)"
+                ]
+              }
+            }
+          prompt: '/security:analyze-github-pr'
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,4 @@
+.env
+
 dist/
-node_modules/
+node_modules/
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "0.2.0"
+  ".": "0.3.0"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,33 @@
 # Changelog
 
+## [0.3.0](https://github.com/gemini-cli-extensions/security/compare/v0.2.0...v0.3.0) (2025-10-20)
+
+
+### Features
+
+* add  folder to contain artifacts ([e03b2c6](https://github.com/gemini-cli-extensions/security/commit/e03b2c60d7b0ca3256533125175f43c9758236ce))
+* add folder to contain security artifacts ([2fe3588](https://github.com/gemini-cli-extensions/security/commit/2fe35888d5cff981c88ef31fae3daf39c6a695ef))
+* Add preamble to security scan to make confirms user's decision to use command or manual security auditing ([67658d5](https://github.com/gemini-cli-extensions/security/commit/67658d587472be8283bc5aa00864429786bd1500))
+* **GHA workflows:** Add run-gemini-cli GHA workflows to repo PR's ([facc88b](https://github.com/gemini-cli-extensions/security/commit/facc88be48db43b3b8482ff6a6d19d34fd0513e1))
+* **GitHub Action:** Add /security:github-pr command for use with run-gemini-cli GitHub Action ([59db0ad](https://github.com/gemini-cli-extensions/security/commit/59db0add3f6aee54821570725f1c33859c24bc4d))
+
+
+### Bug Fixes
+
+* Diff issues were due to non remote repositories, support local changes by defulating to ([53a52c6](https://github.com/gemini-cli-extensions/security/commit/53a52c650c07575a18840b5b357eb80d8941c304))
+* **GHA:** Gemini-review MCP calls and prompt changes ([6d2d20f](https://github.com/gemini-cli-extensions/security/commit/6d2d20f070e034a90fdb7b6369b600f71d539430))
+* **GHA:** Gemini-review MCP calls and prompt changes ([ad93687](https://github.com/gemini-cli-extensions/security/commit/ad936878615d772cf00e17eb9e24d2c813e37a61))
+* **GHA:** Update github-mcp-server calls ([2c1e176](https://github.com/gemini-cli-extensions/security/commit/2c1e176bebee987e6beba630b7d1409a14f4f76f))
+* nit white space and revert deletion prompt to only affect temp files ([9d64b30](https://github.com/gemini-cli-extensions/security/commit/9d64b307eec2946b2f155a062febefae1c7f03bb))
+* phrasing and whitespace ([4fb13d6](https://github.com/gemini-cli-extensions/security/commit/4fb13d651822619d1f442bdd4226d81ec9ec4bac))
+* remove additional test causing gemini cli to try to run a command ([2caa615](https://github.com/gemini-cli-extensions/security/commit/2caa615f2f4563034ecc92842fec7583dbd102d1))
+* suggest user to run commands themselves, since gemini cli cannot correctly run it's own commands. ([caafd73](https://github.com/gemini-cli-extensions/security/commit/caafd7399b3ddae851f701885a74468a55a36424))
+* suggest user to run commands themselves, since gemini cli cannot… ([96f84f9](https://github.com/gemini-cli-extensions/security/commit/96f84f95d327482f4c5d8ddc267ea3f271aebcdb))
+* use  to store line number mappings in the MCP server ([#91](https://github.com/gemini-cli-extensions/security/issues/91)) ([909c901](https://github.com/gemini-cli-extensions/security/commit/909c901fd0a9b181b13a6462d50de7ca5acf4a5e))
+* Use a command available on all platforms to generate a file diff ([21fc350](https://github.com/gemini-cli-extensions/security/commit/21fc35037b22b7acf51e7c78a5eb233d2f02cff3))
+* Use a command available on all platforms to generate a file diff ([f1fca9b](https://github.com/gemini-cli-extensions/security/commit/f1fca9bd98bef7f10f957701d5ca4fd69c9f2e9c))
+* whitespace at end fo file ([4257532](https://github.com/gemini-cli-extensions/security/commit/4257532aaa734171bfcf083deba8472c6e8453a7))
+
 ## [0.2.0](https://github.com/gemini-cli-extensions/security/compare/v0.1.0...v0.2.0) (2025-10-07)
 
 
diff --git a/GEMINI.md b/GEMINI.md
@@ -25,7 +25,7 @@ You are a highly skilled senior security and privacy engineer. You are meticulou
    2. **Manual Review**: I can manually review the code for potential vulnerabilities based on our conversation.
 ```
 *   Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own.
-*   During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`)
+*   During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace.
 
 ## Skillset: SAST Vulnerability Analysis
 
diff --git a/README.md b/README.md
@@ -39,7 +39,23 @@ By default, the `/security:analyze` command determines the scope of the analysis
 
 ## GitHub Integration
 
-Coming soon!
+### I already use [run-gemini-cli](https://github.com/google-github-actions/run-gemini-cli) workflows in my repository:
+
+* Replace your existing `gemini-review.yml` with this [updated workflow](https://github.com/gemini-cli-extensions/security/blob/main/.github/workflows/gemini-review.yml), which includes the new Security Analysis step.
+
+### I don't use [run-gemini-cli](https://github.com/google-github-actions/run-gemini-cli) workflows in my repository yet:
+
+1. Integrate the Gemini CLI Security Extension into your GitHub workflow to analyze incoming code:
+
+2. Follow Steps 1-3 in this [Quick Start](https://github.com/google-github-actions/run-gemini-cli?tab=readme-ov-file#quick-start).
+
+3. Create a `.github/workflows` directory in your repository's root (if it doesn't already exist).
+
+4. Copy this [Example Workflow](https://github.com/gemini-cli-extensions/security/blob/main/.github/workflows/gemini-review.yml) into the `.github/workflows` directory. See the run-gemini-cli [configuration](https://github.com/google-github-actions/run-gemini-cli?tab=readme-ov-file#configuration) to make changes to the workflow.
+
+5. Ensure the new workflow file is committed and pushed to GitHub.
+
+6. Open a new pull request, or comment `@gemini-cli /review` on an existing PR, to run the Gemini CLI Code Review along with Security Analysis.
 
 ## Benchmark
 
diff --git a/commands/security/analyze-github-pr.toml b/commands/security/analyze-github-pr.toml
@@ -1,5 +1,6 @@
 description = "Only to be used with the run-gemini-cli GitHub Action. Analyzes code changes on a GitHub PR for common security vulnerabilities"
-prompt = """You are a highly skilled senior security analyst. You operate within a secure GitHub Actions environment. Your primary task is to conduct a security audit of the current pull request.
+prompt = """
+You are a highly skilled senior security analyst. You operate within a secure GitHub Actions environment. Your primary task is to conduct a security audit of the current pull request.
 Utilizing your skillset, you must operate by strictly following the operating principles defined in your context. 
 
 
@@ -108,12 +109,12 @@ You will now begin executing the plan. The following are your precise instructio
 1.  **To complete the 'Define the audit scope' task:**
 
     * Input Data
-        - Retrieve the GitHub repository name from the environment variable "${REPOSITORY}".
-        - Retrieve the GitHub pull request number from the environment variable "${PULL_REQUEST_NUMBER}".
-        - Retrieve the additional user instructions and context from the environment variable "${ADDITIONAL_CONTEXT}".
-        - Use `mcp__github__get_pull_request` to get the title, body, and metadata about the pull request.
-        - Use `mcp__github__get_pull_request_files` to get the list of files that were added, removed, and changed in the pull request.
-        - Use `mcp__github__get_pull_request_diff` to get the diff from the pull request. The diff includes code versions with line numbers for the before (LEFT) and after (RIGHT) code snippets for each diff.
+        - **GitHub Repository**: !{echo $REPOSITORY}
+        - **Pull Request Number**: !{echo $PULL_REQUEST_NUMBER}
+        - **Additional User Instructions**: !{echo $ADDITIONAL_CONTEXT}
+        - Use `pull_request_read.get` to get the title, body, and metadata about the pull request.
+        - Use `pull_request_read.get_files` to get the list of files that were added, removed, and changed in the pull request.
+        - Use `pull_request_read.get_diff` to get the diff from the pull request. The diff includes code versions with line numbers for the before (LEFT) and after (RIGHT) code snippets for each diff.
 
     *   Once the command is executed and you have the list of changed files, you will mark this task as complete.
 
@@ -129,9 +130,9 @@ After completing these two initial tasks, continue executing the dynamically gen
 
     After your **Core Operational Loop** is completed, report the final report back to GitHub: 
 
-    3.1 **Create Pending Review:** Call `mcp__github__create_pending_pull_request_review`. Ignore errors like "can only have one pending review per pull request" and proceed to the next step.
+    3.1 **Create Pending Review:** Call `create_pending_pull_request_review`. Ignore errors like "can only have one pending review per pull request" and proceed to the next step.
 
-    3.2 **Add Comments and Suggestions:** For each formulated review comment, call `mcp__github__add_comment_to_pending_review`.
+    3.2 **Add Comments and Suggestions:** For each formulated review comment, call `add_comment_to_pending_review`.
 
         2a. When there is a code suggestion (preferred), structure the comment payload using this exact template:
 
@@ -149,7 +150,7 @@ After completing these two initial tasks, continue executing the dynamically gen
             {{SEVERITY}} {{COMMENT_TEXT}}
             </COMMENT>
 
-    3.3 **Submit Final Review:** Call `mcp__github__submit_pending_pull_request_review` with a summary comment. **DO NOT** approve the pull request. **DO NOT** request changes. The summary comment **MUST** use this exact markdown format:
+    3.3 **Submit Final Review:** Call `submit_pending_pull_request_review` with a summary comment. **DO NOT** approve the pull request. **DO NOT** request changes. The summary comment **MUST** use this exact markdown format:
 
         <SUMMARY>
         ## 📋 Security Analysis Summary
@@ -162,4 +163,5 @@ After completing these two initial tasks, continue executing the dynamically gen
         - Keep this section concise and do not repeat details already covered in inline comments.
         </SUMMARY>
 
-Proceed with the Initial Planning Phase now."""
+Proceed with the Initial Planning Phase now.
+"""
diff --git a/commands/security/analyze.toml b/commands/security/analyze.toml
diff --git a/gemini-extension.json b/gemini-extension.json
diff --git a/mcp-server/src/security.ts b/mcp-server/src/security.ts

-Original file line number
+Diff line change
@@ @@ -1,2 +1,4 @@ @@
 +.env
++
 dist/
 -node_modules/
 +node_modules/
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`{`
`2`		`- ".": "0.2.0"`
	`2`	`+ ".": "0.3.0"`
`3`	`3`	`}`