ai-saas-guard ships as a composite GitHub Action for pull request and code scanning workflows.
Use zr9959/ai-saas-guard@v0 for the latest compatible pre-1.0 Action. Use a specific tag such as v0.29.0 or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
The Action runs the same local scanner inside the GitHub-hosted runner. It reads the checked-out repository, does not call an LLM, and does not upload source code. For pr-risk, always use actions/checkout with fetch-depth: 0 so the base branch comparison is available.
Use this when you want one PR job to act as the launch-risk middle layer: Markdown goes to $GITHUB_STEP_SUMMARY for reviewers, while SARIF goes to GitHub code scanning for alert tracking. This is not an AI reviewer and it does not approve a PR; it translates trust-boundary changes into a reviewer queue.
```yaml
name: ai-saas-guard-pr-launch-gate
on:
  pull_request:
permissions:
  contents: read
  security-events: write
jobs:
  launch-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          fetch-depth: 0
      - uses: zr9959/ai-saas-guard@v0
        with:
          command: pr-risk
          root: ${{ github.workspace }}
          base: origin/main
          config: .ai-saas-guard.json
          format: markdown
          output: ai-saas-guard-pr.md
      - run: cat ai-saas-guard-pr.md >> "$GITHUB_STEP_SUMMARY"
      - uses: zr9959/ai-saas-guard@v0
        with:
          command: scan
          root: ${{ github.workspace }}
          config: .ai-saas-guard.json
          format: sarif
          output: ai-saas-guard.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ai-saas-guard.sarif
```

Use markdown when reviewers need a short, evidence-first launch decision queue: risky files, required verification, reviewer checklist, ranking explanation, and suggested PR split.
```yaml
name: ai-saas-guard-pr-summary
on:
  pull_request:
permissions:
  contents: read
jobs:
  pr-summary:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          fetch-depth: 0
      - uses: zr9959/ai-saas-guard@v0
        with:
          command: pr-risk
          root: ${{ github.workspace }}
          base: origin/main
          config: .ai-saas-guard.json
          format: markdown
          output: ai-saas-guard-pr.md
      - run: cat ai-saas-guard-pr.md >> "$GITHUB_STEP_SUMMARY"
```

Use markdown for PR review triage. It is intentionally short enough for a GitHub step summary or a PR comment created by your own workflow. It does not require a hosted service. The report keeps the middle-layer contract explicit: it translates trust-boundary changes into human review questions, not an automatic approval.
The Action auto-loads .ai-saas-guard.json from root when the file exists. Use the config input when the policy file lives somewhere else or when you want the workflow to be explicit:
```yaml
- uses: zr9959/ai-saas-guard@v0
  with:
    command: scan
    root: ${{ github.workspace }}
    config: .ai-saas-guard.json
    fail-on: none
```

Project config can disable noisy rules, override severity by rule ID, apply path-specific suppressions, and set a default failOn threshold. A workflow fail-on input overrides the config threshold for that run.
Use check-actions when you want the Action to inspect workflow hygiene that directly affects AI-built SaaS launch readiness: broad permissions, stale PR runs, docs-only full CI, missing fail-fast secret checks, shallow pr-risk checkouts, and unpinned Action refs.
```yaml
- uses: zr9959/ai-saas-guard@v0
  with:
    command: check-actions
    root: ${{ github.workspace }}
    fail-on: high
```

This is intentionally narrow. It does not replace actionlint, zizmor, Scorecard, or a CI cost dashboard.
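The hygiene checks listed above can be illustrated with a small line-based lint. The following Python is an added example, not the Action's own check-actions implementation: its rule names, its severities, and the pinning policy it applies (a bare major tag such as @v0 counts as floating, any other tag is mutable but lower severity, only a 40-character commit SHA is immutable) are this example's assumptions. It inspects a constructed workflow that mirrors the shapes shown on this page and applies a threshold the way the fail-on input is described, so that a "high" threshold fails the run and "none" never does.

```python
import re
from typing import Dict, List

# Constructed sample workflow for this example (not from the project). It is
# modelled on the shapes shown on this page but deliberately omits the
# permissions block and the fetch-depth: 0 checkout so the checks have
# something to report.
SAMPLE_WORKFLOW = """\
name: sample-pr-gate
on:
  pull_request:
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: zr9959/ai-saas-guard@v0
        with:
          command: pr-risk
          root: ${{ github.workspace }}
          base: origin/main
"""

# Severity order used by this example's should_fail(); an assumption, not the
# Action's documented scale.
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FLOATING_MAJOR_RE = re.compile(r"^v\d+$")


def classify_ref(ref: str) -> str:
    """Classify a `uses:` ref: immutable commit SHA, floating major tag, or other tag."""
    if SHA_RE.match(ref):
        return "sha"
    if FLOATING_MAJOR_RE.match(ref):
        return "floating-major"
    return "tag"


def check_workflow(text: str) -> List[Dict[str, str]]:
    """Run three line-based hygiene checks over one workflow file's text."""
    findings: List[Dict[str, str]] = []
    lines = text.splitlines()

    # Check 1: a top-level permissions block. Without it GITHUB_TOKEN gets the
    # repository default, which is usually broader than a scanner job needs.
    if not any(line.startswith("permissions:") for line in lines):
        findings.append({"rule": "missing-permissions", "severity": "high",
                         "detail": "no top-level permissions: block"})

    # Check 2: how each action ref is pinned.
    for lineno, line in enumerate(lines, 1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.groups()
        kind = classify_ref(ref)
        if kind == "floating-major":
            findings.append({"rule": "floating-action-ref", "severity": "high",
                             "detail": f"line {lineno}: {action}@{ref} follows a moving major tag"})
        elif kind == "tag":
            findings.append({"rule": "mutable-action-ref", "severity": "low",
                             "detail": f"line {lineno}: {action}@{ref} is a tag, not a commit SHA"})

    # Check 3: pr-risk compares against the base branch, so the checkout must
    # not be shallow (the page requires fetch-depth: 0 for it).
    runs_pr_risk = re.search(r"^\s*command:\s*pr-risk\s*$", text, re.M) is not None
    full_checkout = re.search(r"^\s*fetch-depth:\s*0\s*$", text, re.M) is not None
    if runs_pr_risk and not full_checkout:
        findings.append({"rule": "shallow-pr-risk-checkout", "severity": "high",
                         "detail": "command: pr-risk without actions/checkout fetch-depth: 0"})
    return findings


def should_fail(findings: List[Dict[str, str]], threshold: str) -> bool:
    """Mirror a fail-on input: 'none' never fails; otherwise fail at or above the threshold."""
    if threshold == "none":
        return False
    return any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold] for f in findings)


if __name__ == "__main__":
    results = check_workflow(SAMPLE_WORKFLOW)
    for finding in results:
        print(f"{finding['severity']:<6} {finding['rule']:<26} {finding['detail']}")
    print("fail-on high ->", should_fail(results, "high"))
```

Run against the constructed workflow it reports four findings: the missing permissions block, the tag-pinned checkout, the floating @v0 ref, and the shallow checkout under a pr-risk step; with `fail-on: high` the job would fail, with `fail-on: none` it would only report.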
Use SARIF when you want findings to appear in GitHub code scanning alerts.
```yaml
name: ai-saas-guard-sarif
on:
  pull_request:
permissions:
  contents: read
  security-events: write
jobs:
  code-scanning:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: zr9959/ai-saas-guard@v0
        with:
          command: scan
          root: ${{ github.workspace }}
          format: sarif
          output: ai-saas-guard.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ai-saas-guard.sarif
```

Use SARIF for tracking alerts over time. Use markdown for reviewer guidance on a specific PR. Many teams should run both: markdown for launch decision queues, SARIF for code scanning visibility.
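The markdown and SARIF workflows differ only in how the same findings are presented. As an added example, not part of the Action or its documentation, the following Python reads a SARIF 2.1.0 document in the shape upload-sarif ingests (runs[].results[] with ruleId, level, message and locations[].physicalLocation) and renders it as a step-summary table, which is the bridge between the two outputs described above. The SARIF content is constructed here; the rule IDs, paths and messages are made up and are not the scanner's real rules. It also handles two details that trip up hand-written consumers: a result without a level defaults to "warning" in SARIF, and a result without any location is kept and rendered with a placeholder rather than silently dropped (code scanning itself needs a location to display a result, so such rows are worth noticing).

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed SARIF 2.1.0 document for this example (not real scanner output).
# Rule IDs, paths and messages are made up; only the structure matters.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EXAMPLE-001", "shortDescription": {"text": "Auth check removed"}},
            {"id": "EXAMPLE-002", "shortDescription": {"text": "Secret-like literal"}},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-001", "level": "error",
             "message": {"text": "Route handler no longer calls the session check"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/api/orders.ts"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EXAMPLE-002", "level": "warning",
             "message": {"text": "High-entropy string assigned to API_KEY"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.ts"},
                 "region": {"startLine": 7}}}]},
            # No level and no location: SARIF defaults the level to "warning",
            # and the missing location must not make the row disappear.
            {"ruleId": "EXAMPLE-002",
             "message": {"text": "Possible credential in a test fixture"}},
        ],
    }],
})

# SARIF result levels, least to most severe.
SARIF_LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}


def load_results(sarif_text: str) -> List[Dict[str, object]]:
    """Flatten every run's results into {rule, level, uri, line, message} rows."""
    doc = json.loads(sarif_text)
    rows: List[Dict[str, object]] = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # Only the first location is used, as code scanning does.
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            rows.append({
                "rule": result.get("ruleId", "<no rule>"),
                "level": result.get("level", "warning"),  # SARIF default
                "uri": loc.get("artifactLocation", {}).get("uri", "<no file>"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": result.get("message", {}).get("text", ""),
            })
    return rows


def count_levels(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """Number of results per SARIF level."""
    return dict(Counter(str(r["level"]) for r in rows))


def highest_level(rows: List[Dict[str, object]]) -> str:
    """Most severe level present, or 'none' for an empty result set."""
    return max((str(r["level"]) for r in rows), key=SARIF_LEVELS.__getitem__, default="none")


def render_markdown(rows: List[Dict[str, object]]) -> str:
    """Render the rows as a step-summary table, most severe first."""
    ordered = sorted(rows, key=lambda r: (-SARIF_LEVELS[str(r["level"])], str(r["uri"]), int(r["line"])))
    lines = ["| Level | Rule | Location | Message |", "|---|---|---|---|"]
    for r in ordered:
        lines.append(f"| {r['level']} | {r['rule']} | {r['uri']}:{r['line']} | {r['message']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = load_results(SAMPLE_SARIF)
    print(count_levels(rows), "highest:", highest_level(rows))
    print(render_markdown(rows))
```

Appending `render_markdown(...)` to `$GITHUB_STEP_SUMMARY` gives reviewers the same rows that code scanning tracks as alerts; `highest_level` is the value a gating step would compare against a threshold.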