diff --git a/.github/workflows/free-tier-ai.yml b/.github/workflows/free-tier-ai.yml new file mode 100644 index 0000000..b9a8f3f --- /dev/null +++ b/.github/workflows/free-tier-ai.yml 
@@ -0,0 +1,145 @@ +name: Free Tier AI Analysis + +on: + pull_request: + types: [opened, synchronize] + issues: + types: [opened, labeled] + workflow_dispatch: + +permissions: + contents: read + pull-requests: write + issues: write + +jobs: + # Groq - 14,400 requests/day FREE (Llama 3, Mixtral) + groq-analysis: + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get diff + id: diff + run: | + git diff origin/${{ github.base_ref }}...HEAD > /tmp/diff.txt + head -c 30000 /tmp/diff.txt > /tmp/diff_truncated.txt + + - name: Groq Analysis + if: env.GROQ_API_KEY != '' + env: + GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }} + run: | + # Groq is FAST and FREE (14,400 req/day) + DIFF=$(cat /tmp/diff_truncated.txt | jq -Rs .) + + curl -s https://api.groq.com/openai/v1/chat/completions \ + -H "Authorization: Bearer $GROQ_API_KEY" \ + -H "Content-Type: application/json" \ + -d "{ + \"model\": \"llama-3.3-70b-versatile\", + \"messages\": [{ + \"role\": \"user\", + \"content\": \"Review this diff for security issues, bugs, and code smells. Be very concise. Output as: SECURITY: x issues, BUGS: x issues, SMELLS: x issues. 
Then list critical items only.\n\nDiff:\n${DIFF}\" + }], + \"temperature\": 0.1, + \"max_tokens\": 500 + }" | jq -r '.choices[0].message.content' > /tmp/groq_review.txt + + cat /tmp/groq_review.txt + + # Mistral - Free tier available + mistral-analysis: + if: github.event_name == 'pull_request' && vars.MISTRAL_API_KEY != '' + runs-on: ubuntu-latest + continue-on-error: true + steps: + - uses: actions/checkout@v4 + - name: Mistral Code Review + env: + MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }} + run: | + echo "Mistral analysis would run here" + # Similar pattern to Groq + + # Cohere - 1000 req/month free (good for classification) + cohere-classify: + if: github.event_name == 'issues' + runs-on: ubuntu-latest + continue-on-error: true + steps: + - name: Classify Issue + if: env.COHERE_API_KEY != '' + env: + COHERE_API_KEY: ${{ secrets.COHERE_API_KEY }} + run: | + # Use Cohere to classify issue type/priority + TITLE="${{ github.event.issue.title }}" + BODY="${{ github.event.issue.body }}" + + curl -s https://api.cohere.ai/v1/classify \ + -H "Authorization: Bearer $COHERE_API_KEY" \ + -H "Content-Type: application/json" \ + -d "{ + \"inputs\": [\"$TITLE\"], + \"examples\": [ + {\"text\": \"App crashes on login\", \"label\": \"bug\"}, + {\"text\": \"Add dark mode\", \"label\": \"feature\"}, + {\"text\": \"SQL injection in auth\", \"label\": \"security\"}, + {\"text\": \"Slow page load\", \"label\": \"performance\"} + ] + }" | jq '.classifications[0].prediction' + + # Cloudflare Workers AI - 10,000 neurons/day FREE + cloudflare-ai: + if: github.event_name == 'pull_request' && vars.CF_ACCOUNT_ID != '' + runs-on: ubuntu-latest + continue-on-error: true + steps: + - name: Cloudflare AI Analysis + env: + CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }} + CF_ACCOUNT_ID: ${{ vars.CF_ACCOUNT_ID }} + run: | + # Cloudflare Workers AI - runs at the edge + echo "Cloudflare AI analysis would run here" + # @cf/meta/llama-3-8b-instruct is free + + # Aggregate results and create summary 
+ aggregate: + needs: [groq-analysis] + if: always() && github.event_name == 'pull_request' + runs-on: ubuntu-latest + steps: + - name: Create Summary + uses: actions/github-script@v7 + with: + script: | + const summary = `## πŸ€– Free Tier AI Analysis + + Multiple AI services analyzed this PR: + + | Service | Status | Free Tier | + |---------|--------|-----------| + | Groq (Llama 3) | ${{ needs.groq-analysis.result }} | 14,400 req/day | + | Mistral | skipped | 1M tokens/month | + | Cohere | skipped | 1000 req/month | + | Cloudflare AI | skipped | 10K neurons/day | + + --- + _Add API keys to your fork secrets to enable more services._ + _All analysis runs on contributor's free tier allowance._ + `; + + // Only comment if at least one analysis ran + if ('${{ needs.groq-analysis.result }}' !== 'skipped') { + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + body: summary + }); + } diff --git a/.github/workflows/free-tier-scanners.yml b/.github/workflows/free-tier-scanners.yml new file mode 100644 index 0000000..08759df --- /dev/null +++ b/.github/workflows/free-tier-scanners.yml 
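Review bot: The `cohere-classify` step interpolates `${{ github.event.issue.title }}` and `${{ github.event.issue.body }}` directly into the `run:` script (`TITLE="${{ ... }}"`), so anyone who can open an issue controls shell text executed on a runner that holds `COHERE_API_KEY` and an `issues: write` token; a closing quote followed by a command in the title is enough. Pass event fields through the step's `env:` block and reference them as `"$ISSUE_TITLE"`, and build the request body with `jq -n --arg` instead of splicing the raw title into the `-d` string, which also stops a title containing `"` from producing malformed JSON. `BODY` is assigned but never used, and the Groq review written to `/tmp/groq_review.txt` is only echoed to the log, so the PR comment posted by `aggregate` carries only a status table and none of the findings. For pull requests from forks, secrets are empty and `GITHUB_TOKEN` is read-only, yet `groq-analysis` still completes as `success` (only its step is skipped), so the `createComment` call in `aggregate` will presumably fail with 403 rather than be skipped.

```yaml
      - name: Classify Issue
        if: env.COHERE_API_KEY != ''
        env:
          COHERE_API_KEY: ${{ secrets.COHERE_API_KEY }}
          # Untrusted event data goes through env, never into the run: text
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          # jq builds the payload so the title is JSON-escaped, not shell-expanded
          PAYLOAD=$(jq -n --arg title "$ISSUE_TITLE" '{
            inputs: [$title],
            examples: [
              {text: "App crashes on login", label: "bug"},
              {text: "Add dark mode", label: "feature"},
              {text: "SQL injection in auth", label: "security"},
              {text: "Slow page load", label: "performance"}
            ]
          }')
          curl -s https://api.cohere.ai/v1/classify \
            -H "Authorization: Bearer $COHERE_API_KEY" \
            -H "Content-Type: application/json" \
            -d "$PAYLOAD" | jq '.classifications[0].prediction'
```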
@@ -0,0 +1,163 @@ +name: Free Tier Security Scanners + +on: + push: + branches: [dev, main] + pull_request: + branches: [dev, main] + schedule: + - cron: '0 6 * * 1' # Weekly Monday 6am + +permissions: + contents: read + security-events: write + pull-requests: write + +jobs: + # Semgrep - FREE, powerful SAST + semgrep: + runs-on: ubuntu-latest + container: + image: semgrep/semgrep + steps: + - uses: actions/checkout@v4 + + - name: Semgrep Scan + run: | + semgrep scan --config auto --sarif --output semgrep.sarif || true + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: semgrep.sarif + if: always() + continue-on-error: true + + # Trivy - FREE container/IaC scanner + trivy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Trivy Vulnerability Scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + format: 'sarif' + output: 'trivy.sarif' + severity: 'CRITICAL,HIGH' + continue-on-error: true + + - name: Upload Trivy SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: trivy.sarif + if: always() + continue-on-error: true + + # Gitleaks - FREE secret scanner + gitleaks: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Gitleaks Scan + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + continue-on-error: true + + # OSV-Scanner - FREE vulnerability DB from Google + osv-scanner: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: OSV Scanner + uses: google/osv-scanner-action@v1 + with: + scan-args: |- + --recursive + --format=sarif + --output=osv.sarif + . 
+ continue-on-error: true + + - name: Upload OSV SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: osv.sarif + if: always() + continue-on-error: true + + # Checkov - FREE IaC scanner + checkov: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Checkov Scan + uses: bridgecrewio/checkov-action@v12 + with: + directory: . + framework: all + output_format: sarif + output_file_path: checkov.sarif + continue-on-error: true + + - name: Upload Checkov SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: checkov.sarif + if: always() + continue-on-error: true + + # Aggregate all findings for core CLI to consume + aggregate-findings: + needs: [semgrep, trivy, gitleaks, osv-scanner, checkov] + if: always() + runs-on: ubuntu-latest + steps: + - name: Summary + run: | + echo "## πŸ” Security Scan Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| Scanner | Status | Free Tier |" >> $GITHUB_STEP_SUMMARY + echo "|---------|--------|-----------|" >> $GITHUB_STEP_SUMMARY + echo "| Semgrep | ${{ needs.semgrep.result }} | Unlimited |" >> $GITHUB_STEP_SUMMARY + echo "| Trivy | ${{ needs.trivy.result }} | Unlimited |" >> $GITHUB_STEP_SUMMARY + echo "| Gitleaks | ${{ needs.gitleaks.result }} | Unlimited |" >> $GITHUB_STEP_SUMMARY + echo "| OSV-Scanner | ${{ needs.osv-scanner.result }} | Unlimited |" >> $GITHUB_STEP_SUMMARY + echo "| Checkov | ${{ needs.checkov.result }} | Unlimited |" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Results uploaded to GitHub Security tab." >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "_All scanners are 100% free. 
No API keys needed._" >> $GITHUB_STEP_SUMMARY + + - name: Create findings artifact for core CLI + run: | + # Create JSON summary for core CLI to consume + cat > findings.json << 'FINDINGS' + { + "timestamp": "${{ github.event.head_commit.timestamp }}", + "commit": "${{ github.sha }}", + "scanners": { + "semgrep": "${{ needs.semgrep.result }}", + "trivy": "${{ needs.trivy.result }}", + "gitleaks": "${{ needs.gitleaks.result }}", + "osv": "${{ needs.osv-scanner.result }}", + "checkov": "${{ needs.checkov.result }}" + }, + "security_tab": "https://github.com/${{ github.repository }}/security/code-scanning" + } + FINDINGS + cat findings.json + + - uses: actions/upload-artifact@v4 + with: + name: security-findings + path: findings.json + retention-days: 30 diff --git a/doc/free-tier-services.md b/doc/free-tier-services.md new file mode 100644 index 0000000..93cc8cf --- /dev/null +++ b/doc/free-tier-services.md 
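Review bot: `aquasecurity/trivy-action@master` runs whatever that branch currently points at, so a compromised or force-pushed upstream executes arbitrary code in this workflow with `security-events: write`; every other action here is at least pinned to a major tag, and for a security workflow a full commit SHA pin (`uses: aquasecurity/trivy-action@<40-hex-sha> # vX.Y.Z`, with Dependabot keeping it current) is the safer baseline for all of them. `pull-requests: write` is granted at the top but no step in this file reads or modifies a pull request, so it can be dropped to keep the token least-privilege. `github.event.head_commit.timestamp` is only present on `push` payloads, so on the `pull_request` and `schedule` triggers the `timestamp` field in `findings.json` will be an empty string; capturing the time in the shell (assigned before the heredoc, since its delimiter is quoted) is more reliable. With `continue-on-error: true` on every scanner step the job is always green, which may be intended for a free-tier baseline, but it means a Gitleaks hit on a push to `main` is only visible to someone who opens the Security tab.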
@@ -0,0 +1,131 @@ +# Free Tier Services Integration + +All these services provide free input that `core` CLI can monitor and feed into the Agentic system. + +## AI/LLM APIs + +| Service | Free Tier | Use Case | +|---------|-----------|----------| +| **Gemini 2.0** | 1500 req/day, 1M tokens/min | Code review, analysis | +| **Groq** | 14,400 req/day (Llama/Mixtral) | Fast inference, triage | +| **Mistral** | 1M tokens/month | Code generation | +| **Cohere** | 1000 req/month | Embeddings, classification | +| **Together.ai** | $5 free credit | Multi-model access | +| **Cloudflare AI** | 10,000 neurons/day | Edge inference | +| **Hugging Face** | Rate limited free | Open models | +| **Fireworks.ai** | 600 req/min free | Fast inference | +| **Cerebras** | Free tier | Ultra-fast inference | +| **SambaNova** | Free tier | Enterprise models | + +## Code Analysis (All Free for Public Repos) + +| Service | Provides | GitHub Integration | +|---------|----------|-------------------| +| **CodeQL** | Security vulnerabilities | Native | +| **Snyk** | Deps + code vulnerabilities | βœ… App | +| **SonarCloud** | Code quality + bugs | βœ… App | +| **Codacy** | Code quality + patterns | βœ… App | +| **DeepSource** | Code health + autofix | βœ… App | +| **CodeClimate** | Maintainability | βœ… App | +| **Semgrep** | SAST + custom rules | βœ… Action | +| **GitGuardian** | Secret detection | βœ… App | +| **Socket.dev** | Supply chain security | βœ… App | +| **Aikido Security** | Full security suite | βœ… App | +| **Qodana** | JetBrains code analysis | βœ… Action | +| **Trunk.io** | Meta-linter (50+ tools) | βœ… App | + +## Dependency Management (Free) + +| Service | Features | +|---------|----------| +| **Dependabot** | Auto-update PRs | +| **Renovate** | Smart dependency updates | +| **Socket.dev** | Malicious package detection | +| **Snyk** | Vulnerability database | +| **deps.dev** | Google's dep analysis | + +## CI/CD Free Tiers + +| Service | Free Allowance | 
+|---------|----------------| +| **GitHub Actions** | 2000 min/month | +| **CircleCI** | 6000 min/month | +| **GitLab CI** | 400 min/month | +| **Travis CI** | Unlimited for OSS | +| **Buildkite** | Free for OSS | +| **Semaphore** | 1300 min/month | +| **Buddy** | 5 projects free | + +## Testing & Coverage (Free for OSS) + +| Service | Features | +|---------|----------| +| **Codecov** | Coverage reports | +| **Coveralls** | Coverage tracking | +| **Percy** | Visual regression | +| **Chromatic** | Storybook visual tests | +| **BrowserStack** | Free for OSS | +| **LambdaTest** | Free tier | + +## Error & Performance (Free Tiers) + +| Service | Free Tier | +|---------|-----------| +| **Sentry** | 5K errors/month | +| **LogRocket** | 1K sessions/month | +| **Highlight.io** | 500 sessions/month | +| **Grafana Cloud** | 10K metrics | +| **Datadog** | 1 host free | + +## AI Code Assistants (Free/OSS) + +| Service | Access | +|---------|--------| +| **GitHub Copilot** | Free for OSS maintainers | +| **Jules** | Free with Copilot | +| **Amazon Q** | Free tier | +| **Codeium** | Free forever | +| **Tabnine** | Free tier | +| **Cursor** | Free tier | +| **Cody (Sourcegraph)** | Free tier | +| **Continue.dev** | Free, open source | + +## Data Flow Architecture + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ FREE TIER SERVICES β”‚ +β”‚ β”‚ +β”‚ Snyk ─────┐ β”‚ +β”‚ SonarCloud── β”‚ +β”‚ CodeQL ────┼──→ GitHub Checks API ──→ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ Semgrep ──── β”‚ β”‚ β”‚ +β”‚ DeepSourceβ”€β”˜ β”‚ core monitor β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ Gemini ────┐ β”‚ Watches for: β”‚ β”‚ +β”‚ Groq ──────┼──→ PR Comments ─────────→│ - Check failuresβ”‚ β”‚ +β”‚ Mistral β”€β”€β”€β”˜ β”‚ - Vulnerabilitiesβ”‚ +β”‚ β”‚ - Code smells β”‚ β”‚ +β”‚ Dependabot─┐ β”‚ - PR reviews β”‚ β”‚ +β”‚ Renovate 
──┼──→ PRs/Issues ──────────→│ - New deps β”‚ β”‚ +β”‚ Socket.devβ”€β”˜ β”‚ β”‚ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + β”‚ + β–Ό + β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” + β”‚ core CLI β”‚ + β”‚ β”‚ + β”‚ Aggregates + filters β”‚ + β”‚ Creates actionable β”‚ + β”‚ tasks β”‚ + β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + β”‚ + β–Ό + β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” + β”‚ Host UK Agentic API β”‚ + β”‚ β”‚ + β”‚ - Task queue β”‚ + β”‚ - Agent assignment β”‚ + β”‚ - Verification flow β”‚ + β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +```