Risk Flagger Workflow

The Risk Flagger workflow analyzes code changes for security risks that require security team investigation. Unlike traditional vulnerability scanners, this workflow focuses on identifying changes that could introduce security risks, making it ideal for pull request analysis and change management.

Overview

  • Workflow ID: risk_flagger
  • Primary Use Case: Risk assessment of code changes and pull requests
  • Output: Risk findings and optional GitHub notifications
  • Required Mode: Must use --diff mode

Common Use Cases

1. Pull Request Security Gate

# Automated PR analysis with team notification
fraim run risk_flagger --location . --diff \
  --pr-url https://github.com/owner/repo/pull/123 \
  --approver security-team \
  --confidence 7

2. Custom Risk Categories

# Organization-specific risk assessment
fraim run risk_flagger --location . --diff \
  --custom-risk-list-filepath ./org-risks.yaml \
  --custom-false-positive-considerations \
    "Ignore test files in /tests/" \
    "Skip demo applications"

3. Release Branch Analysis

# Analyze changes between releases
fraim run risk_flagger --location . --diff \
  --base v1.0.0 \
  --head v1.1.0 \
  --confidence 6

4. Pre-Commit Risk Assessment

# Local risk check before committing
fraim run risk_flagger --location . --diff \
  --confidence 8

Workflow-Specific Options

Required Options

--diff

Required: The risk flagger workflow must run in diff mode.
fraim run risk_flagger --location . --diff

GitHub Integration Options

--pr-url <URL>

URL of the pull request to analyze for GitHub integration.
fraim run risk_flagger --location . --diff \
  --pr-url https://github.com/owner/repo/pull/123

--approver <USERNAME>

GitHub username or team to notify when risks are found.
fraim run risk_flagger --location . --diff \
  --pr-url https://github.com/owner/repo/pull/123 \
  --approver security-team

--should-block-pull-request <BOOLEAN> (GitHub Action only)

Whether to block the pull request until security review is complete. Available only when using the GitHub Action. Default: false
# In GitHub Action workflow_args
"should-block-pull-request": true

Customization Options

--custom-risk-list-action <append|replace>

How to handle custom risk lists. Default: append
# Add custom risks to default list
fraim run risk_flagger --location . --diff \
  --custom-risk-list-action append

# Replace default risks with custom ones
fraim run risk_flagger --location . --diff \
  --custom-risk-list-action replace

--custom-risk-list-filepath <PATH>

Path to JSON/YAML file containing additional risks.
fraim run risk_flagger --location . --diff \
  --custom-risk-list-filepath ./custom-risks.yaml
Example custom-risks.yaml:
"API Endpoint Changes": "Changes to API endpoints that handle sensitive data should be reviewed by the security team"
"Payment Processing": "Any changes to payment processing logic require security review"
"User Data Handling": "Modifications to user data processing need privacy team approval"

--custom-risk-list-json <JSON>

JSON string containing additional risks.
fraim run risk_flagger --location . --diff \
  --custom-risk-list-json '{"Custom Risk": "Description of the risk"}'

--custom-false-positive-considerations <LIST>

Additional considerations to reduce false positives.
fraim run risk_flagger --location . --diff \
  --custom-false-positive-considerations \
    "Ignore test files" \
    "Consider demo code as low risk" \
    "Skip configuration templates"

GitHub Actions

Prerequisites: To use the Risk Flagger workflow with GitHub Actions, you need to create a Personal Access Token with the appropriate permissions, because the default GitHub Actions token does not have permission to create status checks or to request reviewers. Use the tool below to generate a personalized token creation URL for your repository. Pass the token to the action as github-token (GH_TOKEN in the example below), separate from the anthropic-api-key secret.
name: Risk Assessment
on:
  pull_request:
    branches: [dev]
  pull_request_review:
    types: [submitted]

jobs:
  risk-assessment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      
      - name: Run Fraim Risk Flagger Scan
        id: fraim-scan
        uses: fraim-dev/fraim-action@8d763963b80e2551c7ec3f5bdbd77bad6ce7658c
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          workflow: risk_flagger
          workflow_args: |
            {
              "approver": "security",
              "should-block-pull-request": true,
              "custom-risk-list-json": {
                "Change Protection": "All changes to sensitive_data.py should be flagged.",
                "API Changes": "Any modifications to API endpoints require security review."
              },
              "custom-risk-list-action": "replace",
              "chunk-size": 5000,
              "confidence": 7
            }
          github-token: ${{ secrets.GH_TOKEN }}

Available workflow_args

| Argument | Type | Default | Description |
|---|---|---|---|
| confidence | integer (1-10) | 7 | Minimum confidence threshold for filtering findings |
| chunk-size | integer | 500 | Number of lines per chunk |
| limit | integer | null | Limit the number of files to scan |
| globs | array of strings | null | File patterns to include (uses workflow defaults if not provided) |
| max-concurrent-chunks | integer | 5 | Maximum number of chunks to process concurrently |
| approver | string | "" | GitHub username or group to notify for approval |
| should-block-pull-request | boolean | false | Whether to block the pull request until security review is complete |
| custom-risk-list-action | string | "append" | Whether to "append" to or "replace" the default risks list |
| custom-risk-list-filepath | string | null | Path to JSON/YAML file containing additional risks |
| custom-risk-list-json | object | null | JSON object containing additional risks to consider |
| custom-false-positive-considerations | array of strings | [] | List of additional considerations to help reduce false positives |
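The table above, together with the Action example, is the documented contract for workflow_args. The script below is an added example and is not part of fraim or fraim-action: it checks a workflow_args object against that table (argument names, types, the 1-10 confidence range, the append/replace action, string-to-string risk objects) before it is committed to a workflow file, and turns an accepted object into the equivalent fraim run risk_flagger command line. The translation rules are assumptions, not documented behaviour: each key becomes a --<key> flag, custom-risk-list-json is serialised back to the JSON string the CLI option takes, list arguments are passed as repeated values after one flag, and should-block-pull-request is dropped because it exists only in the GitHub Action. The sample inputs are constructed; the good one is the workflow_args from the Action example.

```python
"""Check a Risk Flagger workflow_args object against the documented argument table."""
import json

# Documented workflow_args: name -> (expected JSON type, default), transcribed from the table.
# The 1-10 range for confidence and the append|replace values are enforced separately below.
WORKFLOW_ARGS = {
    "confidence": (int, 7),
    "chunk-size": (int, 500),
    "limit": (int, None),
    "globs": (list, None),
    "max-concurrent-chunks": (int, 5),
    "approver": (str, ""),
    "should-block-pull-request": (bool, False),
    "custom-risk-list-action": (str, "append"),
    "custom-risk-list-filepath": (str, None),
    "custom-risk-list-json": (dict, None),
    "custom-false-positive-considerations": (list, []),
}


def _is_int(value):
    # bool is a subclass of int in Python, so a JSON true/false must not pass as an integer
    return isinstance(value, int) and not isinstance(value, bool)


def validate_workflow_args(args):
    """Return a list of problems; an empty list means the object matches the table."""
    if not isinstance(args, dict):
        return ["workflow_args must be a JSON object"]
    errors = [f"unknown argument {key!r}" for key in args if key not in WORKFLOW_ARGS]
    for key, (expected, default) in WORKFLOW_ARGS.items():
        if key not in args:
            continue
        value = args[key]
        if value is None and default is None:
            continue  # nullable arguments may be given explicitly as null
        if expected is int:
            if not _is_int(value):
                errors.append(f"{key} must be an integer, got {value!r}")
            elif key == "confidence" and not 1 <= value <= 10:
                errors.append(f"confidence must be between 1 and 10, got {value}")
        elif expected is bool:
            if not isinstance(value, bool):
                errors.append(f"{key} must be a boolean, got {value!r}")
        elif expected is str:
            if not isinstance(value, str):
                errors.append(f"{key} must be a string, got {value!r}")
            elif key == "custom-risk-list-action" and value not in ("append", "replace"):
                errors.append(f"custom-risk-list-action must be 'append' or 'replace', got {value!r}")
        elif expected is list:
            if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                errors.append(f"{key} must be an array of strings")
        elif expected is dict:
            if not isinstance(value, dict) or not all(
                isinstance(k, str) and isinstance(v, str) for k, v in value.items()
            ):
                errors.append(f"{key} must be an object mapping risk names to descriptions")
    return errors


def workflow_args_to_cli(args):
    """Translate an accepted workflow_args object into a fraim CLI argv list.

    Assumption (not documented on the page): every key maps to --<key>, list values are
    repeated after one flag, custom-risk-list-json is re-serialised as a JSON string, and
    should-block-pull-request is skipped because it is a GitHub Action-only setting.
    Returning argv as a list keeps the JSON out of shell quoting entirely.
    """
    argv = ["fraim", "run", "risk_flagger", "--location", ".", "--diff"]
    for key, value in args.items():
        if key == "should-block-pull-request" or value in (None, "", []):
            continue
        flag = f"--{key}"
        if isinstance(value, dict):
            argv += [flag, json.dumps(value, separators=(",", ":"))]
        elif isinstance(value, list):
            argv += [flag, *value]
        elif isinstance(value, bool):
            argv += [flag, "true" if value else "false"]
        else:
            argv += [flag, str(value)]
    return argv


# Constructed sample: the workflow_args from the Action example above ...
GOOD_ARGS = json.loads("""{
  "approver": "security",
  "should-block-pull-request": true,
  "custom-risk-list-json": {
    "Change Protection": "All changes to sensitive_data.py should be flagged.",
    "API Changes": "Any modifications to API endpoints require security review."
  },
  "custom-risk-list-action": "replace",
  "chunk-size": 5000,
  "confidence": 7
}""")

# ... and a constructed copy with the mistakes the check is meant to catch
BAD_ARGS = {
    "confidence": "7",                  # string where an integer is required
    "custom-risk-list-action": "merge",  # not append|replace
    "should-block-pull-request": 1,     # integer where a boolean is required
    "chunk_size": 500,                  # underscore instead of hyphen: unknown argument
}

if __name__ == "__main__":
    for name, sample in (("good", GOOD_ARGS), ("bad", BAD_ARGS)):
        problems = validate_workflow_args(sample)
        print(name, "OK" if not problems else problems)
    print(" ".join(workflow_args_to_cli(GOOD_ARGS)))
```

Run the validator in CI before the workflow file is merged, or as a unit test over every workflow_args block in the repository; a failed check is cheaper than a silently ignored argument at PR time.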