jimleroyer commented 1 month ago

Description

As a developer, I want to have my code reviewed by AI, So that it can catches common errors that humans might overlook once in a while Such sensitive Terraform variables not being flagged as such in the code changes.

WHY are we building?

This is following an incident action items as we did not catch a sensitive variable and that caused a leak through our logs. We want to catch that sort of bugs as early as possible in the development pipeline. An AI could catch these sort of easy to spot (but potentially easy to miss) changes and alert us on the pull requests.

WHAT are we building?

Integrating with an AI that reviews our pull requests. Namely, this one was spotted and could be tried: https://github.com/marketplace/actions/ai-code-review-action

VALUE created by our solution

More security for this specific use case, but also higher code quality in general by an AI bot reviewing our code.

This might mean some noises too as well on code changes that the AI bit might be incorrect or unaware of context.

Acceptance Criteria

[ ] A prototype of the AI code review integration is presented to the GCNotify core team.
[ ] A review document is provided with a summary of the capabilities of the code review AI. This should be tested against some common scenarios such as introducing a password variable in the Terraform repository which should be tagged as sensitive but is not.

QA Steps

[ ] Review and discussion of the summary document.
[ ] This should be tested against some common scenarios such as introducing a password variable in the Terraform repository which should be tagged as sensitive but is not.
[ ] Tested against a few PRs in Terraform, manifests, and API.

P0NDER0SA commented 1 month ago

We need to get an OpenAI API key