@michaelspinks
🎯 Summary

This PR enhances the existing SAIST GitHub Action by adding manual trigger capability, configurable LLM provider selection, and intelligent scanning mode detection. The action now provides a professional developer experience for both automated PR security scanning and on-demand security analysis.

🚀 What's New
✨ Manual Workflow Trigger

Added workflow_dispatch trigger with LLM provider selection dropdown
Developers can now run security scans manually without creating PRs
Perfect for testing, development, and ad-hoc security analysis
Five LLM providers supported: OpenAI, Anthropic, DeepSeek, Gemini, Ollama

🤖 Configurable LLM Provider for PRs

PR scans now use repository variable DEFAULT_LLM_PROVIDER for team-wide configuration
No code changes needed to switch LLM providers - just update the repository variable
Automatic fallback to DeepSeek if variable is not set
Maintains backward compatibility with existing workflows

🧠 Intelligent Scan Mode Detection

Manual runs: Use filesystem mode to scan entire repository with CSV output
PR runs: Use github mode to scan only PR changes with potential PR comments
Optimized for different use cases: comprehensive analysis vs targeted PR review

🔧 Enhanced Configuration & Security

Updated to latest GitHub Actions versions (checkout@v3, setup-python@v4)
Added fetch-depth: 0 for full git history access
Secure dynamic API key selection based on provider
Proper error handling for missing API keys
Professional logging and status indicators

📊 Improved Output Management

Manual runs generate downloadable CSV artifacts (retained for 30 days)
Clear progress indicators and status logging throughout execution
Support for multiple output formats (CSV, PDF where available)
Artifacts enable team collaboration and historical analysis

Manual Runs

Go to Actions tab → "Security Analysis" → "Run workflow"
Select desired LLM provider from dropdown (openai, anthropic, deepseek, gemini, ollama)
Action scans entire repository using filesystem mode
Results available as downloadable CSV artifact
Perfect for comprehensive security audits and testing

PR Runs (Enhanced Behavior)

Triggered automatically on PR creation/updates
Uses DEFAULT_LLM_PROVIDER repository variable (fallback: deepseek)
Scans only PR changes using github mode for efficiency
Optimized for code review workflows
Maintains existing automated behavior with new flexibility

🛠️ Technical Implementation
Repository Variable Configuration
# Set via: Repository Settings → Secrets and variables → Actions → Variables
DEFAULT_LLM_PROVIDER: deepseek # or openai, anthropic, gemini, ollama

Dynamic API Key Selection

Secure pattern - only stores secret names, not values

case "$LLM_PROVIDER" in
  openai) echo "api_key_secret=OPENAI_API_KEY" >> "$GITHUB_OUTPUT" ;;
  anthropic) echo "api_key_secret=ANTHROPIC_API_KEY" >> "$GITHUB_OUTPUT" ;;
  deepseek) echo "api_key_secret=DEEPSEEK_API_KEY" >> "$GITHUB_OUTPUT" ;;
  # ... additional providers
esac

Intelligent Mode Detection

if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
  # Manual: comprehensive filesystem scan
  SCAN_MODE="filesystem"
  OUTPUT_FLAGS="--csv"
else
  # PR: targeted github scan
  SCAN_MODE="github" 
  OUTPUT_FLAGS=""
fi

📋 Configuration Requirements
Required Secrets

DEEPSEEK_API_KEY - Required for DeepSeek provider (existing)
Additional API keys optional based on desired providers:

OPENAI_API_KEY - For OpenAI provider
ANTHROPIC_API_KEY - For Anthropic provider
GEMINI_API_KEY - For Google Gemini provider
Ollama requires no API key (local deployment)

Recommended Repository Variable
Name: DEFAULT_LLM_PROVIDER
Value: deepseek (or your preferred default)

🧪 Testing Completed
✅ Manual Trigger Functionality

  • Manual workflow appears in Actions tab with proper UI
  • LLM provider dropdown functions correctly with all options
  • DeepSeek provider connects and scans successfully
  • OpenAI provider connects (with rate limiting handled)
  • Filesystem scan mode detects security vulnerabilities
  • CSV artifacts generated and downloadable

✅ Repository Variable Integration

  • DEFAULT_LLM_PROVIDER variable correctly controls PR scans
  • Fallback to DeepSeek when variable not set
  • Variable changes take effect without code deployment
  • Secure dynamic API key selection working

✅ GitHub Mode Enhancement

  • PR triggers work with new provider selection logic
  • GitHub mode scans PR changes successfully
  • Detects security issues in realistic application code
  • Proper integration with GitHub API and tokens

✅ Backward Compatibility

  • Existing PR workflows continue working unchanged
  • No breaking changes to workflow behavior
  • Same permissions and security model
  • Consistent output and logging format

🎯 Benefits Delivered
For Development Teams

  • Faster iteration: Test security scanning without creating PRs
  • Provider flexibility: Easy switching between LLM providers for cost/performance optimization
  • Better debugging: Manual runs help troubleshoot scan configurations and rules
  • Immediate feedback: On-demand security analysis for any codebase state

For Security Teams

  • Configurable policies: Team-wide LLM provider standards via repository variables
  • Comprehensive analysis: Full repository scans vs PR-only analysis
  • Historical tracking: Downloadable artifacts for compliance and trend analysis
  • Flexible deployment: Support for both cloud and local LLM providers

For DevOps/Platform Teams

  • Centralized configuration: Repository variables eliminate hardcoded values
  • Cost optimization: Easy provider switching based on usage patterns and costs
  • Scalable architecture: Foundation for organization-wide security scanning standards
  • Operational simplicity: No code changes required for configuration updates

🔮 Future Enhancement Foundation
This implementation provides a solid foundation for additional capabilities:

  • GitHub Marketplace Action: Make SAIST reusable across organizations
  • Advanced reporting: Integration with GitHub Security tab, PDF reports
  • Smart PR comments: Automatic inline security feedback
  • Custom rule sets: Repository-specific scanning configurations
  • Enterprise integration: SSO, audit logging, compliance reporting

📝 Files Modified

.github/workflows/saist.yml - Enhanced with manual trigger, configurable providers, and intelligent mode detection

🚦 Breaking Changes
None - This enhancement is fully backward-compatible. All existing PR-based workflows continue to function exactly as before, with the addition of new manual trigger capabilities and configurable provider selection.

🔗 Related Work
This addresses the "Add a github action" item from the project's Future roadmap by significantly expanding the existing GitHub Action's capabilities while maintaining production stability and security best practices.

🧪 How to Test This Enhancement
Test Manual Trigger

After merging, navigate to Actions tab
Select "Security Analysis" → "Run workflow"
Choose different LLM providers and verify successful execution
Download and examine CSV artifacts

Test Repository Variable Configuration

Set DEFAULT_LLM_PROVIDER variable in repository settings
Create test PR with security issues
Verify PR scan uses configured provider
Change variable and confirm immediate effect

Test Provider Flexibility

Add API keys for multiple providers (optional)
Test manual runs with different providers
Compare scan results, performance, and cost implications
Validate error handling for missing API keys

Production Ready ✅ This enhancement has been thoroughly tested and maintains full backward compatibility while adding significant value for security-focused development workflows.
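
An added example, not part of the PR or the SAIST workflow: one way to write the provider-to-secret mapping and mode detection described above so that a free-text DEFAULT_LLM_PROVIDER value is checked against an allowlist before anything is written to $GITHUB_OUTPUT. The function names and the output keys llm_provider and scan_mode are assumptions; api_key_secret, the secret names and the two scan modes come from the description.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow code. Function names are hypothetical.

# Print the *name* of the secret for a provider (never its value).
# Empty input falls back to deepseek; ollama needs no key, so the name is empty.
resolve_api_key_secret() {
  case "${1:-deepseek}" in
    openai)    echo "OPENAI_API_KEY" ;;
    anthropic) echo "ANTHROPIC_API_KEY" ;;
    deepseek)  echo "DEEPSEEK_API_KEY" ;;
    gemini)    echo "GEMINI_API_KEY" ;;
    ollama)    echo "" ;;
    *)
      # A repository variable is free text; anything off the allowlist
      # (including values with embedded newlines) is refused.
      echo "unsupported LLM provider" >&2
      return 1 ;;
  esac
}

# Manual runs scan the whole tree; every other event uses github mode.
resolve_scan_mode() {
  if [ "$1" = "workflow_dispatch" ]; then echo "filesystem"; else echo "github"; fi
}

# Append validated key=value lines to the step output file.
# Usage: write_outputs <event_name> <provider>
write_outputs() {
  local provider secret
  provider="${2:-deepseek}"
  [ -n "${GITHUB_OUTPUT:-}" ] || { echo "GITHUB_OUTPUT is not set" >&2; return 1; }
  # Validation happens before the first write, so a rejected value
  # leaves the output file untouched.
  secret="$(resolve_api_key_secret "$provider")" || return 1
  {
    echo "llm_provider=$provider"
    echo "api_key_secret=$secret"
    echo "scan_mode=$(resolve_scan_mode "$1")"
  } >> "$GITHUB_OUTPUT"
}
```
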

michaelspinks and others added 4 commits June 5, 2025 11:28
#2)

* Fix manual run mode and add smart provider detection

* Fix smart provider detection

* feat: Fix smart provider detection

* feat: update to add github token

* feat: remove test file

* feat: change LLM_PROVIDER for DEFAULT_LLM_PROVIDER || deepseek fallback

* feat: fixed deepseek fallback

* feat: updated anthropic to claude-sonnet-20250219 from -latest

* feat: updated anthropic to comment max_tokens

* feat: revert anthropic settings

* feat: remove test file

* feat: update SAIST_LLM_API_KEY