Autonomous AI code review, auto-fix, and security scan for your PRs. Every action is recorded in a hash-chained audit log so you can verify exactly what the agent did.
name: CodeBot Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: codebot-ai/codebot@v1
with:
task: review
api-key: ${{ secrets.ANTHROPIC_API_KEY }}name: CodeBot Fix
on:
workflow_dispatch:
inputs:
issue:
description: 'What to fix'
required: true
jobs:
fix:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- uses: codebot-ai/codebot@v1
with:
task: fix
api-key: ${{ secrets.ANTHROPIC_API_KEY }}name: CodeBot Security Scan
on: [push]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: codebot-ai/codebot@v1
with:
task: scan
api-key: ${{ secrets.ANTHROPIC_API_KEY }}| Input | Required | Default | Description |
|---|---|---|---|
task |
✅ | — | review, fix, or scan |
api-key |
✅ | — | API key for the LLM provider |
provider |
anthropic |
anthropic or openai |
|
model |
claude-sonnet-4-20250514 |
Model to use | |
policy |
.codebot/policy.json |
Path to security policy file | |
max-iterations |
25 |
Max agent loop iterations | |
sandbox |
auto |
Sandbox mode: auto, on, or off |
| Provider | Input value | Secret |
|---|---|---|
| Anthropic (Claude) | anthropic |
ANTHROPIC_API_KEY |
| OpenAI (GPT) | openai |
OPENAI_API_KEY |
Every run writes a tamper-evident, SHA-256 hash-chained audit log. You can verify it after the fact:
codebot --verify-audit
codebot --export-audit sarif > results.sarifThe audit log is also uploaded as a workflow artifact automatically.
Create .codebot/policy.json to control what the agent is allowed to do:
{
"rules": [
{ "tool": "execute_command", "permission": "deny", "match": { "command": "rm -rf" } },
{ "tool": "web_fetch", "permission": "allow" }
]
}The same agent runs locally:
npm install -g codebot-ai
codebot --solve https://github.com/you/repo/issues/42