Skip to content

Optimize security-guard Claude token usage via prompt cache alignment and smaller diff payloads #2085

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lpcox merged 4 commits into from
Apr 18, 2026
Merged

Optimize security-guard Claude token usage via prompt cache alignment and smaller diff payloads #2085

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
41faee5
Initial plan
Copilot Apr 18, 2026
a1ee146
chore: optimize security-guard workflow token usage
Copilot Apr 18, 2026
b5e3048
chore: refine security-guard diff truncation handling
Copilot Apr 18, 2026
3cabb26
chore: align security-guard max turns env with workflow limit
Copilot Apr 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 4 additions & 5 deletions .github/workflows/security-guard.lock.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

30 changes: 19 additions & 11 deletions .github/workflows/security-guard.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ permissions:
issues: read
engine:
id: claude
max-turns: 12
max-turns: 10
features:
cli-proxy: true
tools:
Expand All @@ -32,14 +32,22 @@ steps:
if: github.event.pull_request.number
run: |
DELIM="GHAW_PR_FILES_$(date +%s)"
DIFF_LIMIT=5000
DIFF_TMP="$(mktemp)"
{
echo "PR_FILES<<${DELIM}"
gh api "repos/${GH_REPO}/pulls/${PR_NUMBER}/files" \
--paginate --jq '.[] | "### " + .filename + " (+" + (.additions|tostring) + "/-" + (.deletions|tostring) + ")\n" + (.patch // "") + "\n"' \
| head -c 8000 || true
> "$DIFF_TMP" || true
DIFF_SIZE="$(wc -c < "$DIFF_TMP" | tr -d ' ')"
head -c "$DIFF_LIMIT" "$DIFF_TMP" || true
if [ "$DIFF_SIZE" -gt "$DIFF_LIMIT" ]; then
echo -e "\n[DIFF TRUNCATED at ${DIFF_LIMIT} bytes — use get_file_contents for full context]"
fi
echo ""
echo "${DELIM}"
} >> "$GITHUB_OUTPUT"
rm -f "$DIFF_TMP"
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
Expand Down Expand Up @@ -101,14 +109,6 @@ This repository implements a **network firewall for AI agents** that provides L7
- Wildcard pattern security (prevents overly broad patterns)
- Protocol prefix handling

## Changed Files (Pre-fetched)

The following PR diff has been pre-computed. Focus your security analysis on these changes:

```
${{ steps.pr-diff.outputs.PR_FILES }}
```

## Your Task

Analyze PR #${{ github.event.pull_request.number }} in repository ${{ github.repository }}.
Expand Down Expand Up @@ -170,4 +170,12 @@ If no security issues are found:
- Do not add a comment (use noop safe-output)
- The PR passes the security review

**SECURITY**: Be thorough but avoid false positives. Focus on actual security weakening, not code style or refactoring that maintains the same security level.
**SECURITY**: Be thorough but avoid false positives. Focus on actual security weakening, not code style or refactoring that maintains the same security level.

## Changed Files (Pre-fetched)

The following PR diff has been pre-computed. Focus your security analysis on these changes:

```
${{ steps.pr-diff.outputs.PR_FILES }}
```
Loading