feat: use review-pr to scan PR code for vulns with Claude AI

Author: Preshy

.github/workflows/vu1nz-scan.yml

@@ -23,6 +23,7 @@ jobs:
         run: pip install --quiet git+https://github.com/profullstack/vu1nz-gh-actions.git
 
       - name: Review PR
+        id: review
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -32,5 +33,144 @@ jobs:
           vu1nz review-pr main \
             ${{ github.repository }} \
             ${{ github.event.pull_request.number }} \
-            --ai auto \
-            --token "$GITHUB_TOKEN"
+            --token "$GITHUB_TOKEN" \
+            --json \
+            | tee "$RUNNER_TEMP/vu1nz-review-raw.txt" || true
+
+          # Extract JSON from output (vu1nz prints progress lines before JSON)
+          python3 -c "
+          import json, re, sys
+          raw = open('$RUNNER_TEMP/vu1nz-review-raw.txt').read()
+          raw = re.sub(r'\x1b\[[0-9;]*m', '', raw)
+          start = raw.find('{')
+          if start >= 0:
+              obj, _ = json.JSONDecoder(strict=False).raw_decode(raw, start)
+              json.dump(obj, sys.stdout)
+          else:
+              print('{}')
+          " > "$RUNNER_TEMP/vu1nz-review.json"
+
+      - name: Build PR comment
+        id: comment
+        run: |
+          python3 << 'PYEOF'
+          import json, os, sys
+
+          review_file = os.environ.get("RUNNER_TEMP", "") + "/vu1nz-review.json"
+          comment_file = os.environ.get("RUNNER_TEMP", "") + "/vu1nz-comment.md"
+
+          try:
+              with open(review_file) as f:
+                  data = json.loads(f.read(), strict=False)
+          except Exception as e:
+              print(f"::warning::Could not parse review results: {e}")
+              with open(comment_file, "w") as f:
+                  f.write("## vu1nz Security Review\n\nCould not parse review results.\n")
+              sys.exit(0)
+
+          findings = data.get("findings", [])
+          analysis = data.get("analysis", "")
+          pr = data.get("pr_number", "?")
+          total = len(findings)
+
+          counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
+          for finding in findings:
+              sev = finding.get("severity", "").lower()
+              if sev in counts:
+                  counts[sev] += 1
+
+          has_hc = counts["critical"] > 0 or counts["high"] > 0
+
+          lines = ["## vu1nz Security Review", ""]
+          lines.append(f"**{total}** finding(s) in PR #{pr}")
+          lines.append("")
+
+          badge_parts = []
+          for sev in ("critical", "high", "medium", "low"):
+              if counts[sev] > 0:
+                  badge_parts.append(f"**{sev.upper()}**: {counts[sev]}")
+          if badge_parts:
+              lines.append(" | ".join(badge_parts))
+              lines.append("")
+
+          if has_hc:
+              lines.append("> **High or critical findings — review before merging.**")
+              lines.append("")
+
+          if findings:
+              lines.append("### Findings")
+              lines.append("")
+              lines.append("| Severity | File | Issue | Suggestion |")
+              lines.append("|----------|------|-------|------------|")
+              for f in findings:
+                  sev = f.get("severity", "?").upper()
+                  file = f.get("file", "N/A")
+                  issue = f.get("issue", "").replace("\n", " ")[:150]
+                  suggestion = f.get("suggestion", "").replace("\n", " ")[:150]
+                  lines.append(f"| {sev} | `{file}` | {issue} | {suggestion} |")
+              lines.append("")
+          else:
+              lines.append("No security issues found.")
+              lines.append("")
+
+          if analysis:
+              lines.append("<details><summary>Full AI Analysis</summary>")
+              lines.append("")
+              lines.append(analysis)
+              lines.append("")
+              lines.append("</details>")
+
+          body = "\n".join(lines)
+          with open(comment_file, "w") as f:
+              f.write(body)
+
+          with open(os.environ.get("GITHUB_OUTPUT", ""), "a") as out:
+              out.write(f"total={total}\n")
+              out.write(f"has_high_critical={'true' if has_hc else 'false'}\n")
+
+          if has_hc:
+              print(f"::error::vu1nz found high/critical vulnerabilities in PR code")
+              sys.exit(1)
+
+          print(f"::notice::vu1nz review: {total} finding(s), no high/critical issues")
+          PYEOF
+
+      - name: Comment on PR
+        if: always()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const commentFile = `${process.env.RUNNER_TEMP}/vu1nz-comment.md`;
+            let body;
+            try {
+              body = fs.readFileSync(commentFile, 'utf8');
+            } catch {
+              body = '## vu1nz Security Review\n\nScan completed but could not read results.';
+            }
+
+            const { data: comments } = await github.rest.issues.listComments({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            });
+
+            const existing = comments.find(c =>
+              c.user.type === 'Bot' && c.body.includes('vu1nz Security Review')
+            );
+
+            if (existing) {
+              await github.rest.issues.updateComment({
+                comment_id: existing.id,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: body,
+              });
+            }