Literal secret committed to source. Load the signing key from the environment so it never lands in git history.
Open source GitHub Action
Critiq reviews every pull request.
Add the open source GitHub Action from the OSS product line. Critiq installs the CLI, runs deterministic checks, and posts findings as inline review comments. No hosted account, and your code never leaves the runner.
- Inline PR comments
- Runs the OSS CLI
- No account required
How it works
Four steps, no glue code.
Drop the action into your workflow. It runs the same critiq check your team runs locally, then reports back where you already review code.
- 01 Install: Runs your install (npm ci or npm install) and resolves the Critiq CLI from package.json, or pulls the published packages onto the runner.
- 02 Scan: Executes critiq check with JSON output, using the pull request base and head commits for diff-aware analysis.
- 03 Post: Findings on changed lines land as inline review comments. The action checks whether a comment for the same finding was already posted, so reruns do not spam the thread. Anything outside the diff is skipped, the same way GitHub handles review comments.
- 04 Gate: An optional fail-on-severity threshold fails the job after feedback is posted, so you can block merges on the issues that matter.
Quick start
One workflow file.
Add this to .github/workflows/critiq.yml. Pinning the major tag (@v1) keeps you on a moving reference that picks up new releases; pinning a full commit SHA freezes exactly the action code you reviewed, which is the stronger supply-chain control.
- Set fetch-depth: 0 on checkout so diff scans have the full history needed to resolve the base and head commits.
- Grant pull-requests: write when you want inline comments. Note that for pull_request runs triggered from a fork, GitHub issues a read-only GITHUB_TOKEN regardless of the permissions block, so inline comments cannot be posted on fork PRs; the scan and JSON output still work.
- Pin @critiq/cli in package.json for reproducible installs instead of relying on latest.
```yaml
name: Critiq PR Review
on:
  pull_request:
permissions:
  contents: read
  pull-requests: write
jobs:
  critiq:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: critiq-dev/critiq-action@v1
        with:
          fail-on-severity: off
```
Configuration
Inputs you'll actually use.
Sensible defaults out of the box. Reach for these when you want to gate merges, change comment behavior, or scope a monorepo.
- fail-on-severity (default: off). Job failure threshold: off, low, medium, high, or critical. The gate runs after scanning and comment posting, so feedback is always delivered before the job fails.
- comment-mode (default: inline). Use inline for diff comments, inline+summary to add a PR summary comment as well, or off when you only need the JSON output.
- working-directory / target (default: .). Scope the install and scan to a monorepo package subtree while git metadata still comes from the repository root.
- cli-version / rules-version (default: latest). Used only when package.json lacks @critiq/cli. Prefer pinning versions in package.json instead.
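The inputs above combined into one hardened workflow, as an added example that is not part of the action's own documentation: the action is pinned to a commit SHA rather than the moving v1 tag, the scan is scoped to a hypothetical monorepo package (packages/api is an assumed path), a summary comment is added, and the job fails on high or critical findings after comments are posted. The SHA placeholder must be replaced with the full 40-character commit hash of the release you reviewed.

```yaml
name: Critiq PR Review (gated)
on:
  pull_request:
permissions:
  contents: read          # least privilege: the scan only needs to read the checkout
  pull-requests: write    # needed for inline review comments (read-only on fork PRs)
jobs:
  critiq:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the base..head diff resolves
      # Pin the action to an immutable commit SHA instead of the @v1 tag.
      # <full-commit-sha> is a placeholder, not a real hash; the trailing
      # comment records which release tag that SHA corresponds to.
      - uses: critiq-dev/critiq-action@<full-commit-sha> # v1
        with:
          working-directory: packages/api   # assumed monorepo package path
          comment-mode: inline+summary      # diff comments plus a PR summary
          fail-on-severity: high            # block merge on high/critical only
```

Keep the tag comment after the SHA: Dependabot's github-actions updater recognises that convention and bumps the pinned hash when a new release is published, so SHA pinning does not mean freezing the action forever. Because the gate runs after posting, a failed job still leaves the inline findings on the PR for the author to act on.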
Add Critiq to your pipeline.
Read the setup guide for monorepos, reusable workflows, and severity gating, or browse the action source on GitHub.