
Proactive Scan & Jules-Style Issues

The CI-Native Agent does not wait for you to ask. The proactive scan workflow finds problems on its own, files them as readable GitHub Issues, and announces the fix before it arrives.


How it runs

.github/workflows/proactive-scan.yml ships with the SquireX setup and runs:

  • On every push to main
  • On a weekly schedule (cron)

Each run executes a full SquireX scan, uploads SARIF to GitHub Advanced Security, and the resulting code_scanning_alert webhook drives the autofix loop.


Jules-style Issues

For every finding, the agent files a GitHub Issue written in a first-person, conversational voice. It explains what it found, suggests a direction, and tells you a fix is already on the way:

```markdown
## 🔴 I found an Excessive Agency issue in `IncidentBot.cls`

**Rule:** AGENTFORCE-1.1 — Unconfirmed Data Mutation
**Severity:** error | **Compliance:** SOC2_CC6, NIST_AI_RMF
**Triggered by:** schedule · Commit: a1b2c3d

### What I found
The agent modifies records without a user-confirmation step…

### My suggestion
Address the Excessive Agency risk in `IncidentBot.cls` by following the
patterns in the rule documentation…

> 🤖 SquireX Autonomy is generating an automated fix. A silent draft PR
> will appear on this repository shortly, ready for your review and merge.
```

Issues are:

  • Severity-coded: 🔴 error / 🟡 warning / 🔵 note, plus `squirex:<level>` and category labels
  • Deduplicated: existing open SquireX issues are fetched first; the agent never re-files the same finding
  • Linked to rule docs: every rule references its public catalog page at `squirex.dev/rules/{ruleId}`

Compliance tagging

When a rule carries regulatory mappings, the agent surfaces them directly in the issue (Compliance: SOC2_CC6, NIST_AI_RMF, EU_AI_ACT, HIPAA, PCI_DSS, OWASP_MCP). This turns each autonomous finding into audit-ready evidence without a separate report.
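An added illustration of the issue-filing step described in the two sections above (severity labels, dedup against already-open issues, rule-doc links and the optional Compliance tag). This is example code, not SquireX's own implementation: the `Finding` fields, the hidden `squirex-fingerprint` body marker used for dedup, the `https://` scheme on the rule-doc URL, and the `EXAMPLE-2` rule are assumptions.

```python
import re
from dataclasses import dataclass

SEVERITY_ICON = {"error": "🔴", "warning": "🟡", "note": "🔵"}
RULE_DOCS = "https://squirex.dev/rules/{ruleId}"
FP_RE = re.compile(r"<!-- squirex-fingerprint: (\S+) -->")  # hidden body marker, assumed here

@dataclass
class Finding:  # field names are assumptions for this example, not SquireX's schema
    rule_id: str; rule_name: str; category: str; severity: str; path: str
    message: str; compliance: tuple; trigger: str; commit: str

def fingerprint(rule_id, path): return f"{rule_id}:{path}"  # stable key across scan runs
def render_issue(f):
    """Title, labels and body of a Jules-style issue for one finding."""
    art = "an" if f.category[:1].lower() in "aeiou" else "a"
    title = f"{SEVERITY_ICON[f.severity]} I found {art} {f.category} issue in `{f.path}`"
    labels = [f"squirex:{f.severity}", f.category.lower().replace(" ", "-")]
    # only rules that carry regulatory mappings get the Compliance tag
    sev = f"**Severity:** {f.severity}" + (" | **Compliance:** " + ", ".join(f.compliance) if f.compliance else "")
    body = "\n".join([
        f"**Rule:** [{f.rule_id}]({RULE_DOCS.format(ruleId=f.rule_id)}) - {f.rule_name}",
        sev, f"**Triggered by:** {f.trigger} · Commit: {f.commit[:7]}",
        "", "### What I found", f.message, "", "### My suggestion",
        f"Address the {f.category} risk in `{f.path}` by following the patterns in the rule documentation.",
        "", "> 🤖 SquireX Autonomy is generating an automated fix. A silent draft PR",
        "> will appear on this repository shortly, ready for your review and merge.",
        f"<!-- squirex-fingerprint: {fingerprint(f.rule_id, f.path)} -->"])
    return {"title": title, "labels": labels, "body": body}

def plan_issues(findings, existing_open_issues):
    """Read the open SquireX issues first, then file only findings not already on file."""
    open_fps = {m.group(1) for i in existing_open_issues
                for m in [FP_RE.search(i.get("body", ""))] if m}
    planned = []
    for f in findings:
        fp = fingerprint(f.rule_id, f.path)
        if fp in open_fps:
            continue  # never re-file the same finding
        open_fps.add(fp)  # also collapses duplicates within this run
        planned.append(render_issue(f))
    return planned
# Constructed sample input (not real SquireX output); EXAMPLE-2 is a placeholder rule id.
EXISTING = [{"number": 41, "body": "...\n<!-- squirex-fingerprint: AGENTFORCE-1.1:IncidentBot.cls -->"}]
FINDINGS = [
    Finding("AGENTFORCE-1.1", "Unconfirmed Data Mutation", "Excessive Agency", "error", "IncidentBot.cls",
            "The agent modifies records without a user-confirmation step.", ("SOC2_CC6", "NIST_AI_RMF"), "schedule", "a1b2c3d"),
    Finding("EXAMPLE-2", "Placeholder Rule", "Sample Category", "warning", "tools/config.json",
            "Placeholder finding text.", (), "push", "f00ba4"),
]
```

With the sample input, `plan_issues(FINDINGS, EXISTING)` skips the already-open `IncidentBot.cls` finding and plans only the second issue.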


The chain: scan → issue → silent PR

The proactive scan and the fix loop are one continuous chain. The issue is the human-readable announcement; the silent draft PR is the action. You review both β€” the agent never merges.