
prowler-ci skill


This skill helps diagnose and fix PR CI failures in prowler-ci by analyzing workflows, filters, and gating rules across .github/workflows.

npx playbooks add skill prowler-cloud/prowler --skill prowler-ci


SKILL.md
---
name: prowler-ci
description: >
  Helps with Prowler repository CI and PR gates (GitHub Actions workflows).
  Trigger: When investigating CI checks failing on a PR, PR title validation, changelog gate/no-changelog label,
  conflict marker checks, secret scanning, CODEOWNERS/labeler automation, or anything under .github/workflows.
license: Apache-2.0
metadata:
  author: prowler-cloud
  version: "1.0"
  scope: [root]
  auto_invoke:
    - "Inspect PR CI checks and gates (.github/workflows/*)"
    - "Debug why a GitHub Actions job is failing"
    - "Understand changelog gate and no-changelog label behavior"
    - "Understand PR title conventional-commit validation"
    - "Understand CODEOWNERS/labeler-based automation"
allowed-tools: Read, Edit, Write, Glob, Grep, Bash
---

## What this skill covers

Use this skill whenever you are:

- Reading or changing GitHub Actions workflows under `.github/workflows/`
- Explaining why a PR fails checks (title, changelog, conflict markers, secret scanning)
- Figuring out which workflows run for UI/API/SDK changes and why
- Diagnosing path-filtering behavior (why a workflow did/didn't run)

## Quick map (where to look)

- PR template: `.github/pull_request_template.md`
- PR title validation: `.github/workflows/conventional-commit.yml`
- Changelog gate: `.github/workflows/pr-check-changelog.yml`
- Conflict markers check: `.github/workflows/pr-conflict-checker.yml`
- Secret scanning: `.github/workflows/find-secrets.yml`
- Auto labels: `.github/workflows/labeler.yml` and `.github/labeler.yml`
- Review ownership: `.github/CODEOWNERS`

## Debug checklist (PR failing checks)

1. Identify which workflow/job is failing (name + file under `.github/workflows/`).
2. Check path filters: is the workflow supposed to run for your changed files?
3. If it's a title check: verify PR title matches Conventional Commits.
4. If it's changelog: verify the right `CHANGELOG.md` is updated OR apply `no-changelog` label.
5. If it's conflict checker: remove `<<<<<<<`, `=======`, `>>>>>>>` markers.
6. If it's secrets (TruffleHog): see section below.
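As an added example (not part of the skill or of the Prowler workflows themselves), a local Python pre-check for steps 3 and 5 of the checklist: a Conventional Commits title validator and a conflict-marker scan, run over a constructed merge fragment. The accepted type list and the marker rules are assumptions about how `conventional-commit.yml` and `pr-conflict-checker.yml` are configured.

```python
import re

# Conventional Commits shape: type(optional scope)!: description.
# The type list is an assumption (the common Angular set); the repository's
# conventional-commit.yml may be configured with a different set.
CC_TYPES = "feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert"
CC_TITLE = re.compile(rf"^({CC_TYPES})(\([\w./-]+\))?!?: \S.*$")


def valid_pr_title(title: str) -> bool:
    """Return True when the PR title matches the Conventional Commits shape."""
    return CC_TITLE.match(title.strip()) is not None


def find_conflict_markers(text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line that starts with a git conflict marker.

    A bare '=======' is also a Markdown setext heading underline, so a hit on that
    marker alone deserves a manual look before the file is rewritten.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        s = line.rstrip()
        if s == "=======" or s.startswith(("<<<<<<< ", ">>>>>>> ")):
            hits.append((n, s))
    return hits


# Constructed sample: a file as git leaves it after an unresolved merge.
SAMPLE_CONFLICT = """def check():
<<<<<<< HEAD
    return True
=======
    return False
>>>>>>> feature/new-check
"""

if __name__ == "__main__":
    for t in ("feat(api): add S3 check", "Fix bug", "fix!: drop legacy flag"):
        print(f"{t!r}: {'ok' if valid_pr_title(t) else 'REJECTED'}")
    for n, line in find_conflict_markers(SAMPLE_CONFLICT):
        print(f"sample:{n}: {line}")
```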

## TruffleHog Secret Scanning

TruffleHog scans the repository for leaked secrets. Test files are a common source of false positives because fixture values often imitate the shape of real credentials:

**Patterns that trigger TruffleHog:**
- `sk-*T3BlbkFJ*` - OpenAI API keys
- `AKIA[A-Z0-9]{16}` - AWS Access Keys
- `ghp_*` / `gho_*` - GitHub tokens
- Base64-encoded strings that look like credentials

**Fix for test files:**
```python
# BAD - looks like real OpenAI key
api_key = "sk-test1234567890T3BlbkFJtest1234567890"

# GOOD - obviously fake
api_key = "sk-fake-test-key-for-unit-testing-only"
```

**If TruffleHog flags a real secret:**
1. Remove the secret from the code immediately
2. Rotate the credential (it's now in git history)
3. Consider using `.trufflehog-ignore` for known false positives (rarely needed)
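An added example, not code from the skill or from TruffleHog: a Python pre-check that mirrors the three patterns listed above and runs over a constructed test fixture, showing why the BAD value is flagged while the GOOD one is not. The regexes are approximations (assumptions), not TruffleHog's own detectors.

```python
import re

# Regexes mirroring the patterns listed above. They are local approximations
# (an assumption) of TruffleHog's detectors, which additionally try to verify
# each candidate against the provider before reporting it.
SECRET_PATTERNS = {
    # OpenAI keys carry the fixed "T3BlbkFJ" marker in the middle of the key.
    "openai_api_key": re.compile(r"sk-[A-Za-z0-9]*T3BlbkFJ[A-Za-z0-9]*"),
    # AWS access key IDs: AKIA followed by exactly 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    # Classic GitHub tokens: ghp_/gho_ prefix and a long alphanumeric body.
    "github_token": re.compile(r"\bgh[po]_[A-Za-z0-9]{20,}\b"),
}


def redact(value: str) -> str:
    """Keep a short prefix so the report itself does not repeat the secret."""
    return f"{value[:6]}...({len(value)} chars)"


def scan_text(text: str, source: str = "<input>") -> list[dict]:
    """Return one finding per pattern hit: source, line number, pattern, redacted value."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"source": source, "line": n,
                                 "pattern": name, "value": redact(m.group(0))})
    return findings


# Constructed sample test file: two values that look real, two that are
# obviously fake. Each line is annotated with the outcome the scan produces.
SAMPLE_TEST_FILE = '''# constructed fixture for a unit test
api_key = "sk-test1234567890T3BlbkFJtest1234567890"  # flagged: carries the T3BlbkFJ marker
aws_key = "AKIAIOSFODNN7EXAMPLE"                      # flagged: AKIA + 16 chars, even though it is AWS's docs sample
safe_key = "sk-fake-test-key-for-unit-testing-only"  # clean: no marker, hyphenated words
token = "ghp_FAKE_TOKEN_FOR_TESTS"                    # clean: underscores break the alphanumeric run
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEST_FILE, "tests/test_fixture.py"):
        print(f"{f['source']}:{f['line']}: {f['pattern']} {f['value']}")
```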

## Notes

- Keep `prowler-pr` focused on *creating* PRs and filling the template.
- Use `prowler-ci` for *CI policies and gates* that apply to PRs.

Overview

This skill helps diagnose and resolve CI and PR gating issues for Prowler GitHub Actions workflows. It focuses on why checks fail (title validation, changelog gate, conflict markers, secret scanning) and how workflows under .github/workflows are triggered. Use it to quickly locate the responsible workflow and apply the correct fix to unblock PR merges.

How this skill works

The skill inspects GitHub Actions workflow files under .github/workflows and maps failing jobs to the relevant YAML file. It checks path filters, PR title rules, changelog and label gates, conflict marker checks, secret-scan triggers (TruffleHog), and CODEOWNERS/labeler automation to explain why a particular workflow ran or failed. It also provides concrete remediation steps for common failures.

When to use it

  • A PR shows failing CI checks and you need to identify which workflow/job caused it.
  • You need to know why a workflow did or did not run after your code changes (path filters).
  • PR title fails Conventional Commits validation.
  • The changelog gate blocks the merge, or you want to apply the no-changelog label.
  • Secret scanner flags test files or real secrets.
  • Conflict markers appear in a PR and block checks.

Best practices

  • Start by locating the failing job name and the YAML file under .github/workflows.
  • Verify path filters to ensure the workflow should run for your changed files before debugging job logic.
  • Follow Conventional Commits for PR titles or adjust the title to meet validation rules.
  • Update CHANGELOG.md for meaningful changes or add the no-changelog label when appropriate.
  • Replace secret-looking test values with clearly fake placeholders to avoid TruffleHog false positives.
  • Remove merge conflict markers (<<<<<<<, =======, >>>>>>>) before pushing changes.

Example use cases

  • A UI change didn't trigger the expected UI test workflow — inspect path filters and workflow triggers.
  • A PR is blocked by changelog validation — either update CHANGELOG.md or apply the no-changelog label per project policy.
  • TruffleHog flags a test file — replace the value with an obviously fake test key and push a fix.
  • Conventional commit check failed — edit the PR title to match the convention and re-run checks.
  • Conflict-check workflow failed — search the diff for conflict markers and remove them.

FAQ

What patterns commonly trigger TruffleHog false positives?

OpenAI-like keys (sk-...), AWS access key patterns (AKIA...), GitHub tokens (ghp_/gho_) and base64 blobs often trigger flags.

Can I ignore a TruffleHog finding?

Prefer fixing test values to clearly fake strings. Only use ignore mechanisms for rare, vetted false positives and rotate any real credentials immediately.