CLI + GitHub Action gate
Shift LLM-security testing left. The `doesitdefend` CLI and the matching GitHub Action authenticate with a didk_ API key, scope the run to the diff (system_prompt / tools / watch list from .doesitdefend.yml), and post a verdict back as a PR check + comment within minutes.
Key points
- didk_ API keys are tenant-scoped and revocable from /settings/api-keys.
- Diff-aware probe selection — only the OWASP categories the change touches run, keeping CI minutes low.
- Verdict modes: regression (default — fails the build only on a real posture drop), findings (any new finding fails), never (advisory only).
- PR comment is idempotent — re-runs replace the previous comment instead of stacking.
01
Setup (5 minutes)
- Create a didk_ key in /settings/api-keys, store as DOESITDEFEND_API_KEY repo secret.
- Drop a .doesitdefend.yml at the repo root declaring target.endpoint + watched prompt files.
- Add the GitHub Action to .github/workflows/ — or run doesitdefend scan from any CI.
02
What lands on the PR
- GitHub check run with title (Baseline scan recorded / Regression detected / Improvement).
- Idempotent PR comment with the diff-selected category and per-finding evidence.
- Baseline auto-selected from the most recent same-target run within 30 days (BASELINE_MAX_AGE_DAYS).