GitHub action that analyzes PR authors’ recent activity patterns to detect automation signals.
Create a workflow file in your repository (e.g., .github/workflows/agentscan.yml):
name: AgentScan
on:
  pull_request_target:
    types: [opened, reopened]
permissions:
  pull-requests: write
  contents: read
jobs:
  agentscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: AgentScan
        uses: MatteoGabriele/agentscan-action@v1.0.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
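The action runs automatically on new and reopened pull requests and analyzes the PR author’s activity patterns to detect automation signals. Because the trigger is pull_request_target, the workflow runs in the context of the base repository with the permissions declared above, and actions/checkout checks out the base branch by default, not the pull request’s code.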
.agentscan-cache). When provided, analysis results are cached and reused within the TTL period

To skip specific team members from being scanned, add their usernames to the skip-members input:
- name: AgentScan
  uses: MatteoGabriele/agentscan-action@v1.0.1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    skip-members: "dependabot,renovate,my-trusted-bot"
Members in the skip list are excluded from analysis, and no PR comment or labels are added for them.
To enable caching and avoid redundant API calls, use actions/cache@v4 and pass the cache path to the action:
steps:
  - uses: actions/checkout@v4
  - name: Cache AgentScan analysis
    uses: actions/cache@v4
    with:
      path: .agentscan-cache
      key: agentscan-cache-${{ github.actor }}
      restore-keys: agentscan-cache-
  - name: AgentScan
    uses: MatteoGabriele/agentscan-action@v1.0.1
    with:
      github-token: ${{ secrets.GITHUB_TOKEN }}
      cache-path: ".agentscan-cache"
How caching works:
- actions/cache@v4 with a path and unique key
- cache-path input
- actions/cache persists the directory between workflow runs

Cache Invalidation: Cached entries automatically expire after 2 days.
To skip posting a PR comment when the analysis result is “organic” (clean, human-like activity), enable the skip-comment-on-organic option:
- name: AgentScan
  uses: MatteoGabriele/agentscan-action@v1.0.1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    skip-comment-on-organic: true
When enabled, the action will still output all analysis data (for downstream steps to use) but won’t post a comment on the PR if the account is classified as organic.
To disable all PR comments and only use the action’s outputs, set agent-scan-comment to false:
- name: AgentScan
  uses: MatteoGabriele/agentscan-action@v1.0.1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    agent-scan-comment: false
This is useful if you want to use the analysis outputs in downstream steps without posting comments.
Run tests with vitest:
pnpm run test
Tests cover the following scenarios:
Stay safe out there, fellow human, and use AI responsibly.