AI-powered risk analysis for pull requests — a GitHub Action by MergeShield
Analyzes code changes using Claude AI and provides a risk score with pass/fail CI status across 6 dimensions: complexity, security, blast radius, test coverage, breaking changes, and dependency risk.
name: MergeShield Risk Check
on:
pull_request:
types: [opened, synchronize, reopened]
permissions:
statuses: write # Required for commit status
contents: read
pull-requests: read
jobs:
risk-check:
runs-on: ubuntu-latest
steps:
- uses: mergeshield/risk-check@v1
with:
api-key: ${{ secrets.MERGESHIELD_API_KEY }}Note: No
actions/checkoutstep is needed — the action sends PR metadata to the MergeShield API, which fetches the diff using the provided GitHub token.
| Input | Required | Default | Description |
|---|---|---|---|
api-key |
Yes | — | MergeShield API key (msk_... format) |
github-token |
No | ${{ github.token }} |
GitHub token for PR data access |
api-url |
No | https://api.mergeshield.dev |
MergeShield API URL |
risk-threshold |
No | 50 |
Risk score threshold (0-100). Scores >= this fail the check |
timeout |
No | 300 |
Max wait time in seconds for analysis |
fail-on-error |
No | true |
Fail the workflow if analysis errors |
| Output | Description | Set on |
|---|---|---|
risk-score |
Overall risk score (0-100) | completed |
risk-level |
Risk level: low, medium, high, or critical |
completed |
analysis-id |
Analysis ID for API lookups | completed |
analysis-url |
Link to the full analysis on the MergeShield dashboard | completed |
summary |
AI-generated summary of the risk findings | completed |
status |
Analysis status: completed, failed, or timeout |
Always |
Note:
risk-score,risk-level,analysis-id,analysis-url, andsummaryare only set when status iscompleted. Usefail-on-error: falsewithsteps.<id>.outputs.statusto handle all cases.
The action needs the following GitHub token permissions:
permissions:
statuses: write # To set commit status (mergeshield/risk-check)
contents: read # To read repository data
pull-requests: read # To access PR metadataIf your repository or organization uses restrictive default permissions, add the permissions block to your workflow file.
- Create an account at mergeshield.dev
- Generate an API key in Dashboard > Settings
- Add the secret to your repo: Settings > Secrets >
MERGESHIELD_API_KEY - Add the workflow file above to
.github/workflows/
- uses: mergeshield/risk-check@v1
with:
api-key: ${{ secrets.MERGESHIELD_API_KEY }}
risk-threshold: 75 # Only fail on high/critical risk- uses: mergeshield/risk-check@v1
id: risk
with:
api-key: ${{ secrets.MERGESHIELD_API_KEY }}
fail-on-error: false
- name: Comment on PR
if: steps.risk.outputs.risk-level == 'critical'
uses: actions/github-script@v7
with:
script: |
github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: `Warning: Critical risk detected (${steps.risk.outputs.risk-score}/100). [View analysis](${steps.risk.outputs.analysis-url})`
})- uses: mergeshield/risk-check@v1
with:
api-key: ${{ secrets.MERGESHIELD_API_KEY }}
fail-on-error: false # Don't fail the workflow- Trigger: When a PR is opened or updated, the action sends the PR details to the MergeShield API
- Analysis: Claude AI evaluates the code changes across 6 risk dimensions
- Score: A risk score (0-100) is computed with a risk level (low/medium/high/critical)
- Status: A commit status (
mergeshield/risk-check) is set on the PR with pass/fail based on your threshold - Summary: A GitHub Actions job summary table is written with the results and AI summary
| Dimension | What It Measures |
|---|---|
| Complexity | Code complexity, cognitive load, refactoring scope |
| Security | Auth changes, secrets, injection vectors, permissions |
| Blast Radius | How many systems/users are affected by the change |
| Test Coverage | Whether tests exist for the changes |
| Breaking Changes | API changes, schema migrations, config changes |
| Dependency Risk | New/updated dependencies, supply chain concerns |
MIT
