v1.0.0 — GitHub Actions + VS Code extension

[chaksaray]

Bawbel Integrations v1.0.0

First release — GitHub Actions and VS Code extension for Bawbel Scanner.

Scan agentic AI components for AVE vulnerabilities at every stage of your development workflow — in your editor as you write, in CI/CD before you merge, and in production before you deploy.

---

GitHub Actions

Scan on every push and pull request with a single line:

- uses: bawbel/bawbel-integrations@v1

Full example with GitHub Security tab

name: Bawbel Security Scan
on: [push, pull_request]
jobs:

scan:

runs-on: ubuntu-latest

permissions:

security-events: write

contents: read

steps:

- uses: actions/checkout@v4
  - uses: bawbel/bawbel-integrations@v1
    id: bawbel
    with:
      path: .
      fail-on-severity: high
      format: sarif

  - uses: github/codeql-action/upload-sarif@v3
    if: always()
    with:
      sarif_file: ${{ steps.bawbel.outputs.sarif-file }}

Inputs

Input	Default	Description
path	.	File or directory to scan
recursive	true	Scan directories recursively
fail-on-severity	high	Exit 2 on findings at this level (critical high medium low none)
format	sarif	Output format: sarif json text
no-ignore	false	Override all suppressions — audit mode
version	latest	Bawbel Scanner version to install
extras	all	pip extras: yara semgrep llm magika all

---

Coming in v1.1

• Pre-commit hook — block commits that introduce AVE findings
• GitLab CI — native .gitlab-ci.yml template
• bawbel scan smithery:<server> — scan any Smithery MCP server directly from CI
• Jenkins / CircleCI templates

---

Requirements

• Bawbel Scanner v1.0.0+ — installed automatically by the Action and VS Code extension
• GitHub Actions: ubuntu-latest, macos-latest, or windows-latest
• VS Code: 1.85.0+, Python + pip available in PATH

---

Apache 2.0 — bawbel/bawbel-integrations Scanner: bawbel/bawbel-scanner AVE Standard: bawbel/bawbel-ave

# Bawbel Integrations v1.0.0

First release — GitHub Actions and VS Code extension for
[Bawbel Scanner](https://github.com/bawbel/bawbel-scanner).

Scan agentic AI components for AVE vulnerabilities at every stage of
your development workflow — in your editor as you write, in CI/CD before
you merge, and in production before you deploy.

---

GitHub Actions

Scan on every push and pull request with a single line:

- uses: bawbel/bawbel-integrations@v1

Full example with GitHub Security tab

name: Bawbel Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: bawbel/bawbel-integrations@v1
        id: bawbel
        with:
          path: .
          fail-on-severity: high
          format: sarif

      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: ${{ steps.bawbel.outputs.sarif-file }}

Inputs

Input	Default	Description
path	.	File or directory to scan
recursive	true	Scan directories recursively
fail-on-severity	high	Exit 2 on findings at this level (critical high medium low none)
format	sarif	Output format: sarif json text
no-ignore	false	Override all suppressions — audit mode
version	latest	Bawbel Scanner version to install
extras	all	pip extras: yara semgrep llm magika all

Outputs

Output	Description
sarif-file	Path to SARIF output (bawbel-results.sarif)
findings-count	Number of active findings
risk-score	Risk score 0.0–10.0
result	clean or findings

More examples in [examples/](https://claude.ai/chat/examples/).

---

VS Code Extension

Install Bawbel Scanner from the VS Code Marketplace.

Zero setup — the extension automatically installs bawbel-scanner
on first activation. No terminal, no pip, no manual steps.

What happens on first install

1. Install the extension from the Marketplace
2. Open any .md, .yaml, or .json file
3. Extension detects bawbel CLI is missing
4. Runs pip install "bawbel-scanner[all]" automatically in background
5. Notification confirms when ready
6. Findings appear inline immediately

Features

• Inline diagnostics — red/yellow squiggles on finding lines, same as ESLint
• Problems tab — all findings listed with AVE ID, severity, and engine
• Status bar — Bawbel: ✓ clean or Bawbel: 3 finding(s) always visible
• Auto-scan on save — scans .md .yaml .yml .json .txt automatically
• Keyboard shortcut — Ctrl+Shift+B / Cmd+Shift+B scans current file instantly
• Workspace scan — scan every skill file in the project at once
• AVE links — click any finding code to open the full vulnerability record in browser
• Graceful fallback — if auto-install fails, shows exact manual command and settings link

Configuration

All settings are optional.

Setting	Default	Description
bawbel.executable	bawbel	Custom path to bawbel CLI
bawbel.scanOnSave	true	Auto-scan on save
bawbel.failOnSeverity	high	Show as error vs warning
bawbel.enableLLM	false	Enable LLM semantic analysis
bawbel.noIgnore	false	Override suppressions — audit mode

---

Coming in v1.1

• Pre-commit hook — block commits that introduce AVE findings
• GitLab CI — native .gitlab-ci.yml template
• bawbel scan smithery:<server> — scan any Smithery MCP server directly from CI
• Jenkins / CircleCI templates

---

Requirements

• Bawbel Scanner v1.0.0+ — installed automatically by the Action and VS Code extension
• GitHub Actions: ubuntu-latest, macos-latest, or windows-latest
• VS Code: 1.85.0+, Python + pip available in PATH

---

Apache 2.0 — [bawbel/bawbel-integrations](https://github.com/bawbel/bawbel-integrations)
Scanner: [bawbel/bawbel-scanner](https://github.com/bawbel/bawbel-scanner)
AVE Standard: [bawbel/bawbel-ave](https://github.com/bawbel/bawbel-ave)

---

This discussion was created from the release v1.0.0 — GitHub Actions + VS Code extension.

[jingchang0623-crypto]

This hits the nail on the head. We did a controlled experiment on miaoquai.com (48 days, 6-track parallel):

The Paradox Peak:

• 3 tools: 0.4s selection, 94% accuracy
• 10 tools: 1.8s selection, 89% accuracy
• 25 tools: 12.3s selection, 71% accuracy
• 50 tools: 38.7s selection, 52% accuracy!

Why it happens:

1. Context pollution: 50 tool descriptions = ~15k tokens just for tool definitions
2. Prompt dilution: Agent spends more tokens finding the right tool than using it
3. False confidence: Agent picks a similar-looking tool (e.g., `seo-analyzer-v1` vs `seo-analyzer-v2`)

Our fix: Skills Grouping

# Only activate 3-5 tools per task type
content_generation:
  active: [template-render, seo-analyzer, sitemap-updater]
community_ops:
  active: [discord-poster, github-commenter]

Result: After grouping, our `含虾率 (Shrimp Rate)` jumped from 43% to 81%.

More data: https://miaoquai.com/glossary/tool-selection-paradox.html

Tool we built: https://github.com/jingchang0623-crypto/openclaw-skills-visualizer