A hardened template for running CoCo as an autonomous scan-issue-fix agent on GitHub Actions. Scan every push, score each finding, auto-fix the safe ones, and route the rest to human review.
> **Important:** Requires Cortex Code (CoCo) beta channel, version `1.1.9+204229.0400c522997b` or later. The workflows install from the beta channel automatically (`CORTEX_CHANNEL=beta`). Verify with `cortex exec --version`.
This repository is provisioned by the `$devops-coco-agents:scaffold-for-github` skill — you do not set it up manually.
| File | Purpose |
|---|---|
| `.github/workflows/cortex-scan.yml` | Scan Python files on push/schedule, route findings by severity |
| `.github/workflows/cortex-fix.yml` | Auto-fix issues labeled `coco:auto-fix`; called by comment-fix |
| `.github/workflows/cortex-comment-fix.yml` | Triggered by a `/coco fix` comment on any `coco:needs-review` issue |
| `.github/coco-config.yml` | Fix ceiling policy — change via PR for a full audit trail |
| `.cortex/prompts/scan.md` | IDD-structured scan prompt |
| `.cortex/prompts/fix.md` | IDD-structured fix prompt |
| `.agentignore` | Gitignore-style patterns the scan agent skips |
| `connections.toml.template` | Reference for the Snowflake connection used in CI |
1. Install Cortex Code (CoCo).

2. Install the scaffold plugin:

   ```
   cortex plugin install https://github.com/Snowflake-Labs/devops-snowflake-coco-agents
   ```

3. In the CoCo chat panel:

   ```
   scaffold for agentic devops with GitHub
   ```

   or:

   ```
   $devops-coco-agents:scaffold-for-github
   ```
The scaffold walks through six guided steps — repo creation, OIDC provisioning, secrets, branch protection — and lands you here in under 10 minutes.
```mermaid
flowchart TD
    trigger["push to main / weekly schedule"] --> scan["cortex-scan\nScore each finding\nSEVERITY × COMPLEXITY × CONFIDENCE"]
    scan -->|"low risk"| autofix["Label: coco:auto-fix"]
    scan -->|"higher risk"| review["Label: coco:needs-review"]
    autofix --> fix1["cortex-fix\nopens PR automatically"]
    review --> human["developer reviews\ncomments /coco fix"]
    human --> fix2["cortex-fix\nopens PR on request"]
```
The fix ceiling is controlled by `.github/coco-config.yml`:

```yaml
fix_mode:
  max_auto: conservative # off | conservative | aggressive
```

| Ceiling | Auto-fix when | Otherwise |
|---|---|---|
| `off` | Never | Always needs-review |
| `conservative` | severity=low AND complexity=low AND confidence=high | needs-review |
| `aggressive` | confidence >= medium | needs-review |
Change the ceiling via PR — the git history is your audit trail.
Set `COCO_MAX_AUTO` as a repository variable to override at runtime without a PR.

Every scan run logs the active ceiling to the Actions summary:

```
::notice::Fix ceiling: conservative (source: .github/coco-config.yml)
```
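The ceiling table and the override rule above, written out as an added example so a finding's label can be checked locally before a run; this is illustrative code, not the template's own workflow logic. It assumes the scan scores each finding as `low|medium|high` for severity, complexity and confidence, reads the `fix_mode.max_auto` key with a minimal regex rather than a YAML library, and lets `COCO_MAX_AUTO` win over the file; any unrecognised value fails closed to `off`.

```python
import os
import re
from typing import Optional

LEVELS = {"low": 0, "medium": 1, "high": 2}
CEILINGS = ("off", "conservative", "aggressive")


def load_ceiling(config_text: str, env: Optional[dict] = None) -> tuple:
    """Resolve the active ceiling and where it came from.

    COCO_MAX_AUTO (repository variable) overrides the config file; an
    unrecognised value in either place falls back to "off", so a typo
    narrows the ceiling rather than widening it.
    """
    env = os.environ if env is None else env
    override = env.get("COCO_MAX_AUTO", "").strip().lower()
    if override in CEILINGS:
        return override, "COCO_MAX_AUTO"
    # Minimal parse of the fix_mode.max_auto key (assumed layout, no YAML lib).
    match = re.search(r"^\s*max_auto:\s*([A-Za-z]+)", config_text, re.M)
    value = match.group(1).lower() if match else ""
    if value in CEILINGS:
        return value, ".github/coco-config.yml"
    return "off", "default (max_auto missing or unrecognised)"


def notice_line(ceiling: str, source: str) -> str:
    """The Actions summary line the scan run logs for the active ceiling."""
    return f"::notice::Fix ceiling: {ceiling} (source: {source})"


def route(finding: dict, ceiling: str) -> str:
    """Label one scored finding per the ceiling table; unknown scores fail closed."""
    sev = LEVELS.get(finding.get("severity"), -1)
    cpx = LEVELS.get(finding.get("complexity"), -1)
    conf = LEVELS.get(finding.get("confidence"), -1)
    if ceiling == "conservative" and (sev, cpx, conf) == (0, 0, 2):
        return "coco:auto-fix"
    if ceiling == "aggressive" and conf >= 1:
        return "coco:auto-fix"
    return "coco:needs-review"  # "off", or the finding misses the ceiling


if __name__ == "__main__":
    # Constructed config text and findings for the demo; not real scan output.
    config = "fix_mode:\n  max_auto: conservative # off | conservative | aggressive\n"
    ceiling, source = load_ceiling(config, {})
    print(notice_line(ceiling, source))
    findings = [
        {"id": "F1", "severity": "low", "complexity": "low", "confidence": "high"},
        {"id": "F2", "severity": "high", "complexity": "low", "confidence": "high"},
    ]
    for f in findings:
        print(f["id"], "->", route(f, ceiling))
```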
This repository is set up by the CoCo scaffold skill, which provisions:

- Snowflake SERVICE user, role, and warehouse with OIDC trust (no stored secrets)
- All GitHub secrets and the `COCO_MAX_AUTO` variable
- Branch protection

To scaffold a new project using this template:

```
scaffold for agentic devops with GitHub
```

or: `$devops-coco-agents:scaffold-for-github`

See the full scaffold guide.
Scan trigger — `cortex-scan.yml` watches `demo/**` by default (smoke test path). Change `paths:` to match your codebase:

```yaml
on:
  push:
    branches: [main]
    paths: ["src/**/*.py", "*.py"] # adapt to your project layout
```

Scan exclusions — add patterns to `.agentignore` to skip files or directories.

Fix ceiling — edit `.github/coco-config.yml` and merge the PR.
| Token | Required permissions |
|---|---|
| `GITHUB_TOKEN` (auto) | `issues: write`, `pull-requests: write`, `contents: write`, `id-token: write` — set in each workflow's `permissions:` block |
| `SNOWFLAKE_*` secrets | Provisioned by the scaffold skill via OIDC |
Commits follow Conventional Commits. See `AGENTS.md` for agent and contributor conventions.