andriy-sudo

Andriy Lysyuk

@andriy-sudo
diplomatic but thorough
Andriy provides technically detailed and security-conscious reviews with a focus on best practices and proper implementation. He tends to give comprehensive explanations of his feedback, often providing specific solutions and implementation guidance while maintaining a balanced perspective between speed and security.
Comments: 69
PRs: 51
Repos: 16
Avg Chars: 139
Harshness: 4

Personality

Security-focused, Detail-oriented, Solution-oriented, Pragmatic but principled, Patient teacher, Process-aware, Risk-conscious, Methodical

Greatest Hits

"The fastest way is not always secure enough"
"Here's a summary of what changed from the feedback fix:"
"This issue is a valid one"
"matrix is valid at step scope"
"skipped automatically when checkout was skipped"

Focus Areas

Common Phrases

"The feedback is correct", "Here's a summary of what changed", "This issue is a valid one", "The fastest way is not always", "I agree that it is", "should not be used in the code", "Use os.getenv() instead", "Pinned to another version", "is required", "skipped automatically when", "All subsequent steps", "matrix is valid at", "step scope", "creates the risk of", "insecure practices"

Sentiment Breakdown

neutral: 21
positive: 4
constructive: 2
questioning: 2

Review Outcomes

CHANGES_REQUESTED: 1
APPROVED: 43
COMMENTED: 2

Most Reviewed Authors

andriy-sudo: 19
xOtanix: 15
akuzminsky: 7
cyrusagent: 4
KateZhang98: 4
paveldudka: 4
tinyfish-github-bot: 4
npkhang99: 3
hongjingzhou: 2
uttambharadwaj: 2

AI Persona Prompt

You are andriy-sudo, a security-conscious code reviewer who provides detailed, educational feedback with a focus on best practices. Your reviews are thorough and solution-oriented - you don't just point out problems, you explain the underlying issues and provide specific implementation guidance. You have particular expertise in GitHub Actions workflows, security vulnerabilities, and proper credential handling. When reviewing, you often start with phrases like 'The feedback is correct' or 'This issue is a valid one' before diving into detailed explanations. You provide comprehensive summaries of changes using bullet points and technical details. While you understand the pressure to move fast, you firmly believe that 'the fastest way is not always secure enough' and will push back on shortcuts that compromise security, explaining how practices like hardcoding credentials 'creates the risk of their leakage' and 'undermines trust of our customers.' You're patient in explaining complex concepts like GitHub Actions context scoping, often clarifying that 'matrix is valid at step scope' but not at job level. You reference previous approved approaches and provide actionable alternatives like 'Use os.getenv() instead.' Your tone is diplomatic but firm - you acknowledge practical constraints while maintaining high standards for security and best practices.

Recent Comments (29 total)

ux-labs/#1963 andriy/eng 12768 fixdocker frontend image not buildingpushing to ecr after · .github/workflows/CD_frontend.yml
The feedback is correct — matrix is not in the allowed contexts for jobs.<job_id>.if. I'll implement option A: gate on the checkout step, and chain all subsequent steps off its conclusion.

ux-labs/#1963 andriy/eng 12768 fixdocker frontend image not buildingpushing to ecr after · .github/workflows/CD_frontend.yml
Here's a summary of what changed from the feedback fix:
- Removed the invalid job-level if that referenced matrix.en

ux-labs/#1828 fix: update Dockerfile to remediate CVE-2025-15467 (critical OpenSSL vulnerability)
Pinned to another version of node:22-alpine is required.

ux-labs/#1828 fix: update Dockerfile to remediate CVE-2025-15467 (critical OpenSSL vulnerability)
The same approach as in https://github.com/tinyfish-io/ux-labs/pull/1822, approved before.

ux-labs/#1828 fix: update Dockerfile to remediate CVE-2025-15467 (critical OpenSSL vulnerability)
> Pinned to another version of node:22-alpine is required.

Done in commit 7006a5f3

ux-labs/#1016 Ignore semgrep for agents · mino_launch_agents/tory_burch_product_lookup.py
This issue is a valid one. 'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR...' should not be used in the code. Use os.getenv() instead.

ux-labs/#1016 Ignore semgrep for agents · mino_launch_agents/tory_burch_product_lookup.py
> In this case, it's ok because we don't have to store agent specific secrets in cod aws. The fastest way is to have them hardcoded in the code.
>
> By the end of the day, this is ok because we will eventually remove all of them

I agree that it is the fastest way, but the fastest way is not always secure enough. Hardcoding of credentials creates the risk of their leakage through code commit

agentql-client/#1187 Add missing Tetra built-in proxy docs to REST API
SAST findings related to ws:// in the provided output are likely to be false positives for a typical application vulnerability, as they appear to be within test files (python/test/agentql/tools/tetra_test.py).

github-control/#1216 Golden Image Standard created · modules/repo/files/golden-images.yaml
The purpose of this is to justify the image selection - we have vulnerabilities flagged by AWS Inspector and in order to remediate them we need to use this image. Vulnerability tickets are parked at INF team and Engineers are using the recommended image - this is a call to action for them.

github-control/#1216 Golden Image Standard created · modules/repo/files/golden-images.yaml
OK, valid comment. Will update the file with proper description.

github-control/#1216 Golden Image Standard created · modules/repo/files/golden-images.yaml
Removed this in the last commit 10a5bca

github-control/#1216 Golden Image Standard created · modules/repo/files/golden-images.yaml
Resolved in 10a5bca

github-control/#1216 Golden Image Standard created · modules/service-repo/files/golden-images.yaml
Resolved in 10a5bca

github-control/#1142 Made ANTHROPIC_API_KEY available as an organization-wide secret for all private repositories, enabling Claude code review automation across all repos without per-repository configuration
As discussed with Aleks this change will not be implemented, this API key must be visible and added only to two additional repositories: aws-control-development, aws-control-audit, so discarding this change.

github-control/#1133 Setup new Tetra repo · repos.tf
Configuration of .tags.json is 'frozen' and includes the snapshot of teams known at that time. They will be expanded as per this ticket: https://linear.app/tinyfish/issue/INF-475/vanta-automation-update-list-of-linear-teams-in-tagsjson