fix(ci): restore read-all at workflow level for Scorecard verification #27
```yaml
# AI-powered security analysis for the agent-governance-toolkit.
# Catches security issues that static analysis tools like CodeQL may miss:
# prompt injection defense bypass, policy engine circumvention, trust chain
# weaknesses, credential exposure, sandbox escape, and deserialization attacks.
#
# Two modes:
#   - PR scan: non-blocking analysis on every pull request
#   - Weekly full scan: comprehensive audit posted as a GitHub issue

name: AI Security Scan

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches: [main]
  schedule:
    - cron: "0 6 * * 1" # Weekly Monday 6:00 UTC
  workflow_dispatch:

permissions:
  contents: read
  pull-requests: write
  issues: write
  models: read

jobs:
  pr-security-scan:
    name: PR Security Analysis
    runs-on: ubuntu-latest
    if: >-
      github.event_name == 'pull_request_target' &&
      github.event.pull_request.draft == false &&
      github.actor != 'dependabot[bot]'
    continue-on-error: true
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # SECURITY: pull_request_target — checkout base branch (default), NOT
          # the PR head. The composite action fetches the diff via GitHub API,
          # so checking out HEAD is unnecessary and would let a malicious PR
          # modify .github/actions/ code that runs with elevated GITHUB_TOKEN.
          fetch-depth: 0

      - name: Run AI security scan
        uses: ./.github/actions/ai-agent-runner
        with:
          agent-type: security-scanner
          github-token: ${{ secrets.GITHUB_TOKEN }}
          model: gpt-4o
          fallback-model: gpt-4o-mini
          max-tokens: "4000"
          context-mode: pr-diff
          output-mode: pr-comment
          custom-instructions: |
            You are a security analyst reviewing changes to microsoft/agent-governance-toolkit —
            a security-focused AI agent governance library.

            This is CRITICAL: the toolkit itself IS the security layer. Bugs here mean
            security bypasses for all downstream users.

            Scan for:
            1. **Prompt injection defense bypass** — can crafted input circumvent policy guards?
            2. **Policy engine circumvention** — can policies be skipped or weakened?
            3. **Trust chain weaknesses** — SPIFFE/SVID validation gaps, cert pinning issues
            4. **Credential exposure** — secrets in logs, error messages, or debug output
            5. **Sandbox escape** — container/process isolation breakouts
            6. **Deserialization attacks** — unsafe pickle/yaml/json loading
            7. **Race conditions** — TOCTOU in policy checks, concurrent trust evaluation
            8. **Supply chain** — dependency confusion, typosquatting in imports

            Rate each finding: 🔴 CRITICAL / 🟠 HIGH / 🟡 MEDIUM / 🔵 LOW
            For each finding, explain the attack vector and suggest a fix.

  weekly-full-scan:
    name: Weekly Full Security Audit
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Run full security audit
        id: audit
        uses: ./.github/actions/ai-agent-runner
        with:
          agent-type: security-auditor
          github-token: ${{ secrets.GITHUB_TOKEN }}
          model: gpt-4o
          fallback-model: gpt-4o-mini
          max-tokens: "4000"
          context-mode: repo-scan
          output-mode: none
          custom-instructions: |
            You are performing a weekly security audit of microsoft/agent-governance-toolkit.

            Review the repository structure and recent changes for:
            1. Prompt injection defense bypass vectors
            2. Policy engine circumvention paths
            3. Trust chain weaknesses (SPIFFE/SVID)
            4. Credential exposure risks
            5. Sandbox escape vectors
            6. Deserialization attack surfaces
            7. Race conditions in security-critical paths
            8. Supply chain vulnerabilities

            Format as a security report with:
            - Executive summary
            - Findings table (Severity | Category | Description | Location)
            - Recommendations

      - name: Create security audit issue
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AUDIT_RESPONSE: ${{ steps.audit.outputs.response }}
        run: |
          if [ -z "$AUDIT_RESPONSE" ]; then
            AUDIT_RESPONSE="Weekly security audit completed but produced no output. Check workflow logs."
          fi
          printf '%s' "$AUDIT_RESPONSE" > "$RUNNER_TEMP/audit-body.md"
          gh issue create \
            --title "🔒 Weekly AI Security Audit — $(date +%Y-%m-%d)" \
            --body-file "$RUNNER_TEMP/audit-body.md" \
            --label "security,ai-audit" \
            || echo "::warning::Failed to create security audit issue"
```
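The two properties this workflow leans on are stated only in comments: under `pull_request_target` the checkout must stay on the base branch, and the top-level `permissions` block decides what every job's `GITHUB_TOKEN` can do (Scorecard's Token-Permissions check wants that top-level block read-only, with write scopes granted per job). The checker below is an added example, not part of this PR or of the agent-governance-toolkit; it is a dependency-free, line-based scan that flags a checkout step pinned to the PR head under `pull_request_target`, a top-level `write-all`, or top-level write scopes. The two workflow texts at the bottom are constructed samples (the first mirrors the layout above, the second the pattern the SECURITY comment warns against) and the `actions/checkout@v4` refs in them are placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int       # 1-based line in the workflow text (0 = whole file)
    severity: str   # CRITICAL / HIGH / MEDIUM
    message: str


# Patterns applied line by line; no YAML parser is needed for these checks.
TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:")
CHECKOUT_RE = re.compile(r"^\s*-?\s*uses:\s*actions/checkout@")
STEP_RE = re.compile(r"^\s*-\s*(uses|name|run)\s*:")          # start of next step
REF_RE = re.compile(r"^\s*ref\s*:\s*(.+?)\s*$")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head|github\.head_ref")
TOP_PERM_RE = re.compile(r"^permissions\s*:\s*(.*?)\s*$")     # column 0 only
PERM_ENTRY_RE = re.compile(r"^\s+([\w-]+)\s*:\s*(read|write|none)\s*$")
TOP_KEY_RE = re.compile(r"^[\w-]+\s*:")


def check_workflow(text: str) -> list[Finding]:
    lines = text.splitlines()
    findings: list[Finding] = []
    uses_prt = any(TRIGGER_RE.match(ln) for ln in lines)

    # 1. A checkout step whose `ref:` points at the PR head. Under
    #    pull_request_target that runs untrusted code with the base repo's token.
    in_checkout = False
    for no, ln in enumerate(lines, 1):
        if CHECKOUT_RE.match(ln):
            in_checkout = True
            continue
        if STEP_RE.match(ln):
            in_checkout = False
        m = REF_RE.match(ln)
        if in_checkout and uses_prt and m and HEAD_REF_RE.search(m.group(1)):
            findings.append(Finding(no, "CRITICAL",
                "pull_request_target workflow checks out the PR head; "
                "untrusted code would run with the base repository's GITHUB_TOKEN"))

    # 2. Top-level permissions: write-all, or write scopes that every job inherits.
    top_perm_seen = False
    for no, ln in enumerate(lines, 1):
        m = TOP_PERM_RE.match(ln)
        if not m:
            continue
        top_perm_seen = True
        scalar = m.group(1)
        if scalar == "write-all":
            findings.append(Finding(no, "HIGH",
                "top-level permissions: write-all grants every scope to all jobs"))
        elif scalar in ("", "{}"):
            writes = []
            for inner in lines[no:]:                 # entries until next top-level key
                if TOP_KEY_RE.match(inner):
                    break
                pm = PERM_ENTRY_RE.match(inner)
                if pm and pm.group(2) == "write":
                    writes.append(pm.group(1))
            if writes:
                findings.append(Finding(no, "MEDIUM",
                    f"top-level write scopes ({', '.join(writes)}) apply to every job; "
                    "prefer read-all at the top and per-job write grants"))
        break
    if not top_perm_seen:
        findings.append(Finding(0, "MEDIUM",
            "no top-level permissions block; GITHUB_TOKEN falls back to the repository default"))
    return findings


# Constructed sample: same shape as the workflow above (no ref on checkout,
# write scopes in the top-level block).
SAMPLE_TOPLEVEL_WRITE = """\
name: AI Security Scan
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
  pull-requests: write
  issues: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run scan
        run: echo scan
"""

# Constructed sample of the pattern the SECURITY comment warns against.
SAMPLE_HEAD_CHECKOUT = """\
name: Unsafe
on:
  pull_request_target:
permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Check out PR head
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo scan
"""

if __name__ == "__main__":
    for label, text in (("top-level write", SAMPLE_TOPLEVEL_WRITE),
                        ("head checkout", SAMPLE_HEAD_CHECKOUT)):
        print(f"== {label} ==")
        for f in check_workflow(text):
            print(f"  line {f.line:>3} {f.severity:8} {f.message}")
```

The head-checkout rule is deliberately scoped to `pull_request_target`: the same `ref:` on a plain `pull_request` trigger only gets a read-only token from a fork and is reported as nothing more than the permissions finding. Run it against `.github/workflows/*.yml` in CI before Scorecard does, so the layout this PR restores is not silently undone by a later edit.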