fix: followup cleanup for merged community PRs #94
Workflow file for this run
```yaml
# AI-powered security analysis for the agent-governance-toolkit.
# Catches security issues that static analysis tools like CodeQL may miss:
# prompt injection defense bypass, policy engine circumvention, trust chain
# weaknesses, credential exposure, sandbox escape, and deserialization attacks.
#
# Two modes:
#   - PR scan: non-blocking analysis on every pull request
#   - Weekly full scan: comprehensive audit posted as a GitHub issue

name: AI Security Scan

# SECURITY: Uses pull_request_target for write access to post PR comments.
# All checkouts pin to BASE ref (never HEAD) to prevent RCE via modified
# composite actions in fork PRs. See MSRC Case 111178.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches: [main]
  schedule:
    - cron: "0 6 * * 1" # Weekly Monday 6:00 UTC
  workflow_dispatch:

permissions:
  contents: read
  pull-requests: write
  issues: write
  models: read

jobs:
  pr-security-scan:
    name: PR Security Analysis
    runs-on: ubuntu-latest
    if: >-
      github.event_name == 'pull_request_target' &&
      github.event.pull_request.draft == false &&
      github.actor != 'dependabot[bot]'
    continue-on-error: true
    steps:
      - name: Fork safety check
        if: github.event.pull_request.head.repo.full_name != github.repository
        run: echo "::notice::Running on fork PR — composite action resolved from base branch (safe)"

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # SECURITY: pull_request_target defaults to base branch checkout (safe).
          # Do NOT add ref: head.sha — see MSRC Case 111178.
          persist-credentials: false
          fetch-depth: 1

      - name: Run AI security scan
        uses: ./.github/actions/ai-agent-runner
        with:
          agent-type: security-scanner
          github-token: ${{ secrets.GITHUB_TOKEN }}
          model: gpt-4o
          fallback-model: gpt-4o-mini
          max-tokens: "4000"
          context-mode: pr-diff
          output-mode: pr-comment
          custom-instructions: |
            You are a security analyst reviewing changes to microsoft/agent-governance-toolkit —
            a security-focused AI agent governance library.

            This is CRITICAL: the toolkit itself IS the security layer. Bugs here mean
            security bypasses for all downstream users.

            Scan for:
            1. **Prompt injection defense bypass** — can crafted input circumvent policy guards?
            2. **Policy engine circumvention** — can policies be skipped or weakened?
            3. **Trust chain weaknesses** — SPIFFE/SVID validation gaps, cert pinning issues
            4. **Credential exposure** — secrets in logs, error messages, or debug output
            5. **Sandbox escape** — container/process isolation breakouts
            6. **Deserialization attacks** — unsafe pickle/yaml/json loading
            7. **Race conditions** — TOCTOU in policy checks, concurrent trust evaluation
            8. **Supply chain** — dependency confusion, typosquatting in imports

            Rate each finding: 🔴 CRITICAL / 🟠 HIGH / 🟡 MEDIUM / 🔵 LOW
            For each finding, explain the attack vector and suggest a fix.

  weekly-full-scan:
    name: Weekly Full Security Audit
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # SECURITY: schedule/workflow_dispatch defaults to the correct ref (safe).
          # Do NOT add ref: head.sha — see MSRC Case 111178.
          persist-credentials: false
          fetch-depth: 1

      - name: Run full security audit
        id: audit
        uses: ./.github/actions/ai-agent-runner
        with:
          agent-type: security-auditor
          github-token: ${{ secrets.GITHUB_TOKEN }}
          model: gpt-4o
          fallback-model: gpt-4o-mini
          max-tokens: "4000"
          context-mode: repo-scan
          output-mode: none
          custom-instructions: |
            You are performing a weekly security audit of microsoft/agent-governance-toolkit.

            Review the repository structure and recent changes for:
            1. Prompt injection defense bypass vectors
            2. Policy engine circumvention paths
            3. Trust chain weaknesses (SPIFFE/SVID)
            4. Credential exposure risks
            5. Sandbox escape vectors
            6. Deserialization attack surfaces
            7. Race conditions in security-critical paths
            8. Supply chain vulnerabilities

            Format as a security report with:
            - Executive summary
            - Findings table (Severity | Category | Description | Location)
            - Recommendations

      - name: Create security audit issue
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AUDIT_RESPONSE: ${{ steps.audit.outputs.response }}
        run: |
          if [ -z "$AUDIT_RESPONSE" ]; then
            AUDIT_RESPONSE="Weekly security audit completed but produced no output. Check workflow logs."
          fi
          printf '%s' "$AUDIT_RESPONSE" > "$RUNNER_TEMP/audit-body.md"
          gh issue create \
            --title "🔒 Weekly AI Security Audit — $(date +%Y-%m-%d)" \
            --body-file "$RUNNER_TEMP/audit-body.md" \
            --label "security,ai-audit" \
            || echo "::warning::Failed to create security audit issue"
```
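The SECURITY comments above rely on a convention (never check out the PR head under `pull_request_target`, and keep `persist-credentials: false`) that nothing enforces mechanically. The following added lint, which is not part of this repository, is a regex-based check over workflow text (not a YAML parser) that flags exactly that pattern; both sample workflows are constructed for the example.

```python
import re

# Constructed sample: follows the rule above (default base-branch checkout only).
SAFE_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
jobs:
  scan:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/ai-agent-runner
"""

# Constructed sample: same workflow, but the checkout is pinned to the PR head,
# so the local composite action is resolved from fork-controlled content.
UNSAFE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/ai-agent-runner
"""

TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.M)
HEAD_REF = re.compile(r"^\s*ref\s*:.*github\.event\.pull_request\.head\.", re.M)
LOCAL_ACTION = re.compile(r"^\s*-?\s*uses\s*:\s*\./", re.M)
CHECKOUT = re.compile(r"uses\s*:\s*actions/checkout@", re.M)
NO_PERSIST = re.compile(r"^\s*persist-credentials\s*:\s*false", re.M)


def lint_workflow(text: str) -> list:
    """Return human-readable findings; an empty list means the workflow passes."""
    findings = []
    if not TRIGGER.search(text):
        return findings  # the pattern only matters for pull_request_target workflows
    if HEAD_REF.search(text):
        findings.append("checkout pinned to PR head under pull_request_target")
        if LOCAL_ACTION.search(text):
            findings.append("local composite action (uses: ./...) runs from PR-controlled tree")
    if CHECKOUT.search(text) and not NO_PERSIST.search(text):
        findings.append("actions/checkout without persist-credentials: false (token left in .git)")
    return findings
```

Run it over `.github/workflows/*.yml` in CI and fail the job on any finding; it is a pre-merge guard rail, not a replacement for reviewing each workflow.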