ai-security-scan.yml
134 lines (121 loc) · 5.58 KB
# AI-powered security analysis for the agent-governance-toolkit.
# Catches security issues that static analysis tools like CodeQL may miss:
# prompt injection defense bypass, policy engine circumvention, trust chain
# weaknesses, credential exposure, sandbox escape, and deserialization attacks.
#
# Two modes:
#   - PR scan: non-blocking analysis on every pull request
#   - Weekly full scan: comprehensive audit posted as a GitHub issue

name: AI Security Scan

# SECURITY: Uses pull_request_target so the job has a write-scoped GITHUB_TOKEN
# to post PR comments. Every checkout therefore stays on the BASE ref (never the
# PR HEAD): the composite action under ./.github/actions is resolved from the
# base branch, so a fork PR cannot modify it to run arbitrary code with that
# token. See workflow security audit.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches: [main]
  schedule:
    - cron: "0 6 * * 1" # Weekly, Monday 06:00 UTC
  workflow_dispatch:

permissions:
  contents: read
  pull-requests: write
  issues: write
  models: read

# SECURITY: pull_request_target runs in the BASE context. Never check out the PR head ref.
jobs:
  pr-security-scan:
    name: PR Security Analysis
    runs-on: ubuntu-latest
    if: >-
      github.event_name == 'pull_request_target' &&
      github.event.pull_request.draft == false &&
      github.actor != 'dependabot[bot]'
    continue-on-error: true
    steps:
      - name: Fork safety check
        if: github.event.pull_request.head.repo.full_name != github.repository
        run: echo "::notice::Running on fork PR — composite action resolved from base branch (safe)"

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # SECURITY: no `ref:` on purpose. Under pull_request_target the default
          # checkout is the BASE branch, which is what keeps the composite action
          # below trusted. Adding `ref: ${{ github.event.pull_request.head.sha }}`
          # here would re-introduce the RCE described at the top of this file.
          persist-credentials: false
          fetch-depth: 1

      - name: Run AI security scan
        uses: ./.github/actions/ai-agent-runner
        with:
          agent-type: security-scanner
          github-token: ${{ secrets.GITHUB_TOKEN }}
          model: gpt-4o
          fallback-model: gpt-4o-mini
          max-tokens: "4000"
          # The PR diff is read through the GitHub API, not from a checkout, so
          # untrusted fork content reaches the model as data only.
          context-mode: pr-diff
          output-mode: pr-comment
          custom-instructions: |
            You are a security analyst reviewing changes to microsoft/agent-governance-toolkit —
            a security-focused AI agent governance library.

            This is CRITICAL: the toolkit itself IS the security layer. Bugs here mean
            security bypasses for all downstream users.

            Scan for:
            1. **Prompt injection defense bypass** — can crafted input circumvent policy guards?
            2. **Policy engine circumvention** — can policies be skipped or weakened?
            3. **Trust chain weaknesses** — SPIFFE/SVID validation gaps, cert pinning issues
            4. **Credential exposure** — secrets in logs, error messages, or debug output
            5. **Sandbox escape** — container/process isolation breakouts
            6. **Deserialization attacks** — unsafe pickle/yaml/json loading
            7. **Race conditions** — TOCTOU in policy checks, concurrent trust evaluation
            8. **Supply chain** — dependency confusion, typosquatting in imports

            Rate each finding: 🔴 CRITICAL / 🟠 HIGH / 🟡 MEDIUM / 🔵 LOW
            For each finding, explain the attack vector and suggest a fix.

  weekly-full-scan:
    name: Weekly Full Security Audit
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # SECURITY: schedule and workflow_dispatch check out github.ref (the
          # default branch for schedule, the branch chosen at dispatch otherwise).
          # No pull request input reaches this job, so the default is safe.
          persist-credentials: false
          fetch-depth: 1

      - name: Run full security audit
        id: audit
        uses: ./.github/actions/ai-agent-runner
        with:
          agent-type: security-auditor
          github-token: ${{ secrets.GITHUB_TOKEN }}
          model: gpt-4o
          fallback-model: gpt-4o-mini
          max-tokens: "4000"
          context-mode: repo-scan
          output-mode: none
          custom-instructions: |
            You are performing a weekly security audit of microsoft/agent-governance-toolkit.

            Review the repository structure and recent changes for:
            1. Prompt injection defense bypass vectors
            2. Policy engine circumvention paths
            3. Trust chain weaknesses (SPIFFE/SVID)
            4. Credential exposure risks
            5. Sandbox escape vectors
            6. Deserialization attack surfaces
            7. Race conditions in security-critical paths
            8. Supply chain vulnerabilities

            Format as a security report with:
            - Executive summary
            - Findings table (Severity | Category | Description | Location)
            - Recommendations

      - name: Create security audit issue
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # SECURITY: the model response is passed through an environment
          # variable and written to a file, never interpolated into the shell
          # script, so model output cannot inject commands into this step.
          AUDIT_RESPONSE: ${{ steps.audit.outputs.response }}
        run: |
          if [ -z "$AUDIT_RESPONSE" ]; then
            AUDIT_RESPONSE="Weekly security audit completed but produced no output. Check workflow logs."
          fi
          printf '%s' "$AUDIT_RESPONSE" > "$RUNNER_TEMP/audit-body.md"
          gh issue create \
            --title "🔒 Weekly AI Security Audit — $(date +%Y-%m-%d)" \
            --body-file "$RUNNER_TEMP/audit-body.md" \
            --label "security,ai-audit" \
            || echo "::warning::Failed to create security audit issue"
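The SECURITY comments in this workflow encode three checkable rules: no PR-head `ref:` on a checkout under `pull_request_target`, every remote action pinned to a full commit SHA, and `persist-credentials: false` on checkouts. The script below is an added example, not part of the agent-governance-toolkit or its `ai-agent-runner` action, of a standard-library Python linter that enforces exactly those rules over workflow text. The rule names, the `SAFE`/`UNSAFE` sample workflows and the choice of line-oriented regexes instead of a YAML parser (which keeps it dependency-free and sidesteps PyYAML reading the `on` key as `True`) are my own assumptions.

```python
"""Lint GitHub Actions workflow text for pull_request_target footguns.

Added example, not the toolkit's own code. Rules and samples are constructed.
"""
import re
from dataclasses import dataclass

# A full commit SHA is the only immutable action ref; tags and branches can move.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^(\s*)(-\s+)?uses:\s*(\S+)")
REF = re.compile(r"^\s*ref:\s*(.+?)\s*$")
# Expressions that resolve to the untrusted PR head in a pull_request_target run.
HEAD_EXPR = re.compile(r"github\.event\.pull_request\.head\.(?:ref|sha)|github\.head_ref")
# `pull_request_target:` as a mapping key, `- pull_request_target` in a list, or inline `on: [...]`.
PRT_TRIGGER = re.compile(r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$|^\s*on:.*\bpull_request_target\b")


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the workflow text
    rule: str
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def lint_workflow(text: str) -> list[Finding]:
    """Return findings for unpinned actions, PR-head checkouts under
    pull_request_target, and checkouts that leave the token in .git/config."""
    lines = text.splitlines()
    # Blank out comment lines so a commented-out `ref:` does not trigger a rule.
    code = ["" if ln.lstrip().startswith("#") else ln for ln in lines]
    uses_prt = any(PRT_TRIGGER.search(ln) for ln in code)
    findings: list[Finding] = []

    for i, line in enumerate(code):
        m = USES.match(line)
        if not m:
            continue
        # Column of the `uses:` key; the step's `with:` block sits at or right of it.
        key_col = len(m.group(1)) + len(m.group(2) or "")
        target = m.group(3)

        # Rule 1: remote actions must be pinned to a 40-hex commit SHA.
        if not target.startswith(("./", "docker://")):
            ref = target.rsplit("@", 1)[1] if "@" in target else ""
            if not SHA40.match(ref):
                findings.append(Finding(i + 1, "unpinned-action", target))

        if not target.startswith("actions/checkout@"):
            continue

        # Gather the rest of this step: lines indented at least to the key column.
        body = []
        j = i + 1
        while j < len(code) and (code[j].strip() == "" or _indent(code[j]) >= key_col):
            body.append((j, code[j]))
            j += 1

        persist_false = False
        for ln_no, b in body:
            r = REF.match(b)
            # Rule 2: checking out the PR head while holding a write-scoped token.
            if r and uses_prt and HEAD_EXPR.search(r.group(1)):
                findings.append(Finding(ln_no + 1, "head-checkout-under-pull_request_target", r.group(1)))
            if re.match(r"^\s*persist-credentials:\s*false\s*$", b):
                persist_false = True
        # Rule 3: without persist-credentials: false the token is stored for later steps.
        if not persist_false:
            findings.append(Finding(i + 1, "checkout-persists-credentials", target))
    return findings


# Constructed samples: SAFE mirrors the pattern used by ai-security-scan.yml.
SAFE = """\
on:
  pull_request_target:
    types: [opened]
jobs:
  scan:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/ai-agent-runner
"""

UNSAFE = """\
on: [pull_request_target]
jobs:
  scan:
    steps:
      - name: Checkout PR head
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for f in lint_workflow(UNSAFE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

Run it against `.github/workflows/*.yml` in CI and fail the build on any `head-checkout-under-pull_request_target` finding; the other two rules are worth at least a warning. The `UNSAFE` sample reproduces the exact combination the workflow's header comment warns about: a fork PR's `npm test` runs with the base repository's write token.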