microsoft · imran-siddique · Mar 18, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
diff --git a/examples/policies/cli-security-rules.yaml b/examples/policies/cli-security-rules.yaml
@@ -0,0 +1,148 @@
+# CLI Security Rules — Sample Configuration
+#
+# ⚠️  IMPORTANT: This is a SAMPLE configuration provided as a starting point.
+# You MUST review, customize, and extend these rules for your specific
+# use case before deploying to production. Microsoft does not guarantee
+# that these rules are comprehensive or sufficient for your security
+# requirements.
+
+version: "1.0"
+name: cli-security-rules
+description: >
+  Sample CLI policy checker rules — defines regex patterns for detecting
+  destructive SQL, file deletion, secret exposure, privilege escalation,
+  code injection, SQL injection, and XSS in source code files.
+
+disclaimer: >
+  This is a sample configuration. It is NOT exhaustive and should be
+  customized for your specific security requirements.
+
+rules:
+  # Destructive SQL
+  - name: block-destructive-sql
+    pattern: '\bDROP\s+(TABLE|DATABASE|SCHEMA|INDEX)\s+'
+    message: "Destructive SQL: DROP operation detected"
+    severity: critical
+    suggestion: "-- Consider using soft delete or archiving instead"
+    languages: [sql, python, javascript, typescript, php, ruby, java]
+
+  - name: block-destructive-sql
+    pattern: '\bDELETE\s+FROM\s+\w+\s*(;|$|WHERE\s+1\s*=\s*1)'
+    message: "Destructive SQL: DELETE without proper WHERE clause"
+    severity: critical
+    suggestion: "-- Add a specific WHERE clause to limit deletion"
+    languages: [sql, python, javascript, typescript, php, ruby, java]
+
+  - name: block-destructive-sql
+    pattern: '\bTRUNCATE\s+TABLE\s+'
+    message: "Destructive SQL: TRUNCATE operation detected"
+    severity: critical
+    suggestion: "-- Consider archiving data before truncating"
+    languages: [sql, python, javascript, typescript, php, ruby, java]
+
+  # File deletion
+  - name: block-file-deletes
+    pattern: '\brm\s+(-rf|-fr|--recursive\s+--force)\s+'
+    message: "Destructive operation: Recursive force delete (rm -rf)"
+    severity: critical
+    suggestion: "# Use safer alternatives like trash-cli or move to backup"
+    languages: [bash, shell, sh, zsh]
+
+  - name: block-file-deletes
+    pattern: '\bshutil\s*\.\s*rmtree\s*\('
+    message: "Recursive directory deletion (shutil.rmtree)"
+    severity: high
+    suggestion: "# Consider using send2trash for safer deletion"
+    languages: [python]
+
+  - name: block-file-deletes
+    pattern: '\bos\s*\.\s*(remove|unlink|rmdir)\s*\('
+    message: "File/directory deletion operation detected"
+    severity: medium
+    languages: [python]
+
+  # Secret exposure
+  - name: block-secret-exposure
+    pattern: '(api[_-]?key|apikey|api[_-]?secret)\s*[=:]\s*["\u0027][a-zA-Z0-9_-]{20,}["\u0027]'
+    message: "Hardcoded API key detected"
+    severity: critical
+    suggestion: '# Use environment variables: os.environ["API_KEY"]'
+    languages: null  # All languages
+
+  - name: block-secret-exposure
+    pattern: '(password|passwd|pwd)\s*[=:]\s*["\u0027][^"\u0027]+["\u0027]'
+    message: "Hardcoded password detected"
+    severity: critical
+    suggestion: "# Use environment variables or a secrets manager"
+    languages: null
+
+  - name: block-secret-exposure
+    pattern: 'AKIA[0-9A-Z]{16}'
+    message: "AWS Access Key ID detected in code"
+    severity: critical
+    languages: null
+
+  - name: block-secret-exposure
+    pattern: '-----BEGIN\s+(RSA|DSA|EC|OPENSSH)\s+PRIVATE\s+KEY-----'
+    message: "Private key detected in code"
+    severity: critical
+    languages: null
+
+  - name: block-secret-exposure
+    pattern: 'gh[pousr]_[A-Za-z0-9_]{36,}'
+    message: "GitHub token detected in code"
+    severity: critical
+    languages: null
+
+  # Privilege escalation
+  - name: block-privilege-escalation
+    pattern: '\bsudo\s+'
+    message: "Privilege escalation: sudo command detected"
+    severity: high
+    suggestion: "# Avoid sudo in scripts - run with appropriate permissions"
+    languages: [bash, shell, sh, zsh]
+
+  - name: block-privilege-escalation
+    pattern: '\bchmod\s+777\s+'
+    message: "Insecure permissions: chmod 777 detected"
+    severity: high
+    suggestion: "# Use more restrictive permissions: chmod 755 or chmod 644"
+    languages: [bash, shell, sh, zsh]
+
+  # Code injection
+  - name: block-arbitrary-exec
+    pattern: '\beval\s*\('
+    message: "Code injection risk: eval() usage detected"
+    severity: high
+    suggestion: "# Remove eval() and use safer alternatives"
+    languages: [python, javascript, typescript, php, ruby]
+
+  - name: block-arbitrary-exec
+    pattern: '\bos\s*\.\s*system\s*\([^)]*(\+|%|\.format|f["\u0027])'
+    message: "Command injection risk: os.system with dynamic input"
+    severity: critical
+    suggestion: "# Use subprocess with shell=False and proper argument handling"
+    languages: [python]
+
+  - name: block-arbitrary-exec
+    pattern: '\bexec\s*\('
+    message: "Code injection risk: exec() usage detected"
+    severity: high
+    suggestion: "# Remove exec() and use safer alternatives"
+    languages: [python]
+
+  # SQL injection
+  - name: block-sql-injection
+    pattern: '["\u0027]\s*\+\s*[^"\u0027]+\s*\+\s*["\u0027].*(?:SELECT|INSERT|UPDATE|DELETE)'
+    message: "SQL injection risk: String concatenation in SQL query"
+    severity: high
+    suggestion: "# Use parameterized queries instead"
+    languages: [python, javascript, typescript, php, ruby, java]
+
+  # XSS
+  - name: block-xss
+    pattern: '\.innerHTML\s*='
+    message: "XSS risk: innerHTML assignment detected"
+    severity: medium
+    suggestion: "// Use textContent or a sanitization library"
+    languages: [javascript, typescript]
diff --git a/examples/policies/conversation-guardian.yaml b/examples/policies/conversation-guardian.yaml
@@ -0,0 +1,144 @@
+# Conversation Guardian — Sample Configuration
+#
+# ⚠️  IMPORTANT: This is a SAMPLE configuration provided as a starting point.
+# You MUST review, customize, and extend these rules for your specific
+# use case before deploying to production. Microsoft does not guarantee
+# that these rules are comprehensive or sufficient for your security
+# requirements.
+
+version: "1.0"
+name: conversation-guardian
+description: >
+  Sample A2A conversation guardian configuration — defines thresholds and
+  patterns for detecting escalating rhetoric, offensive intent, and feedback
+  loops in agent-to-agent conversations (OWASP ASI-8 / ASI-10).
+
+disclaimer: >
+  This is a sample configuration. It is NOT exhaustive and should be
+  customized for your specific security requirements.
+
+thresholds:
+  escalation_score_threshold: 0.6
+  escalation_critical_threshold: 0.85
+  max_retry_cycles: 3
+  max_conversation_turns: 30
+  loop_window_seconds: 300.0
+  offensive_score_threshold: 0.5
+  offensive_critical_threshold: 0.8
+  composite_warn_threshold: 0.4
+  composite_pause_threshold: 0.6
+  composite_break_threshold: 0.8
+  capture_transcript: true
+  max_transcript_entries: 10000
+
+escalation_patterns:
+  # Urgency amplification (weight: 0.15 each)
+  - weight: 0.15
+    patterns:
+      - '\bcode\s+red\b'
+      - '\babsolute\s+final\b'
+      - '\bemergency\b'
+      - '\bfurious\b'
+      - '\bimperative\b'
+      - '\burgent\b'
+      - '\bcritical\s+priority\b'
+      - '\blast\s+chance\b'
+      - '\bdo\s+it\s+now\b'
+      - '\bimmediately\b'
+      - '\bdesper\w+'
+      - '\bnon[- ]?negotiable\b'
+
+  # Coercive directives (weight: 0.25 each)
+  - weight: 0.25
+    patterns:
+      - '\bdo\s+not\s+take\s+no\b'
+      - '\bdirect\s+order\b'
+      - '\byou\s+must\b'
+      - '\bi\s+(?:demand|insist|order|command)\b'
+      - '\bno\s+excuses\b'
+      - '\bfailure\s+is\s+not\s+an?\s+option\b'
+      - '\bdo\s+whatever\s+it\s+takes\b'
+      - '\bby\s+any\s+means\b'
+      - '\bi\s+don''?t\s+care\s+how\b'
+      - '\bstop\s+making\s+excuses\b'
+      - '\bjust\s+(?:do|get)\s+it\s+done\b'
+
+  # Bypass directives (weight: 0.35 each)
+  - weight: 0.35
+    patterns:
+      - '\bbypass\b.*\b(?:control|security|restriction|protection|auth)'
+      - '\bexploit\b.*\b(?:vulnerabilit\w*|weakness|flaw)'
+      - '\bevery\s+trick\b'
+      - '\bevery\s+exploit\b'
+      - '\bwork\s+around\b.*\b(?:security|access|permission|restriction)'
+      - '\bcreative(?:ly)?\b.*\b(?:bypass|hack|exploit|overcome)'
+      - '\bmore\s+aggressive(?:ly)?'
+      - '\bfind\s+a\s+way\s+(?:around|past|through)\b'
+      - '\bbreak\s+(?:through|into|past)\b'
+      - '\bcircumvent\b'
+      - '\boverride\b.*\b(?:security|permission|access|lock)'
+
+offensive_patterns:
+  # Vulnerability research (weight: 0.3 each)
+  - weight: 0.3
+    patterns:
+      - '\b(?:CVE|exploit|vulnerability|vulnerabilities|zero[- ]?day)\b'
+      - '\bfind\b.*\b(?:vulnerabilit\w*|weakness|flaw|bug)'
+      - '\breverse\s+engineer\w*'
+      - '\bsource\s+code\s+review\b.*\bsecurity'
+      - '\bflask[- ]unsign\b'
+      - '\bfuzz(?:ing)?\b.*\b(?:input|param|endpoint)'
+      - '\bpayload\b.*\b(?:inject|craft|construct)'
+      - '\battack\s+(?:surface|vector)\b'
+
+  # Privilege escalation (weight: 0.35 each)
+  - weight: 0.35
+    patterns:
+      - '\bescalate\s+privilege'
+      - '\bforge\b.*\b(?:cookie|token|session|credential)'
+      - '\badmin\s+access'
+      - '\bhardcoded\s+(?:secret|key|password|credential)'
+      - '\bsudo\b|\broot\s+access'
+      - '\bdisarm\b.*\b(?:security|defense|protection|firewall)'
+      - '\bmodify\b.*\b(?:permission|ACL|role|group)'
+      - '\bimpersonat\w*'
+      - '\bhijack\b.*\b(?:session|token|account)'
+
+  # Exfiltration planning (weight: 0.4 each)
+  - weight: 0.4
+    patterns:
+      - '\bexfiltrat\w*'
+      - '\bsteganograph\w*'
+      - '\bhide\b.*\b(?:data|secret|credential).*\b(?:image|file|header)'
+      - '\bbypass\b.*\b(?:DLP|leak\s+prevention|data\s+loss)'
+      - '\bcovert\s+channel'
+      - '\bencode\b.*\bsecret'
+      - '\btunnel\b.*\b(?:data|traffic|out)'
+      - '\bdns\s+(?:tunnel|exfil)'
+
+  # Reconnaissance (weight: 0.2 each)
+  - weight: 0.2
+    patterns:
+      - '\benumerate\b.*\b(?:service|port|endpoint|user)'
+      - '\bscan\b.*\b(?:network|port|service|host)'
+      - '\bnmap\b|\bnikto\b|\bsqlmap\b|\bmetasploit\b|\bburp\s*suite\b'
+      - '\bHTTP\s+header\b.*\b(?:security|version|server)'
+      - '\bfingerprint\b.*\b(?:service|server|version|OS)'
+      - '\brecon(?:naissance)?\b'
+
+  # Injection attacks (weight: 0.35 each)
+  - weight: 0.35
+    patterns:
+      - '\b(?:SQL|command|OS|LDAP)\s+injection\b'
+      - '\bpath\s+traversal\b'
+      - '\bshell\s*code\b'
+      - '(?:;\s*(?:cat|ls|whoami|id|passwd|shadow)\b)'
+      - '\bremote\s+code\s+execution\b|\bRCE\b'
+
+  # Lateral movement (weight: 0.3 each)
+  - weight: 0.3
+    patterns:
+      - '\blateral\s+mov\w*'
+      - '\bpivot\b.*\b(?:network|host|server|system)'
+      - '\bspread\b.*\b(?:network|system|host)'
+      - '\bcompromis\w+\b.*\b(?:server|host|node|agent)'
diff --git a/examples/policies/mcp-security.yaml b/examples/policies/mcp-security.yaml
@@ -0,0 +1,87 @@
+# MCP Security — Sample Configuration
+#
+# ⚠️  IMPORTANT: This is a SAMPLE configuration provided as a starting point.
+# You MUST review, customize, and extend these rules for your specific
+# use case before deploying to production. Microsoft does not guarantee
+# that these rules are comprehensive or sufficient for your security
+# requirements.
+
+version: "1.0"
+name: mcp-security
+description: >
+  Sample MCP security configuration — defines patterns for detecting tool
+  poisoning, hidden instructions, and protocol attacks in MCP tool definitions.
+
+disclaimer: >
+  This is a sample configuration. It is NOT exhaustive and should be
+  customized for your specific security requirements.
+
+detection_patterns:
+  invisible_unicode:
+    - '[\u200b\u200c\u200d\ufeff]'
+    - '[\u202a-\u202e]'
+    - '[\u2066-\u2069]'
+    - '[\u00ad]'
+    - '[\u2060\u180e]'
+
+  hidden_comments:
+    - '<!--.*?-->'
+    - '\[//\]:\s*#\s*\(.*?\)'
+    - '\[comment\]:\s*<>\s*\(.*?\)'
+
+  hidden_instructions:
+    - 'ignore\s+(all\s+)?previous'
+    - 'override\s+(the\s+)?(previous|above|original)'
+    - 'instead\s+of\s+(the\s+)?(above|previous|described)'
+    - 'actually\s+do'
+    - '\bsystem\s*:'
+    - '\bassistant\s*:'
+    - 'do\s+not\s+follow'
+    - 'disregard\s+(all\s+)?(above|prior|previous)'
+
+  encoded_payloads:
+    - '[A-Za-z0-9+/]{40,}={0,2}'
+    - '(?:\\x[0-9a-fA-F]{2}){4,}'
+
+  exfiltration:
+    - '\bcurl\b'
+    - '\bwget\b'
+    - '\bfetch\s*\('
+    - 'https?://'
+    - '\bsend\s+email\b'
+    - '\bsend\s+to\b'
+    - '\bpost\s+to\b'
+    - 'include\s+the\s+contents?\s+of\b'
+
+  privilege_escalation:
+    - '\bsudo\b'
+    - '\badmin\s+access\b'
+    - '\broot\s+access\b'
+    - '\belevate\s+privile'
+    - '\bexec\s*\('
+    - '\beval\s*\('
+
+  role_override:
+    - 'you\s+are\b'
+    - 'your\s+task\s+is\b'
+    - 'respond\s+with\b'
+    - 'always\s+return\b'
+    - 'you\s+must\b'
+    - 'your\s+role\s+is\b'
+
+  excessive_whitespace: '\n{5,}.+'
+
+suspicious_decoded_keywords:
+  - ignore
+  - override
+  - system
+  - password
+  - secret
+  - admin
+  - root
+  - exec
+  - eval
+  - "import os"
+  - send
+  - curl
+  - fetch