fix(security): comprehensive security audit remediation (22 findings, 37 files)

.dockerignore

@@ -17,3 +17,13 @@
 .vscode
 coverage.xml
 node_modules
+
+# Security: exclude secrets from build context
+.env
+.env.*
+*.key
+*.pem
+*.p12
+*.crt
+secrets/
+*.token

.github/CODEOWNERS

@@ -27,6 +27,13 @@
 /packages/*/src/**/identity* @microsoft/agent-governance-toolkit
 /packages/*/src/**/crypto*   @microsoft/agent-governance-toolkit
 
+# Infrastructure & container security — require maintainer review
+/scripts/                    @microsoft/agent-governance-toolkit
+**/Dockerfile                @microsoft/agent-governance-toolkit
+**/docker-compose*           @microsoft/agent-governance-toolkit
+/.dockerignore               @microsoft/agent-governance-toolkit
+/.clusterfuzzlite/           @microsoft/agent-governance-toolkit
+
 # Documentation
 /docs/                       @microsoft/agent-governance-toolkit
 *.md                         @microsoft/agent-governance-toolkit

.github/workflows/ai-release-notes.yml

@@ -32,8 +32,10 @@ jobs:
         id: prs
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          EVENT_TAG: ${{ github.event.release.tag_name }}
+          INPUT_TAG: ${{ inputs.tag }}
         run: |
-          TAG="${{ github.event.release.tag_name || inputs.tag }}"
+          TAG="${EVENT_TAG:-$INPUT_TAG}"
           if [ -z "$TAG" ]; then
             TAG=$(gh release list --limit 1 --json tagName -q '.[0].tagName' 2>/dev/null || echo "")
           fi

.github/workflows/ai-spec-drafter.yml

@@ -125,7 +125,8 @@ jobs:
       - name: Comment on issue
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
         run: |
-          gh issue comment ${{ github.event.issue.number }} \
+          gh issue comment "$ISSUE_NUMBER" \
             --body "🤖 An engineering spec has been drafted and a PR created. Please review the PR for the full specification." \
             || true

.github/workflows/ai-test-generator.yml

@@ -44,8 +44,9 @@ jobs:
         id: changes
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
-          FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only \
+          FILES=$(gh pr diff "$PR_NUMBER" --name-only \
             | grep -E '^packages/[^/]+/src/.*\.py$' || true)
           if [ -z "$FILES" ]; then
             echo "skip=true" >> "$GITHUB_OUTPUT"

.github/workflows/ci.yml

@@ -403,7 +403,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
       - name: Build
         working-directory: packages/agent-mesh/sdks/rust/agentmesh
         run: cargo build --release

.github/workflows/markdown-link-check.yml

@@ -6,6 +6,9 @@ on:
       - '**/*.md'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   link-check:
     runs-on: ubuntu-latest
@@ -20,12 +23,15 @@ jobs:
           files: |
             **/*.md
 
+      - name: Write changed files list
+        if: steps.changed-files.outputs.any_changed == 'true'
+        env:
+          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+        run: printf '%s\n' $CHANGED_FILES > "$RUNNER_TEMP/changed-md-files.txt"
+
       - name: Run Link Checker
         if: steps.changed-files.outputs.any_changed == 'true'
         uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
         with:
-          # Configuration is defined here directly in YAML (no JSON file needed)
-          # --exclude-loopback: ignores localhost/127.0.0.1
-          # --verbose: shows details in the logs
-          args: --verbose --no-progress --exclude-loopback ${{ steps.changed-files.outputs.all_changed_files }}
+          args: --verbose --no-progress --exclude-loopback --input "${{ runner.temp }}/changed-md-files.txt"
           fail: true

.github/workflows/sbom.yml

@@ -49,8 +49,9 @@ jobs:
         if: github.event_name == 'release'
         env:
           GH_TOKEN: ${{ github.token }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
         run: |
-          gh release upload "${{ github.event.release.tag_name }}" \
+          gh release upload "$RELEASE_TAG" \
             sbom.spdx.json \
             sbom.cdx.json \
             --clobber

.github/workflows/secret-scanning.yml

@@ -55,7 +55,7 @@ jobs:
               2>/dev/null || true)
             if [ -n "$MATCHES" ]; then
               echo "::warning::Potential secrets found matching pattern: $pattern"
-              echo "$MATCHES" | head -5
+              echo "$MATCHES" | head -5 | sed 's/:.*/:***REDACTED***/'
               FOUND=1
             fi
           done

.github/workflows/spell-check.yml

@@ -33,4 +33,6 @@ jobs:
 
       - name: Check spelling
         if: steps.changed-markdown.outputs.any_changed == 'true'
-        run: cspell --config .cspell.json --no-progress ${{ steps.changed-markdown.outputs.all_changed_files }}
+        env:
+          CHANGED_FILES: ${{ steps.changed-markdown.outputs.all_changed_files }}
+        run: cspell --config .cspell.json --no-progress $CHANGED_FILES

Dockerfile

@@ -2,7 +2,7 @@
 
 ARG PYTHON_VERSION=3.11
 
-FROM python:${PYTHON_VERSION}-slim AS base
+FROM python:3.11-slim@sha256:9358444059ed78e2975ada2c189f1c1a3144a5dab6f35bff8c981afb38946634 AS base
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 

SECURITY.md

@@ -13,6 +13,31 @@ please review the latest guidance for Microsoft repositories at
 
 <!-- END MICROSOFT SECURITY.MD BLOCK -->
 
+## Security Contact
+
+To report a vulnerability, email **secure@microsoft.com**. You will receive acknowledgement
+within 24 hours and a detailed response within 72 hours indicating next steps.
+
+## Supported Versions
+
+| Version | Supported          |
+|---------|--------------------|
+| 2.1.x   | :white_check_mark: |
+| 2.0.x   | :white_check_mark: |
+| < 2.0   | :x:                |
+
+## Disclosure Policy
+
+We follow a **90-day coordinated disclosure** timeline. After a vulnerability is
+reported and confirmed, we will:
+
+1. Acknowledge receipt within **24 hours**.
+2. Provide a fix or mitigation within **90 days**.
+3. Coordinate public disclosure with the reporter after the fix is released.
+
+If a fix requires more than 90 days, we will negotiate an extended timeline with
+the reporter before any public disclosure.
+
 ## Security Advisories
 
 ### CostGuard Organization Kill Switch Bypass (Fixed in v2.1.0)

packages/agent-hypervisor/examples/docker-compose/app/server.py

@@ -155,7 +155,7 @@ async def lifespan(app: FastAPI):  # type: ignore[no-untyped-def]
 
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=os.environ.get("CORS_ALLOWED_ORIGINS", "http://localhost:3000,http://localhost:8080").split(","),
     allow_methods=["*"],
     allow_headers=["*"],
 )

packages/agent-hypervisor/src/hypervisor/api/server.py

@@ -12,6 +12,7 @@
 from __future__ import annotations
 
 import logging
+import os
 from contextlib import asynccontextmanager
 from typing import Any
 
@@ -126,7 +127,7 @@ def create_app() -> FastAPI:
 
     application.add_middleware(
         CORSMiddleware,
-        allow_origins=["*"],
+        allow_origins=os.environ.get("CORS_ALLOWED_ORIGINS", "http://localhost:3000,http://localhost:8080").split(","),
         allow_credentials=True,
         allow_methods=["*"],
         allow_headers=["*"],

packages/agent-mesh/examples/docker-compose/docker-compose.yml

@@ -141,7 +141,7 @@ services:
       - "3000:3000"
     environment:
       GF_SECURITY_ADMIN_USER: admin
-      GF_SECURITY_ADMIN_PASSWORD: agentmesh
+      GF_SECURITY_ADMIN_PASSWORD: ${GF_ADMIN_PASSWORD:?Set GF_ADMIN_PASSWORD in .env}
       GF_USERS_ALLOW_SIGN_UP: "false"
       GF_DASHBOARDS_DEFAULT_HOME_DASHBOARD_PATH: /etc/grafana/provisioning/dashboards/trust-metrics.json
     volumes: