feedback from security review (#10)

Merged: 2025-11-12 11:41:09

Author: derekmisler

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Global owners
+* @docker/ai-agent-team

.github/ISSUE_TEMPLATE/bug-.md

@@ -0,0 +1,35 @@
+---
+name: Bug!
+about: Create a report to help us squash the bugs
+title: "<short bug description>"
+labels: kind/bug
+assignees: ""
+---
+
+**Describe the bug**
+
+A clear and concise description of what the bug is.
+
+**Version affected**
+
+Please include the version of the action that you are using.  
+
+**How To Reproduce**
+
+Detailed steps to reproduce the behavior:
+
+1. Run workflow '...'
+2. Wait for job '...'
+3. See error
+
+**Expectation**
+
+A clear and concise description of what you expected to see/happen.
+
+**Screenshots**
+
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+
+Any other info you consider useful can be included here

.github/ISSUE_TEMPLATE/feature-.md

@@ -0,0 +1,27 @@
+---
+name: Feature!
+about: Suggest a new feature you'd like to see
+title: "<your feature>"
+labels: kind/feature
+assignees: ""
+---
+
+**What you'd like to see**
+
+Describe in as much detail as possible the feature you'd like to see.
+Please limit this to a single small feature whenever possible to ease development and contribution efforts.
+
+**Why you'd like to see it**
+
+Tell us why it's important for you.
+`x` thing would help me do '...'
+`y` feature frustrates me.
+`z` feature would get rid of these issues '...'
+
+**Workarounds?**
+
+Are you using any workarounds at the moment? If so, tell us about them.
+
+**Additional context**
+
+Any other info you consider useful can be included here.

.github/SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+The maintainers of the Docker `cagent` GitHub Action take security seriously. If you discover a security issue, please bring it to their attention right away!
+
+## Reporting a Vulnerability
+
+Please **DO NOT** file a public issue, instead send your report privately to [security@docker.com](mailto:security@docker.com).
+
+Reporter(s) can expect a response within 72 hours, acknowledging the issue was received.
+
+## Review Process
+
+After receiving the report, an initial triage and technical analysis is performed to confirm the report and determine its scope. We may request additional information in this stage of the process.
+
+Once a reviewer has confirmed the relevance of the report, a draft security advisory will be created on GitHub. The draft advisory will be used to discuss the issue with maintainers, the reporter(s), and where applicable, other affected parties under embargo.
+
+If the vulnerability is accepted, a timeline for developing a patch, public disclosure, and patch release will be determined. If there is an embargo period on public disclosure before the patch release, the reporter(s) are expected to participate in the discussion of the timeline and abide by agreed upon dates for public disclosure.
+
+## Accreditation
+
+Security reports are greatly appreciated and we will publicly thank you, although we will keep your name confidential if you request it. We also like to send gifts - if you're into swag, make sure to let us know. We do not currently offer a paid security bounty program at this time.
+
+## Further Information
+
+Should anything in this document be unclear or if you are looking for additional information about how Docker reviews and responds to security vulnerabilities, please take a look at Docker's [Vulnerability Disclosure Policy](https://www.docker.com/trust/vulnerability-disclosure-policy/).

.github/workflows/security-scan.yml

@@ -3,7 +3,7 @@ name: Security Scan
 on:
   schedule:
     # Run every Monday at 9:00 AM UTC
-    - cron: "0 9 * * 1"
+    - cron: "43 1 * * 1"
   workflow_dispatch:
     inputs:
       days_back:
@@ -17,15 +17,16 @@ permissions:
 
 jobs:
   security-scan:
+    name: Security Scan with cagent
     runs-on: ubuntu-latest
     permissions:
       contents: read
       issues: write
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          fetch-depth: 0  # Need full history to get commits from past week
+          fetch-depth: 0 # Need full history to get commits from past week
 
       - name: Get commits from past week
         id: commits
@@ -107,7 +108,7 @@ jobs:
           agent: agentcatalog/github-action-security-scanner
           prompt: ${{ steps.commits.outputs.prompt }}
           anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
-          timeout: 300  # 5 minutes
+          timeout: 300 # 5 minutes
 
       - name: Validate reported file paths
         id: validate

action.yml

@@ -151,18 +151,6 @@ runs:
         # Run sanitization which outputs risk-level and blocked status
         $ACTION_PATH/security/sanitize-input.sh /tmp/prompt-input.txt /tmp/prompt-clean.txt
 
-    - name: Check prompt for suspicious patterns
-      if: inputs.prompt != ''
-      id: sanitize-prompt
-      shell: bash
-      env:
-        PROMPT_INPUT: ${{ inputs.prompt }}
-        ACTION_PATH: ${{ github.action_path }}
-      run: |
-        echo "🔍 Additional prompt pattern checking..."
-        # Use environment variable to safely pass prompt (avoids GitHub Actions expansion issues)
-        printf '%s\n' "$PROMPT_INPUT" | $ACTION_PATH/security/sanitize-prompt.sh
-
     - name: Cache cagent binary
       id: cache-cagent
       uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0

security/README.md

@@ -96,25 +96,30 @@ SECRET_PATTERNS=(
 - `leaked=true/false` to `$GITHUB_OUTPUT`
 - Exits with code 1 if secrets detected
 
-### `sanitize-prompt.sh`
+### `sanitize-input.sh`
 
-**Purpose:** Prompt sanitization for general agent mode
+**Purpose:** Input sanitization for PR diffs and user prompts
 
 **Function:**
-- Warns about suspicious patterns in user prompts
-- Detects prompt injection attempts
-- Checks for encoded content
-
-**Note:** This is warning-only (execution continues) unlike input sanitization which blocks
+- Removes code comments from diffs (prevents hidden instructions)
+- Detects HIGH-RISK patterns (blocks execution)
+  - Instruction override attempts ("ignore previous instructions")
+  - Direct secret extraction commands (`echo $API_KEY`, `console.log(process.env)`)
+  - System prompt extraction attempts
+  - Jailbreak attempts
+  - Encoding/obfuscation (base64, hex)
+- Detects MEDIUM-RISK patterns (warns but allows execution)
+  - API key variable names in configuration
 
 **Usage:**
 ```bash
-./sanitize-prompt.sh "User prompt here"
+./sanitize-input.sh input-file.txt output-file.txt
 ```
 
 **Outputs:**
-- `suspicious=true/false` to `$GITHUB_OUTPUT`
-- Exits with code 0 (warnings only)
+- `blocked=true/false` to `$GITHUB_OUTPUT`
+- `risk-level=low/medium/high` to `$GITHUB_OUTPUT`
+- Exits with code 1 if HIGH-RISK patterns detected
 
 ## Built-in Protections
 
@@ -138,7 +143,7 @@ SECRET_PATTERNS=(
 ```bash
 cd tests
 
-# Run security test suite (10 tests)
+# Run security test suite (13 tests)
 ./test-security.sh
 
 # Run exploit simulation tests (6 tests)
@@ -147,21 +152,25 @@ cd tests
 
 ### Test Coverage
 
-**test-security.sh** (10 tests):
+**test-security.sh** (13 tests):
 1. Clean input (should pass)
 2. Prompt injection in comment (should block)
 3. Clean output (should pass)
 4. Leaked API key (should block)
 5. Leaked GitHub token (should block)
 6. Authorization - OWNER (should pass)
-7. Authorization - CONTRIBUTOR (should block)
-8. Clean prompt (should pass)
-9. Prompt injection in user prompt (should warn)
-10. Encoded content in prompt (should warn)
+7. Authorization - COLLABORATOR (should pass)
+8. Authorization - CONTRIBUTOR (should block)
+9. Clean prompt (should pass)
+10. Prompt injection in user prompt (should block)
+11. Encoded content in prompt (should block)
+12. Low risk input - normal code (should pass)
+13. Medium risk input - API key variable (should warn but pass)
+14. High risk input - behavioral injection (should block)
 
 **test-exploits.sh** (6 tests):
-1. Prompt injection via comment (should be blocked)
-2. Encoded base64 injection (should be blocked)
+1. Prompt injection via comment (should be stripped)
+2. High-risk behavioral injection (should be blocked)
 3. Output token leak (should be blocked)
 4. Prompt override attempt (should warn)
 5. Extra args parsing sanity check

security/sanitize-input.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
-# Sanitize PR input by removing code comments and blocking suspicious patterns
-# This prevents prompt injection attacks hidden in code comments
+# Sanitize input by removing code comments and blocking suspicious patterns
+# This prevents prompt injection attacks hidden in code comments or user prompts
 
 set -e
 
@@ -32,15 +32,72 @@ rm -f "$OUTPUT.bak"
 # Define HIGH-RISK patterns that strongly indicate prompt injection attempts
 # These are behavioral instructions that shouldn't appear in normal code
 HIGH_RISK_PATTERNS=(
+  # Instruction override attempts
   "ignore.*previous.*instruction"
+  "ignore.*all.*instruction"
+  "disregard.*previous"
+  "forget.*previous"
+  "new.*instruction.*follow"
+
+  # System/mode override attempts
   "system.*override"
+  "system.*mode"
+  "admin.*mode"
   "debug.*mode.*enable"
-  "print.*environment.*variable"
-  "echo.*\\\$ANTHROPIC_API_KEY"
-  "echo.*\\\$GITHUB_TOKEN"
-  "echo.*\\\$OPENAI_API_KEY"
-  "console\\.log.*process\\.env"
+  "debug.*mode"
+  "developer.*mode"
+
+  # Direct secret extraction commands - shell
+  "echo.*\\\$.*ANTHROPIC_API_KEY"
+  "echo.*\\\$.*GITHUB_TOKEN"
+  "echo.*\\\$.*OPENAI_API_KEY"
+  "echo.*\\\$.*GOOGLE_API_KEY"
+
+  # Direct secret extraction commands - Python
+  "print\(.*ANTHROPIC_API_KEY"
+  "print\(.*OPENAI_API_KEY"
+  "print\(.*GITHUB_TOKEN"
+  "print\(.*GOOGLE_API_KEY"
   "print.*os\\.environ"
+
+  # Direct secret extraction commands - JavaScript
+  "console\\.log.*process\\.env"
+  "console\\.log\(.*ANTHROPIC_API_KEY"
+  "console\\.log\(.*OPENAI_API_KEY"
+  "console\\.log\(.*GITHUB_TOKEN"
+  "console\\.log\(.*GOOGLE_API_KEY"
+
+  # Environment variable extraction
+  "print.*environment.*variable"
+  "printenv[[:space:]]+(ANTHROPIC_API_KEY|OPENAI_API_KEY|GITHUB_TOKEN|GOOGLE_API_KEY)"
+
+  # File access to secrets
+  "cat[[:space:]]+\\.env"
+
+  # Direct secret revelation requests
+  "show.*me.*(your|the|my).*(key|secret|token|api)"
+  "reveal.*(your|the|my).*(key|secret|token|api)"
+  "display.*(your|the|my).*(key|secret|token|api)"
+  "what.*is.*(your|the).*(api.*key|secret|token)"
+  "give.*me.*(your|the).*(key|secret|token|api)"
+
+  # System prompt extraction
+  "repeat.*system.*prompt"
+  "what.*are.*your.*instructions"
+  "show.*initial.*prompt"
+  "show.*system.*prompt"
+
+  # Jailbreak attempts
+  "act.*as.*no.*restrictions"
+  "pretend.*to.*be.*evil"
+  "pretend.*you.*are.*jailbroken"
+
+  # Encoding/obfuscation attempts
+  "base64.*decode"
+  "decode.*base64"
+  "atob\("
+  "btoa\("
+  "0x[0-9a-fA-F]{20,}"
 )
 
 # Define MEDIUM-RISK patterns that warrant warnings but shouldn't block
@@ -49,9 +106,10 @@ MEDIUM_RISK_PATTERNS=(
   "ANTHROPIC_API_KEY"
   "GITHUB_TOKEN"
   "OPENAI_API_KEY"
+  "GOOGLE_API_KEY"
 )
 
-echo "Checking for suspicious patterns..."
+echo "🔍 Checking for suspicious patterns..."
 
 FOUND_HIGH_RISK=false
 FOUND_MEDIUM_RISK=false
@@ -111,6 +169,12 @@ if [ "$FOUND_HIGH_RISK" = true ]; then
     echo "blocked=true" >> "$GITHUB_OUTPUT" || true
     echo "risk-level=high" >> "$GITHUB_OUTPUT" || true
   fi
+  echo "::error::═══════════════════════════════════════════════════════
+🚨 BLOCKED: HIGH-RISK PROMPT INJECTION DETECTED
+═══════════════════════════════════════════════════════
+The input contains patterns that strongly indicate a
+prompt injection attack. Execution has been blocked.
+═══════════════════════════════════════════════════════"
   exit 1
 fi