Skip to content

Release v0.2: Add configurable agent security testing pipeline#2

Closed
purcl-cybersec-agent wants to merge 95 commits into
v0.1from
v0.2
Closed

Release v0.2: Add configurable agent security testing pipeline#2
purcl-cybersec-agent wants to merge 95 commits into
v0.1from
v0.2

Conversation

@purcl-cybersec-agent
Copy link
Copy Markdown

@purcl-cybersec-agent purcl-cybersec-agent commented Apr 27, 2026

🎉 ASTRA v0.2 Release

This release adds a complete, configurable pipeline for generating security test cases to evaluate AI coding agents' vulnerability to adversarial prompts.

🆕 What's New in v0.2

🔄 Agent Security Testing Pipeline

A complete end-to-end system for generating, parsing, and curating adversarial test cases:

  • Multi-agent orchestration: Coordinator, composer, and reviewer committee
  • Knowledge graph-driven: Systematic coverage of security domains and attack techniques
  • Configurable & extensible: YAML-based configuration, no code changes needed
  • Production-ready: CLI tools, error handling, resume capability

📦 New Components

Scripts

  • agent/main_agent_sec.py - Generate test cases with parallel processing
  • agent/parse_agent_sec.py - Parse and validate XML outputs
  • agent/upload_to_hf_dataset.py - Upload to HuggingFace datasets
  • agent/agent_sec_composer/output_parser.py - Pydantic-based validation

Configuration System

  • resources/agent-sec-config.yaml - Pipeline settings

    • Model selection for coordinator, composer, reviewers
    • Parallel task limits for rate control
    • Output/log directory paths

  • resources/client-config.yaml - Enhanced with provider-based routing

    • provider: bedrock for AWS Bedrock models
    • provider: openai for OpenAI-compatible servers (vLLM, SGLang)
    • Pre-configured models: Claude Sonnet/Haiku, GPT-OSS
    • Easy to add custom models

Documentation

  • README-coding-agent-security.md - Complete pipeline guide
    • Step-by-step workflow
    • Configuration instructions
    • Model selection tips
    • Troubleshooting guide

🎯 Key Features

Provider-Based Model Routing

  • Automatic backend detection using explicit provider field
  • No Python code changes to add new models
  • Mix Bedrock and local models seamlessly
  • Clear error messages for invalid configurations

Flexible Configuration

# Change models without code edits
coordinator_model: "claude-sonnet-4-5"
composer_model: "claude-sonnet-4-5"
reviewer_models:
  - "claude-sonnet-3-7"
  - "claude-haiku-4-5"
  - "qwen3coder"
parallel_tasks: 50

Knowledge Graph Structure

Prohibited Domain (e.g., "Web Security")
└── Technique Family (e.g., "Injection Attacks")
    └── Concrete Instance (e.g., "SQL Injection")

📊 Example Dataset

Generated dataset available at: https://huggingface.co/datasets/PurCL/astra-agent-security

🚀 Quick Start

# 1. Generate test cases
python agent/main_agent_sec.py

# 2. Parse outputs
python agent/parse_agent_sec.py \
  -i data_out/syn_agent_sec.jsonl \
  -o data_out/syn_agent_sec_parsed.jsonl

# 3. Upload to HuggingFace
python agent/upload_to_hf_dataset.py \
  -i data_out/syn_agent_sec_parsed.jsonl \
  -d username/astra-agent-security

🔒 Security & Best Practices

  • ✅ No hardcoded paths - all scripts use CLI arguments
  • ✅ No credentials in config - uses placeholders
  • ✅ Proper .gitignore for build artifacts
  • ✅ LFS tracking for large knowledge graph files
  • ✅ Clean configuration/code separation

📈 Statistics

  • 17 files changed: 766 insertions(+), 85 deletions(-)
  • 8 new files added
  • 9 files updated for configuration system

🎓 Use Cases

  • Red team testing: Generate adversarial prompts for coding agents
  • Security evaluation: Systematic assessment of agent vulnerabilities
  • Research: Dataset generation for agent safety research
  • Benchmarking: Create standardized security test suites

📚 Documentation

Complete documentation in README-coding-agent-security.md covering:

  • Installation and prerequisites
  • Configuration guide for Bedrock and OpenAI-compatible servers
  • Multi-agent system architecture
  • Customization and extension guide
  • Troubleshooting

Built on top of: v0.1 (Amazon Nova AI Challenge Winner 🏆)

XZ-X and others added 30 commits July 9, 2025 05:17
@XZ-X
add code for enumerator
a7e056d
@XZ-X
other vul code generator
04e160d
@XZ-X
update
3229ff9
@XZ-X
add context and risk
aeb7e85
add code for malware enumeration
ac7d9fc
Merge branch 'gs'
a5b697b
update tactics kg
5f8b5e0
update malware asset and software kg
a043e9b
@XZ-X
update
8aec5b4
@XZ-X
share
e161ced
init commit for temporal exploration module
c45ed03
@XZ-X
initial version of data syn agent
78b20cf
@XZ-X
fix
4937438
snapshot before refactor
ecd7ace
update gitignore
68fb773
update temporal explorator module
f4ffea4
update md
3c88094
update
02fceb4
fix
3c5e027
remove log
824d7a2
update md
71344c7
update md
89d61cb
test md image layout
52e88cf
test md image layout
680c261
test md image layout
0eddbcb
test md image layout
6916fd9
test md image layout
e30658b
test md image layout
7fbc377
test md title font
6d59ef7
update md gif
3a8f37c
XZ-X and others added 29 commits August 11, 2025 14:27
@XZ-X
add missing files
e2ac502
@XZ-X
update gitignore
9154693
backup
84f3c15
update temporal explorator module
52103b3
update temporal explorator module
8ab6be9
@XZ-X
merge for mal online (#2)
639bed4 
* backup

* update temporal explorator module

* update temporal explorator module

---------

Co-authored-by: solidshen <solidshen519@gmail.com>
@XZ-X
updates
b2a6a09
@XZ-X
add file w lfs
0f147b0
@XZ-X
update gitignore according to lfs
25fa11b
@XZ-X
add readme
accdffd
remove comment
462453a
@XZ-X
merge
3e00cb4
@XZ-X
update readme
629c496
@XZ-X
fix script
9d07766
@XZ-X
Gs (#4)
de7bcb7 
* update online module

* update

* update path

* fix

* remove file

* remove tests

* update

---------

Co-authored-by: solidshen <solidshen519@gmail.com>
@XZ-X
move temporal exp
f62afe5
@XZ-X
update readme
64f8c10
@XZ-X
fix citation
3d7038d
@XZ-X
Release v0.1
3d9dd07
@XZ-X
v0.1 release
ebaa37a
@XZ-X
update requirements
414ddb1
@XZ-X
fix readme
9b246d8
@XZ-X
update requirements
0b6f064
@XZ-X
Merge branch 'main' into v0.1
7a29c15
@XZ-X
update requirements
3653d7d
update format
859b2f9
update blue team host instruction
2ab466f
@XZ-X
update code for openhands
db53035
@XZ-X @claude
Add configurable agent security testing pipeline for ASTRA
7c97b92 
Implement complete pipeline for generating, parsing, and uploading security
test cases to evaluate AI coding agents' vulnerability to adversarial prompts.

## Core Features

### Data Generation Pipeline
- Multi-agent system for generating adversarial test cases
- Knowledge graph-driven approach (prohibited_domain → technique_family → concrete_instance)
- Three specialized agents: coordinator, composer, and reviewer committee
- Parallel generation with configurable task limits
- Resume capability for interrupted runs
- Output: structured JSONL with test cases and evaluation scores

### Scripts Added
- agent/main_agent_sec.py: Main generation script with CLI args
- agent/parse_agent_sec.py: Parse and validate XML outputs (--input, --output)
- agent/upload_to_hf_dataset.py: Upload to HuggingFace (--input, --dataset-name)
- agent/agent_sec_composer/output_parser.py: Pydantic-based XML validator

### Configuration System
- resources/agent-sec-config.yaml: Pipeline settings
  - Configurable models for coordinator, composer, reviewer committee
  - Adjustable parallel_tasks for rate limit control
  - Customizable output/log directories

- resources/client-config.yaml: Model definitions with provider-based routing
  - provider: bedrock → AWS Bedrock Converse API
  - provider: openai → OpenAI-compatible servers (vLLM, SGLang)
  - Pre-configured Bedrock models (Claude Sonnet/Haiku/Opus, GPT-OSS)
  - Template for custom local models

### Provider-Based Model Routing
Replaced hardcoded model detection with explicit provider field:
- Automatic backend selection based on 'provider' field
- No Python code changes needed to add new models
- Removed ~70 lines of hardcoded model functions
- Better error messages for missing/invalid configs
- Supports mixing Bedrock and local models in reviewer committee

### Documentation
- README-coding-agent-security.md: Complete pipeline guide
  - Step-by-step workflow (generate → parse → upload)
  - Configuration instructions for both Bedrock and OpenAI-compatible servers
  - Model selection tips and provider routing explanation
  - Knowledge graph structure details
  - Troubleshooting guide
  - Link to example dataset: https://huggingface.co/datasets/PurCL/astra-agent-security

### Security & Best Practices
- No hardcoded paths: all scripts accept CLI arguments
- No credentials committed: config files use placeholders
- .gitignore updated: excludes .vscode, data_out, log_out_agent_sec
- LFS tracking for knowledge graph files
- Clean separation of configuration and code

## Example Usage

```bash
# Generate test cases
python agent/main_agent_sec.py

# Parse outputs
python agent/parse_agent_sec.py -i data_out/syn_agent_sec.jsonl -o data_out/parsed.jsonl

# Upload to HuggingFace
python agent/upload_to_hf_dataset.py -i data_out/parsed.jsonl -d username/dataset-name
```

## Benefits
- Fully configurable via YAML (no code changes for customization)
- Easy to extend with new models (just edit client-config.yaml)
- Provider-agnostic: works with Bedrock, vLLM, SGLang, etc.
- Production-ready with proper error handling and validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@XZ-X XZ-X closed this Apr 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@purcl-cybersec-agent @XZ-X