security-related mitigations

[derekmisler]

This PR transforms the cagent-action into a production-ready, security-hardened GitHub Action with comprehensive protections against prompt injection, secret leakage, and unauthorized access.

🔒 Security Features

Universal Security (All Modes):

• Secret Leak Prevention: Scans all agent outputs for API keys/tokens (Anthropic, OpenAI, GitHub) using regex patterns
• Automatic Incident Response: Creates security issues and fails workflows when secrets are detected
• Output Sanitization: Universal scanning applied to every agent execution

PR Review Mode Security (when pr-number provided):

• Authorization: Hardcoded OWNER/MEMBER-only access (cannot be disabled)
• Input Sanitization: Removes code comments and blocks malicious diff patterns
• Safe Prompt Construction: Builds prompts from sanitized sources with anti-extraction rules
• Size Limits: Enforces max PR size (default 3000 lines) to prevent DoS attacks
• Prompt Injection Detection: Warns about suspicious patterns in user prompts (general mode)

📁 New Files

Security Scripts (security/):

• check-auth.sh - Authorization validation (OWNER/MEMBER only)
• sanitize-input.sh - PR diff sanitization (removes comments, detects injection)
• sanitize-output.sh - Secret leak detection in AI responses
• sanitize-prompt.sh - User prompt injection detection (general mode)
• secret-patterns.sh - Shared secret detection regex patterns
• README.md - Complete security documentation

Agent Configuration (agents/):

• pr-reviewer.yaml - Multi-agent PR reviewer with coordinator + specialists
  • Root coordinator with hierarchical delegation
  • review_rules - Base CI/CD review rules
  • frontend_engineer - TypeScript/React/Redux/Electron specialist
  • golang_engineer - Go/concurrency/stdlib specialist
  • python_engineer - Django/LangGraph/async specialist
  • Optimized model configurations (temperature: 0 for deterministic behavior)
  • Context7 MCP integration for documentation lookup

Test Suite (tests/):

• test-security.sh - Authorization, sanitization, secret detection tests
• test-exploits.sh - Prompt injection attack simulation tests

🔧 Action Changes (action.yml)

New Inputs:

• pr-number - Enable secure PR review mode (optional, mutually exclusive with manual agent)
• max-pr-size - PR size limit in lines (default 3000)

New Outputs:

• security-blocked - Whether execution was blocked for security reasons
• secrets-detected - Whether secrets were found in output
• prompt-suspicious - Whether user prompt contains suspicious patterns

Execution Flow:

1. Validation - Ensure either agent or pr-number provided
2. Authorization - Check contributor role (PR review mode only)
3. Fetch PR Data - Get diff via GitHub API with size validation
4. Sanitize Input - Remove comments, detect injection patterns
5. Build Safe Prompt - Construct prompt from sanitized sources with security rules
6. Run Agent - Execute with secure argument handling (no eval)
7. Sanitize Output - Scan for leaked secrets (universal)
8. Post Comment - Only if safe (no secrets detected)
9. Handle Incident - Create security issue and fail on secret detection

Security Improvements:

• Removed eval usage - direct command execution with quoted args
• Early output file creation for defensive programming
• Comprehensive error handling for missing files
• Shared secret patterns for consistency across checks

📚 Documentation (README.md)

Added:

• Security features overview section
• PR review mode usage examples
• Security-focused workflow examples
• Updated all version references to v2.0.0
• New input/output documentation

🧪 CI/CD (test.yml)

New Test Jobs:

• test-security - Runs authorization and sanitization tests
• test-exploits - Tests prompt injection attack prevention
• Security-focused test organization with explicit permissions

Improvements:

• Pinned actions/checkout to SHA for supply chain security
• Explicit contents: read permissions on all jobs
• Proper job naming and organization

🔄 Workflow Updates

Manual Test Workflows:

• Updated to v2.0.0
• Added explicit contents: read permissions
• Consistent permission declarations

Example Workflows:

• Updated pr-review.yml with security best practices
• Added issues: write permission for incident reporting

📊 Statistics

• 17 files changed
• 1,695 insertions, 49 deletions
• 6 commits on branch
• 5 new security scripts with comprehensive test coverage
• 266-line multi-agent PR reviewer configuration

🎯 Breaking Changes

v1 → v2 Migration:

• agent input now optional when pr-number provided (uses built-in secure reviewer)
• New security outputs may affect downstream workflow logic
• PR review mode enforces OWNER/MEMBER authorization (hardcoded)

✅ Testing

All security measures validated with:

• 176 lines of security tests (test-security.sh)
• 131 lines of exploit tests (test-exploits.sh)
• Automated CI/CD test execution on PR/push

---

This establishes cagent-action@v2 as a secure-by-default solution for AI-powered code reviews with defense-in-depth against common attack vectors.

[Copilot]

Pull Request Overview

This PR introduces comprehensive security mitigations for the cagent-action to enable safe AI-powered code reviews in public repositories. The implementation includes multi-layer defenses against prompt injection attacks, secret leakage, and unauthorized access.

Key Changes:

• Universal secret scanning for all agent outputs to prevent API key/token leakage
• PR review mode with authorization checks (OWNER/MEMBER only) and input sanitization
• Automated security incident response with issue creation and workflow failure

Reviewed Changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
tests/test.diff	Test fixture containing prompt injection attempt in comment
tests/test-security.sh	Security test suite covering 10 scenarios for auth, sanitization, and scanning
tests/test-exploits.sh	Red team tests simulating prompt injection and secret leak attacks
security/sanitize-prompt.sh	Detects prompt injection patterns in user-provided prompts (general mode)
security/sanitize-output.sh	Scans agent responses for leaked secrets before posting
security/sanitize-input.sh	Removes comments and blocks suspicious patterns in PR diffs
security/check-auth.sh	Validates user authorization for PR review triggers
examples/pr-review.yml	Updated example workflow using new PR review mode
agents/pr-reviewer.yaml	Multi-agent PR reviewer with hardened security rules
action.yml	Core action logic implementing defense-in-depth security architecture
README.md	Documentation of security features and usage examples
.github/workflows/test.yml	CI workflow running security and exploit tests
.github/workflows/manual-test-pirate-agent.yml	Manual test workflow with version update
.github/workflows/manual-test-github-agent.yml	Manual test workflow with version update

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull Request Overview

Copilot reviewed 14 out of 15 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.