[compiler-threat-spec] spec: extend CTR rule catalog to CTR-006 through CTR-011 #30922

Merged: pelikhan merged 1 commit into main from spec/ctr-006-011-coverage-2026-05-08-4a7dbf54a334eb8e on May 8, 2026
@github-actions (bot, Contributor) commented May 8, 2026

Summary

This PR extends the compiler threat detection specification from 5 rules (CTR-001–005) to 11 rules (CTR-001–011), synchronizing the spec with six threat categories that already have compiler implementations but were not yet documented.

Threats Reviewed

| Rule | Threat Class | Already Implemented? | Action |
|------|--------------|----------------------|--------|
| CTR-001 | Privilege Escalation | ✅ Yes | Already in spec |
| CTR-002 | Unpinned Action Integrity | ✅ Yes | Already in spec |
| CTR-003 | Unsafe Tool Scope Expansion | ✅ Yes | Already in spec |
| CTR-004 | Sandbox Bypass Configuration | ✅ Yes | Already in spec |
| CTR-005 | Unsafe Output Route | ✅ Yes | Already in spec |
| CTR-006 | Template Injection | ✅ Yes | Added to spec |
| CTR-007 | Markdown Content Security | ✅ Yes | Added to spec |
| CTR-008 | Pull Request Target Safety | ✅ Yes | Added to spec |
| CTR-009 | Shell Expansion in Safe-Outputs | ✅ Yes | Added to spec |
| CTR-010 | Expression Safety Allowlist | ✅ Yes | Added to spec |
| CTR-011 | Network Firewall Configuration | ✅ Yes | Added to spec |

Rule Details

  • CTR-006: template_injection_validation.go detects ${{ ... }} expressions used directly in run: shell steps (not via env:), preventing user-controlled data from flowing into shell execution context.
  • CTR-007: markdown_security_scanner.go scans externally-sourced markdown for unicode abuse, hidden content, obfuscated links, HTML abuse, embedded scripts, and social engineering.
  • CTR-008: pull_request_target_validation.go enforces checkout restrictions for pull_request_target triggers and warns/errors on pwn-request risk in strict mode.
  • CTR-009: safe_outputs_steps_shell_expansion_validation.go catches dangerous bash expansions (${var@op}, ${!var}, $(...), backticks) in safe-outputs run scripts at compile time.
  • CTR-010: expression_safety_validation.go enforces an allowlist of approved expressions and rejects multi-line or unauthorized expressions.
  • CTR-011: network_firewall_validation.go validates firewall configuration dependencies and rejects invalid domain patterns.

Files Changed

  • specs/compiler-threat-detection-spec.md — version bumped to 1.0.1, Section 4.1 and 6.1 extended

References: §25534953257

Generated by Daily Compiler Threat Spec Optimizer · ● 7M ·

  • expires on May 15, 2026, 3:33 AM UTC
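
The CTR-006 check described in the comment above, sketched as an added example (not code from this PR or from template_injection_validation.go): a simplified line-based scanner that flags `${{ ... }}` written directly in `run:` scripts and ignores the same expression when it is passed through `env:`. The function name `FindRunExpressions` and the sample workflow are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var runKey = regexp.MustCompile(`^(\s*(?:-\s+)?)run:\s*(.*)$`)
var exprRe = regexp.MustCompile(`\$\{\{.*?\}\}`)

// sampleWorkflow is constructed for this example.
const sampleWorkflow = `steps:
  - run: echo "${{ github.event.issue.title }}"
  - env:
      TITLE: ${{ github.event.issue.title }}
    run: |
      echo "$TITLE"
  - run: |
      echo "${{ github.event.comment.body }}"
`

// FindRunExpressions returns "line: expression" for every ${{ ... }}
// written directly in a run: script (inline or block scalar).
func FindRunExpressions(workflow string) []string {
	var out []string
	inBlock, keyCol := false, 0
	for i, line := range strings.Split(workflow, "\n") {
		indent := len(line) - len(strings.TrimLeft(line, " "))
		// A non-blank line at or left of the run: key ends a block scalar.
		inBlock = inBlock && (strings.TrimSpace(line) == "" || indent > keyCol)
		body := line
		if !inBlock {
			m := runKey.FindStringSubmatch(line)
			if m == nil {
				continue // not a run: key; env: and other keys are skipped
			}
			keyCol, body = len(m[1]), m[2]
			inBlock = strings.HasPrefix(body, "|") || strings.HasPrefix(body, ">")
		}
		for _, e := range exprRe.FindAllString(body, -1) {
			out = append(out, fmt.Sprintf("%d: %s", i+1, e))
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(FindRunExpressions(sampleWorkflow), "\n"))
}
```

The second step in the sample is the remediation pattern: the expression is bound to an environment variable and the script reads `$TITLE`, so the scanner reports nothing for it.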

Add six new rules to the compiler threat detection specification to reflect
existing implementation coverage that was not yet represented in the spec:

- CTR-006 Template Injection: expression-in-shell detection
- CTR-007 Markdown Content Security: unicode/HTML/social-engineering scanning
- CTR-008 Pull Request Target Safety: pwn-request prevention
- CTR-009 Shell Expansion in Safe-Outputs: dangerous bash expansion at compile time
- CTR-010 Expression Safety Allowlist: authorized expression enforcement
- CTR-011 Network Firewall Configuration: firewall dependency validation

Updated version to 1.0.1 and added change log entry.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@pelikhan pelikhan merged commit b31c0f2 into main May 8, 2026
@pelikhan pelikhan deleted the spec/ctr-006-011-coverage-2026-05-08-4a7dbf54a334eb8e branch May 8, 2026 04:59