[compiler-threat-spec] spec: add CTR-017 Secret Leakage via Env Vars and CTR-018 Version Integrity Bypass #32538
Merged
pelikhan merged 1 commit on May 16, 2026
…egrity Bypass

Two implemented security validation rules were missing from the compiler threat detection specification:

- CTR-017 Secret Leakage via Environment Variables: covers strict_mode_env_validation.go (validateEnvSecrets) and strict_mode_steps_validation.go (validateStepsSecrets), which detect secrets expressions in env:, engine.env, and uncontrolled step fields that would expose secrets to the agent container.
- CTR-018 Version Integrity Bypass: covers update_check_validation.go (validateUpdateCheck), which warns/rejects when check-for-updates: false disables the compile-agentic version update check.

Also adds T-CTR-017 and T-CTR-018 test ID entries in Section 7.1, extends the Section 6.1 implementation mapping table, updates the mapping audit note, bumps spec version to 1.0.8, and adds change-log entries for 1.0.7 and 1.0.8.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
pelikhan
approved these changes
May 16, 2026
Summary
Two implemented security validation rules were missing from the compiler threat detection specification (specs/compiler-threat-detection-spec.md). This PR adds them per the spec's Bidirectional sync principle: Implemented rules MUST appear in spec.

Threats Reviewed
Reviewed all compiler validation files in pkg/workflow/ against the existing CTR-001–CTR-016 catalog. Found two security validations with no corresponding CTR mapping:

Already Covered → Added to Spec
CTR-017 Secret Leakage via Environment Variables
- strict_mode_env_validation.go (validateEnvSecrets, validateEnvSecretsSection) and strict_mode_steps_validation.go (validateStepsSecrets)
- ${{ secrets.* }} expressions in top-level env:, engine.env (non-engine vars), and uncontrolled custom step fields that would expose secrets to the agent container
- env_secrets_validation_test.go, jobs_secrets_validation_test.go

CTR-018 Version Integrity Bypass
- update_check_validation.go (validateUpdateCheck)
- check-for-updates: false which disables the compile-agentic version update check
- update_check_validation_test.go

Rule IDs Added
- CTR-017 — Secret Leakage via Environment Variables
- CTR-018 — Version Integrity Bypass

Files Changed
- specs/compiler-threat-detection-spec.md — version bumped 1.0.6 → 1.0.8; CTR-017/018 added to §4.1 catalog, §6.1 mapping table, §7.1 test ID catalog, and §9 change log

Tests
No implementation changes — spec-only update. Existing tests for the mapped implementations are already passing.
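Added example, not code from this PR or from the project: a simplified Go check in the spirit of CTR-017 that flags `${{ secrets.* }}` expressions in top-level `env:` and `engine.env` values. The `Workflow` struct, `FindEnvSecretLeaks`, `scanEnv`, the regular expression, and the `ENGINE_API_KEY` allowlist entry are assumptions made for illustration; the step-field check is left out.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// secretsExpr matches ${{ ... }} reading secrets.NAME or secrets['NAME'].
var secretsExpr = regexp.MustCompile(`\$\{\{[^}]*\bsecrets\s*[.\[][^}]*\}\}`)

// engineOwnedVars is a hypothetical allowlist of engine.env keys the engine consumes.
var engineOwnedVars = map[string]bool{"ENGINE_API_KEY": true}

// Workflow is a constructed, simplified stand-in for parsed frontmatter.
type Workflow struct {
	Env       map[string]string // top-level env:
	EngineEnv map[string]string // engine.env
}

// scanEnv returns "<section>.<key>" for non-allowlisted keys embedding a secret.
func scanEnv(section string, env map[string]string, allow map[string]bool) []string {
	var out []string
	for key, val := range env {
		if !allow[key] && secretsExpr.MatchString(val) {
			out = append(out, section+"."+key)
		}
	}
	sort.Strings(out) // map iteration order is random; sort for stable output
	return out
}

// FindEnvSecretLeaks reports env entries that would hand a secret to the agent.
func FindEnvSecretLeaks(w Workflow) []string {
	return append(scanEnv("env", w.Env, nil), scanEnv("engine.env", w.EngineEnv, engineOwnedVars)...)
}

// sample builds constructed input: two leaking entries and two benign ones.
func sample() Workflow {
	return Workflow{
		Env:       map[string]string{"LOG_LEVEL": "debug", "DB_PASSWORD": "${{ secrets.DB_PASSWORD }}"},
		EngineEnv: map[string]string{"ENGINE_API_KEY": "${{ secrets.ENGINE_API_KEY }}", "EXTRA_TOKEN": "Bearer ${{ secrets['EXTRA_TOKEN'] }}"},
	}
}

func main() {
	fmt.Println("CTR-017 candidates:", FindEnvSecretLeaks(sample()))
}
```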