Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion pkg/cli/compile_security_benchmark_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ timeout-minutes: 10

Analyze the issue and provide feedback.

Issue: ${{ needs.activation.outputs.text }}
Issue: ${{ steps.sanitized.outputs.text }}
`

testFile := filepath.Join(tmpDir, "test-workflow.md")
Expand Down
6 changes: 3 additions & 3 deletions scratchpad/github-actions-security-best-practices.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,10 +68,10 @@ jobs:
```yaml
# SECURE: Use sanitized context output
# For GitHub Agentic Workflows
Analyze this content: "${{ needs.activation.outputs.text }}"
Analyze this content: "${{ steps.sanitized.outputs.text }}"
```

**Why it's secure**: The `needs.activation.outputs.text` output is automatically sanitized:
**Why it's secure**: The `steps.sanitized.outputs.text` output is automatically sanitized:
- @mentions neutralized (`` `@user` ``)
- Bot triggers protected (`` `fixes #123` ``)
- XML tags converted to safe format
Expand Down Expand Up @@ -929,7 +929,7 @@ Use this checklist when creating or reviewing GitHub Actions workflows:
- [ ] No untrusted input in `${{ }}` expressions
- [ ] Untrusted data passed via environment variables
- [ ] Safe context variables used where possible
- [ ] Sanitized context used (gh-aw: `needs.activation.outputs.text`)
- [ ] Sanitized context used (gh-aw: `steps.sanitized.outputs.text`)

### Shell Scripts
- [ ] All variables quoted: `"$VAR"`
Expand Down
2 changes: 1 addition & 1 deletion scratchpad/oh-my-code.md
Original file line number Diff line number Diff line change
Expand Up @@ -586,7 +586,7 @@ on:
| **Sandboxing** | GitHub Actions containers | Limited blast radius |
| **SHA pinning** | `actions/checkout@abc123...` | Supply chain security |
| **Expression limits** | Max 120 chars per expression | Prevent injection attacks |
| **Context sanitization** | `needs.activation.outputs.text` | Neutralized @mentions, safe XML |
| **Context sanitization** | `steps.sanitized.outputs.text` | Neutralized @mentions, safe XML |
| **Audit logging** | GitHub Actions logs | Full traceability |

**Risk Profile**: **Low trust, controlled power** - Suitable for team/org automation with strict security requirements
Expand Down
4 changes: 2 additions & 2 deletions scratchpad/template-injection-prevention.md
Original file line number Diff line number Diff line change
Expand Up @@ -108,10 +108,10 @@ When writing GitHub Actions workflows:
- ❌ `${{ github.event.head_commit.message }}`
- ❌ `${{ github.head_ref }}` (can be controlled by PR authors)
- ❌ `${{ github.ref_name }}` (branch/tag names)
- ❌ `${{ steps.*.outputs.* }}` (step outputs may contain user data)
- ❌ `${{ steps.*.outputs.* }}` (generic step outputs may contain user data; exception: `steps.sanitized.outputs.*` below)

2. **Use sanitized context instead:**
- ✅ `${{ needs.activation.outputs.text }}` (sanitized by gh-aw)
- ✅ `${{ steps.sanitized.outputs.text }}` (sanitized by gh-aw — this is the explicit exception to the rule above)

3. **Pass data through environment variables:**
```yaml
Expand Down
2 changes: 1 addition & 1 deletion specs/security-architecture-spec-validation.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ All major security architecture claims in the specification have been verified a

**Specification Claim**:
> **OI-01**: A conforming implementation MUST separate workflow execution into distinct job types:
> 1. **Activation Job**: Performs sanitization and produces `needs.activation.outputs.text`
> 1. **Activation Job**: Performs sanitization and produces `steps.sanitized.outputs.text`
> 2. **Agent Job**: Executes AI agent with read-only permissions
> 3. **Safe Output Jobs**: Perform validated GitHub API operations with write permissions

Expand Down
10 changes: 5 additions & 5 deletions specs/security-architecture-spec.md
Original file line number Diff line number Diff line change
Expand Up @@ -275,7 +275,7 @@ The input sanitization layer protects against template injection and prompt inje
- Commit messages
- User-provided input fields

**IS-02**: Sanitized content MUST be made available through a dedicated output variable (e.g., `needs.activation.outputs.text`).
**IS-02**: Sanitized content MUST be made available through a dedicated output variable (e.g., `steps.sanitized.outputs.text`).

**IS-03**: Workflows MUST NOT use raw GitHub event context (e.g., `github.event.issue.title`) directly in AI agent prompts.

Expand Down Expand Up @@ -388,7 +388,7 @@ The output isolation layer enforces separation between AI agent operations (read

**OI-01**: A conforming implementation MUST separate workflow execution into distinct job types:

1. **Activation Job**: Performs sanitization and produces `needs.activation.outputs.text`
1. **Activation Job**: Performs sanitization and produces `steps.sanitized.outputs.text`
2. **Agent Job**: Executes AI agent with read-only permissions
3. **Safe Output Jobs**: Perform validated GitHub API operations with write permissions

Expand Down Expand Up @@ -875,7 +875,7 @@ Compilation-time security checks validate workflow definitions before generating
- `${{ github.actor }}`
- `${{ github.repository }}`
- `${{ github.run_id }}`
- `${{ needs.activation.outputs.text }}` (sanitized)
- `${{ steps.sanitized.outputs.text }}` (sanitized)

**CS-05**: Expression safety violations MUST cause compilation failure with suggestions for safe alternatives.

Expand Down Expand Up @@ -1735,7 +1735,7 @@ Use this checklist to verify that a compiled `.lock.yml` workflow file meets all

- [ ] `activation` job runs the timestamp validation step (`check_workflow_timestamp_api.cjs`)
- [ ] `activation` job runs the sanitize content step (`sanitize_content_core.cjs`)
- [ ] Agent prompts use `needs.activation.outputs.text` (sanitized), not raw `github.event.*` context
- [ ] Agent prompts use `steps.sanitized.outputs.text` (sanitized), not raw `github.event.*` context

#### G.5 Threat Detection

Expand Down Expand Up @@ -1781,7 +1781,7 @@ prompt: |
**Do**:
```yaml
prompt: |
Analyze this issue: ${{ needs.activation.outputs.text }}
Analyze this issue: ${{ steps.sanitized.outputs.text }}
```

#### BP-02: Enable Strict Mode for Production
Expand Down
Loading