Add docker agent exposure rules and reduce false positives

[harekrishnarai]

Summary

• Add three new security rules for detecting vulnerable CI/CD patterns involving containers and AI agents
• Significantly reduce false positives across multiple existing rules
• Enable context-aware suppression and cancellation in concurrent scan paths

New Rules

DOCKER_EXEC_WITH_SECRETS_ON_FORK_CODE

Detects pull_request_target workflows that run Docker containers with secrets forwarded via -e/--env while operating on fork code (verified via untrusted checkout evidence). Only flags when:

• Workflow has pull_request_target trigger
• Job checks out PR head ref (untrusted code)
• Docker run forwards secrets without --network=none

AI_AGENT_ON_UNTRUSTED_CODE

Detects AI agent invocations (Claude, Copilot, GPT, Aider, etc.) processing fork-controlled code with secrets available in pull_request_target workflows. Now checks for --network=none mitigation and resolves line numbers for uses:-based detections.

AI_AGENT_COMMENT_TRIGGERED (NEW)

Detects AI agents triggered by issue_comment or pull_request_review_comment without author_association gating. Two attack tiers:

• Critical/High — Secrets passed to agent → prompt injection enables secret exfiltration
• Medium — No secrets but agent still runs → denial-of-wallet (any external user can spam @mentions to burn API credits)

Covers: Claude Code Action, Gemini, Copilot, CodeRabbit, Sourcery, Sweep, Aider, Devin, Qodo, Cursor + CLI variants.

Suppressed when workflow already gates on author_association == 'MEMBER'/'OWNER'/'COLLABORATOR'.

False Positive Reductions

• Supply chain: Skip SHA-pinned actions (with proper hex validation), skip local actions
• Runner detection: Narrow isManaged to exact GitHub-hosted patterns (no longer matches ubuntu-self-hosted)
• External triggers: issue_comment now gated on write permissions (read-only is benign)
• Docker/agent rules: Require untrusted checkout evidence before flagging pull_request_target workflows
• Reusable workflow detection: Fixed to job-level only (step-level .github/workflows/ is invalid syntax)
• Secrets scope: Use parsed job.Secrets field instead of file-global strings.Contains("secrets:")

Infrastructure Fixes

• Restore ctx.Done() cancellation check in concurrent scan goroutine
• detectRepositoryOwner: falls back to directory name, handles ssh:// URL format
• AI agent rule resolves line numbers for both run: and uses: steps

Test Coverage

• 8 test cases for docker/agent exposure rules
• Author association gate suppression test
• Denial-of-wallet detection test
• Updated TestExternalTriggerPermissions for new issue_comment behavior

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details

Scanned Files

[Copilot]

Pull request overview

This PR adds new detection rules for Docker/agent secret exposure in GitHub Actions pull_request_target workflows, and refines multiple existing rules and infrastructure paths to reduce false positives and enable context-aware suppression during scans.

Changes:

• Added new rules: DOCKER_EXEC_WITH_SECRETS_ON_FORK_CODE and AI_AGENT_ON_UNTRUSTED_CODE, plus tests.
• Reduced false positives in supply-chain and runner-detection logic (e.g., skip local actions, downgrade/skip SHA-pinned third-party actions, recognize managed runner labels).
• Routed concurrent scanning through RuleEngine.ExecuteRules() (context-aware suppression/severity adjustment), added YAML parsing in HybridEngine conversion, and added repository owner detection from git remotes.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
pkg/rules/supply_chain.go	Refines action-source checks (skip local actions; adjust handling of SHA-pinned/untrusted actions).
pkg/rules/shell_injection.go	Updates self-hosted runner detection to recognize additional GitHub-hosted and managed runner labels.
pkg/rules/rules.go	Registers new rules and reduces false positives for dangerous write ops + external-trigger findings.
pkg/rules/docker_agent_exposure.go	Implements new Docker/agent exposure detection logic (direct docker runs + reusable workflow patterns + AI agent detection).
pkg/rules/docker_agent_exposure_test.go	Adds test coverage for the new Docker/agent exposure rules.
pkg/platform/platform.go	Extends platform workflow model with RepositoryOwner.
pkg/parser/parser.go	Extends parser.Job to support reusable workflow fields (uses/with/secrets).
pkg/engine/hybrid.go	Parses YAML into legacy workflow struct, and infers repository owner from .git/config.
pkg/concurrent/concurrent.go	Uses RuleEngine.ExecuteRules() to enable context-aware suppression in concurrent scans.
pkg/analysis/context/analyzer.go	Adds suppression logic for ARTIPACKED_VULNERABILITY in trusted/no-untrusted-input contexts.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Version pinning detection treats any 40-character ref as a commit SHA. This can misclassify non-SHA refs (e.g., long tag/branch names) and incorrectly skip UNTRUSTED_ACTION_SOURCE findings. Consider reusing the existing SHA validation helper (e.g., isHexString / analyzeVersionPinning in advanced_supply_chain.go) to confirm the ref is actually a 40-hex commit hash before treating it as SHA-pinned.

[Copilot]

This goroutine no longer checks ctx.Done() while running standard rules. If a workflow-level timeout/cancel happens, engine.ExecuteRules will keep running until completion, which defeats the cancellation behavior that existed before the refactor. Consider adding a cancellation check before/after execution, or extending RuleEngine.ExecuteRules to accept a context and short-circuit per rule.

[Copilot]

checkDockerExecWithSecrets currently treats any pull_request_target workflow that runs docker run -e/--env as “operating on fork code”, but pull_request_target is safe if the workflow never checks out / uses PR head content. This will create significant false positives for PRT workflows that only act on base-repo metadata. Consider requiring evidence of untrusted-code checkout/usage (e.g., actions/checkout with ref: ${{ github.event.pull_request.head.sha }} / head_ref) similar to existing pull_request_target risk checks before emitting this finding.

[Copilot]

The fallback strings.Contains(contentStr, "secrets:") is workflow-global and will mark hasSecrets true even when the specific reusable-workflow job does not pass any secrets. This is likely to reintroduce false positives. Prefer relying on the parsed job.Secrets / job.With fields (now in parser.Job), and if parsing is unavailable, scope any text search to the specific job block rather than the entire file.

[Copilot]

This test models a reusable workflow call as a step Uses: org/.../.github/workflows/..., but reusable workflows are invoked at the job level (job.Uses + job.Secrets). As a result, the test can pass via the step-level fallback logic and may not cover the real-world path you added in checkReusableWorkflowAgentExposure. Consider setting parser.Job{Uses: ..., Secrets: ...} (and omitting steps) to validate the intended behavior.

Suggested change

	Steps: []parser.Step{
	{
	Uses: "org/reusable-workflows/.github/workflows/review-pull-request.yml@main",
	},
	},
	Uses: "org/reusable-workflows/.github/workflows/review-pull-request.yml@main",
	Secrets: "inherit",

[Copilot]

isManaged returns true for any runner label starting with ubuntu-/macos-/windows-. Self-hosted runners commonly include OS-like custom labels (e.g., ubuntu-self-hosted), so this change can suppress SELF_HOSTED_RUNNER_SECURITY findings (false negatives). Consider limiting this heuristic to known GitHub-hosted variants (e.g., ubuntu-latest-*, macos-*-large) and the explicit managed-provider prefixes, rather than any ubuntu- prefix.

Suggested change

	isManaged := func(label string) bool {
	if githubHostedRunners[label] {
	return true
	}
	lower := strings.ToLower(label)
	for _, prefix := range managedRunnerPrefixes {
	if strings.HasPrefix(lower, prefix) {
	return true
	}
	}
	// GitHub variant suffixes: ubuntu-latest-xl, macos-13-large, etc.
	if strings.HasPrefix(lower, "ubuntu-") || strings.HasPrefix(lower, "macos-") || strings.HasPrefix(lower, "windows-") {
	return true
	// Narrowly scoped managed runner patterns for known GitHub-hosted variants.
	// Avoid treating arbitrary OS-prefixed labels such as "ubuntu-self-hosted"
	// as managed runners.
	managedRunnerPatterns := []*regexp.Regexp{
	regexp.MustCompile(`^ubuntu-latest-[0-9]+-cores$`),
	regexp.MustCompile(`^macos-(latest|[0-9]+)-(large|xlarge)$`),
	}
	isManaged := func(label string) bool {
	lower := strings.ToLower(label)
	if githubHostedRunners[lower] {
	return true
	}
	for _, prefix := range managedRunnerPrefixes {
	if strings.HasPrefix(lower, prefix) {
	return true
	}
	}
	for _, pattern := range managedRunnerPatterns {
	if pattern.MatchString(lower) {
	return true
	}

[Copilot]

The comment says we “Only flag triggers that combine external accessibility with write permissions”, but issue_comment is included in dangerousTriggers and is always flagged (High) even when permissions are read-only. Either move issue_comment into the write-permission-gated map or update the comment/logic so the behavior matches the stated intent.

[Copilot]

This step-level check for .github/workflows/ in step.Uses won’t match valid GitHub Actions syntax (reusable workflows are invoked via job.uses, not step uses). As written, real reusable-workflow calls may be missed while tests can pass using invalid structures. Consider moving reusable-workflow detection to job.Uses/job.Secrets (new parser.Job fields) and limiting step-level detection to composite actions (.github/actions/).

[Copilot]

The AI-agent rule claims to detect lack of network isolation, but the implementation does not check for --network=none (or other isolation) at all, so even mitigated docker-based agent steps can still be flagged. Also, line numbers are only resolved for run: steps; uses:-based detections will report LineNumber: 1. Consider adding an isolation check when the evidence is a docker run, and use the line mapper to resolve uses: lines too.

[Copilot]

The comment says this “falls back to the directory name”, but on read/parse failure the function currently returns an empty string. Either implement the documented fallback (e.g., derive from filepath.Base(repoPath)), or update the comment so callers don’t assume an owner will be present. Also consider handling common ssh://git@host/owner/repo.git remote URL formats, which won’t be parsed correctly by the current SSH heuristic.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 10 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

triggerName is assigned but never used in CheckAIAgentCommentTriggered, which will cause a Go compile error (unused variable). Remove it or incorporate it into the finding evidence/description (e.g., include which comment trigger(s) were detected).

Suggested change

	triggerName := ""
	switch on := workflow.Workflow.On.(type) {
	case map[string]interface{}:
	if _, ok := on["issue_comment"]; ok {
	hasCommentTrigger = true
	triggerName = "issue_comment"
	}
	if _, ok := on["pull_request_review_comment"]; ok {
	hasCommentTrigger = true
	if triggerName != "" {
	triggerName += " + pull_request_review_comment"
	} else {
	triggerName = "pull_request_review_comment"
	}
	switch on := workflow.Workflow.On.(type) {
	case map[string]interface{}:
	if _, ok := on["issue_comment"]; ok {
	hasCommentTrigger = true
	}
	if _, ok := on["pull_request_review_comment"]; ok {
	hasCommentTrigger = true

[Copilot]

checkIndirectDockerWithSecrets falls back to strings.Contains(contentStr, "secrets: inherit") to decide hasSecrets. This can produce false positives because it is file-global (could match a different job) and secrets: inherit is job-level reusable-workflow syntax, not step-level composite action syntax. Use the parsed job.Secrets field (and/or the specific job’s with:/env:) instead of scanning the entire file content.

[Copilot]

checkAIAgentOnUntrustedCode flags any detected AI agent step in pull_request_target workflows, but it does not require evidence that the job is actually operating on fork-controlled code (e.g., checkout of PR head ref). This will reintroduce false positives for pull_request_target workflows that only run on trusted base branch code. Consider gating on jobCheckoutsUntrustedCode(job) (similar to checkDockerExecWithSecrets) before emitting findings.

[Copilot]

Actor-gating suppression is currently too permissive: any if containing author_association suppresses the finding, even if it’s not restricting to trusted actors (e.g., != 'MEMBER' or checks for 'NONE'). Additionally, the raw file scan can suppress findings if those strings appear in unrelated contexts. Tighten this to only suppress when the relevant job/step if: expression positively restricts to MEMBER/OWNER/COLLABORATOR (e.g., via a regex for equality/in-list checks).

[Copilot]

In the runs-on array case, the presence of any dynamic expression (${{ ... }}) causes an immediate return false, which can hide an explicit self-hosted label in the same list (e.g., runs-on: [self-hosted, ${{ matrix.os }}]). Instead, treat dynamic entries as “unknown” and continue scanning other labels; only return false when you can confidently classify the job as managed/GitHub-hosted.

[Copilot]

isBranchRef is set for any version that doesn’t start with v and isn’t a SHA. This will classify common semver tags like 1.2.3 (no v prefix) as a “branch name” and raise severity to High. Consider treating numeric semver tags without v as pinned versions (e.g., via parseSemanticVersion or a semver regex) and reserving the “branch ref” classification for clearly mutable refs like main/master or non-semver strings.

[Copilot]

checkIndirectDockerWithSecrets declares a lineMapper parameter but never uses it, which will cause a Go compile error (unused parameter). Either use it to compute LineNumber for the finding(s) (e.g., locate the uses: line), or remove the parameter and adjust the caller accordingly.

[Copilot]

Severity escalation to Critical is based on job.Permissions != nil && permsImplyWrite(job.Permissions), but permsImplyWrite(nil) returns true (GitHub default is write-all). As written, jobs that inherit workflow permissions (nil) will never be marked Critical even when they effectively have write access. Consider using permsImplyWrite(job.Permissions) directly and also factoring in workflow.Workflow.Permissions when job.Permissions is nil/inherited.

Suggested change

	// If the job has write permissions, severity is Critical
	if job.Permissions != nil && permsImplyWrite(job.Permissions) {
	// If the job effectively has write permissions, severity is Critical.
	// Job-level permissions inherit from workflow-level permissions when nil,
	// and permsImplyWrite(nil) reflects GitHub's default permissions.
	effectivePermissions := job.Permissions
	if effectivePermissions == nil {
	effectivePermissions = workflow.Workflow.Permissions
	}
	if permsImplyWrite(effectivePermissions) {

[Copilot]

This goroutine now checks ctx.Done() only once before running all standard rules. Since RuleEngine.ExecuteRules doesn’t take a context, long rule execution won’t be cancellable until completion. Consider reinstating a per-rule (or per-finding batch) ctx.Done() check around rule execution, or updating the rule engine to support context-aware cancellation.

Suggested change

	standardFindings = engine.ExecuteRules(job.Workflow, job.StandardRules)
	for i := range job.StandardRules {
	select {
	case <-ctx.Done():
	errChan <- ctx.Err()
	return
	default:
	}
	ruleFindings := engine.ExecuteRules(job.Workflow, job.StandardRules[i:i+1])
	standardFindings = append(standardFindings, ruleFindings...)
	}

[Copilot]

Local actions can also be referenced with ../ prefixes (and other parts of the codebase already treat both ./ and ../ as local). To avoid reintroducing local-action false positives here, consider skipping ../ as well (and any other local forms you support consistently elsewhere).

Suggested change

	if strings.HasPrefix(step.Uses, "./") {
	if strings.HasPrefix(step.Uses, "./") || strings.HasPrefix(step.Uses, "../") {

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.