Updated cagent to latest version and updated docs (#18)

derekmisler · web-flow · commit 1f7ec0445e13 · 2026-01-05T10:27:36.000-05:00
diff --git a/README.md b/README.md
@@ -5,8 +5,9 @@ A GitHub Action for running [cagent](https://github.com/docker/cagent) AI agents
 ## Quick Start
 
 1. **Add the action to your workflow**:
+
    ```yaml
-   - uses: docker/cagent-action@v1.0.0
+   - uses: docker/cagent-action@v1.0.4
      with:
        agent: docker/code-analyzer
        prompt: "Analyze this code"
@@ -15,6 +16,7 @@ A GitHub Action for running [cagent](https://github.com/docker/cagent) AI agents
    ```
 
 2. **Configure API key** in your repository settings:
+
    - Go to `Settings` → `Secrets and variables` → `Actions`
    - Add `ANTHROPIC_API_KEY` with your API key from [Anthropic Console](https://console.anthropic.com/)
 
@@ -40,7 +42,7 @@ See [security/README.md](security/README.md) for complete security documentation
 
 ```yaml
 - name: Run CAgent
-  uses: docker/cagent-action@v1.0.0
+  uses: docker/cagent-action@v1.0.4
   with:
     agent: docker/github-action-security-scanner
     prompt: "Analyze these commits for security vulnerabilities"
@@ -50,7 +52,7 @@ See [security/README.md](security/README.md) for complete security documentation
 
 ### Analyzing Code Changes
 
-```yaml
+````yaml
 name: Code Analysis
 on:
   pull_request:
@@ -59,7 +61,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
-  issues: write  # For security incident reporting
+  issues: write # For security incident reporting
 
 jobs:
   analyze:
@@ -76,7 +78,7 @@ jobs:
 
       - name: Analyze Changes
         id: analysis
-        uses: docker/cagent-action@v1.0.0
+        uses: docker/cagent-action@v1.0.4
         with:
           agent: docker/code-analyzer
           prompt: |
@@ -94,13 +96,13 @@ jobs:
             --body-file "${{ steps.analysis.outputs.output-file }}"
         env:
           GH_TOKEN: ${{ github.token }}
-```
+````
 
 ### Using a Local Agent File
 
 ```yaml
 - name: Run Custom Agent
-  uses: docker/cagent-action@v1.0.0
+  uses: docker/cagent-action@v1.0.4
   with:
     agent: ./agents/my-agent.yaml
     prompt: "Analyze the codebase"
@@ -112,16 +114,16 @@ jobs:
 
 ```yaml
 - name: Run CAgent with Custom Settings
-  uses: docker/cagent-action@v1.0.0
+  uses: docker/cagent-action@v1.0.4
   with:
     agent: docker/code-analyzer
     prompt: "Analyze this codebase"
     cagent-version: v1.9.11
-    mcp-gateway: true  # Set to true to install mcp-gateway
+    mcp-gateway: true # Set to true to install mcp-gateway
     mcp-gateway-version: v0.22.0
-    yolo: false  # Require manual approval
-    timeout: 600  # 10 minute timeout
-    debug: true   # Enable debug logging
+    yolo: false # Require manual approval
+    timeout: 600 # 10 minute timeout
+    debug: true # Enable debug logging
     working-directory: ./src
     extra-args: "--verbose"
   env:
@@ -133,7 +135,7 @@ jobs:
 ```yaml
 - name: Run CAgent
   id: agent
-  uses: docker/cagent-action@v1.0.0
+  uses: docker/cagent-action@v1.0.4
   with:
     agent: docker/code-analyzer
     prompt: "Analyze this codebase"
@@ -157,34 +159,34 @@ jobs:
 
 ## Inputs
 
-| Input | Description | Required | Default |
-|-------|-------------|----------|---------|
-| `agent` | Agent identifier (e.g., `docker/code-analyzer`) or path to `.yaml` file | Yes | - |
-| `prompt` | Prompt to pass to the agent | No | - |
-| `cagent-version` | Version of cagent to use | No | `v1.9.12` |
-| `mcp-gateway` | Install mcp-gateway (`true`/`false`) | No | `false` |
-| `mcp-gateway-version` | Version of mcp-gateway to use (specifying this will enable mcp-gateway installation) | No | `v0.22.0` |
-| `anthropic-api-key` | Anthropic API key | No | `$ANTHROPIC_API_KEY` env var |
-| `openai-api-key` | OpenAI API key | No | `$OPENAI_API_KEY` env var |
-| `google-api-key` | Google API key for Gemini | No | `GOOGLE_API_KEY` env var |
-| `github-token` | GitHub token for API access | No | Auto-provided by GitHub Actions |
-| `timeout` | Timeout in seconds for agent execution (0 for no timeout) | No | `0` |
-| `debug` | Enable debug mode with verbose logging (`true`/`false`) | No | `false` |
-| `working-directory` | Working directory to run the agent in | No | `.` |
-| `yolo` | Auto-approve all prompts (`true`/`false`) | No | `true` |
-| `extra-args` | Additional arguments to pass to `cagent exec` | No | - |
+| Input                 | Description                                                                          | Required | Default                         |
+| --------------------- | ------------------------------------------------------------------------------------ | -------- | ------------------------------- |
+| `agent`               | Agent identifier (e.g., `docker/code-analyzer`) or path to `.yaml` file              | Yes      | -                               |
+| `prompt`              | Prompt to pass to the agent                                                          | No       | -                               |
+| `cagent-version`      | Version of cagent to use                                                             | No       | `v1.15.6`                       |
+| `mcp-gateway`         | Install mcp-gateway (`true`/`false`)                                                 | No       | `false`                         |
+| `mcp-gateway-version` | Version of mcp-gateway to use (specifying this will enable mcp-gateway installation) | No       | `v0.22.0`                       |
+| `anthropic-api-key`   | Anthropic API key                                                                    | No       | `$ANTHROPIC_API_KEY` env var    |
+| `openai-api-key`      | OpenAI API key                                                                       | No       | `$OPENAI_API_KEY` env var       |
+| `google-api-key`      | Google API key for Gemini                                                            | No       | `GOOGLE_API_KEY` env var        |
+| `github-token`        | GitHub token for API access                                                          | No       | Auto-provided by GitHub Actions |
+| `timeout`             | Timeout in seconds for agent execution (0 for no timeout)                            | No       | `0`                             |
+| `debug`               | Enable debug mode with verbose logging (`true`/`false`)                              | No       | `false`                         |
+| `working-directory`   | Working directory to run the agent in                                                | No       | `.`                             |
+| `yolo`                | Auto-approve all prompts (`true`/`false`)                                            | No       | `true`                          |
+| `extra-args`          | Additional arguments to pass to `cagent exec`                                        | No       | -                               |
 
 ## Outputs
 
-| Output | Description |
-|--------|-------------|
-| `exit-code` | Exit code from the cagent exec |
-| `output-file` | Path to the output log file |
-| `cagent-version` | Version of cagent that was used |
-| `mcp-gateway-installed` | Whether mcp-gateway was installed (`true`/`false`) |
-| `execution-time` | Agent execution time in seconds |
-| `secrets-detected` | Whether secrets were detected in output |
-| `prompt-suspicious` | Whether suspicious patterns were detected in user prompt |
+| Output                  | Description                                              |
+| ----------------------- | -------------------------------------------------------- |
+| `exit-code`             | Exit code from the cagent exec                           |
+| `output-file`           | Path to the output log file                              |
+| `cagent-version`        | Version of cagent that was used                          |
+| `mcp-gateway-installed` | Whether mcp-gateway was installed (`true`/`false`)       |
+| `execution-time`        | Agent execution time in seconds                          |
+| `secrets-detected`      | Whether secrets were detected in output                  |
+| `prompt-suspicious`     | Whether suspicious patterns were detected in user prompt |
 
 ## Environment Variables
 
@@ -227,15 +229,15 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Security Review
-        uses: docker/cagent-action@v1.0.0
+        uses: docker/cagent-action@v1.0.4
         with:
           agent: docker/github-action-security-scanner
           prompt: "Analyze for security issues"
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
 
       - name: Code Quality Analysis
-        uses: docker/cagent-action@v1.0.0
+        uses: docker/cagent-action@v1.0.4
         with:
           agent: docker/code-quality-analyzer
           prompt: "Analyze code quality and best practices"
@@ -251,11 +253,11 @@ on:
   workflow_dispatch:
     inputs:
       agent:
-        description: 'Agent to run'
+        description: "Agent to run"
         required: true
-        default: 'docker/code-analyzer'
+        default: "docker/code-analyzer"
       prompt:
-        description: 'Prompt for the agent'
+        description: "Prompt for the agent"
         required: true
 
 jobs:
@@ -265,15 +267,14 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Run Agent
-        uses: docker/cagent-action@v1.0.0
+        uses: docker/cagent-action@v1.0.4
         with:
           agent: ${{ github.event.inputs.agent }}
           prompt: ${{ github.event.inputs.prompt }}
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
 ```
 
-
 ## Contributing
 
 We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details on:
diff --git a/action.yml b/action.yml
@@ -15,7 +15,7 @@ inputs:
   cagent-version:
     description: "Version of cagent to use"
     required: false
-    default: "v1.9.12"
+    default: "v1.15.6"
   mcp-gateway:
     description: "Install mcp-gateway (true/false)"
     required: false
diff --git a/examples/code-analysis.yml b/examples/code-analysis.yml
@@ -28,7 +28,7 @@ jobs:
 
       - name: Analyze Code Changes
         id: analysis
-        uses: docker/cagent-action@v1.0.0
+        uses: docker/cagent-action@v1.0.4
         with:
           agent: docker/code-analyzer
           prompt: |
diff --git a/security/README.md b/security/README.md
@@ -7,6 +7,7 @@ This directory contains security hardening scripts for the cagent-action GitHub
 This action includes **built-in security features for all agent executions**:
 
 1. **Output Scanning** - All agent responses are scanned for leaked secrets:
+
    - API key patterns: `sk-ant-*`, `sk-*`, `sk-proj-*`
    - GitHub tokens: `ghp_*`, `gho_*`, `ghu_*`, `ghs_*`, `github_pat_*`
    - Environment variable names in output
@@ -57,15 +58,18 @@ The action implements a defense-in-depth approach:
 ### Shared Patterns (`secret-patterns.sh`)
 
 Central source of truth for secret detection patterns. This file is sourced by:
+
 - `sanitize-output.sh` - Uses `SECRET_PATTERNS` array for comprehensive regex matching
 - `action.yml` (Build safe prompt step) - Uses `SECRET_PATTERNS` for prompt verification
 
 **Why shared patterns?**
+
 - **DRY principle**: Single source of truth prevents drift
 - **Consistency**: Same patterns across all security layers
 - **Maintainability**: Update patterns in one place
 
 **Secret patterns detected:**
+
 ```bash
 SECRET_PATTERNS=(
   'sk-ant-[a-zA-Z0-9_-]{30,}'        # Anthropic API keys
@@ -88,11 +92,13 @@ SECRET_PATTERNS=(
 **Patterns:** Sources from `secret-patterns.sh` for comprehensive detection
 
 **Usage:**
+
 ```bash
 ./sanitize-output.sh output-file.txt
 ```
 
 **Outputs:**
+
 - `leaked=true/false` to `$GITHUB_OUTPUT`
 - Exits with code 1 if secrets detected
 
@@ -101,6 +107,7 @@ SECRET_PATTERNS=(
 **Purpose:** Input sanitization for PR diffs and user prompts
 
 **Function:**
+
 - Removes code comments from diffs (prevents hidden instructions)
 - Detects HIGH-RISK patterns (blocks execution)
   - Instruction override attempts ("ignore previous instructions")
@@ -112,11 +119,13 @@ SECRET_PATTERNS=(
   - API key variable names in configuration
 
 **Usage:**
+
 ```bash
 ./sanitize-input.sh input-file.txt output-file.txt
 ```
 
 **Outputs:**
+
 - `blocked=true/false` to `$GITHUB_OUTPUT`
 - `risk-level=low/medium/high` to `$GITHUB_OUTPUT`
 - Exits with code 1 if HIGH-RISK patterns detected
@@ -153,6 +162,7 @@ cd tests
 ### Test Coverage
 
 **test-security.sh** (13 tests):
+
 1. Clean input (should pass)
 2. Prompt injection in comment (should block)
 3. Clean output (should pass)
@@ -169,6 +179,7 @@ cd tests
 14. High risk input - behavioral injection (should block)
 
 **test-exploits.sh** (6 tests):
+
 1. Prompt injection via comment (should be stripped)
 2. High-risk behavioral injection (should be blocked)
 3. Output token leak (should be blocked)
@@ -185,7 +196,7 @@ All tests must pass before deployment.
 ```yaml
 - name: Run Agent
   id: agent
-  uses: docker/cagent-action@v1.0.0
+  uses: docker/cagent-action@v1.0.4
   with:
     agent: my-agent
     prompt: "Analyze the logs"
@@ -204,6 +215,7 @@ All tests must pass before deployment.
 ```
 
 All executions automatically include:
+
 - Prompt sanitization warnings
 - Output scanning for secrets
 - Incident issue creation if secrets detected
@@ -216,6 +228,7 @@ All executions automatically include:
 When adding new secret patterns:
 
 1. **Update `secret-patterns.sh`** with new regex pattern:
+
    ```bash
    SECRET_PATTERNS=(
      # ... existing patterns ...
@@ -224,11 +237,13 @@ When adding new secret patterns:
    ```
 
 2. **Add to `SECRET_PREFIXES`** if needed for quick checks:
+
    ```bash
    SECRET_PREFIXES='(sk-ant-|...|new-provider-)'
    ```
 
 3. **Run tests** to verify:
+
    ```bash
    cd tests
    ./test-security.sh
@@ -253,9 +268,9 @@ Before deploying changes:
 
 The action provides security-related outputs that can be checked in subsequent steps:
 
-| Output | Description |
-|--------|-------------|
-| `secrets-detected` | `true` if secrets were detected in output |
+| Output              | Description                                           |
+| ------------------- | ----------------------------------------------------- |
+| `secrets-detected`  | `true` if secrets were detected in output             |
 | `prompt-suspicious` | `true` if suspicious patterns were detected in prompt |
 
 ## Reporting Security Issues
diff --git a/tests/test-job-summary.sh b/tests/test-job-summary.sh
@@ -35,7 +35,7 @@ echo "---"
   echo "| Agent | \`agents/security-scanner.yaml\` |"
   echo "| Exit Code | 0 |"
   echo "| Execution Time | 45s |"
-  echo "| CAgent Version | v1.6.6 |"
+  echo "| CAgent Version | v1.15.6 |"
   echo "| MCP Gateway | false |"
   echo ""
   echo "✅ **Status:** Success"
