fix: restrict /proc/self/environ and docker-compose.yml secret exposure

[Mossaka]

Summary

PR #607 adds runtime configuration for the one-shot token library (AWF_ONE_SHOT_TOKENS), which addresses secret leaking via getenv() (path 1 of the attack surface identified in githubnext/gh-aw-security#62).

However, two additional exposure paths remain unmitigated:

1. /proc/self/environ bypasses LD_PRELOAD

The kernel exposes all environment variables of a process through /proc/self/environ. Reading this file directly bypasses getenv() entirely, so the LD_PRELOAD one-shot token library cannot intercept it.

cat /proc/self/environ | tr '\0' '\n' | grep COPILOT_GITHUB_TOKEN

2. Docker Compose file contains plaintext tokens

AWF writes sensitive tokens (e.g., COPILOT_GITHUB_TOKEN) in plaintext into the generated docker-compose.yml at /tmp/awf-*/docker-compose.yml. Since the host filesystem is mounted into the container at /host, the agent can read:

cat /host/tmp/awf-*/docker-compose.yml | grep -A 2 COPILOT_GITHUB_TOKEN

Proposed Mitigations

1. /proc/self/environ: Mount procfs with restricted access, or overwrite sensitive env vars in the process environment before executing the agent command (after the legitimate consumer has read them).

2. Docker Compose file: Either:

   • Remove/redact sensitive values from the compose file after containers start
   • Use Docker secrets instead of environment variables
   • Restrict the /host mount to exclude /tmp/awf-*
   • Make the workdir path inaccessible from within the container

Related

• PR feat: add runtime configuration for one-shot token protection via AWF_ONE_SHOT_TOKENS #607: feat: add runtime configuration for one-shot token list via AWF_ONE_SHOT_TOKENS
• githubnext/gh-aw-security#62: COPILOT_GITHUB_TOKEN exposed in Docker Compose environment configuration

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[Mossaka]

Closing as this appears to have been resolved in main. Both exposure paths are mitigated: (1) /proc/self/environ: commit #809 (9582c57) unsets sensitive tokens from entrypoint's environment after the agent starts, so /proc/1/environ no longer contains live tokens; (2) docker-compose.yml secrets: commit #718 (5f91324) adds a tmpfs overlay on the workDir so the agent container sees an empty in-memory filesystem instead of the real /tmp/awf-* directory containing docker-compose.yml with tokens. Integration tests added in #1163 and #1219 verify both mitigations.