agent-governance-toolkit/.github/workflows/ai-security-scan.yml at main · microsoft/agent-governance-toolkit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
# AI-powered security analysis for the agent-governance-toolkit.
# Catches security issues that static analysis tools like CodeQL may miss:
# prompt injection defense bypass, policy engine circumvention, trust chain
# weaknesses, credential exposure, sandbox escape, and deserialization attacks.
#
# Two modes:
# - PR scan: non-blocking analysis on every pull request
# - Weekly full scan: comprehensive audit posted as a GitHub issue
name: AI Security Scan

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches: [main]
  schedule:
    - cron: "0 6 * * 1" # Weekly Monday 6:00 UTC
  workflow_dispatch:

permissions:
  contents: read
  pull-requests: write
  issues: write
  models: read

jobs:
  pr-security-scan:
    name: PR Security Analysis
    runs-on: ubuntu-latest
    if: >-
      github.event_name == 'pull_request_target' &&
      github.event.pull_request.draft == false &&
      github.actor != 'dependabot[bot]'
    continue-on-error: true
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # SECURITY: pull_request_target — checkout base branch (default), NOT
          # the PR head. The composite action fetches the diff via GitHub API,
          # so checking out HEAD is unnecessary and would let a malicious PR
          # modify .github/actions/ code that runs with elevated GITHUB_TOKEN.
          fetch-depth: 0

      - name: Run AI security scan
        uses: ./.github/actions/ai-agent-runner
        with:
          agent-type: security-scanner
          github-token: ${{ secrets.GITHUB_TOKEN }}
          model: gpt-4o
          fallback-model: gpt-4o-mini
          max-tokens: "4000"
          context-mode: pr-diff
          output-mode: pr-comment
          custom-instructions: |
            You are a security analyst reviewing changes to microsoft/agent-governance-toolkit —
            a security-focused AI agent governance library.

            This is CRITICAL: the toolkit itself IS the security layer. Bugs here mean
            security bypasses for all downstream users.

            Scan for:
            1. **Prompt injection defense bypass** — can crafted input circumvent policy guards?
            2. **Policy engine circumvention** — can policies be skipped or weakened?
            3. **Trust chain weaknesses** — SPIFFE/SVID validation gaps, cert pinning issues
            4. **Credential exposure** — secrets in logs, error messages, or debug output
            5. **Sandbox escape** — container/process isolation breakouts
            6. **Deserialization attacks** — unsafe pickle/yaml/json loading
            7. **Race conditions** — TOCTOU in policy checks, concurrent trust evaluation
            8. **Supply chain** — dependency confusion, typosquatting in imports

            Rate each finding: 🔴 CRITICAL / 🟠 HIGH / 🟡 MEDIUM / 🔵 LOW
            For each finding, explain the attack vector and suggest a fix.

  weekly-full-scan:
    name: Weekly Full Security Audit
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Run full security audit
        id: audit
        uses: ./.github/actions/ai-agent-runner
        with:
          agent-type: security-auditor
          github-token: ${{ secrets.GITHUB_TOKEN }}
          model: gpt-4o
          fallback-model: gpt-4o-mini
          max-tokens: "4000"
          context-mode: repo-scan
          output-mode: none
          custom-instructions: |
            You are performing a weekly security audit of microsoft/agent-governance-toolkit.

            Review the repository structure and recent changes for:
            1. Prompt injection defense bypass vectors
            2. Policy engine circumvention paths
            3. Trust chain weaknesses (SPIFFE/SVID)
            4. Credential exposure risks
            5. Sandbox escape vectors
            6. Deserialization attack surfaces
            7. Race conditions in security-critical paths
            8. Supply chain vulnerabilities

            Format as a security report with:
            - Executive summary
            - Findings table (Severity | Category | Description | Location)
            - Recommendations

      - name: Create security audit issue
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AUDIT_RESPONSE: ${{ steps.audit.outputs.response }}
        run: |
          if [ -z "$AUDIT_RESPONSE" ]; then
            AUDIT_RESPONSE="Weekly security audit completed but produced no output. Check workflow logs."
          fi
          printf '%s' "$AUDIT_RESPONSE" > "$RUNNER_TEMP/audit-body.md"
          gh issue create \
            --title "🔒 Weekly AI Security Audit — $(date +%Y-%m-%d)" \
            --body-file "$RUNNER_TEMP/audit-body.md" \
            --label "security,ai-audit" \
            || echo "::warning::Failed to create security audit issue"