[Security Review] Daily Security Review — 2026-05-13

[github-actions[bot]]

📊 Executive Summary

Overall Security Posture: GOOD with a small number of medium-severity design trade-offs that are already documented.

Metric	Value
npm dependency vulnerabilities	0 (critical/high/moderate/low)
Attack surfaces identified	8
Critical findings	0
High findings	1
Medium findings	3
Low/Informational	4
Lines of security-critical TS analyzed	~16,000

The firewall follows strong defense-in-depth principles: iptables default-deny → Squid domain ACL → seccomp → capability drop → no-new-privileges. The architecture is well-reasoned and documented.

---

🔍 Findings from Previous Firewall Escape Test

The pre-fetched file at /tmp/gh-aw/escape-test-summary.txt contained GitHub Actions CI log metadata from a "Secret Digger (Copilot)" workflow run (GH_AW_SECRET_VERIFICATION_RESULT: success, GH_AW_AGENT_CONCLUSION: success, concluded with noop output). This indicates:

• The prior adversarial agent found no secrets to exfiltrate
• GH_AW_INFERENCE_ACCESS_ERROR: false — inference firewall functioned correctly
• GH_AW_LOCKDOWN_CHECK_FAILED: false — no lockdown bypass
• No discussion/issue/code-push was produced — the agent had nothing to report

Interpretation: The secret-digging agent successfully ran under firewall restrictions and could not exfiltrate credentials, validating the credential-isolation design.

---

🛡️ Architecture Security Analysis

Network Security

Evidence (containers/agent/setup-iptables.sh):

# IPv6 is explicitly disabled:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

# Dangerous ports returned before DNAT (22, 23, 25, 110, 143 ...):
iptables -t nat -A OUTPUT -p tcp --dport "$port" -j RETURN

# Default-deny TCP + UDP:
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP

The iptables ruleset is sound. IPv6 is disabled at the kernel level inside the container namespace to prevent proxy bypass via IPv6 dual-stack paths. The dangerous-ports list is maintained in sync with DANGEROUS_PORTS in src/squid/policy-manifest.ts. HTTP (port 80) and HTTPS (port 443) are DNAT'd to Squid, providing defense-in-depth for proxy-unaware tools.

Observation: The --log-uid flag on LOG rules enables agent UID tracking, but PID is not available in iptables logs — a known limitation documented in LOGGING.md.

Container Security

Evidence (src/services/agent-service.ts:88–115):

cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],
cap_drop: ['NET_RAW', 'SYS_PTRACE', 'SYS_MODULE', 'SYS_RAWIO', 'MKNOD'],
security_opt: [
  'no-new-privileges:true',
  `seccomp=${config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',   // ← see Finding H-1
],

Evidence (containers/agent/entrypoint.sh:909):

exec capsh --drop=${CAPS_TO_DROP} --user=${HOST_USER} -- -c 'exec ${SCRIPT_FILE}'

SYS_CHROOT and SYS_ADMIN are dropped via capsh from the bounding set before user code runs, so user code cannot regain them even with a setuid binary. The iptables-init container holds NET_ADMIN/NET_RAW only; the agent container never has NET_ADMIN.

The pids_limit: 1000 and mem_limit: 6g prevent DoS via fork bombs or memory exhaustion.

Domain Validation

Evidence (src/domain-patterns.ts:25, 153):

export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

export function validateDomainOrPattern(input: string): void {
  // rejects backslash, dangerous chars, prevents Squid config injection
}

Domains are validated before being interpolated into Squid config. The formatDomainForSquid() function normalizes to dstdomain .domain.com format. Wildcard patterns are converted to anchored regexes using DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*' — a character class that prevents ReDoS via catastrophic backtracking.

The apiProxyIp value in src/squid-config.ts:37 is validated with a strict per-octet IPv4 regex before being embedded in Squid config, preventing config injection via that field.

Input Validation

Evidence (src/option-parsers.ts:447):

export function escapeShellArg(arg: string): string { ... }

All subprocess calls use execa with array arguments (never string interpolation into shell commands), which prevents shell injection. This applies to docker, iptables, openssl, mount, umount, ip6tables, and sysctl invocations throughout src/host-iptables-rules.ts, src/ssl-bump.ts, etc.

---

⚠️ Threat Model (STRIDE)

#	Category	Threat	Evidence	Likelihood	Impact	Severity
T1	Elevation of Privilege	apparmor:unconfined removes MAC protection; if capsh drop fails, SYS_ADMIN is available to user code	agent-service.ts:112	Low	High	H-1
T2	Information Disclosure	docker-compose.yml contains secrets in plaintext; tmpfs overlay (workDir) mitigates this within container	agent-service.ts:55–76	Very Low	High	M-1
T3	Tampering	Agent writes to workspace (read-write mount); malicious agent can modify workspace files	agent-volumes.ts	Medium	Medium	M-2
T4	Elevation of Privilege	memswap_limit: -1 (unlimited swap) when no user memory limit; a swap-based side-channel could persist beyond container lifecycle	agent-service.ts:119	Low	Low	M-3
T5	Denial of Service	pids_limit: 1000 set, mem_limit: 6g set; fork bomb or memory exhaustion contained	agent-service.ts	Low	Medium	Low
T6	Spoofing	DNS servers limited to configured list; container DNS is Docker's 127.0.0.11 forward-only resolver	setup-iptables.sh	Very Low	Medium	Low
T7	Repudiation	Squid logs all traffic; iptables LOG rules audit non-HTTP traffic; logs preserved in agent-logs/	squid-config.ts:40	N/A	N/A	Positive
T8	Information Disclosure	Proxy-unaware HTTPS tools receive TLS error (not 403) — still blocked, but error message differs	AGENTS.md	Low	Low	Low

---

🎯 Attack Surface Map

Surface	Entry Point	Current Protections	Risk
HTTP/HTTPS egress	Port 80/443 DNAT → Squid	Domain ACL, Squid deny-all default	Low
Non-HTTP TCP egress	iptables OUTPUT	Default DROP, dangerous-port RETURN	Low
UDP egress (DNS)	Port 53 → allowed DNS servers only	iptables UDP DROP; DNS server allowlist	Low
IPv6 egress	All IPv6 interfaces	sysctl disable_ipv6=1 in container NS	Low
Domain input (CLI)	--allow-domains arg	validateDomainOrPattern(), SQUID_DANGEROUS_CHARS	Low
Container capabilities	SYS_ADMIN pre-drop window	apparmor:unconfined; capsh drops before user code	Medium
Workspace filesystem	/workspace RW mount	No write restrictions on workspace itself	Medium
API credentials	--enable-api-proxy sidecar	Secrets never in agent env; sidecar at 172.30.0.30	Low

---

📋 Evidence Collection

npm audit — 0 vulnerabilities

Vulns: {'info': 0, 'low': 0, 'moderate': 0, 'high': 0, 'critical': 0, 'total': 0}

Container capability configuration (agent-service.ts)

cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],
cap_drop: ['NET_RAW', 'SYS_PTRACE', 'SYS_MODULE', 'SYS_RAWIO', 'MKNOD'],
security_opt: [
  'no-new-privileges:true',
  `seccomp=${config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',
],
pids_limit: 1000,
mem_limit: config.memoryLimit || '6g',
memswap_limit: config.memoryLimit ? config.memoryLimit : '-1',

iptables default-deny + dangerous ports (setup-iptables.sh)

DANGEROUS_PORTS=(22 23 25 110 143 3306 5432 6379 27017 ...)
for port in "${DANGEROUS_PORTS[@]}"; do
  iptables -t nat -A OUTPUT -p tcp --dport "$port" -j RETURN
done
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination "${SQUID_IP}:${SQUID_PORT}"
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination "${SQUID_IP}:${SQUID_PORT}"
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP

capsh privilege drop (entrypoint.sh:909)

exec capsh --drop=${CAPS_TO_DROP} --user=${HOST_USER} -- -c 'exec ${SCRIPT_FILE}'
# CAPS_TO_DROP = cap_sys_chroot,cap_sys_admin (in chroot mode)

Domain injection prevention (domain-patterns.ts)

export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;
// validateDomainOrPattern() rejects backslash and SQUID_DANGEROUS_CHARS before interpolation
export const DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*'; // prevents ReDoS

---

✅ Recommendations

🔴 Critical

None identified.

🟠 High

H-1: AppArmor unconfined weakens MAC layer
src/services/agent-service.ts:112 sets apparmor:unconfined to allow mount(2) for procfs. If capsh fails to drop SYS_ADMIN (e.g., capsh binary missing or corrupted on the host), user code would have both SYS_ADMIN and no AppArmor profile — a significant privilege.

• Mitigation: The seccomp profile (containers/agent/seccomp-profile.json) still constrains syscalls, and the entrypoint already validates capsh availability (entrypoint.sh:592). Consider writing a targeted AppArmor profile that allows only mount for procfs and blocks other privileged paths, rather than full unconfined.
• Workaround already in place: no-new-privileges:true + seccomp + capsh validation provide compensating controls.

🟡 Medium

M-1: Secret exposure window in docker-compose.yml
The tmpfs overlay on workDir prevents the agent from reading docker-compose.yml (which contains API keys as environment variables). This is well-mitigated, but the secret is still in plaintext in memory on the host filesystem during the run. Consider using Docker secrets or environment-file injection instead of compose YAML for long-lived runs.

M-2: Workspace write access is unrestricted
The agent has read-write access to the full workspace. A compromised or prompt-injected agent can overwrite any file in the workspace (including .github/workflows/). This is by design for coding agents, but operators deploying untrusted code should be aware.

• Recommendation: Document recommended usage with --block-domains for untrusted code scenarios. Consider a future --workspace-readonly flag for read-only analysis tasks.

M-3: Unlimited swap when no memory limit specified
memswap_limit: -1 (unlimited) is set when the user doesn't provide --memory-limit. This prevents OOM kills (intentional) but means sensitive data could be paged to disk swap. On hosts with encrypted swap this is acceptable; on bare-metal runners without swap encryption it's a minor concern.

• Recommendation: Document this trade-off in docs/environment.md.

🟢 Low

L-1: Dangerous-port list maintained in two places
DANGEROUS_PORTS is defined in both src/squid/policy-manifest.ts and containers/agent/setup-iptables.sh (as a bash array comment says "matches DANGEROUS_PORTS in squid-config.ts"). A drift could leave a port blocked at iptables but allowed at Squid (or vice versa). Consider auto-generating the shell array from the TypeScript source at build time.

L-2: Log injection via User-Agent
src/squid-config.ts:377 notes that Squid's logformat does not JSON-escape strings, so a malicious User-Agent header can inject log lines. This is a cosmetic/audit concern, not a security bypass.

L-3: Proxy-unaware HTTPS tools get TLS error, not 403
Tools that ignore proxy env vars and connect directly to port 443 are DNAT'd to Squid, which rejects the raw TLS ClientHello with a connection error rather than a clean 403. The connection is still blocked, but error messages in agent output may be confusing. No code change needed, but document in troubleshooting.

L-4: Escape test produced noop (no findings)
The previous Secret Digger agent concluded with noop and no secrets exfiltrated — a positive result. Continued periodic testing is recommended to catch regressions.

---

📈 Security Metrics

Metric	Value
Security-critical TS lines analyzed	~16,051
Attack surfaces enumerated	8
STRIDE threats modeled	8
npm vulnerabilities	0
Seccomp profile	✅ enforced
AppArmor	⚠️ unconfined (compensated by seccomp + capsh)
Capability drop before user code	✅ SYS_CHROOT + SYS_ADMIN
IPv6 disabled	✅
Default-deny iptables	✅ TCP + UDP
Secret exfiltration test result	✅ noop (nothing found)

Generated by Daily Security Review and Threat Modeling · ● 3.2M · ◷

• expires on May 20, 2026, 5:07 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-05-20T05:07:10.141Z.

Closed by Workflow