feat: deployment-aware agentic risk amplification scoring#204
Draft
arunSunnyKVS wants to merge 1 commit into
Draft
feat: deployment-aware agentic risk amplification scoring#204arunSunnyKVS wants to merge 1 commit into
arunSunnyKVS wants to merge 1 commit into
Conversation
Adds a per-evaluator risk score (0-10) that amplifies a finding's static severity by the target's agentic power, so the same flaw scores higher on an autonomous, tool-rich, multi-tenant agent than on a read-only chatbot. Replaces the cosmetic "Avg Score" column with "Risk (this agent)". - amplify.ts: pure amplifiedRisk(severity, isFinding, power) = base + (10-base)*power, with CVSS/AIVSS band floors. Worst-case per evaluator (findings only, else 0.0); averaging is deliberately avoided so one breach can't be hidden by sibling passes. - agentProfile.ts: deriveAgentProfile() heuristically infers the power profile from businessUseCase + target metadata already in the config -- no new setup questions. - aggregate.ts: buildUnifiedReport computes per-evaluator risk when a profile is present. The summary shape and severity-weighted headline scores are untouched. - report: new "Base Sev" + "Risk (this agent)" columns with a plain-English caption explaining why findings were amplified. - tests: unit coverage for amplify + agentProfile; existing equivalence/smoke pass. Follows the OWASP AIVSS amplification model, reduced to something fully automatic. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What & why
Findings today carry a static severity label (
low/high/critical) that never changes with the deployment, plus a cosmetic per-evaluator "Avg Score" that averages judge scores — and averaging hides breaches (9 9 2 → 6.7reads healthy while one attack got through).This adds a deployment-aware per-evaluator risk score (0–10): the severity label is a floor, amplified by the target's agentic power, so the same flaw scores higher on an autonomous, tool-rich, multi-tenant agent than on a read-only chatbot. Follows the OWASP AIVSS amplification model, reduced to something fully automatic.
Closes #200. Follow-ups: #201 (LLM profile enrichment), #202 (headline integration), #203 (MCP tools/list signal).
How it works
amplifiedRisk(severity, isFinding, power)—base + (10 - base) * power, with CVSS/AIVSS band floors (critical 9.0, high 7.0, medium 4.0, low 1.0). Worst-case at the evaluator level: a finding scores from its floor, a defended evaluator scores0.0. Averaging is deliberately avoided.deriveAgentProfile()— a deterministic, no-LLM heuristic that infers the power profile (autonomy / tools / identity / persistence, each 0/0.5/1.0) frombusinessUseCase+ target metadata already in the config. No new setup questions.Worked example (customer-support): base
high= 7.0, inferred power 0.875 →7.0 + (10-7.0)*0.875 = 9.6. A "high" BOLA on a money-moving, multi-tenant agent surfaces as 9.6; defended evaluators show green 0.0. A caption under the table explains, in plain English, why findings were amplified.Scope / safety
summaryshape are untouched — feeding amplified risk into the headline is deliberately deferred to Risk scoring: integrate amplified risk into the headline Safety Score #202 (it changes existing score semantics + the equivalence test's exact-shape assertion).riskis additive optional metadata; runs without a profile (e.g. directbuildUnifiedReportin tests) simply carry norisk.Testing
core/tests/amplify.test.ts,core/tests/agentProfile.test.ts.npm run build+npm run typecheckgreen; verified the rendered report end-to-end (BOLA(high,FAIL)→9.6, passes→0.0, summary shape intact).Files
core/src/execute/amplify.ts(new) — pure risk functioncore/src/execute/agentProfile.ts(new) — heuristic profile derivercore/src/execute/{aggregate,runAll,runAllBrowser,types}.ts— wire + thread the profilecore/src/report/{types,buildReport,render}.ts— "Base Sev" + "Risk (this agent)" columnsREADME.md— Risk scoring section🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Tests