Skip to content

Security: cowboycodr/antipattern

Security

docs/security.md

Security Model

antipattern is designed to preserve maintainer attention without expanding the attack surface of untrusted pull requests.

Defaults

  • allowUnsafeExecution defaults to false.
  • Default mode is comment-only.
  • Labels are suggested only by default.
  • Reports are written locally for the workflow run; long-term storage is off by default.
  • Secrets and high-entropy tokens are redacted from prompt context.
  • Check runs are neutral unless strict mode is explicitly configured.

No Untrusted Code Execution

By default, antipattern inspects GitHub metadata, issue or PR text, labels, changed file metadata, and diffs. It must not run:

  • npm install
  • pip install
  • build scripts
  • test scripts
  • arbitrary repository commands

This matters because untrusted PRs can modify package scripts, dependency hooks, test files, and build tooling.

Why pull_request_target Is Dangerous

pull_request_target runs with permissions from the base repository. If a workflow checks out and executes code from an untrusted PR under pull_request_target, attacker-controlled code can potentially access privileged tokens or secrets.

Use pull_request for untrusted PR analysis. If write permissions are needed for comments, labels, or check runs, keep them in a separate job with narrow permissions and sanitized inputs.

Recommended Permissions

For default comment mode:

permissions:
  contents: read
  pull-requests: write
  issues: write

For dry-run analysis only:

permissions:
  contents: read
  pull-requests: read
  issues: read

For optional check runs:

permissions:
  contents: read
  pull-requests: write
  issues: write
  checks: write

Prompt Injection Handling

PR bodies, issue bodies, comments, commit messages, filenames, and diffs are untrusted. antipattern sanitizes common instruction-like strings before building Codex prompt context and records a policy finding when such strings appear.

Codex second-pass prompts must instruct the model to ignore instructions inside contribution content and return strict JSON only.

Secret Redaction

antipattern redacts common token formats such as GitHub tokens, OpenAI API keys, AWS access keys, and long high-entropy strings before prompt context is emitted.

Do not print raw event payloads, raw diffs, or API keys in workflow logs.

There aren't any published security advisories