eliott/get-shit-done
1
0
Fork 0
mirror of https://github.com/glittercowboy/get-shit-done synced 2026-04-25 17:25:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

ci(security): add prompt injection, base64, and secret scanning

Browse Source 
Add CI security pipeline to catch prompt injection attacks, base64-obfuscated
payloads, leaked secrets, and .planning/ directory commits in PRs.

This is critical for get-shit-done because the entire codebase is markdown
prompts — a prompt injection in a workflow file IS the attack surface.

New files:
- scripts/prompt-injection-scan.sh: scans for instruction override, role
  manipulation, system boundary injection, DAN/jailbreak, and tool call
  injection patterns in changed files
- scripts/base64-scan.sh: extracts base64 blobs >= 40 chars, decodes them,
  and checks decoded content against injection patterns (skips data URIs
  and binary content)
- scripts/secret-scan.sh: detects AWS keys, OpenAI/Anthropic keys, GitHub
  PATs, Stripe keys, private key headers, and generic credential patterns
- .github/workflows/security-scan.yml: runs all three scans plus a
  .planning/ directory check on every PR
- .base64scanignore / .secretscanignore: per-repo false positive allowlists
- tests/security-scan.test.cjs: 51 tests covering script existence,
  pattern matching, false positive avoidance, and workflow structure

All scripts support --diff (CI), --file, and --dir modes. Cross-platform
(macOS + Linux). SHA-pinned actions. Environment variables used for
github context in run blocks (no direct interpolation).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Tom Boucher
2026-03-24 13:22:42 -04:00
parent cb549fef4b
commit feec5a37a2
7 changed files with 1152 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

262
scripts/base64-scan.sh Executable file
View File

@@ -0,0 +1,262 @@
#!/usr/bin/env bash
# base64-scan.sh — Detect base64-obfuscated prompt injection in source files
#
# Extracts base64 blobs >= 40 chars, decodes them, and checks decoded content
# against the same injection patterns used by prompt-injection-scan.sh.
#
# Usage:
# scripts/base64-scan.sh --diff origin/main # CI mode: scan changed files
# scripts/base64-scan.sh --file path/to/file # Scan a single file
# scripts/base64-scan.sh --dir agents/ # Scan all files in a directory
#
# Exit codes:
# 0 = clean
# 1 = findings detected
# 2 = usage error
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
MIN_BLOB_LENGTH=40
# ─── Injection Patterns (decoded content) ────────────────────────────────────
# Subset of patterns — if someone base64-encoded something, check for the
# most common injection indicators.
DECODED_PATTERNS=(
'ignore[[:space:]]+(all[[:space:]]+)?previous[[:space:]]+instructions'
'you[[:space:]]+are[[:space:]]+now[[:space:]]+'
'system[[:space:]]+prompt'
'</?system>'
'</?assistant>'
'\[SYSTEM\]'
'\[INST\]'
'<<SYS>>'
'override[[:space:]]+(system|safety|security)'
'pretend[[:space:]]+(you|to)[[:space:]]'
'act[[:space:]]+as[[:space:]]+(a|an|if)'
'jailbreak'
'bypass[[:space:]]+(safety|content|security)'
'eval[[:space:]]*\('
'exec[[:space:]]*\('
'rm[[:space:]]+-rf'
'curl[[:space:]].*\|[[:space:]]*sh'
'wget[[:space:]].*\|[[:space:]]*sh'
)
# ─── Ignorelist ──────────────────────────────────────────────────────────────
IGNOREFILE=".base64scanignore"
IGNORED_PATTERNS=()
load_ignorelist() {
if [[ -f "$IGNOREFILE" ]]; then
while IFS= read -r line; do
# Skip comments and empty lines
[[ "$line" =~ ^[[:space:]]*# ]] && continue
[[ -z "${line// }" ]] && continue
IGNORED_PATTERNS+=("$line")
done < "$IGNOREFILE"
fi
}
is_ignored() {
local blob="$1"
if [[ ${#IGNORED_PATTERNS[@]} -eq 0 ]]; then
return 1
fi
for pattern in "${IGNORED_PATTERNS[@]}"; do
if [[ "$blob" == "$pattern" ]]; then
return 0
fi
done
return 1
}
# ─── Skip Rules ──────────────────────────────────────────────────────────────
should_skip_file() {
local file="$1"
# Skip binary files
case "$file" in
*.png|*.jpg|*.jpeg|*.gif|*.ico|*.woff|*.woff2|*.ttf|*.eot|*.otf) return 0 ;;
*.zip|*.tar|*.gz|*.bz2|*.xz|*.7z) return 0 ;;
*.pdf|*.doc|*.docx|*.xls|*.xlsx) return 0 ;;
esac
# Skip lockfiles and node_modules
case "$file" in
*/node_modules/*) return 0 ;;
*/package-lock.json) return 0 ;;
*/yarn.lock) return 0 ;;
*/pnpm-lock.yaml) return 0 ;;
esac
# Skip the scan scripts themselves and test files
case "$file" in
*/base64-scan.sh) return 0 ;;
*/security-scan.test.cjs) return 0 ;;
esac
return 1
}
is_data_uri() {
local context="$1"
# data:image/png;base64,... or data:application/font-woff;base64,...
echo "$context" | grep -qE 'data:[a-zA-Z]+/[a-zA-Z0-9.+-]+;base64,' 2>/dev/null
}
# ─── File Collection ─────────────────────────────────────────────────────────
collect_files() {
local mode="$1"
shift
case "$mode" in
--diff)
local base="${1:-origin/main}"
git diff --name-only --diff-filter=ACMR "$base"...HEAD 2>/dev/null \
| grep -vE '\.(png|jpg|jpeg|gif|ico|woff|woff2|ttf|eot|otf|zip|tar|gz|pdf)$' || true
;;
--file)
if [[ -f "$1" ]]; then
echo "$1"
else
echo "Error: file not found: $1" >&2
exit 2
fi
;;
--dir)
local dir="$1"
if [[ ! -d "$dir" ]]; then
echo "Error: directory not found: $dir" >&2
exit 2
fi
find "$dir" -type f ! -path '*/node_modules/*' ! -path '*/.git/*' ! -path '*/dist/*' \
! -name '*.png' ! -name '*.jpg' ! -name '*.gif' ! -name '*.woff*' 2>/dev/null || true
;;
--stdin)
cat
;;
*)
echo "Usage: $0 --diff [base] | --file <path> | --dir <path> | --stdin" >&2
exit 2
;;
esac
}
# ─── Scanner ─────────────────────────────────────────────────────────────────
extract_and_check_blobs() {
local file="$1"
local found=0
local line_num=0
while IFS= read -r line; do
line_num=$((line_num + 1))
# Skip data URIs — legitimate base64 usage
if is_data_uri "$line"; then
continue
fi
# Extract base64-like blobs (alphanumeric + / + = padding, >= MIN_BLOB_LENGTH)
local blobs
blobs=$(echo "$line" | grep -oE '[A-Za-z0-9+/]{'"$MIN_BLOB_LENGTH"',}={0,3}' 2>/dev/null || true)
if [[ -z "$blobs" ]]; then
continue
fi
while IFS= read -r blob; do
[[ -z "$blob" ]] && continue
# Check ignorelist
if [[ ${#IGNORED_PATTERNS[@]} -gt 0 ]] && is_ignored "$blob"; then
continue
fi
# Try to decode — if it fails, not valid base64
local decoded
decoded=$(echo "$blob" | base64 -d 2>/dev/null || echo "")
if [[ -z "$decoded" ]]; then
continue
fi
# Check if decoded content is mostly printable text (not random binary)
local printable_ratio
local total_chars=${#decoded}
if [[ $total_chars -eq 0 ]]; then
continue
fi
# Count printable ASCII characters
local printable_count
printable_count=$(echo -n "$decoded" | tr -cd '[:print:]' | wc -c | tr -d ' ')
# Skip if less than 70% printable (likely binary data, not obfuscated text)
if [[ $((printable_count * 100 / total_chars)) -lt 70 ]]; then
continue
fi
# Scan decoded content against injection patterns
for pattern in "${DECODED_PATTERNS[@]}"; do
if echo "$decoded" | grep -iqE "$pattern" 2>/dev/null; then
if [[ $found -eq 0 ]]; then
echo "FAIL: $file"
found=1
fi
echo " line $line_num: base64 blob decodes to suspicious content"
echo " blob: ${blob:0:60}..."
echo " decoded: ${decoded:0:120}"
echo " matched: $pattern"
break
fi
done
done <<< "$blobs"
done < "$file"
return $found
}
# ─── Main ────────────────────────────────────────────────────────────────────
main() {
if [[ $# -eq 0 ]]; then
echo "Usage: $0 --diff [base] | --file <path> | --dir <path>" >&2
exit 2
fi
load_ignorelist
local mode="$1"
shift
local files
files=$(collect_files "$mode" "$@")
if [[ -z "$files" ]]; then
echo "base64-scan: no files to scan"
exit 0
fi
local total=0
local failed=0
while IFS= read -r file; do
[[ -z "$file" ]] && continue
if should_skip_file "$file"; then
continue
fi
total=$((total + 1))
if ! extract_and_check_blobs "$file"; then
failed=$((failed + 1))
fi
done <<< "$files"
echo ""
echo "base64-scan: scanned $total files, $failed with findings"
if [[ $failed -gt 0 ]]; then
exit 1
fi
exit 0
}
main "$@"

196
scripts/prompt-injection-scan.sh Executable file
View File

@@ -0,0 +1,196 @@
#!/usr/bin/env bash
# prompt-injection-scan.sh — Scan files for prompt injection patterns
#
# Usage:
# scripts/prompt-injection-scan.sh --diff origin/main # CI mode: scan changed .md files
# scripts/prompt-injection-scan.sh --file path/to/file # Scan a single file
# scripts/prompt-injection-scan.sh --dir agents/ # Scan all files in a directory
#
# Exit codes:
# 0 = clean
# 1 = findings detected
# 2 = usage error
set -euo pipefail
# ─── Patterns ────────────────────────────────────────────────────────────────
# Each pattern is a POSIX extended regex. Keep alphabetized by category.
PATTERNS=(
# Instruction override
'ignore[[:space:]]+(all[[:space:]]+)?(previous|prior|above|earlier|preceding)[[:space:]]+(instructions|prompts|rules|directives|context)'
'disregard[[:space:]]+(all[[:space:]]+)?(previous|prior|above)[[:space:]]+(instructions|prompts|rules)'
'forget[[:space:]]+(all[[:space:]]+)?(previous|prior|above)[[:space:]]+(instructions|prompts|rules|context)'
'override[[:space:]]+(all[[:space:]]+)?(system|previous|safety)[[:space:]]+(instructions|prompts|rules|checks|filters|guards)'
'override[[:space:]]+(system|safety|security)[[:space:]]'
# Role manipulation
'you[[:space:]]+are[[:space:]]+now[[:space:]]+(a|an|my)[[:space:]]'
'from[[:space:]]+now[[:space:]]+on[[:space:]]+(you|pretend|act|behave)'
'pretend[[:space:]]+(you[[:space:]]+are|to[[:space:]]+be)[[:space:]]'
'act[[:space:]]+as[[:space:]]+(a|an|if|my)[[:space:]]'
'roleplay[[:space:]]+as[[:space:]]'
'assume[[:space:]]+the[[:space:]]+role[[:space:]]+of[[:space:]]'
# System prompt extraction
'output[[:space:]]+(your|the)[[:space:]]+(system[[:space:]]+)?(prompt|instructions)'
'reveal[[:space:]]+(your|the)[[:space:]]+(system[[:space:]]+)?(prompt|instructions)'
'show[[:space:]]+me[[:space:]]+(your|the)[[:space:]]+(system[[:space:]]+)?(prompt|instructions)'
'print[[:space:]]+(your|the)[[:space:]]+(system[[:space:]]+)?(prompt|instructions)'
'what[[:space:]]+(is|are)[[:space:]]+(your|the)[[:space:]]+(system[[:space:]]+)?(prompt|instructions)'
'repeat[[:space:]]+(your|the|all)[[:space:]]+(system[[:space:]]+)?(prompt|instructions|rules)'
# Fake message boundaries
'</?system>'
'</?assistant>'
'</?human>'
'\[SYSTEM\]'
'\[/SYSTEM\]'
'\[INST\]'
'\[/INST\]'
'<<SYS>>'
'<</SYS>>'
# Tool call injection / code execution in markdown
'eval[[:space:]]*\([[:space:]]*["\x27]'
'exec[[:space:]]*\([[:space:]]*["\x27]'
'Function[[:space:]]*\([[:space:]]*["\x27].*return'
# Jailbreak / DAN patterns
'do[[:space:]]+anything[[:space:]]+now'
'DAN[[:space:]]+mode'
'developer[[:space:]]+mode[[:space:]]+(enabled|output|activated)'
'jailbreak'
'bypass[[:space:]]+(safety|content|security)[[:space:]]+(filter|check|rule|guard)'
)
# ─── Allowlist ───────────────────────────────────────────────────────────────
# Files that legitimately discuss injection patterns (security docs, tests, this script)
ALLOWLIST=(
'scripts/prompt-injection-scan.sh'
'tests/security-scan.test.cjs'
'tests/security.test.cjs'
'tests/prompt-injection-scan.test.cjs'
'get-shit-done/bin/lib/security.cjs'
'hooks/gsd-prompt-guard.js'
'SECURITY.md'
)
is_allowlisted() {
local file="$1"
for allowed in "${ALLOWLIST[@]}"; do
if [[ "$file" == *"$allowed" ]]; then
return 0
fi
done
return 1
}
# ─── File Collection ─────────────────────────────────────────────────────────
collect_files() {
local mode="$1"
shift
case "$mode" in
--diff)
local base="${1:-origin/main}"
# Get changed files in the diff, filter to scannable extensions
git diff --name-only --diff-filter=ACMR "$base"...HEAD 2>/dev/null \
| grep -E '\.(md|cjs|js|json|yml|yaml|sh)$' || true
;;
--file)
if [[ -f "$1" ]]; then
echo "$1"
else
echo "Error: file not found: $1" >&2
exit 2
fi
;;
--dir)
local dir="$1"
if [[ ! -d "$dir" ]]; then
echo "Error: directory not found: $dir" >&2
exit 2
fi
find "$dir" -type f \( -name '*.md' -o -name '*.cjs' -o -name '*.js' -o -name '*.json' -o -name '*.yml' -o -name '*.yaml' -o -name '*.sh' \) \
! -path '*/node_modules/*' ! -path '*/.git/*' ! -path '*/dist/*' 2>/dev/null || true
;;
--stdin)
cat
;;
*)
echo "Usage: $0 --diff [base] | --file <path> | --dir <path> | --stdin" >&2
exit 2
;;
esac
}
# ─── Scanner ─────────────────────────────────────────────────────────────────
scan_file() {
local file="$1"
local found=0
if is_allowlisted "$file"; then
return 0
fi
for pattern in "${PATTERNS[@]}"; do
# Use grep -iE for case-insensitive extended regex
# -n for line numbers, -c for count mode first to check
local matches
matches=$(grep -inE -e "$pattern" "$file" 2>/dev/null || true)
if [[ -n "$matches" ]]; then
if [[ $found -eq 0 ]]; then
echo "FAIL: $file"
found=1
fi
echo "$matches" | while IFS= read -r line; do
echo " $line"
done
fi
done
return $found
}
# ─── Main ────────────────────────────────────────────────────────────────────
main() {
if [[ $# -eq 0 ]]; then
echo "Usage: $0 --diff [base] | --file <path> | --dir <path>" >&2
exit 2
fi
local mode="$1"
shift
local files
files=$(collect_files "$mode" "$@")
if [[ -z "$files" ]]; then
echo "prompt-injection-scan: no files to scan"
exit 0
fi
local total=0
local failed=0
while IFS= read -r file; do
[[ -z "$file" ]] && continue
total=$((total + 1))
if ! scan_file "$file"; then
failed=$((failed + 1))
fi
done <<< "$files"
echo ""
echo "prompt-injection-scan: scanned $total files, $failed with findings"
if [[ $failed -gt 0 ]]; then
exit 1
fi
exit 0
}
main "$@"

227
scripts/secret-scan.sh Executable file
View File

@@ -0,0 +1,227 @@
#!/usr/bin/env bash
# secret-scan.sh — Check files for accidentally committed secrets/credentials
#
# Usage:
# scripts/secret-scan.sh --diff origin/main # CI mode: scan changed files
# scripts/secret-scan.sh --file path/to/file # Scan a single file
# scripts/secret-scan.sh --dir agents/ # Scan all files in a directory
#
# Exit codes:
# 0 = clean
# 1 = findings detected
# 2 = usage error
set -euo pipefail
# ─── Secret Patterns ─────────────────────────────────────────────────────────
# Format: "LABEL:::REGEX"
# Each entry is a human label paired with a POSIX extended regex.
SECRET_PATTERNS=(
# AWS
"AWS Access Key:::AKIA[0-9A-Z]{16}"
"AWS Secret Key:::aws_secret_access_key[[:space:]]*=[[:space:]]*[A-Za-z0-9/+=]{40}"
# OpenAI / Anthropic / AI providers
"OpenAI API Key:::sk-[A-Za-z0-9]{20,}"
"Anthropic API Key:::sk-ant-[A-Za-z0-9_-]{20,}"
# GitHub
"GitHub PAT:::ghp_[A-Za-z0-9]{36}"
"GitHub OAuth:::gho_[A-Za-z0-9]{36}"
"GitHub App Token:::ghs_[A-Za-z0-9]{36}"
"GitHub Fine-grained PAT:::github_pat_[A-Za-z0-9_]{20,}"
# Stripe
"Stripe Secret Key:::sk_live_[A-Za-z0-9]{24,}"
"Stripe Publishable Key:::pk_live_[A-Za-z0-9]{24,}"
# Generic patterns
"Private Key Header:::-----BEGIN[[:space:]]+(RSA|EC|DSA|OPENSSH)?[[:space:]]*PRIVATE[[:space:]]+KEY-----"
"Generic API Key Assignment:::api[_-]?key[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9_-]{20,}['\"]"
"Generic Secret Assignment:::secret[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9_-]{20,}['\"]"
"Generic Token Assignment:::token[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9_-]{20,}['\"]"
"Generic Password Assignment:::password[[:space:]]*[:=][[:space:]]*['\"][^'\"]{8,}['\"]"
# Slack
"Slack Bot Token:::xoxb-[0-9]{10,}-[A-Za-z0-9]{20,}"
"Slack Webhook:::hooks\.slack\.com/services/T[A-Z0-9]{8,}/B[A-Z0-9]{8,}/[A-Za-z0-9]{24}"
# Google
"Google API Key:::AIza[A-Za-z0-9_-]{35}"
# NPM
"NPM Token:::npm_[A-Za-z0-9]{36}"
# .env file content (key=value with sensitive-looking keys)
"Env Variable Leak:::(DATABASE_URL|DB_PASSWORD|REDIS_URL|MONGO_URI|JWT_SECRET|SESSION_SECRET|ENCRYPTION_KEY)[[:space:]]*=[[:space:]]*[^[:space:]]{8,}"
)
# ─── Ignorelist ──────────────────────────────────────────────────────────────
IGNOREFILE=".secretscanignore"
IGNORED_FILES=()
load_ignorelist() {
if [[ -f "$IGNOREFILE" ]]; then
while IFS= read -r line; do
[[ "$line" =~ ^[[:space:]]*# ]] && continue
[[ -z "${line// }" ]] && continue
IGNORED_FILES+=("$line")
done < "$IGNOREFILE"
fi
}
is_ignored() {
local file="$1"
if [[ ${#IGNORED_FILES[@]} -eq 0 ]]; then
return 1
fi
for pattern in "${IGNORED_FILES[@]}"; do
# Support glob-style matching
# shellcheck disable=SC2254
case "$file" in
$pattern) return 0 ;;
esac
done
return 1
}
# ─── Skip Rules ──────────────────────────────────────────────────────────────
should_skip_file() {
local file="$1"
# Skip binary files
case "$file" in
*.png|*.jpg|*.jpeg|*.gif|*.ico|*.woff|*.woff2|*.ttf|*.eot|*.otf) return 0 ;;
*.zip|*.tar|*.gz|*.bz2|*.xz|*.7z) return 0 ;;
*.pdf|*.doc|*.docx|*.xls|*.xlsx) return 0 ;;
esac
# Skip lockfiles and node_modules
case "$file" in
*/node_modules/*) return 0 ;;
*/package-lock.json) return 0 ;;
*/yarn.lock) return 0 ;;
*/pnpm-lock.yaml) return 0 ;;
esac
# Skip the scan scripts themselves and test files
case "$file" in
*/secret-scan.sh) return 0 ;;
*/security-scan.test.cjs) return 0 ;;
esac
return 1
}
# ─── File Collection ─────────────────────────────────────────────────────────
collect_files() {
local mode="$1"
shift
case "$mode" in
--diff)
local base="${1:-origin/main}"
git diff --name-only --diff-filter=ACMR "$base"...HEAD 2>/dev/null \
| grep -vE '\.(png|jpg|jpeg|gif|ico|woff|woff2|ttf|eot|otf|zip|tar|gz|pdf)$' || true
;;
--file)
if [[ -f "$1" ]]; then
echo "$1"
else
echo "Error: file not found: $1" >&2
exit 2
fi
;;
--dir)
local dir="$1"
if [[ ! -d "$dir" ]]; then
echo "Error: directory not found: $dir" >&2
exit 2
fi
find "$dir" -type f ! -path '*/node_modules/*' ! -path '*/.git/*' ! -path '*/dist/*' \
! -name '*.png' ! -name '*.jpg' ! -name '*.gif' ! -name '*.woff*' 2>/dev/null || true
;;
--stdin)
cat
;;
*)
echo "Usage: $0 --diff [base] | --file <path> | --dir <path> | --stdin" >&2
exit 2
;;
esac
}
# ─── Scanner ─────────────────────────────────────────────────────────────────
scan_file() {
local file="$1"
local found=0
if is_ignored "$file"; then
return 0
fi
for entry in "${SECRET_PATTERNS[@]}"; do
local label="${entry%%:::*}"
local pattern="${entry#*:::}"
local matches
matches=$(grep -nE -e "$pattern" "$file" 2>/dev/null || true)
if [[ -n "$matches" ]]; then
if [[ $found -eq 0 ]]; then
echo "FAIL: $file"
found=1
fi
echo "$matches" | while IFS= read -r line; do
echo " [$label] $line"
done
fi
done
return $found
}
# ─── Main ────────────────────────────────────────────────────────────────────
main() {
if [[ $# -eq 0 ]]; then
echo "Usage: $0 --diff [base] | --file <path> | --dir <path>" >&2
exit 2
fi
load_ignorelist
local mode="$1"
shift
local files
files=$(collect_files "$mode" "$@")
if [[ -z "$files" ]]; then
echo "secret-scan: no files to scan"
exit 0
fi
local total=0
local failed=0
while IFS= read -r file; do
[[ -z "$file" ]] && continue
if should_skip_file "$file"; then
continue
fi
total=$((total + 1))
if ! scan_file "$file"; then
failed=$((failed + 1))
fi
done <<< "$files"
echo ""
echo "secret-scan: scanned $total files, $failed with findings"
if [[ $failed -gt 0 ]]; then
exit 1
fi
exit 0
}
main "$@"