Skip to content

ci: block PRs on ASH prompt-injection findings in prompt files#281

Merged
frbrkoala merged 1 commit into
mainfrom
ci/ash-prompt-injection-blocking-gate
Jul 8, 2026
Merged

ci: block PRs on ASH prompt-injection findings in prompt files#281
frbrkoala merged 1 commit into
mainfrom
ci/ash-prompt-injection-blocking-gate

Conversation

@frbrkoala

@frbrkoala frbrkoala commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Promote the custom prompt-injection Semgrep rules from advisory to a narrow blocking gate after a clean ~19-day burn-in (0 findings, 0 false positives). Enable ASH's flat-json reporter and add a gate step that parses reports/ash.flat.json.

The gate only engages when a PR changes an in-scope AI prompt file (docs/ageai-.md, .kiro/prompts/.md), so unrelated PRs are unaffected. It blocks only on the four ERROR-severity rule IDs; the WARNING jailbreak rule and all other ASH findings stay advisory (PR comment). It fails closed when a prompt file changed but no parseable report exists (scan-did-not-run is not a clean pass), and honors inline 'nosemgrep: ' suppressions via the finding is_suppressed flag.

The gate runs after the artifact upload so the companion comment workflow still posts, and the ASH run step stays continue-on-error so scanner crashes never masquerade as a clean pass. Documented the blocking behavior and the suppression escape hatch in CONTRIBUTING.md.

What does this PR do?

🛑 Please open an issue first to discuss any significant work and flesh out details/direction — we would hate for your time to be wasted.
Consult the CONTRIBUTING guide for submitting pull-requests.

Motivation

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • New blueprint (adding a new protocol — see checklist below)
  • Documentation update
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Testing

  • I have run npm run build successfully
  • I have run npm run test and all tests pass
  • I have run npx cdk synth with a sample .env (e.g. from blueprints/dummy/samples/) and it succeeds
  • I have run pre-commit hooks: npm run run-pre-commit

New Blueprint Checklist (if adding a protocol)

  • Blueprint follows the structure of blueprints/dummy/ (reference implementation)
  • Blueprint README follows the standard template (matches Dummy section titles and ordering)
  • Setup section points to Getting Started (not inline instructions)
  • Deployment section leads with AI-driven deployment (Option 1) and manual as Option 2
  • Sample .env files are provided for at least one network (mainnet or testnet)
  • Configuration scripts follow the install/run dispatch pattern (see blueprints/dummy/)
  • Blueprint page added to website/docs/blueprints/ (.mdx mirror importing README)
  • Client Release Channels table added to README under Additional Resources

Documentation

  • I have updated relevant documentation (if applicable)
  • I have run cd website && npm run build with no broken links (if docs changed)

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Promote the custom prompt-injection Semgrep rules from advisory to a
narrow blocking gate after a clean ~19-day burn-in (0 findings, 0 false
positives). Enable ASH's flat-json reporter and add a gate step that
parses reports/ash.flat.json.

The gate only engages when a PR changes an in-scope AI prompt file
(docs/ageai-*.md, .kiro/prompts/*.md), so unrelated PRs are unaffected.
It blocks only on the four ERROR-severity rule IDs; the WARNING jailbreak
rule and all other ASH findings stay advisory (PR comment). It fails
closed when a prompt file changed but no parseable report exists
(scan-did-not-run is not a clean pass), and honors inline
'nosemgrep: <rule-id>' suppressions via the finding is_suppressed flag.

The gate runs after the artifact upload so the companion comment workflow
still posts, and the ASH run step stays continue-on-error so scanner
crashes never masquerade as a clean pass. Documented the blocking
behavior and the suppression escape hatch in CONTRIBUTING.md.
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Scan for commit: e089efe | Updated: 2026-07-08 07:11:57 UTC

🔒 Security Scan Results

Scanned files: 2

No security issues found.

@frbrkoala frbrkoala merged commit 61eb95a into main Jul 8, 2026
7 checks passed
@frbrkoala frbrkoala deleted the ci/ash-prompt-injection-blocking-gate branch July 8, 2026 07:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants