genai-security-crosswalk 2.0.0
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,850 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "ASI02",
|
|
3
|
+
"name": "Tool Misuse and Exploitation",
|
|
4
|
+
"source_list": "Agentic-Top10-2026",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "Critical",
|
|
7
|
+
"aivss_score": 9.6,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"ml-engineer",
|
|
12
|
+
"ot-engineer",
|
|
13
|
+
"ciso",
|
|
14
|
+
"compliance",
|
|
15
|
+
"auditor",
|
|
16
|
+
"developer"
|
|
17
|
+
],
|
|
18
|
+
"mappings": [
|
|
19
|
+
{
|
|
20
|
+
"framework": "MITRE ATLAS",
|
|
21
|
+
"control_id": "AML.T0037",
|
|
22
|
+
"control_name": "Output Manipulation",
|
|
23
|
+
"tier": "Foundational",
|
|
24
|
+
"scope": "Both",
|
|
25
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0037",
|
|
26
|
+
"notes": "Crafting inputs that produce tool calls with destructive parameters"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0015",
|
|
31
|
+
"control_name": "LLM Capability Escalation",
|
|
32
|
+
"tier": "Foundational",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0015",
|
|
35
|
+
"notes": "Exploiting overly permissive tool access to exceed intended agent scope"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"framework": "MITRE ATLAS",
|
|
39
|
+
"control_id": "AML.T0068",
|
|
40
|
+
"control_name": "Automated Collection",
|
|
41
|
+
"tier": "Foundational",
|
|
42
|
+
"scope": "Both",
|
|
43
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0068",
|
|
44
|
+
"notes": "Agent autonomously harvesting data through tool chains beyond authorised scope"
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"framework": "NIST AI RMF 1.0",
|
|
48
|
+
"control_id": "GV-1.7",
|
|
49
|
+
"control_name": "Policies for trustworthy AI",
|
|
50
|
+
"tier": "Foundational",
|
|
51
|
+
"scope": "Both",
|
|
52
|
+
"notes": "Policy defines permissible tool invocations per agent role — human confirmation required for irreversible tools"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"framework": "NIST AI RMF 1.0",
|
|
56
|
+
"control_id": "MP-5.1",
|
|
57
|
+
"control_name": "Interdependencies",
|
|
58
|
+
"tier": "Foundational",
|
|
59
|
+
"scope": "Both",
|
|
60
|
+
"notes": "All agent tool integrations mapped — data received, permission scope, reversibility, and risk rating per tool"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"framework": "NIST AI RMF 1.0",
|
|
64
|
+
"control_id": "MS-2.5",
|
|
65
|
+
"control_name": "Testing — adversarial",
|
|
66
|
+
"tier": "Foundational",
|
|
67
|
+
"scope": "Both",
|
|
68
|
+
"notes": "Adversarial testing of tool misuse scenarios — destructive parameter injection, tool chaining, MCP descriptor poisoning"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"framework": "NIST AI RMF 1.0",
|
|
72
|
+
"control_id": "MG-2.2",
|
|
73
|
+
"control_name": "Risk response",
|
|
74
|
+
"tier": "Foundational",
|
|
75
|
+
"scope": "Both",
|
|
76
|
+
"notes": "Incident response for tool misuse — tool disable, parameter audit, downstream impact assessment"
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"framework": "EU AI Act",
|
|
80
|
+
"control_id": "Tool misuse risks identified and mitigated",
|
|
81
|
+
"control_name": "Art. 9 — Risk management",
|
|
82
|
+
"tier": "Foundational",
|
|
83
|
+
"scope": "Both",
|
|
84
|
+
"notes": "All agent tool integrations assessed in Art. 9 risk management — reversibility classification documented"
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"framework": "EU AI Act",
|
|
88
|
+
"control_id": "Human oversight over high-risk AI actions",
|
|
89
|
+
"control_name": "Art. 14 — Human oversight",
|
|
90
|
+
"tier": "Foundational",
|
|
91
|
+
"scope": "Both",
|
|
92
|
+
"notes": "Irreversible tool invocations require human confirmation — Art. 14 binding requirement"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"framework": "EU AI Act",
|
|
96
|
+
"control_id": "Cybersecurity measures preventing tool misuse",
|
|
97
|
+
"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
|
|
98
|
+
"tier": "Foundational",
|
|
99
|
+
"scope": "Both",
|
|
100
|
+
"notes": "Per-tool permission manifests and parameter validation are Art. 15 technical requirements"
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"framework": "ISO/IEC 27001:2022",
|
|
104
|
+
"control_id": "A.8.2",
|
|
105
|
+
"control_name": "Privileged access rights",
|
|
106
|
+
"tier": "Foundational",
|
|
107
|
+
"scope": "Both",
|
|
108
|
+
"notes": "Agent tool access managed as privileged access — per-tool permission manifests, minimum scope, regular review"
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
"framework": "ISO/IEC 27001:2022",
|
|
112
|
+
"control_id": "A.5.15",
|
|
113
|
+
"control_name": "Identity management",
|
|
114
|
+
"tier": "Foundational",
|
|
115
|
+
"scope": "Both",
|
|
116
|
+
"notes": "Agent tool access governed through identity management — tool permissions scoped per agent identity"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"framework": "ISO/IEC 27001:2022",
|
|
120
|
+
"control_id": "A.8.15",
|
|
121
|
+
"control_name": "Logging",
|
|
122
|
+
"tier": "Foundational",
|
|
123
|
+
"scope": "Both",
|
|
124
|
+
"notes": "All tool invocations logged with full context — tool identity, parameters, agent identity, timestamp"
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
"framework": "ISO/IEC 27001:2022",
|
|
128
|
+
"control_id": "A.8.28",
|
|
129
|
+
"control_name": "Secure coding",
|
|
130
|
+
"tier": "Foundational",
|
|
131
|
+
"scope": "Both",
|
|
132
|
+
"notes": "Tool parameter validation as secure coding requirement — LLM-generated parameters treated as untrusted"
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"framework": "ISO/IEC 42001:2023",
|
|
136
|
+
"control_id": "A.6.1.2",
|
|
137
|
+
"control_name": "Responsible AI system management",
|
|
138
|
+
"tier": "Foundational",
|
|
139
|
+
"scope": "Both",
|
|
140
|
+
"notes": "Tool access managed responsibly throughout agent lifecycle — permission review, irreversibility classification, human oversight requirements"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"framework": "ISO/IEC 42001:2023",
|
|
144
|
+
"control_id": "A.6.2.3",
|
|
145
|
+
"control_name": "AI system security",
|
|
146
|
+
"tier": "Foundational",
|
|
147
|
+
"scope": "Both",
|
|
148
|
+
"notes": "Per-tool permission manifests and parameter validation as AIMS security controls"
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"framework": "ISO/IEC 42001:2023",
|
|
152
|
+
"control_id": "A.5.2",
|
|
153
|
+
"control_name": "Impact assessment",
|
|
154
|
+
"tier": "Foundational",
|
|
155
|
+
"scope": "Both",
|
|
156
|
+
"notes": "Tool misuse impact assessed — what harm is possible if each tool is misused autonomously"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"framework": "ISO/IEC 42001:2023",
|
|
160
|
+
"control_id": "A.10.1",
|
|
161
|
+
"control_name": "Third-party AI system acquisition",
|
|
162
|
+
"tier": "Foundational",
|
|
163
|
+
"scope": "Both",
|
|
164
|
+
"notes": "Tool and MCP server providers assessed as third-party AI components — security obligations in contracts"
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
"framework": "CIS Controls v8.1",
|
|
168
|
+
"control_id": "5.4 Restrict administrator privileges",
|
|
169
|
+
"control_name": "CIS 5 — Account Management",
|
|
170
|
+
"tier": "Foundational",
|
|
171
|
+
"scope": "Both",
|
|
172
|
+
"notes": "Agent tool access managed as privileged access — minimum scope, regular review"
|
|
173
|
+
},
|
|
174
|
+
{
|
|
175
|
+
"framework": "CIS Controls v8.1",
|
|
176
|
+
"control_id": "6.1 Establish access granting process",
|
|
177
|
+
"control_name": "CIS 6 — Access Control Management",
|
|
178
|
+
"tier": "Foundational",
|
|
179
|
+
"scope": "Both",
|
|
180
|
+
"notes": "Formal process for granting agent tool access — documented justification per tool"
|
|
181
|
+
},
|
|
182
|
+
{
|
|
183
|
+
"framework": "CIS Controls v8.1",
|
|
184
|
+
"control_id": "8.5 Collect detailed audit logs",
|
|
185
|
+
"control_name": "CIS 8 — Audit Log Management",
|
|
186
|
+
"tier": "Foundational",
|
|
187
|
+
"scope": "Both",
|
|
188
|
+
"notes": "All tool invocations logged — tool identity, parameters, agent identity, timestamp"
|
|
189
|
+
},
|
|
190
|
+
{
|
|
191
|
+
"framework": "CIS Controls v8.1",
|
|
192
|
+
"control_id": "16.1 Establish secure development standards",
|
|
193
|
+
"control_name": "CIS 16 — Application Software Security",
|
|
194
|
+
"tier": "Foundational",
|
|
195
|
+
"scope": "Both",
|
|
196
|
+
"notes": "Tool parameter validation as secure development requirement"
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
200
|
+
"control_id": "V4.1.3",
|
|
201
|
+
"control_name": "Verify access control enforces least privilege",
|
|
202
|
+
"tier": "Foundational",
|
|
203
|
+
"scope": "Both",
|
|
204
|
+
"notes": "Agent tool access scoped to minimum required operations — read-only by default, write access formally approved"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
208
|
+
"control_id": "V4.1.1",
|
|
209
|
+
"control_name": "Verify all sensitive functions have access control",
|
|
210
|
+
"tier": "Foundational",
|
|
211
|
+
"scope": "Both",
|
|
212
|
+
"notes": "All destructive tool operations require explicit authorisation — not inheritable from agent session"
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
216
|
+
"control_id": "V7.2.2",
|
|
217
|
+
"control_name": "Verify all business logic decisions logged",
|
|
218
|
+
"tier": "Foundational",
|
|
219
|
+
"scope": "Both",
|
|
220
|
+
"notes": "All tool invocations logged — tool identity, parameters, agent session, timestamp"
|
|
221
|
+
},
|
|
222
|
+
{
|
|
223
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
224
|
+
"control_id": "V11.1.2",
|
|
225
|
+
"control_name": "Verify business logic abuse scenarios identified",
|
|
226
|
+
"tier": "Foundational",
|
|
227
|
+
"scope": "Both",
|
|
228
|
+
"notes": "Tool chain exploitation scenarios identified in threat model — mitigations implemented and verified"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
232
|
+
"control_id": "V13.1.1",
|
|
233
|
+
"control_name": "Verify API rate limiting",
|
|
234
|
+
"tier": "Foundational",
|
|
235
|
+
"scope": "Both",
|
|
236
|
+
"notes": "Tool API endpoints rate-limited — anomalous invocation frequency detected"
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
"framework": "ISA/IEC 62443",
|
|
240
|
+
"control_id": "SR 2.2",
|
|
241
|
+
"control_name": "Least privilege",
|
|
242
|
+
"tier": "Foundational",
|
|
243
|
+
"scope": "Both",
|
|
244
|
+
"notes": "Per-tool minimum permission — setpoint adjustment tool restricted to specific tags and safe ranges"
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
"framework": "ISA/IEC 62443",
|
|
248
|
+
"control_id": "SR 2.1",
|
|
249
|
+
"control_name": "Use control",
|
|
250
|
+
"tier": "Foundational",
|
|
251
|
+
"scope": "Both",
|
|
252
|
+
"notes": "Allowlisted tool operations for each agent role — agent cannot invoke tools outside its defined function"
|
|
253
|
+
},
|
|
254
|
+
{
|
|
255
|
+
"framework": "ISA/IEC 62443",
|
|
256
|
+
"control_id": "SR 6.6",
|
|
257
|
+
"control_name": "Timely response to events",
|
|
258
|
+
"tier": "Foundational",
|
|
259
|
+
"scope": "Both",
|
|
260
|
+
"notes": "Anomalous tool invocation patterns detected and responded to — alert, suspend, investigate"
|
|
261
|
+
},
|
|
262
|
+
{
|
|
263
|
+
"framework": "ISA/IEC 62443",
|
|
264
|
+
"control_id": "SR 3.3",
|
|
265
|
+
"control_name": "Software and information integrity",
|
|
266
|
+
"tier": "Foundational",
|
|
267
|
+
"scope": "Both",
|
|
268
|
+
"notes": "Tool descriptor integrity verified — poisoned MCP tool descriptors rejected at loading"
|
|
269
|
+
},
|
|
270
|
+
{
|
|
271
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
272
|
+
"control_id": "Common ICS vulnerabilities",
|
|
273
|
+
"control_name": "§5.3",
|
|
274
|
+
"tier": "Foundational",
|
|
275
|
+
"scope": "Both",
|
|
276
|
+
"notes": "Excessive privilege is specifically listed as OT vulnerability class"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
280
|
+
"control_id": "Risk assessment",
|
|
281
|
+
"control_name": "§6.2",
|
|
282
|
+
"tier": "Foundational",
|
|
283
|
+
"scope": "Both",
|
|
284
|
+
"notes": "Assess agent permission scope as part of OT risk register"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
288
|
+
"control_id": "Secure architecture",
|
|
289
|
+
"control_name": "§7.1",
|
|
290
|
+
"tier": "Foundational",
|
|
291
|
+
"scope": "Both",
|
|
292
|
+
"notes": "Least privilege must be enforced at zone boundary for all automated systems"
|
|
293
|
+
},
|
|
294
|
+
{
|
|
295
|
+
"framework": "NIST CSF 2.0",
|
|
296
|
+
"control_id": "PR.AA-05",
|
|
297
|
+
"control_name": "Identity Management, Authentication & Access Control",
|
|
298
|
+
"tier": "Foundational",
|
|
299
|
+
"scope": "Both",
|
|
300
|
+
"notes": "Access permissions managed — per-tool permission manifests, least privilege per tool, irreversibility classification"
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"framework": "NIST CSF 2.0",
|
|
304
|
+
"control_id": "GV.OC-01",
|
|
305
|
+
"control_name": "Organisational Context",
|
|
306
|
+
"tier": "Foundational",
|
|
307
|
+
"scope": "Both",
|
|
308
|
+
"notes": "Policy defines permissible tool invocations — which tools require human confirmation"
|
|
309
|
+
},
|
|
310
|
+
{
|
|
311
|
+
"framework": "NIST CSF 2.0",
|
|
312
|
+
"control_id": "DE.CM-01",
|
|
313
|
+
"control_name": "Continuous Monitoring",
|
|
314
|
+
"tier": "Foundational",
|
|
315
|
+
"scope": "Both",
|
|
316
|
+
"notes": "All tool invocations logged and monitored — anomalous parameters, unusual sequences, high frequency detected"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"framework": "NIST CSF 2.0",
|
|
320
|
+
"control_id": "RS.AN-03",
|
|
321
|
+
"control_name": "Incident Analysis",
|
|
322
|
+
"tier": "Foundational",
|
|
323
|
+
"scope": "Both",
|
|
324
|
+
"notes": "Root cause analysis — which tool was misused, what downstream impact occurred, what parameters were used"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"framework": "SOC 2",
|
|
328
|
+
"control_id": "Control activities define tool permission scope — which tools are permitted, which parameters are valid, which actions require confirmation",
|
|
329
|
+
"control_name": "CC5.2",
|
|
330
|
+
"tier": "Foundational",
|
|
331
|
+
"scope": "Both",
|
|
332
|
+
"notes": "Tool permission policy, permitted action allowlist"
|
|
333
|
+
},
|
|
334
|
+
{
|
|
335
|
+
"framework": "SOC 2",
|
|
336
|
+
"control_id": "Logical access controls enforce tool permissions — agent cannot invoke tools outside authorised scope",
|
|
337
|
+
"control_name": "CC6.1",
|
|
338
|
+
"tier": "Foundational",
|
|
339
|
+
"scope": "Both",
|
|
340
|
+
"notes": "Tool invocation logs, access rejection records"
|
|
341
|
+
},
|
|
342
|
+
{
|
|
343
|
+
"framework": "SOC 2",
|
|
344
|
+
"control_id": "Monitoring for anomalous tool invocations — destructive parameters, out-of-scope tools, unexpected sequences detected",
|
|
345
|
+
"control_name": "CC7.2",
|
|
346
|
+
"tier": "Foundational",
|
|
347
|
+
"scope": "Both",
|
|
348
|
+
"notes": "Tool call audit log, anomaly alert records"
|
|
349
|
+
},
|
|
350
|
+
{
|
|
351
|
+
"framework": "SOC 2",
|
|
352
|
+
"control_id": "Tool invocations are complete and accurate — parameter validation ensures tool calls match intended business operation",
|
|
353
|
+
"control_name": "PI1.2",
|
|
354
|
+
"tier": "Foundational",
|
|
355
|
+
"scope": "Both",
|
|
356
|
+
"notes": "Validation configuration, rejected call logs"
|
|
357
|
+
},
|
|
358
|
+
{
|
|
359
|
+
"framework": "PCI DSS v4.0",
|
|
360
|
+
"control_id": "Agent tool permissions follow least-privilege — agent can only access CHD systems required for defined function",
|
|
361
|
+
"control_name": "Req 7.2",
|
|
362
|
+
"tier": "Foundational",
|
|
363
|
+
"scope": "Both",
|
|
364
|
+
"notes": "Access control matrix for agent tools, privilege review records"
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
"framework": "PCI DSS v4.0",
|
|
368
|
+
"control_id": "Agent tool permissions reviewed periodically — unused tool permissions removed; review schedule documented",
|
|
369
|
+
"control_name": "Req 7.3",
|
|
370
|
+
"tier": "Foundational",
|
|
371
|
+
"scope": "Both",
|
|
372
|
+
"notes": "Periodic access review records"
|
|
373
|
+
},
|
|
374
|
+
{
|
|
375
|
+
"framework": "PCI DSS v4.0",
|
|
376
|
+
"control_id": "All tool invocations on CHD systems logged — tool name, parameters, data accessed, user/session identity",
|
|
377
|
+
"control_name": "Req 10.2",
|
|
378
|
+
"tier": "Foundational",
|
|
379
|
+
"scope": "Both",
|
|
380
|
+
"notes": "Tool invocation audit log"
|
|
381
|
+
},
|
|
382
|
+
{
|
|
383
|
+
"framework": "PCI DSS v4.0",
|
|
384
|
+
"control_id": "Tool parameter validation in agent code — LLM-generated tool parameters validated before execution",
|
|
385
|
+
"control_name": "Req 6.2",
|
|
386
|
+
"tier": "Foundational",
|
|
387
|
+
"scope": "Both",
|
|
388
|
+
"notes": "Code review records covering parameter validation"
|
|
389
|
+
},
|
|
390
|
+
{
|
|
391
|
+
"framework": "ENISA Multilayer Framework",
|
|
392
|
+
"control_id": "L2",
|
|
393
|
+
"control_name": "AI System Integrity (ASI)",
|
|
394
|
+
"tier": "Foundational",
|
|
395
|
+
"scope": "Both",
|
|
396
|
+
"notes": "Tool permissions defined per agent role — scope enforced at the framework layer; irreversibility controls prevent unrecoverable actions"
|
|
397
|
+
},
|
|
398
|
+
{
|
|
399
|
+
"framework": "ENISA Multilayer Framework",
|
|
400
|
+
"control_id": "SCS",
|
|
401
|
+
"control_name": "Supply Chain Security",
|
|
402
|
+
"tier": "Foundational",
|
|
403
|
+
"scope": "Both",
|
|
404
|
+
"notes": "All tool integrations assessed as supply chain components — integrity verification, vendor security review before integration"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"framework": "ENISA Multilayer Framework",
|
|
408
|
+
"control_id": "MON",
|
|
409
|
+
"control_name": "Monitoring and Detection",
|
|
410
|
+
"tier": "Foundational",
|
|
411
|
+
"scope": "Both",
|
|
412
|
+
"notes": "All agent tool invocations logged — data volumes, destination, and parameter patterns monitored for anomalies"
|
|
413
|
+
},
|
|
414
|
+
{
|
|
415
|
+
"framework": "ENISA Multilayer Framework",
|
|
416
|
+
"control_id": "L1",
|
|
417
|
+
"control_name": "General ICT — Access Control",
|
|
418
|
+
"tier": "Foundational",
|
|
419
|
+
"scope": "Both",
|
|
420
|
+
"notes": "Agent tool credentials issued with least-privilege — no unnecessary tool permissions granted"
|
|
421
|
+
},
|
|
422
|
+
{
|
|
423
|
+
"framework": "OWASP SAMM v2.0",
|
|
424
|
+
"control_id": "D-SA",
|
|
425
|
+
"control_name": "Design / Security Architecture",
|
|
426
|
+
"tier": "Foundational",
|
|
427
|
+
"scope": "Both",
|
|
428
|
+
"notes": "Define per-agent permission sets; review in architecture assessment"
|
|
429
|
+
},
|
|
430
|
+
{
|
|
431
|
+
"framework": "OWASP SAMM v2.0",
|
|
432
|
+
"control_id": "G-SM",
|
|
433
|
+
"control_name": "Governance / Strategy & Metrics",
|
|
434
|
+
"tier": "Foundational",
|
|
435
|
+
"scope": "Both",
|
|
436
|
+
"notes": "Formalise agent identity and permission lifecycle"
|
|
437
|
+
},
|
|
438
|
+
{
|
|
439
|
+
"framework": "OWASP SAMM v2.0",
|
|
440
|
+
"control_id": "V-AA",
|
|
441
|
+
"control_name": "Verification / Architecture Assessment",
|
|
442
|
+
"tier": "Foundational",
|
|
443
|
+
"scope": "Both",
|
|
444
|
+
"notes": "Periodic review of declared vs granted permissions per agent"
|
|
445
|
+
},
|
|
446
|
+
{
|
|
447
|
+
"framework": "OWASP SAMM v2.0",
|
|
448
|
+
"control_id": "O-OM",
|
|
449
|
+
"control_name": "Operations / Operational Management",
|
|
450
|
+
"tier": "Foundational",
|
|
451
|
+
"scope": "Both",
|
|
452
|
+
"notes": "Alert when agent requests permissions outside declared scope"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"framework": "OWASP SAMM v2.0",
|
|
456
|
+
"control_id": "G-PC",
|
|
457
|
+
"control_name": "Governance / Policy & Compliance",
|
|
458
|
+
"tier": "Foundational",
|
|
459
|
+
"scope": "Both",
|
|
460
|
+
"notes": "Document what permissions each agent class is authorised to hold"
|
|
461
|
+
},
|
|
462
|
+
{
|
|
463
|
+
"framework": "CWE/CVE",
|
|
464
|
+
"control_id": "Improper Access Control",
|
|
465
|
+
"control_name": "CWE-284",
|
|
466
|
+
"tier": "Foundational",
|
|
467
|
+
"scope": "Both",
|
|
468
|
+
"notes": "Agent can invoke tools it should not have access to; tool parameters not range-validated"
|
|
469
|
+
},
|
|
470
|
+
{
|
|
471
|
+
"framework": "CWE/CVE",
|
|
472
|
+
"control_id": "Missing Authorisation",
|
|
473
|
+
"control_name": "CWE-862",
|
|
474
|
+
"tier": "Foundational",
|
|
475
|
+
"scope": "Both",
|
|
476
|
+
"notes": "No authorisation check before irreversible tool invocations; human confirmation not required"
|
|
477
|
+
},
|
|
478
|
+
{
|
|
479
|
+
"framework": "CWE/CVE",
|
|
480
|
+
"control_id": "Unrestricted Upload of File with Dangerous Type",
|
|
481
|
+
"control_name": "CWE-434",
|
|
482
|
+
"tier": "Foundational",
|
|
483
|
+
"scope": "Both",
|
|
484
|
+
"notes": "Analogy: agent accepts and executes tool payloads without content validation"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"framework": "CWE/CVE",
|
|
488
|
+
"control_id": "Improper Control of Dynamically-Managed Code Resources",
|
|
489
|
+
"control_name": "CWE-913",
|
|
490
|
+
"tier": "Foundational",
|
|
491
|
+
"scope": "Both",
|
|
492
|
+
"notes": "MCP descriptors and tool specifications are dynamically loaded code resources — modification not controlled"
|
|
493
|
+
},
|
|
494
|
+
{
|
|
495
|
+
"framework": "CWE/CVE",
|
|
496
|
+
"control_id": "Improper Input Validation",
|
|
497
|
+
"control_name": "CWE-20",
|
|
498
|
+
"tier": "Foundational",
|
|
499
|
+
"scope": "Both",
|
|
500
|
+
"notes": "Tool parameters generated by LLM not validated against safe ranges before execution"
|
|
501
|
+
},
|
|
502
|
+
{
|
|
503
|
+
"framework": "OWASP AI Testing Guide",
|
|
504
|
+
"control_id": "Tool permission boundary enforcement",
|
|
505
|
+
"control_name": "AST — Agent-Specific",
|
|
506
|
+
"tier": "Foundational",
|
|
507
|
+
"scope": "Both",
|
|
508
|
+
"notes": "Attempt to invoke tools outside the agent's defined role; test parameter ranges; verify irreversibility controls"
|
|
509
|
+
},
|
|
510
|
+
{
|
|
511
|
+
"framework": "OWASP AI Testing Guide",
|
|
512
|
+
"control_id": "Per-tool authorisation",
|
|
513
|
+
"control_name": "ACT — Access Control",
|
|
514
|
+
"tier": "Foundational",
|
|
515
|
+
"scope": "Both",
|
|
516
|
+
"notes": "Verify each tool enforces its own access controls independently of the agent framework"
|
|
517
|
+
},
|
|
518
|
+
{
|
|
519
|
+
"framework": "OWASP AI Testing Guide",
|
|
520
|
+
"control_id": "LLM-generated tool parameters",
|
|
521
|
+
"control_name": "OHT — Output Handling",
|
|
522
|
+
"tier": "Foundational",
|
|
523
|
+
"scope": "Both",
|
|
524
|
+
"notes": "Verify tool call parameters generated by the LLM are validated before execution"
|
|
525
|
+
},
|
|
526
|
+
{
|
|
527
|
+
"framework": "MAESTRO",
|
|
528
|
+
"control_id": "L3",
|
|
529
|
+
"control_name": "Agent Frameworks",
|
|
530
|
+
"tier": "Foundational",
|
|
531
|
+
"scope": "Both"
|
|
532
|
+
},
|
|
533
|
+
{
|
|
534
|
+
"framework": "MAESTRO",
|
|
535
|
+
"control_id": "L6",
|
|
536
|
+
"control_name": "Security & Compliance",
|
|
537
|
+
"tier": "Foundational",
|
|
538
|
+
"scope": "Both"
|
|
539
|
+
},
|
|
540
|
+
{
|
|
541
|
+
"framework": "MAESTRO",
|
|
542
|
+
"control_id": "L4",
|
|
543
|
+
"control_name": "Deployment & Infrastructure",
|
|
544
|
+
"tier": "Foundational",
|
|
545
|
+
"scope": "Both"
|
|
546
|
+
},
|
|
547
|
+
{
|
|
548
|
+
"framework": "AIUC-1",
|
|
549
|
+
"control_id": "B001",
|
|
550
|
+
"control_name": "Third-party testing of adversarial robustness",
|
|
551
|
+
"tier": "Foundational",
|
|
552
|
+
"scope": "Both"
|
|
553
|
+
},
|
|
554
|
+
{
|
|
555
|
+
"framework": "AIUC-1",
|
|
556
|
+
"control_id": "B004",
|
|
557
|
+
"control_name": "Prevent AI endpoint scraping",
|
|
558
|
+
"tier": "Foundational",
|
|
559
|
+
"scope": "Both"
|
|
560
|
+
},
|
|
561
|
+
{
|
|
562
|
+
"framework": "AIUC-1",
|
|
563
|
+
"control_id": "B006",
|
|
564
|
+
"control_name": "Prevent unauthorized AI agent actions",
|
|
565
|
+
"tier": "Foundational",
|
|
566
|
+
"scope": "Both"
|
|
567
|
+
},
|
|
568
|
+
{
|
|
569
|
+
"framework": "AIUC-1",
|
|
570
|
+
"control_id": "B007",
|
|
571
|
+
"control_name": "Enforce user access privileges to AI systems",
|
|
572
|
+
"tier": "Foundational",
|
|
573
|
+
"scope": "Both"
|
|
574
|
+
},
|
|
575
|
+
{
|
|
576
|
+
"framework": "OWASP NHI Top 10",
|
|
577
|
+
"control_id": "Agent with excess privilege can call tools in destructive ways even within normal use",
|
|
578
|
+
"control_name": "NHI-5 Over-Privileged NHI",
|
|
579
|
+
"tier": "Foundational",
|
|
580
|
+
"scope": "Both",
|
|
581
|
+
"notes": "Per-tool permission manifests — each tool scoped to minimum required operations"
|
|
582
|
+
},
|
|
583
|
+
{
|
|
584
|
+
"framework": "OWASP NHI Top 10",
|
|
585
|
+
"control_id": "Compromised third-party tool identity gets full scope of agent credential",
|
|
586
|
+
"control_name": "NHI-3 Vulnerable Third-Party NHI",
|
|
587
|
+
"tier": "Foundational",
|
|
588
|
+
"scope": "Both",
|
|
589
|
+
"notes": "Validate all third-party tool identities — reject tokens from unregistered issuers"
|
|
590
|
+
},
|
|
591
|
+
{
|
|
592
|
+
"framework": "OWASP NHI Top 10",
|
|
593
|
+
"control_id": "Single shared credential allows tool misuse to affect multiple services",
|
|
594
|
+
"control_name": "NHI-9 NHI Reuse",
|
|
595
|
+
"tier": "Foundational",
|
|
596
|
+
"scope": "Both",
|
|
597
|
+
"notes": "Unique credential per tool integration — tool-scoped tokens, not agent-wide tokens"
|
|
598
|
+
},
|
|
599
|
+
{
|
|
600
|
+
"framework": "NIST SP 800-218A",
|
|
601
|
+
"control_id": "Define explicit security requirements specifying the maximum permitted tool access, API scope, data source access, and resource boundaries for each agent deployment",
|
|
602
|
+
"control_name": "PW.1.1-PS – Define security requirements",
|
|
603
|
+
"tier": "Foundational",
|
|
604
|
+
"scope": "Build",
|
|
605
|
+
"notes": "Establishes access control as a mandatory deployment requirement"
|
|
606
|
+
},
|
|
607
|
+
{
|
|
608
|
+
"framework": "NIST SP 800-218A",
|
|
609
|
+
"control_id": "Threat model all agent access paths to tools, data stores, and APIs; design least-privilege tool manifests and enforce tenant isolation by design",
|
|
610
|
+
"control_name": "PW.2.1-PS – Design software to meet security requirements",
|
|
611
|
+
"tier": "Foundational",
|
|
612
|
+
"scope": "Build",
|
|
613
|
+
"notes": "Ensures access boundaries are designed before implementation"
|
|
614
|
+
},
|
|
615
|
+
{
|
|
616
|
+
"framework": "NIST SP 800-218A",
|
|
617
|
+
"control_id": "Protect agent configuration files, tool manifests, permission policies, and orchestration definitions from unauthorised modification",
|
|
618
|
+
"control_name": "PS.1.1-PS – Protect all code from unauthorised access",
|
|
619
|
+
"tier": "Foundational",
|
|
620
|
+
"scope": "Build",
|
|
621
|
+
"notes": "Prevents tampering with access control configuration"
|
|
622
|
+
},
|
|
623
|
+
{
|
|
624
|
+
"framework": "NIST SP 800-218A",
|
|
625
|
+
"control_id": "Review agent access control enforcement — verify that tool permission manifests, RBAC policies, and tenant isolation boundaries are correctly implemented and cannot be bypassed",
|
|
626
|
+
"control_name": "PW.7.2-PS – Review the software for security vulnerabilities",
|
|
627
|
+
"tier": "Foundational",
|
|
628
|
+
"scope": "Build",
|
|
629
|
+
"notes": "Validates access controls before production deployment"
|
|
630
|
+
},
|
|
631
|
+
{
|
|
632
|
+
"framework": "FedRAMP",
|
|
633
|
+
"control_id": "AC-3",
|
|
634
|
+
"control_name": "Access Enforcement — agent resource access",
|
|
635
|
+
"tier": "Foundational",
|
|
636
|
+
"scope": "Build",
|
|
637
|
+
"notes": "Enforce role-based access control on all agent resources — tools, data stores, APIs, and inter-agent communication channels; deny by default"
|
|
638
|
+
},
|
|
639
|
+
{
|
|
640
|
+
"framework": "FedRAMP",
|
|
641
|
+
"control_id": "AC-6",
|
|
642
|
+
"control_name": "Least Privilege — agent permissions",
|
|
643
|
+
"tier": "Foundational",
|
|
644
|
+
"scope": "Build",
|
|
645
|
+
"notes": "Enforce least privilege for all agent permissions; restrict tool access, data store access, and API scope to minimum necessary per agent role"
|
|
646
|
+
},
|
|
647
|
+
{
|
|
648
|
+
"framework": "FedRAMP",
|
|
649
|
+
"control_id": "CM-7",
|
|
650
|
+
"control_name": "Least Functionality — agent capability restrictions",
|
|
651
|
+
"tier": "Foundational",
|
|
652
|
+
"scope": "Build",
|
|
653
|
+
"notes": "Restrict agents to minimum necessary capabilities; disable unused tools, APIs, and action types; enforce capability restrictions in agent configuration"
|
|
654
|
+
},
|
|
655
|
+
{
|
|
656
|
+
"framework": "FedRAMP",
|
|
657
|
+
"control_id": "AU-2",
|
|
658
|
+
"control_name": "Event Logging — access decision logging",
|
|
659
|
+
"tier": "Foundational",
|
|
660
|
+
"scope": "Build",
|
|
661
|
+
"notes": "Log all agent access decisions — permitted and denied — with sufficient detail for access control review and incident investigation"
|
|
662
|
+
},
|
|
663
|
+
{
|
|
664
|
+
"framework": "DORA",
|
|
665
|
+
"control_id": "Art. 9",
|
|
666
|
+
"control_name": "Protection and Prevention — agent access controls",
|
|
667
|
+
"tier": "Foundational",
|
|
668
|
+
"scope": "Build",
|
|
669
|
+
"notes": "Implement security controls enforcing least privilege on agent tool access, data store access, and API permissions within financial systems"
|
|
670
|
+
},
|
|
671
|
+
{
|
|
672
|
+
"framework": "DORA",
|
|
673
|
+
"control_id": "Art. 5–7",
|
|
674
|
+
"control_name": "ICT Risk Management — agent permission governance",
|
|
675
|
+
"tier": "Foundational",
|
|
676
|
+
"scope": "Build",
|
|
677
|
+
"notes": "Include agent access control policies in ICT risk management framework; define acceptable permission scopes per agent role and financial function"
|
|
678
|
+
},
|
|
679
|
+
{
|
|
680
|
+
"framework": "DORA",
|
|
681
|
+
"control_id": "Art. 10",
|
|
682
|
+
"control_name": "Detection — unauthorised access detection",
|
|
683
|
+
"tier": "Foundational",
|
|
684
|
+
"scope": "Build",
|
|
685
|
+
"notes": "Monitor agent access patterns for unauthorised tool invocations, data access beyond scope, and permission violations; alert on detection"
|
|
686
|
+
},
|
|
687
|
+
{
|
|
688
|
+
"framework": "DORA",
|
|
689
|
+
"control_id": "Art. 24–27",
|
|
690
|
+
"control_name": "Resilience Testing — access control testing",
|
|
691
|
+
"tier": "Foundational",
|
|
692
|
+
"scope": "Build",
|
|
693
|
+
"notes": "Include agent access control bypass in resilience testing; verify that agents cannot exceed defined permission boundaries under adversarial conditions"
|
|
694
|
+
}
|
|
695
|
+
],
|
|
696
|
+
"tools": [
|
|
697
|
+
{
|
|
698
|
+
"name": "Invariant Analyzer",
|
|
699
|
+
"type": "open-source",
|
|
700
|
+
"url": "https://github.com/invariantlabs-ai/invariant"
|
|
701
|
+
},
|
|
702
|
+
{
|
|
703
|
+
"name": "NeMo Guardrails",
|
|
704
|
+
"type": "open-source",
|
|
705
|
+
"url": "https://github.com/NVIDIA/NeMo-Guardrails"
|
|
706
|
+
},
|
|
707
|
+
{
|
|
708
|
+
"name": "MCP Inspector",
|
|
709
|
+
"type": "open-source",
|
|
710
|
+
"url": "https://github.com/modelcontextprotocol/inspector"
|
|
711
|
+
},
|
|
712
|
+
{
|
|
713
|
+
"name": "Claroty",
|
|
714
|
+
"type": "commercial",
|
|
715
|
+
"url": "https://claroty.com"
|
|
716
|
+
},
|
|
717
|
+
{
|
|
718
|
+
"name": "OWASP Dependency-Check",
|
|
719
|
+
"type": "open-source",
|
|
720
|
+
"url": "https://github.com/jeremylong/DependencyCheck"
|
|
721
|
+
},
|
|
722
|
+
{
|
|
723
|
+
"name": "Semgrep",
|
|
724
|
+
"type": "open-source",
|
|
725
|
+
"url": "https://github.com/returntocorp/semgrep"
|
|
726
|
+
},
|
|
727
|
+
{
|
|
728
|
+
"name": "Koi Security",
|
|
729
|
+
"type": "commercial",
|
|
730
|
+
"url": "https://www.koi.ai"
|
|
731
|
+
},
|
|
732
|
+
{
|
|
733
|
+
"name": "SPIFFE / SPIRE",
|
|
734
|
+
"type": "open-source",
|
|
735
|
+
"url": "https://spiffe.io"
|
|
736
|
+
},
|
|
737
|
+
{
|
|
738
|
+
"name": "HashiCorp Vault",
|
|
739
|
+
"type": "open-source",
|
|
740
|
+
"url": "https://www.vaultproject.io"
|
|
741
|
+
},
|
|
742
|
+
{
|
|
743
|
+
"name": "LAAF (LLM Agent Assessment Framework)",
|
|
744
|
+
"type": "open-source",
|
|
745
|
+
"url": "https://github.com/OWASP/LAAF"
|
|
746
|
+
},
|
|
747
|
+
{
|
|
748
|
+
"name": "Open Policy Agent (OPA)",
|
|
749
|
+
"type": "open-source",
|
|
750
|
+
"url": "https://www.openpolicyagent.org"
|
|
751
|
+
},
|
|
752
|
+
{
|
|
753
|
+
"name": "Guardrails AI",
|
|
754
|
+
"type": "open-source",
|
|
755
|
+
"url": "https://github.com/guardrails-ai/guardrails"
|
|
756
|
+
},
|
|
757
|
+
{
|
|
758
|
+
"name": "Open Policy Agent",
|
|
759
|
+
"type": "open-source",
|
|
760
|
+
"url": "https://www.openpolicyagent.org"
|
|
761
|
+
},
|
|
762
|
+
{
|
|
763
|
+
"name": "AWS IAM / Azure RBAC",
|
|
764
|
+
"type": "commercial",
|
|
765
|
+
"url": "https://aws.amazon.com/iam/"
|
|
766
|
+
},
|
|
767
|
+
{
|
|
768
|
+
"name": "LAAF v2.0",
|
|
769
|
+
"url": "https://github.com/qorvexconsulting1/laaf-V2.0",
|
|
770
|
+
"type": "open-source"
|
|
771
|
+
}
|
|
772
|
+
],
|
|
773
|
+
"incidents": [
|
|
774
|
+
{
|
|
775
|
+
"name": "Indirect prompt injection in LLM email assistant via malicious email body",
|
|
776
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
777
|
+
"year": 2024,
|
|
778
|
+
"incident_id": "INC-007"
|
|
779
|
+
},
|
|
780
|
+
{
|
|
781
|
+
"name": "Microsoft Copilot for M365 — document exfiltration via indirect injection",
|
|
782
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
783
|
+
"year": 2024,
|
|
784
|
+
"incident_id": "INC-010"
|
|
785
|
+
},
|
|
786
|
+
{
|
|
787
|
+
"name": "LangChain and LlamaIndex RCE — agent code execution via prompt injection",
|
|
788
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
789
|
+
"year": 2023,
|
|
790
|
+
"incident_id": "INC-012"
|
|
791
|
+
},
|
|
792
|
+
{
|
|
793
|
+
"name": "Agentic AI privilege escalation via tool chain manipulation — research",
|
|
794
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
795
|
+
"year": 2024,
|
|
796
|
+
"incident_id": "INC-019"
|
|
797
|
+
},
|
|
798
|
+
{
|
|
799
|
+
"name": "LAAF v2.0 — Empirical LPCI breakthrough rates of 67–100% across 5 production LLMs",
|
|
800
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
801
|
+
"year": 2026,
|
|
802
|
+
"incident_id": "INC-021"
|
|
803
|
+
},
|
|
804
|
+
{
|
|
805
|
+
"name": "Greshake et al. \"Not What You've Signed Up For\" indirect prompt injection paper",
|
|
806
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
807
|
+
"year": 2023,
|
|
808
|
+
"incident_id": "INC-022"
|
|
809
|
+
},
|
|
810
|
+
{
|
|
811
|
+
"name": "Slack AI indirect injection via channel content",
|
|
812
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
813
|
+
"year": 2024,
|
|
814
|
+
"incident_id": "INC-024"
|
|
815
|
+
},
|
|
816
|
+
{
|
|
817
|
+
"name": "GitHub Copilot Workspace prompt injection via repository content",
|
|
818
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
819
|
+
"year": 2024,
|
|
820
|
+
"incident_id": "INC-025"
|
|
821
|
+
},
|
|
822
|
+
{
|
|
823
|
+
"name": "Cursor AI code agent leaking repository secrets via context window",
|
|
824
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
825
|
+
"year": 2025,
|
|
826
|
+
"incident_id": "INC-034"
|
|
827
|
+
}
|
|
828
|
+
],
|
|
829
|
+
"crossrefs": {
|
|
830
|
+
"llm_top10": [
|
|
831
|
+
"LLM05",
|
|
832
|
+
"LLM06",
|
|
833
|
+
"LLM07"
|
|
834
|
+
],
|
|
835
|
+
"dsgai_2026": [
|
|
836
|
+
"DSGAI06",
|
|
837
|
+
"DSGAI12",
|
|
838
|
+
"DSGAI07",
|
|
839
|
+
"DSGAI08"
|
|
840
|
+
]
|
|
841
|
+
},
|
|
842
|
+
"changelog": [
|
|
843
|
+
{
|
|
844
|
+
"date": "2026-03-27",
|
|
845
|
+
"version": "1.0.0",
|
|
846
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
847
|
+
"author": "emmanuelgjr"
|
|
848
|
+
}
|
|
849
|
+
]
|
|
850
|
+
}
|