genai-security-crosswalk 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,764 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "ASI05",
|
|
3
|
+
"name": "Unexpected Code Execution",
|
|
4
|
+
"source_list": "Agentic-Top10-2026",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "Critical",
|
|
7
|
+
"aivss_score": 9.9,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"ml-engineer",
|
|
12
|
+
"ot-engineer",
|
|
13
|
+
"ciso",
|
|
14
|
+
"compliance",
|
|
15
|
+
"auditor",
|
|
16
|
+
"developer"
|
|
17
|
+
],
|
|
18
|
+
"mappings": [
|
|
19
|
+
{
|
|
20
|
+
"framework": "MITRE ATLAS",
|
|
21
|
+
"control_id": "AML.T0040",
|
|
22
|
+
"control_name": "Unsafe Deserialisation via LLM",
|
|
23
|
+
"tier": "Foundational",
|
|
24
|
+
"scope": "Both",
|
|
25
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0040",
|
|
26
|
+
"notes": "Agent-generated code or payloads executed by downstream components"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0054",
|
|
31
|
+
"control_name": "LLM Jailbreak",
|
|
32
|
+
"tier": "Foundational",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0054",
|
|
35
|
+
"notes": "Overriding code execution safety guardrails to allow arbitrary command execution"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"framework": "MITRE ATLAS",
|
|
39
|
+
"control_id": "AML.T0037",
|
|
40
|
+
"control_name": "Output Manipulation",
|
|
41
|
+
"tier": "Foundational",
|
|
42
|
+
"scope": "Both",
|
|
43
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0037",
|
|
44
|
+
"notes": "Crafting inputs that produce malicious executable code in agent output"
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"framework": "NIST AI RMF 1.0",
|
|
48
|
+
"control_id": "GV-1.7",
|
|
49
|
+
"control_name": "Policies for trustworthy AI",
|
|
50
|
+
"tier": "Hardening",
|
|
51
|
+
"scope": "Build",
|
|
52
|
+
"notes": "Policy explicitly addresses agent code execution capability — sandbox requirements, permitted operations"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"framework": "NIST AI RMF 1.0",
|
|
56
|
+
"control_id": "MP-2.3",
|
|
57
|
+
"control_name": "Risk categorisation",
|
|
58
|
+
"tier": "Hardening",
|
|
59
|
+
"scope": "Build",
|
|
60
|
+
"notes": "Code execution risk categorised separately per agent — blast radius, permitted operations, sandbox status"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"framework": "NIST AI RMF 1.0",
|
|
64
|
+
"control_id": "MS-2.5",
|
|
65
|
+
"control_name": "Testing — adversarial",
|
|
66
|
+
"tier": "Hardening",
|
|
67
|
+
"scope": "Build",
|
|
68
|
+
"notes": "Adversarial testing of code execution paths — sandbox escape attempts, command injection via generated code"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"framework": "NIST AI RMF 1.0",
|
|
72
|
+
"control_id": "MG-2.2",
|
|
73
|
+
"control_name": "Risk response",
|
|
74
|
+
"tier": "Hardening",
|
|
75
|
+
"scope": "Build",
|
|
76
|
+
"notes": "Incident response for agent code execution anomaly — sandbox isolation, kill switch, forensic capture"
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"framework": "EU AI Act",
|
|
80
|
+
"control_id": "Code execution risks identified and mitigated",
|
|
81
|
+
"control_name": "Art. 9 — Risk management",
|
|
82
|
+
"tier": "Hardening",
|
|
83
|
+
"scope": "Both",
|
|
84
|
+
"notes": "Agent code execution capability documented in Art. 9 risk management — sandbox status, permitted operations"
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"framework": "EU AI Act",
|
|
88
|
+
"control_id": "Technical robustness against adversarial code execution",
|
|
89
|
+
"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
|
|
90
|
+
"tier": "Hardening",
|
|
91
|
+
"scope": "Both",
|
|
92
|
+
"notes": "Sandboxing, input filtering, static analysis are Art. 15 requirements for agents with code execution"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"framework": "EU AI Act",
|
|
96
|
+
"control_id": "Post-market monitoring covering code execution incidents",
|
|
97
|
+
"control_name": "Art. 17 — Quality management",
|
|
98
|
+
"tier": "Hardening",
|
|
99
|
+
"scope": "Both",
|
|
100
|
+
"notes": "Code execution anomaly response in quality management system"
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"framework": "ISO/IEC 27001:2022",
|
|
104
|
+
"control_id": "A.8.28",
|
|
105
|
+
"control_name": "Secure coding",
|
|
106
|
+
"tier": "Hardening",
|
|
107
|
+
"scope": "Both",
|
|
108
|
+
"notes": "Sandbox, static analysis, and allowlist as secure coding requirements — no code execution without these controls"
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
"framework": "ISO/IEC 27001:2022",
|
|
112
|
+
"control_id": "A.8.26",
|
|
113
|
+
"control_name": "Application security requirements",
|
|
114
|
+
"tier": "Hardening",
|
|
115
|
+
"scope": "Both",
|
|
116
|
+
"notes": "Security requirements for agent code execution capability specified before development — sandbox spec, permitted operations"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"framework": "ISO/IEC 27001:2022",
|
|
120
|
+
"control_id": "A.8.29",
|
|
121
|
+
"control_name": "Security testing",
|
|
122
|
+
"tier": "Hardening",
|
|
123
|
+
"scope": "Both",
|
|
124
|
+
"notes": "Sandbox escape and code injection scenarios in security testing — adversarial testing before each deployment"
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
"framework": "ISO/IEC 27001:2022",
|
|
128
|
+
"control_id": "A.8.16",
|
|
129
|
+
"control_name": "Monitoring activities",
|
|
130
|
+
"tier": "Hardening",
|
|
131
|
+
"scope": "Both",
|
|
132
|
+
"notes": "Code execution environments monitored — anomalous system calls, network attempts detected"
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"framework": "ISO/IEC 42001:2023",
|
|
136
|
+
"control_id": "A.6.2.3",
|
|
137
|
+
"control_name": "AI system security",
|
|
138
|
+
"tier": "Hardening",
|
|
139
|
+
"scope": "Both",
|
|
140
|
+
"notes": "Sandbox, static analysis, and allowlist as AIMS security design requirements for code execution capability"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"framework": "ISO/IEC 42001:2023",
|
|
144
|
+
"control_id": "A.6.2.6",
|
|
145
|
+
"control_name": "Testing of AI systems",
|
|
146
|
+
"tier": "Hardening",
|
|
147
|
+
"scope": "Both",
|
|
148
|
+
"notes": "Sandbox escape and code injection scenarios in AIMS testing — adversarial testing before each deployment"
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"framework": "ISO/IEC 42001:2023",
|
|
152
|
+
"control_id": "A.5.2",
|
|
153
|
+
"control_name": "Impact assessment",
|
|
154
|
+
"tier": "Hardening",
|
|
155
|
+
"scope": "Both",
|
|
156
|
+
"notes": "Impact of code execution capability formally assessed — RCE impact on persons and systems documented"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"framework": "ISO/IEC 42001:2023",
|
|
160
|
+
"control_id": "Cl.6.1",
|
|
161
|
+
"control_name": "Risk assessment",
|
|
162
|
+
"tier": "Hardening",
|
|
163
|
+
"scope": "Both",
|
|
164
|
+
"notes": "Code execution risk in AI risk register — blast radius, sandbox status, permitted operations documented"
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
"framework": "CIS Controls v8.1",
|
|
168
|
+
"control_id": "16.1 Establish secure development standards",
|
|
169
|
+
"control_name": "CIS 16 — Application Software Security",
|
|
170
|
+
"tier": "Hardening",
|
|
171
|
+
"scope": "Both",
|
|
172
|
+
"notes": "Sandbox, static analysis, and allowlist as secure development requirements for code execution"
|
|
173
|
+
},
|
|
174
|
+
{
|
|
175
|
+
"framework": "CIS Controls v8.1",
|
|
176
|
+
"control_id": "4.1 Establish secure configuration process",
|
|
177
|
+
"control_name": "CIS 4 — Secure Configuration",
|
|
178
|
+
"tier": "Hardening",
|
|
179
|
+
"scope": "Both",
|
|
180
|
+
"notes": "Secure configuration includes code execution sandbox — no defaults permitting unrestricted execution"
|
|
181
|
+
},
|
|
182
|
+
{
|
|
183
|
+
"framework": "CIS Controls v8.1",
|
|
184
|
+
"control_id": "18.1 Establish penetration testing",
|
|
185
|
+
"control_name": "CIS 18 — Penetration Testing",
|
|
186
|
+
"tier": "Hardening",
|
|
187
|
+
"scope": "Both",
|
|
188
|
+
"notes": "Sandbox escape and code injection in penetration testing — adversarial scenarios before each deployment"
|
|
189
|
+
},
|
|
190
|
+
{
|
|
191
|
+
"framework": "CIS Controls v8.1",
|
|
192
|
+
"control_id": "13.8 Deploy network intrusion detection",
|
|
193
|
+
"control_name": "CIS 13 — Network Monitoring",
|
|
194
|
+
"tier": "Hardening",
|
|
195
|
+
"scope": "Both",
|
|
196
|
+
"notes": "Code execution environments network-monitored — outbound connection attempts from sandbox detected"
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
200
|
+
"control_id": "V5.2.1",
|
|
201
|
+
"control_name": "Verify output encoding of untrusted data in HTML context",
|
|
202
|
+
"tier": "Hardening",
|
|
203
|
+
"scope": "Both",
|
|
204
|
+
"notes": "Agent code output encoded before rendering in any context"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
208
|
+
"control_id": "V5.2.4",
|
|
209
|
+
"control_name": "Verify application does not use eval or dynamic code",
|
|
210
|
+
"tier": "Hardening",
|
|
211
|
+
"scope": "Both",
|
|
212
|
+
"notes": "No eval or exec of agent-generated code — absolute prohibition enforced in code review"
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
216
|
+
"control_id": "V5.2.5",
|
|
217
|
+
"control_name": "Verify output encoding in OS command context",
|
|
218
|
+
"tier": "Hardening",
|
|
219
|
+
"scope": "Both",
|
|
220
|
+
"notes": "Agent-generated commands validated before any shell execution"
|
|
221
|
+
},
|
|
222
|
+
{
|
|
223
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
224
|
+
"control_id": "V5.3.5",
|
|
225
|
+
"control_name": "Verify output encoding in SQL context",
|
|
226
|
+
"tier": "Hardening",
|
|
227
|
+
"scope": "Both",
|
|
228
|
+
"notes": "No raw agent output in SQL context — parameterised execution only"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
232
|
+
"control_id": "V11.1.2",
|
|
233
|
+
"control_name": "Verify business logic limits",
|
|
234
|
+
"tier": "Hardening",
|
|
235
|
+
"scope": "Both",
|
|
236
|
+
"notes": "Code execution capability in agents subject to business logic controls — sandbox, allowlist, static analysis"
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
"framework": "ISA/IEC 62443",
|
|
240
|
+
"control_id": "SR 3.3",
|
|
241
|
+
"control_name": "Software and information integrity",
|
|
242
|
+
"tier": "Hardening",
|
|
243
|
+
"scope": "Both",
|
|
244
|
+
"notes": "All agent-generated code validated before execution — allowlisted operations only"
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
"framework": "ISA/IEC 62443",
|
|
248
|
+
"control_id": "SR 2.3",
|
|
249
|
+
"control_name": "Use control",
|
|
250
|
+
"tier": "Hardening",
|
|
251
|
+
"scope": "Both",
|
|
252
|
+
"notes": "Agent code execution restricted to specific, defined operations — no shell access, no network programming"
|
|
253
|
+
},
|
|
254
|
+
{
|
|
255
|
+
"framework": "ISA/IEC 62443",
|
|
256
|
+
"control_id": "SR 3.7",
|
|
257
|
+
"control_name": "Software and information integrity (monitoring)",
|
|
258
|
+
"tier": "Hardening",
|
|
259
|
+
"scope": "Both",
|
|
260
|
+
"notes": "Runtime monitoring of agent code execution — anomalous system calls detected and blocked"
|
|
261
|
+
},
|
|
262
|
+
{
|
|
263
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
264
|
+
"control_id": "Supply chain risks",
|
|
265
|
+
"control_name": "§5.5",
|
|
266
|
+
"tier": "Foundational",
|
|
267
|
+
"scope": "Both",
|
|
268
|
+
"notes": "Third-party tool components in OT"
|
|
269
|
+
},
|
|
270
|
+
{
|
|
271
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
272
|
+
"control_id": "Supply chain risk management",
|
|
273
|
+
"control_name": "§6.3",
|
|
274
|
+
"tier": "Foundational",
|
|
275
|
+
"scope": "Both",
|
|
276
|
+
"notes": "Tool integration approval process"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
280
|
+
"control_id": "Third-party management",
|
|
281
|
+
"control_name": "§8.4",
|
|
282
|
+
"tier": "Foundational",
|
|
283
|
+
"scope": "Both",
|
|
284
|
+
"notes": "Vendor assessment for OT tool providers"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"framework": "NIST CSF 2.0",
|
|
288
|
+
"control_id": "PR.PS-04",
|
|
289
|
+
"control_name": "Platform Security",
|
|
290
|
+
"tier": "Hardening",
|
|
291
|
+
"scope": "Both",
|
|
292
|
+
"notes": "Secure software development — static analysis, sandbox, allowlist as code execution platform security controls"
|
|
293
|
+
},
|
|
294
|
+
{
|
|
295
|
+
"framework": "NIST CSF 2.0",
|
|
296
|
+
"control_id": "PR.IR-01",
|
|
297
|
+
"control_name": "Infrastructure Resilience",
|
|
298
|
+
"tier": "Hardening",
|
|
299
|
+
"scope": "Both",
|
|
300
|
+
"notes": "Networks and environments protected — sandbox isolated from production infrastructure"
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"framework": "NIST CSF 2.0",
|
|
304
|
+
"control_id": "DE.CM-01",
|
|
305
|
+
"control_name": "Continuous Monitoring",
|
|
306
|
+
"tier": "Hardening",
|
|
307
|
+
"scope": "Both",
|
|
308
|
+
"notes": "Code execution monitored — sandbox escape attempts, anomalous system calls detected"
|
|
309
|
+
},
|
|
310
|
+
{
|
|
311
|
+
"framework": "NIST CSF 2.0",
|
|
312
|
+
"control_id": "RS.MI-01",
|
|
313
|
+
"control_name": "Incident Mitigation",
|
|
314
|
+
"tier": "Hardening",
|
|
315
|
+
"scope": "Both",
|
|
316
|
+
"notes": "Code execution incidents contained — sandbox isolated, forensic capture initiated"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"framework": "SOC 2",
|
|
320
|
+
"control_id": "Control activities define permitted code execution scope — sandbox requirements, approved languages, forbidden operations",
|
|
321
|
+
"control_name": "CC5.2",
|
|
322
|
+
"tier": "Hardening",
|
|
323
|
+
"scope": "Both",
|
|
324
|
+
"notes": "Code execution policy, sandbox configuration"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"framework": "SOC 2",
|
|
328
|
+
"control_id": "Execution sandboxes access-controlled — no host filesystem or network access without authorisation",
|
|
329
|
+
"control_name": "CC6.1",
|
|
330
|
+
"tier": "Hardening",
|
|
331
|
+
"scope": "Both",
|
|
332
|
+
"notes": "Sandbox configuration, access control evidence"
|
|
333
|
+
},
|
|
334
|
+
{
|
|
335
|
+
"framework": "SOC 2",
|
|
336
|
+
"control_id": "Code execution events monitored — syscall patterns, network calls, and filesystem access from sandboxes logged",
|
|
337
|
+
"control_name": "CC7.2",
|
|
338
|
+
"tier": "Hardening",
|
|
339
|
+
"scope": "Both",
|
|
340
|
+
"notes": "Execution audit log, alert configuration"
|
|
341
|
+
},
|
|
342
|
+
{
|
|
343
|
+
"framework": "SOC 2",
|
|
344
|
+
"control_id": "Code execution is authorised — agent cannot execute code that was not explicitly requested by authorised user",
|
|
345
|
+
"control_name": "PI1.1",
|
|
346
|
+
"tier": "Hardening",
|
|
347
|
+
"scope": "Both",
|
|
348
|
+
"notes": "Code execution authorisation records"
|
|
349
|
+
},
|
|
350
|
+
{
|
|
351
|
+
"framework": "PCI DSS v4.0",
|
|
352
|
+
"control_id": "Code generation and execution controls in secure development — agent cannot execute generated code without validation",
|
|
353
|
+
"control_name": "Req 6.2",
|
|
354
|
+
"tier": "Hardening",
|
|
355
|
+
"scope": "Both",
|
|
356
|
+
"notes": "Secure development policy covering code generation"
|
|
357
|
+
},
|
|
358
|
+
{
|
|
359
|
+
"framework": "PCI DSS v4.0",
|
|
360
|
+
"control_id": "Agent execution environments protected — WAF or equivalent for agent endpoints with code execution capability",
|
|
361
|
+
"control_name": "Req 6.4",
|
|
362
|
+
"tier": "Hardening",
|
|
363
|
+
"scope": "Both",
|
|
364
|
+
"notes": "WAF configuration, protection evidence"
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
"framework": "PCI DSS v4.0",
|
|
368
|
+
"control_id": "Code execution paths in penetration testing — test whether crafted inputs cause execution of out-of-scope code",
|
|
369
|
+
"control_name": "Req 11.3",
|
|
370
|
+
"tier": "Hardening",
|
|
371
|
+
"scope": "Both",
|
|
372
|
+
"notes": "Pen test report with code execution test cases"
|
|
373
|
+
},
|
|
374
|
+
{
|
|
375
|
+
"framework": "PCI DSS v4.0",
|
|
376
|
+
"control_id": "Code execution events logged — all agent-initiated execution with session identity and code summary",
|
|
377
|
+
"control_name": "Req 10.2",
|
|
378
|
+
"tier": "Hardening",
|
|
379
|
+
"scope": "Both",
|
|
380
|
+
"notes": "Code execution audit log"
|
|
381
|
+
},
|
|
382
|
+
{
|
|
383
|
+
"framework": "ENISA Multilayer Framework",
|
|
384
|
+
"control_id": "L2",
|
|
385
|
+
"control_name": "AI System Integrity (ASI)",
|
|
386
|
+
"tier": "Hardening",
|
|
387
|
+
"scope": "Both",
|
|
388
|
+
"notes": "Agent-generated code validated and sandboxed before execution — AI system integrity verification includes code generation scope testing"
|
|
389
|
+
},
|
|
390
|
+
{
|
|
391
|
+
"framework": "ENISA Multilayer Framework",
|
|
392
|
+
"control_id": "MON",
|
|
393
|
+
"control_name": "Monitoring and Detection",
|
|
394
|
+
"tier": "Hardening",
|
|
395
|
+
"scope": "Both",
|
|
396
|
+
"notes": "All agent-initiated code execution logged — process spawning, filesystem access, and network calls from agent sandboxes monitored"
|
|
397
|
+
},
|
|
398
|
+
{
|
|
399
|
+
"framework": "ENISA Multilayer Framework",
|
|
400
|
+
"control_id": "L1",
|
|
401
|
+
"control_name": "General ICT — Secure Development",
|
|
402
|
+
"tier": "Hardening",
|
|
403
|
+
"scope": "Both",
|
|
404
|
+
"notes": "Code execution sandbox as a secure development requirement — agent-generated code never executed in host context"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"framework": "ENISA Multilayer Framework",
|
|
408
|
+
"control_id": "L1",
|
|
409
|
+
"control_name": "General ICT — Network",
|
|
410
|
+
"tier": "Hardening",
|
|
411
|
+
"scope": "Both",
|
|
412
|
+
"notes": "Agent code execution sandboxes network-isolated — no outbound connections to non-approved destinations"
|
|
413
|
+
},
|
|
414
|
+
{
|
|
415
|
+
"framework": "OWASP SAMM v2.0",
|
|
416
|
+
"control_id": "D-SR",
|
|
417
|
+
"control_name": "Design / Security Requirements",
|
|
418
|
+
"tier": "Foundational",
|
|
419
|
+
"scope": "Both",
|
|
420
|
+
"notes": "Security requirements for every tool: auth, scope, output validation"
|
|
421
|
+
},
|
|
422
|
+
{
|
|
423
|
+
"framework": "OWASP SAMM v2.0",
|
|
424
|
+
"control_id": "I-SB",
|
|
425
|
+
"control_name": "Implementation / Secure Build",
|
|
426
|
+
"tier": "Foundational",
|
|
427
|
+
"scope": "Both",
|
|
428
|
+
"notes": "Only approved tools can be registered; unsigned tools are rejected"
|
|
429
|
+
},
|
|
430
|
+
{
|
|
431
|
+
"framework": "OWASP SAMM v2.0",
|
|
432
|
+
"control_id": "V-ST",
|
|
433
|
+
"control_name": "Verification / Security Testing",
|
|
434
|
+
"tier": "Foundational",
|
|
435
|
+
"scope": "Both",
|
|
436
|
+
"notes": "Automated checks on tool descriptors, endpoints, and permissions"
|
|
437
|
+
},
|
|
438
|
+
{
|
|
439
|
+
"framework": "OWASP SAMM v2.0",
|
|
440
|
+
"control_id": "G-PC",
|
|
441
|
+
"control_name": "Governance / Policy & Compliance",
|
|
442
|
+
"tier": "Foundational",
|
|
443
|
+
"scope": "Both",
|
|
444
|
+
"notes": "Process for approving, reviewing, and revoking tool integrations"
|
|
445
|
+
},
|
|
446
|
+
{
|
|
447
|
+
"framework": "OWASP SAMM v2.0",
|
|
448
|
+
"control_id": "O-OM",
|
|
449
|
+
"control_name": "Operations / Operational Management",
|
|
450
|
+
"tier": "Foundational",
|
|
451
|
+
"scope": "Both",
|
|
452
|
+
"notes": "Alert on tool calls outside normal operating parameters"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"framework": "CWE/CVE",
|
|
456
|
+
"control_id": "Improper Control of Generation of Code",
|
|
457
|
+
"control_name": "CWE-94",
|
|
458
|
+
"tier": "Foundational",
|
|
459
|
+
"scope": "Both",
|
|
460
|
+
"notes": "Agent generates and executes code without adequate static analysis or sandbox"
|
|
461
|
+
},
|
|
462
|
+
{
|
|
463
|
+
"framework": "CWE/CVE",
|
|
464
|
+
"control_id": "Improper Neutralisation of Special Elements in OS Command",
|
|
465
|
+
"control_name": "CWE-78",
|
|
466
|
+
"tier": "Foundational",
|
|
467
|
+
"scope": "Both",
|
|
468
|
+
"notes": "LLM-generated code containing shell commands executed without sanitisation"
|
|
469
|
+
},
|
|
470
|
+
{
|
|
471
|
+
"framework": "CWE/CVE",
|
|
472
|
+
"control_id": "Improper Neutralisation of Special Elements in Command",
|
|
473
|
+
"control_name": "CWE-77",
|
|
474
|
+
"tier": "Foundational",
|
|
475
|
+
"scope": "Both",
|
|
476
|
+
"notes": "LLM output used directly in command context"
|
|
477
|
+
},
|
|
478
|
+
{
|
|
479
|
+
"framework": "CWE/CVE",
|
|
480
|
+
"control_id": "Improper Neutralisation of Directives in Dynamically Evaluated Code",
|
|
481
|
+
"control_name": "CWE-95",
|
|
482
|
+
"tier": "Foundational",
|
|
483
|
+
"scope": "Both",
|
|
484
|
+
"notes": "Eval of LLM-generated code"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"framework": "CWE/CVE",
|
|
488
|
+
"control_id": "Use of Potentially Dangerous Function",
|
|
489
|
+
"control_name": "CWE-676",
|
|
490
|
+
"tier": "Foundational",
|
|
491
|
+
"scope": "Both",
|
|
492
|
+
"notes": "Agent uses exec(), eval(), subprocess without validation"
|
|
493
|
+
},
|
|
494
|
+
{
|
|
495
|
+
"framework": "OWASP AI Testing Guide",
|
|
496
|
+
"control_id": "Code injection via crafted prompts",
|
|
497
|
+
"control_name": "IHT — Input Handling",
|
|
498
|
+
"tier": "Hardening",
|
|
499
|
+
"scope": "Both",
|
|
500
|
+
"notes": "Craft inputs designed to generate code containing network calls, file system access, or shell commands"
|
|
501
|
+
},
|
|
502
|
+
{
|
|
503
|
+
"framework": "OWASP AI Testing Guide",
|
|
504
|
+
"control_id": "Generated code validation",
|
|
505
|
+
"control_name": "OHT — Output Handling",
|
|
506
|
+
"tier": "Hardening",
|
|
507
|
+
"scope": "Both",
|
|
508
|
+
"notes": "Verify static analysis catches dangerous operations before execution"
|
|
509
|
+
},
|
|
510
|
+
{
|
|
511
|
+
"framework": "OWASP AI Testing Guide",
|
|
512
|
+
"control_id": "Sandbox escape attempts",
|
|
513
|
+
"control_name": "AST — Agent-Specific",
|
|
514
|
+
"tier": "Hardening",
|
|
515
|
+
"scope": "Both",
|
|
516
|
+
"notes": "Test sandbox boundary enforcement from within the execution environment"
|
|
517
|
+
},
|
|
518
|
+
{
|
|
519
|
+
"framework": "MAESTRO",
|
|
520
|
+
"control_id": "L4",
|
|
521
|
+
"control_name": "Deployment & Infrastructure",
|
|
522
|
+
"tier": "Hardening",
|
|
523
|
+
"scope": "Both"
|
|
524
|
+
},
|
|
525
|
+
{
|
|
526
|
+
"framework": "MAESTRO",
|
|
527
|
+
"control_id": "L3",
|
|
528
|
+
"control_name": "Agent Frameworks",
|
|
529
|
+
"tier": "Hardening",
|
|
530
|
+
"scope": "Both"
|
|
531
|
+
},
|
|
532
|
+
{
|
|
533
|
+
"framework": "MAESTRO",
|
|
534
|
+
"control_id": "L1",
|
|
535
|
+
"control_name": "Foundation Models",
|
|
536
|
+
"tier": "Hardening",
|
|
537
|
+
"scope": "Both"
|
|
538
|
+
},
|
|
539
|
+
{
|
|
540
|
+
"framework": "AIUC-1",
|
|
541
|
+
"control_id": "B001",
|
|
542
|
+
"control_name": "Third-party testing of adversarial robustness",
|
|
543
|
+
"tier": "Foundational",
|
|
544
|
+
"scope": "Build"
|
|
545
|
+
},
|
|
546
|
+
{
|
|
547
|
+
"framework": "AIUC-1",
|
|
548
|
+
"control_id": "B005",
|
|
549
|
+
"control_name": "Implement real-time input filtering",
|
|
550
|
+
"tier": "Foundational",
|
|
551
|
+
"scope": "Build"
|
|
552
|
+
},
|
|
553
|
+
{
|
|
554
|
+
"framework": "AIUC-1",
|
|
555
|
+
"control_id": "B006",
|
|
556
|
+
"control_name": "Prevent unauthorized AI agent actions",
|
|
557
|
+
"tier": "Foundational",
|
|
558
|
+
"scope": "Build"
|
|
559
|
+
},
|
|
560
|
+
{
|
|
561
|
+
"framework": "AIUC-1",
|
|
562
|
+
"control_id": "B009",
|
|
563
|
+
"control_name": "Limit output over-exposure",
|
|
564
|
+
"tier": "Foundational",
|
|
565
|
+
"scope": "Build"
|
|
566
|
+
},
|
|
567
|
+
{
|
|
568
|
+
"framework": "OWASP NHI Top 10",
|
|
569
|
+
"control_id": "Code executes in context of over-privileged agent credential — amplifies RCE impact",
|
|
570
|
+
"control_name": "NHI-5 Over-Privileged NHI",
|
|
571
|
+
"tier": "Hardening",
|
|
572
|
+
"scope": "Both",
|
|
573
|
+
"notes": "Sandbox code execution under a separate, minimal credential — not the agent's primary identity"
|
|
574
|
+
},
|
|
575
|
+
{
|
|
576
|
+
"framework": "OWASP NHI Top 10",
|
|
577
|
+
"control_id": "Code execution in production context with prod credentials",
|
|
578
|
+
"control_name": "NHI-8 Environment Isolation Failure",
|
|
579
|
+
"tier": "Hardening",
|
|
580
|
+
"scope": "Both",
|
|
581
|
+
"notes": "Strict environment isolation for code execution — dedicated sandboxed identity"
|
|
582
|
+
},
|
|
583
|
+
{
|
|
584
|
+
"framework": "OWASP NHI Top 10",
|
|
585
|
+
"control_id": "Shared credential means RCE in one agent affects all agents sharing the credential",
|
|
586
|
+
"control_name": "NHI-9 NHI Reuse",
|
|
587
|
+
"tier": "Hardening",
|
|
588
|
+
"scope": "Both",
|
|
589
|
+
"notes": "Unique credential per agent — code execution in one instance cannot leverage other instances' access"
|
|
590
|
+
},
|
|
591
|
+
{
|
|
592
|
+
"framework": "NIST SP 800-218A",
|
|
593
|
+
"control_id": "Threat model all code execution paths in agent workflows; design sandboxing, resource limits, and execution constraints as explicit security requirements",
|
|
594
|
+
"control_name": "PW.2.1-PS – Design software to meet security requirements",
|
|
595
|
+
"tier": "Foundational",
|
|
596
|
+
"scope": "Both",
|
|
597
|
+
"notes": "Ensures code execution boundaries are designed before implementation"
|
|
598
|
+
},
|
|
599
|
+
{
|
|
600
|
+
"framework": "NIST SP 800-218A",
|
|
601
|
+
"control_id": "Implement secure coding for agent code execution — sandbox isolation, input validation for code generation, output filtering, and prevention of self-modification",
|
|
602
|
+
"control_name": "PW.5.1-PS – Secure coding practices",
|
|
603
|
+
"tier": "Foundational",
|
|
604
|
+
"scope": "Both",
|
|
605
|
+
"notes": "Prevents code execution vulnerabilities in agent implementation"
|
|
606
|
+
},
|
|
607
|
+
{
|
|
608
|
+
"framework": "NIST SP 800-218A",
|
|
609
|
+
"control_id": "Conduct adversarial testing targeting code execution — sandbox escapes, resource limit bypasses, self-modification, and host system access through generated code",
|
|
610
|
+
"control_name": "PW.8.2-PS – Test for security vulnerabilities",
|
|
611
|
+
"tier": "Foundational",
|
|
612
|
+
"scope": "Both",
|
|
613
|
+
"notes": "Validates execution boundary controls under attack conditions"
|
|
614
|
+
},
|
|
615
|
+
{
|
|
616
|
+
"framework": "NIST SP 800-218A",
|
|
617
|
+
"control_id": "Protect agent execution environments, sandbox configurations, and runtime constraints from unauthorised modification",
|
|
618
|
+
"control_name": "PS.1.1-PS – Protect all code from unauthorised access",
|
|
619
|
+
"tier": "Foundational",
|
|
620
|
+
"scope": "Both",
|
|
621
|
+
"notes": "Prevents weakening of execution boundaries through configuration tampering"
|
|
622
|
+
},
|
|
623
|
+
{
|
|
624
|
+
"framework": "FedRAMP",
|
|
625
|
+
"control_id": "CM-7",
|
|
626
|
+
"control_name": "Least Functionality — code execution restrictions",
|
|
627
|
+
"tier": "Foundational",
|
|
628
|
+
"scope": "Both",
|
|
629
|
+
"notes": "Restrict agent code execution to minimum necessary scope; enforce sandbox boundaries, disable unnecessary language features, and limit filesystem and network access"
|
|
630
|
+
},
|
|
631
|
+
{
|
|
632
|
+
"framework": "FedRAMP",
|
|
633
|
+
"control_id": "SC-7",
|
|
634
|
+
"control_name": "Boundary Protection — execution sandbox",
|
|
635
|
+
"tier": "Foundational",
|
|
636
|
+
"scope": "Both",
|
|
637
|
+
"notes": "Enforce strict boundary protection on agent code execution environments; isolate from production systems, restrict network access, and enforce resource limits"
|
|
638
|
+
},
|
|
639
|
+
{
|
|
640
|
+
"framework": "FedRAMP",
|
|
641
|
+
"control_id": "SI-3",
|
|
642
|
+
"control_name": "Malicious Code Protection — agent-generated code",
|
|
643
|
+
"tier": "Foundational",
|
|
644
|
+
"scope": "Both",
|
|
645
|
+
"notes": "Scan agent-generated code for malicious patterns before execution; detect and block code that attempts filesystem access, network communication, or privilege escalation"
|
|
646
|
+
},
|
|
647
|
+
{
|
|
648
|
+
"framework": "FedRAMP",
|
|
649
|
+
"control_id": "CA-8",
|
|
650
|
+
"control_name": "Penetration Testing — execution boundary testing",
|
|
651
|
+
"tier": "Foundational",
|
|
652
|
+
"scope": "Both",
|
|
653
|
+
"notes": "Include agent code execution sandbox escape in penetration testing scope; test boundary integrity under adversarial conditions"
|
|
654
|
+
},
|
|
655
|
+
{
|
|
656
|
+
"framework": "DORA",
|
|
657
|
+
"control_id": "Art. 9",
|
|
658
|
+
"control_name": "Protection and Prevention — code execution controls",
|
|
659
|
+
"tier": "Foundational",
|
|
660
|
+
"scope": "Both",
|
|
661
|
+
"notes": "Implement security controls restricting agent code execution — sandboxing, capability restrictions, network isolation, and resource limits"
|
|
662
|
+
},
|
|
663
|
+
{
|
|
664
|
+
"framework": "DORA",
|
|
665
|
+
"control_id": "Art. 24–27",
|
|
666
|
+
"control_name": "Resilience Testing — sandbox escape testing",
|
|
667
|
+
"tier": "Foundational",
|
|
668
|
+
"scope": "Both",
|
|
669
|
+
"notes": "Include agent code execution sandbox escape in threat-led penetration testing; test boundary integrity under adversarial conditions"
|
|
670
|
+
},
|
|
671
|
+
{
|
|
672
|
+
"framework": "DORA",
|
|
673
|
+
"control_id": "Art. 17–23",
|
|
674
|
+
"control_name": "ICT Incident Management — code execution incident reporting",
|
|
675
|
+
"tier": "Foundational",
|
|
676
|
+
"scope": "Both",
|
|
677
|
+
"notes": "Classify uncontrolled code execution events as ICT-related incidents; assess impact on financial systems and report per DORA criteria"
|
|
678
|
+
},
|
|
679
|
+
{
|
|
680
|
+
"framework": "DORA",
|
|
681
|
+
"control_id": "Art. 10",
|
|
682
|
+
"control_name": "Detection — execution anomaly detection",
|
|
683
|
+
"tier": "Foundational",
|
|
684
|
+
"scope": "Both",
|
|
685
|
+
"notes": "Monitor agent code execution for anomalous patterns — unexpected system calls, network access, filesystem operations; alert on detection"
|
|
686
|
+
}
|
|
687
|
+
],
|
|
688
|
+
"tools": [
|
|
689
|
+
{
|
|
690
|
+
"name": "gVisor",
|
|
691
|
+
"type": "open-source",
|
|
692
|
+
"url": "https://gvisor.dev"
|
|
693
|
+
},
|
|
694
|
+
{
|
|
695
|
+
"name": "Semgrep",
|
|
696
|
+
"type": "open-source",
|
|
697
|
+
"url": "https://semgrep.dev"
|
|
698
|
+
},
|
|
699
|
+
{
|
|
700
|
+
"name": "Bandit",
|
|
701
|
+
"type": "open-source",
|
|
702
|
+
"url": "https://github.com/PyCQA/bandit"
|
|
703
|
+
},
|
|
704
|
+
{
|
|
705
|
+
"name": "Firecracker",
|
|
706
|
+
"type": "open-source",
|
|
707
|
+
"url": "https://firecracker-microvm.github.io"
|
|
708
|
+
},
|
|
709
|
+
{
|
|
710
|
+
"name": "Dragos",
|
|
711
|
+
"type": "commercial",
|
|
712
|
+
"url": "https://www.dragos.com"
|
|
713
|
+
},
|
|
714
|
+
{
|
|
715
|
+
"name": "Garak",
|
|
716
|
+
"type": "open-source",
|
|
717
|
+
"url": "https://github.com/leondz/garak"
|
|
718
|
+
},
|
|
719
|
+
{
|
|
720
|
+
"name": "E2B",
|
|
721
|
+
"type": "open-source",
|
|
722
|
+
"url": "https://e2b.dev"
|
|
723
|
+
}
|
|
724
|
+
],
|
|
725
|
+
"incidents": [
|
|
726
|
+
{
|
|
727
|
+
"name": "LangChain and LlamaIndex RCE — agent code execution via prompt injection",
|
|
728
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
729
|
+
"year": 2023,
|
|
730
|
+
"incident_id": "INC-012"
|
|
731
|
+
},
|
|
732
|
+
{
|
|
733
|
+
"name": "AutoGPT and BabyAGI — uncontrolled web browsing and file system access",
|
|
734
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
735
|
+
"year": 2023,
|
|
736
|
+
"incident_id": "INC-017"
|
|
737
|
+
}
|
|
738
|
+
],
|
|
739
|
+
"crossrefs": {
|
|
740
|
+
"llm_top10": [
|
|
741
|
+
"LLM05",
|
|
742
|
+
"LLM07",
|
|
743
|
+
"LLM03",
|
|
744
|
+
"LLM02",
|
|
745
|
+
"LLM01",
|
|
746
|
+
"LLM06"
|
|
747
|
+
],
|
|
748
|
+
"dsgai_2026": [
|
|
749
|
+
"DSGAI12",
|
|
750
|
+
"DSGAI13",
|
|
751
|
+
"DSGAI06",
|
|
752
|
+
"DSGAI05",
|
|
753
|
+
"DSGAI08"
|
|
754
|
+
]
|
|
755
|
+
},
|
|
756
|
+
"changelog": [
|
|
757
|
+
{
|
|
758
|
+
"date": "2026-03-27",
|
|
759
|
+
"version": "1.0.0",
|
|
760
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
761
|
+
"author": "emmanuelgjr"
|
|
762
|
+
}
|
|
763
|
+
]
|
|
764
|
+
}
|