ship-safe 6.4.0 → 8.0.0

package/cli/agents/cicd-scanner.js

@@ -241,6 +241,28 @@ const PATTERNS = [
     description: 'claw-code (Rust/Python Claude Code rewrite) is invoked with --dangerously-skip-permissions in CI. Any prompt injection in the workspace executes without confirmation.',
     fix: 'Remove --dangerously-skip-permissions. Use --permission-mode=workspace-write for CI automation.',
   },
+
+  // ── Branch Name Injection (Codex-class attack, CVE pending) ──────────────
+  {
+    rule: 'CICD_BRANCH_NAME_INJECTION',
+    title: 'CI/CD: Unsanitized Branch Name in Shell Command',
+    regex: /(?:git\s+(?:checkout|switch|clone\s+--branch|fetch\s+origin))\s+(?:\$\{\{[^}]*(?:head\.ref|branch|ref_name)[^}]*\}\}|\$(?:BRANCH|GITHUB_HEAD_REF|CI_COMMIT_BRANCH|BITBUCKET_BRANCH))/gi,
+    severity: 'critical',
+    cwe: 'CWE-78',
+    owasp: 'CICD-SEC-4',
+    description: 'Branch name from an external source (PR head ref, environment variable) is passed directly to a git shell command without sanitization. Attackers can create branches with names containing shell metacharacters to inject arbitrary commands. This is the exact attack vector used in the OpenAI Codex GitHub token theft (BeyondTrust Phantom Labs, Mar 2026).',
+    fix: 'Sanitize branch names: strip shell metacharacters, use -- to separate git options from arguments, or use actions/checkout which handles this safely.',
+  },
+  {
+    rule: 'CICD_BRANCH_NAME_IN_RUN',
+    title: 'CI/CD: Branch Name Interpolated in run Step',
+    regex: /run\s*:\s*[^\n]*\$\{\{\s*(?:github\.head_ref|github\.ref_name)\s*\}\}/g,
+    severity: 'high',
+    cwe: 'CWE-78',
+    owasp: 'CICD-SEC-4',
+    description: 'GitHub expression for branch name used directly in a run step. An attacker can craft a branch name with shell injection payloads. This pattern was exploited in the OpenAI Codex vulnerability to steal GitHub OAuth tokens.',
+    fix: 'Assign to an environment variable first: env: BRANCH: ${{ github.head_ref }}, then reference as "$BRANCH" (quoted) in the run step.',
+  },
 ];
 
 export class CICDScanner extends BaseAgent {

package/cli/agents/config-auditor.js

@@ -299,6 +299,74 @@ const CONFIG_PATTERNS = [
     fix: 'Remove sensitive host mounts. Use named volumes for data persistence.',
   },
 
+  // ── Container Sandbox Hardening (Mythos-class escape prevention) ──────────
+  {
+    rule: 'DOCKER_NO_READ_ONLY_ROOT',
+    title: 'Docker: Writable Root Filesystem',
+    regex: /(?:read_only|readOnlyRootFilesystem)\s*:\s*false/g,
+    severity: 'high',
+    cwe: 'CWE-732',
+    description: 'Container has writable root filesystem. Attackers can write exploit payloads after gaining code execution.',
+    fix: 'Set read_only: true (Compose) or readOnlyRootFilesystem: true (K8s). Use tmpfs mounts for writable paths.',
+  },
+  {
+    rule: 'DOCKER_NO_NEW_PRIVILEGES',
+    title: 'Docker: Missing no-new-privileges Flag',
+    regex: /security_opt\s*:\s*\[?[^\]]*no-new-privileges\s*:\s*false/g,
+    severity: 'high',
+    cwe: 'CWE-269',
+    description: 'Container allows privilege escalation via setuid/setgid binaries. This enables sandbox escape.',
+    fix: 'Add security_opt: [no-new-privileges:true] to container configuration.',
+  },
+  {
+    rule: 'DOCKER_NETWORK_HOST',
+    title: 'Docker: Host Network Mode',
+    regex: /network_mode\s*:\s*["']?host["']?/g,
+    severity: 'critical',
+    cwe: 'CWE-284',
+    description: 'Container uses host network stack. A sandbox escape gains full network access to the host and local network.',
+    fix: 'Remove network_mode: host. Use bridge networking with explicit port mappings.',
+  },
+  {
+    rule: 'DOCKER_CAP_SYS_ADMIN',
+    title: 'Docker: SYS_ADMIN Capability',
+    regex: /cap_add\s*:[\s\S]*?(?:SYS_ADMIN|ALL)/g,
+    severity: 'critical',
+    cwe: 'CWE-250',
+    description: 'SYS_ADMIN or ALL capabilities grant near-root host access. This is equivalent to privileged mode.',
+    fix: 'Remove SYS_ADMIN from cap_add. Use the minimum capabilities required.',
+  },
+  {
+    rule: 'DOCKER_PID_HOST',
+    title: 'Docker: Host PID Namespace',
+    regex: /pid\s*:\s*["']?host["']?/g,
+    severity: 'high',
+    cwe: 'CWE-284',
+    description: 'Container shares host PID namespace. Processes can inspect and signal host processes after escape.',
+    fix: 'Remove pid: host. Use default PID namespace isolation.',
+  },
+
+  // ── Kubernetes Sandbox Hardening ──────────────────────────────────────────
+  {
+    rule: 'K8S_ALLOW_PRIVILEGE_ESCALATION',
+    title: 'Kubernetes: allowPrivilegeEscalation Not Disabled',
+    regex: /allowPrivilegeEscalation\s*:\s*true/g,
+    severity: 'high',
+    cwe: 'CWE-269',
+    description: 'Container allows privilege escalation. Set to false to prevent setuid-based escape.',
+    fix: 'Set allowPrivilegeEscalation: false in securityContext.',
+  },
+  {
+    rule: 'K8S_NO_SECCOMP',
+    title: 'Kubernetes: Missing Seccomp Profile',
+    regex: /securityContext\s*:\s*\{(?:(?!seccompProfile)[\s\S])*?\}/g,
+    severity: 'medium',
+    cwe: 'CWE-693',
+    confidence: 'low',
+    description: 'No seccomp profile configured. Seccomp restricts syscalls available to the container, reducing escape surface.',
+    fix: 'Add seccompProfile: { type: RuntimeDefault } to securityContext.',
+  },
+
   // ── Nginx ──────────────────────────────────────────────────────────────────
   {
     rule: 'NGINX_AUTOINDEX',
@@ -416,12 +484,14 @@ export class ConfigAuditor extends BaseAgent {
     for (const file of dockerfiles) {
       findings = findings.concat(this.scanFileWithPatterns(file, DOCKERFILE_PATTERNS));
       findings = findings.concat(this.checkDockerfileUser(file));
+      findings = findings.concat(this.checkDockerEngineVersion(file));
     }
 
     // ── Scan docker-compose ───────────────────────────────────────────────────
     const composeFiles = files.filter(f => /docker-compose\.ya?ml$/i.test(path.basename(f)));
     for (const file of composeFiles) {
       findings = findings.concat(this.scanFileWithPatterns(file, CONFIG_PATTERNS));
+      findings = findings.concat(this.checkComposeNetworkIsolation(file));
     }
 
     // ── Scan Terraform ────────────────────────────────────────────────────────
@@ -430,6 +500,11 @@ export class ConfigAuditor extends BaseAgent {
       findings = findings.concat(this.scanFileWithPatterns(file, CONFIG_PATTERNS));
     }
 
+    // ── Scan for S3 Files NFS mounts (Terraform, ECS task defs, K8s) ─────────
+    for (const file of tfFiles) {
+      findings = findings.concat(this.checkS3FilesMountSecurity(file));
+    }
+
     // ── Scan Kubernetes manifests ─────────────────────────────────────────────
     const k8sFiles = files.filter(f => {
       const relPath = path.relative(rootPath, f).replace(/\\/g, '/');
@@ -439,6 +514,20 @@ export class ConfigAuditor extends BaseAgent {
       findings = findings.concat(this.scanFileWithPatterns(file, CONFIG_PATTERNS));
     }
 
+    // ── S3 Files NFS mounts in K8s ─────────────────────────────────────────────
+    for (const file of k8sFiles) {
+      findings = findings.concat(this.checkS3FilesMountSecurity(file));
+    }
+
+    // ── ECS task definitions with S3 Files ────────────────────────────────────
+    const ecsFiles = files.filter(f => {
+      const content = this.readFile(f);
+      return content && /taskDefinition|containerDefinitions/i.test(content) && /\.(?:json|ya?ml|tf)$/i.test(f);
+    });
+    for (const file of ecsFiles) {
+      findings = findings.concat(this.checkS3FilesMountSecurity(file));
+    }
+
     // ── Project-level: K8s NetworkPolicy check ─────────────────────────────────
     if (k8sFiles.length > 0) {
       const hasNetworkPolicy = k8sFiles.some(f => {
@@ -516,6 +605,152 @@ export class ConfigAuditor extends BaseAgent {
     }
     return [];
   }
+
+  /**
+   * Check Dockerfile for vulnerable Docker Engine versions (CVE-2026-34040).
+   * Detects version pins in FROM directives and docker-compose engine constraints.
+   */
+  checkDockerEngineVersion(filePath) {
+    const content = this.readFile(filePath);
+    if (!content) return [];
+
+    const findings = [];
+    const lines = content.split('\n');
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (this.isSuppressed(line)) continue;
+
+      // Match: FROM docker:<version> or engine version references in comments/labels
+      const versionMatch = line.match(/(?:docker|moby)[:\s]+(\d+)\.(\d+)\.(\d+)/i);
+      if (versionMatch) {
+        const major = parseInt(versionMatch[1], 10);
+        const minor = parseInt(versionMatch[2], 10);
+        const patch = parseInt(versionMatch[3], 10);
+
+        // CVE-2026-34040: fixed in 29.3.1
+        if (major < 29 || (major === 29 && minor < 3) || (major === 29 && minor === 3 && patch < 1)) {
+          findings.push(createFinding({
+            file: filePath,
+            line: i + 1,
+            severity: 'critical',
+            category: 'config',
+            rule: 'DOCKER_CVE_2026_34040',
+            title: 'Docker: Engine Version Vulnerable to AuthZ Bypass (CVE-2026-34040)',
+            description: `Docker Engine ${versionMatch[1]}.${versionMatch[2]}.${versionMatch[3]} is vulnerable to CVE-2026-34040 (CVSS 8.8). Attackers can bypass authorization plugins via oversized requests, creating privileged containers and extracting host credentials.`,
+            matched: versionMatch[0],
+            cwe: 'CWE-863',
+            fix: 'Upgrade to Docker Engine 29.3.1 or later. As a temporary mitigation, run Docker in rootless mode or use --userns-remap.',
+          }));
+        }
+      }
+    }
+    return findings;
+  }
+
+  /**
+   * Check for S3 Files NFS mounts without security restrictions.
+   * S3 Files (April 2026) allows mounting S3 buckets as NFS filesystems.
+   * When AI agents have filesystem access to mounted S3 buckets, prompt injection
+   * can access entire buckets through normal file reads.
+   */
+  checkS3FilesMountSecurity(filePath) {
+    const content = this.readFile(filePath);
+    if (!content) return [];
+
+    const findings = [];
+    const lines = content.split('\n');
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (this.isSuppressed(line)) continue;
+
+      // Detect S3 Files / S3 NFS mount references
+      const isS3Mount = /(?:s3[_-]?files|s3.*(?:nfs|mount|filesystem)|file_system_id.*s3|efs.*s3|mount.*s3:\/\/)/i.test(line);
+      if (!isS3Mount) continue;
+
+      // Check surrounding context (10 lines) for read-only or prefix scoping
+      const contextStart = Math.max(0, i - 5);
+      const contextEnd = Math.min(lines.length, i + 10);
+      const context = lines.slice(contextStart, contextEnd).join('\n');
+
+      const hasReadOnly = /read[_-]?only|readOnly|ro\b|access_mode.*read/i.test(context);
+      const hasPrefixScope = /prefix|sub[_-]?path|path[_-]?prefix|mount[_-]?point.*\/[a-z]/i.test(context);
+
+      if (!hasReadOnly) {
+        findings.push(createFinding({
+          file: filePath,
+          line: i + 1,
+          severity: 'high',
+          category: 'config',
+          rule: 'S3_FILES_MOUNT_NOT_READONLY',
+          title: 'S3 Files: NFS Mount Without Read-Only Restriction',
+          description: 'S3 bucket mounted as a filesystem without read-only flag. AI agents or compromised workloads can write arbitrary data to the entire bucket via standard file operations.',
+          matched: line.trim(),
+          cwe: 'CWE-732',
+          fix: 'Mount S3 Files with read-only access unless writes are explicitly needed. Use IAM policies to restrict access scope.',
+        }));
+      }
+
+      if (!hasPrefixScope) {
+        findings.push(createFinding({
+          file: filePath,
+          line: i + 1,
+          severity: 'medium',
+          category: 'config',
+          rule: 'S3_FILES_MOUNT_NO_PREFIX',
+          title: 'S3 Files: NFS Mount Without Prefix Scoping',
+          description: 'S3 bucket mounted at root without prefix scoping. The entire bucket is accessible as a filesystem. Scope mounts to specific prefixes to limit blast radius.',
+          matched: line.trim(),
+          cwe: 'CWE-284',
+          confidence: 'medium',
+          fix: 'Mount only the specific S3 prefix needed (e.g., s3://bucket/app-data/) instead of the entire bucket.',
+        }));
+      }
+    }
+    return findings;
+  }
+
+  /**
+   * Check if a docker-compose service running an AI agent has network restrictions.
+   * Services with "agent", "ai", "llm", "mcp" in the name or image without
+   * explicit network_mode or networks configuration are flagged.
+   */
+  checkComposeNetworkIsolation(filePath) {
+    const content = this.readFile(filePath);
+    if (!content) return [];
+
+    const findings = [];
+    // Check for services that look like AI/agent containers without network restrictions
+    const serviceBlockRe = /^\s{2}(\S+):\s*\n((?:\s{4,}.+\n)*)/gm;
+    let match;
+    while ((match = serviceBlockRe.exec(content)) !== null) {
+      const serviceName = match[1];
+      const serviceBlock = match[2];
+      const isAgentService = /(?:agent|ai|llm|mcp|model|inference)/i.test(serviceName) ||
+        /(?:agent|ai|llm|mcp|model|inference)/i.test(serviceBlock);
+
+      if (isAgentService) {
+        const hasNetworkRestriction = /network_mode\s*:|networks\s*:/m.test(serviceBlock);
+        if (!hasNetworkRestriction) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push(createFinding({
+            file: filePath,
+            line: lineNum,
+            severity: 'high',
+            category: 'config',
+            rule: 'COMPOSE_AGENT_UNRESTRICTED_NETWORK',
+            title: 'Docker Compose: AI Agent Service Without Network Restrictions',
+            description: `Service "${serviceName}" appears to run an AI agent but has no network_mode or networks configuration. Unrestricted outbound network access enables data exfiltration after sandbox escape.`,
+            matched: serviceName,
+            cwe: 'CWE-284',
+            fix: 'Add network_mode: none for fully isolated agents, or configure a restricted network with explicit egress rules.',
+          }));
+        }
+      }
+    }
+    return findings;
+  }
 }
 
 export default ConfigAuditor;

package/cli/agents/deep-analyzer.js

@@ -25,8 +25,15 @@ import { createProvider, autoDetectProvider } from '../providers/llm-provider.js
 // CONSTANTS
 // =============================================================================
 
-/** Max file content to send per finding (tokens are expensive) */
-const MAX_FILE_CHARS = 4000;
+/** Max file content per finding for standard providers (tokens cost money) */
+const MAX_FILE_CHARS_DEFAULT = 4000;
+
+/**
+ * Max file content per finding for large-context providers (Gemma 4 128K–256K).
+ * Sending the full file enables cross-function taint tracing that a 40-line
+ * window cannot catch.
+ */
+const MAX_FILE_CHARS_LARGE_CTX = 80000;
 
 /** Max findings to analyze per run (cost control) */
 const MAX_FINDINGS = 30;
@@ -84,6 +91,14 @@ export class DeepAnalyzer {
     this.verbose = options.verbose || false;
     this.spentCents = 0;
     this.analyzedCount = 0;
+
+    // If the provider advertises a large context window (Gemma 4, etc.),
+    // increase file context and batch size to take full advantage.
+    const ctxWindow = this.provider?.contextWindow ?? 0;
+    this.largeContext = ctxWindow >= 65536;
+    this.maxFileChars = this.largeContext ? MAX_FILE_CHARS_LARGE_CTX : MAX_FILE_CHARS_DEFAULT;
+    // Larger batches for local large-context models (no per-token cost)
+    this.batchSize = this.largeContext ? 15 : 5;
   }
 
   /**
@@ -91,11 +106,11 @@ export class DeepAnalyzer {
    * Returns null if no provider is available.
    */
   static create(rootPath, options = {}) {
-    // --local flag: use Ollama
+    // --local flag: use Gemma 4 via Ollama (structured output, large context)
     if (options.local) {
-      const provider = createProvider('ollama', null, {
-        model: options.model || 'llama3.2',
-        baseUrl: options.ollamaUrl || 'http://localhost:11434/api/chat',
+      const provider = createProvider('gemma4', null, {
+        model:   options.model,
+        baseUrl: options.ollamaUrl,
       });
       return new DeepAnalyzer({ provider, ...options });
     }
@@ -141,11 +156,10 @@ export class DeepAnalyzer {
       toAnalyze.length = Math.max(1, affordable);
     }
 
-    // Batch findings (5 per request to balance cost vs. context)
-    const batchSize = 5;
+    // Batch findings — larger batches for large-context providers (Gemma 4 etc.)
     const results = new Map();
 
-    for (let i = 0; i < toAnalyze.length; i += batchSize) {
+    for (let i = 0; i < toAnalyze.length; i += this.batchSize) {
       // Budget check before each batch
       if (this.spentCents >= this.budgetCents) {
         if (this.verbose) {
@@ -154,7 +168,7 @@ export class DeepAnalyzer {
         break;
       }
 
-      const batch = toAnalyze.slice(i, i + batchSize);
+      const batch = toAnalyze.slice(i, i + this.batchSize);
       const prompt = this._buildPrompt(batch, context);
 
       try {
@@ -261,16 +275,22 @@ ${JSON.stringify(items, null, 2)}`;
       const lines = content.split('\n');
       const lineNum = finding.line || 1;
 
-      // Get a window of ~40 lines around the finding
-      const start = Math.max(0, lineNum - 21);
-      const end = Math.min(lines.length, lineNum + 20);
-      let context = lines.slice(start, end)
-        .map((l, i) => `${start + i + 1}: ${l}`)
-        .join('\n');
+      let context;
+      if (this.largeContext) {
+        // Large-context providers (Gemma 4): send the entire file so the model
+        // can trace taint flows across functions, not just the immediate window.
+        context = lines.map((l, i) => `${i + 1}: ${l}`).join('\n');
+      } else {
+        // Standard providers: 40-line window around the finding
+        const start = Math.max(0, lineNum - 21);
+        const end = Math.min(lines.length, lineNum + 20);
+        context = lines.slice(start, end)
+          .map((l, i) => `${start + i + 1}: ${l}`)
+          .join('\n');
+      }
 
-      // Truncate if too long
-      if (context.length > MAX_FILE_CHARS) {
-        context = context.slice(0, MAX_FILE_CHARS) + '\n... (truncated)';
+      if (context.length > this.maxFileChars) {
+        context = context.slice(0, this.maxFileChars) + '\n... (truncated)';
       }
 
       return context;