Skip to content

feat: add SKILL.md security scanner gate (QEMETRICS-2414)#42

Merged
Benkapner merged 5 commits into
mainfrom
QEMETRICS-2414/security-gate-additions
Jun 25, 2026
Merged

feat: add SKILL.md security scanner gate (QEMETRICS-2414)#42
Benkapner merged 5 commits into
mainfrom
QEMETRICS-2414/security-gate-additions

Conversation

@Benkapner

Copy link
Copy Markdown
Collaborator

Summary

Adds a new SecurityGate implementation that scans SKILL.md files in submissions for security risks using deterministic regex checks, complementing the existing Cisco scanner. Security scanning patterns originate from the harness-eval-lab repo (setup-eval) and are adapted for ABEvalFlow's gate architecture.

Also refactors the SecurityGate base class to extract shared JSON-reading and scoring logic into evaluate_scan_json(), removing ~130 lines of duplication. Both CiscoGate and the new SkillMdScannerGate now delegate to this shared method.

What it scans

The scanner checks markdown files for 5 categories of security risk:

  • Prompt injection (17 patterns): jailbreak attempts, encoding tricks, markdown image exfiltration, role hijack, safety bypass
  • Sensitive path references (10 patterns): ~/.ssh/, ~/.aws/credentials, /etc/shadow, ~/.kube/config
  • Sensitive env var access (9 patterns): $OPENAI_API_KEY, $AWS_SECRET_ACCESS_KEY, $GITHUB_TOKEN
  • Dangerous commands (3 patterns): sudo, chmod 777, chown root
  • Obfuscation (8 patterns): eval with decode, hex/unicode escapes, zero-width chars, dynamic exec

Context-aware severity: patterns inside code blocks or example text ("for example", blockquotes) are demoted to LOW instead of blocking.

Narrowed patterns: markdown image skips trusted domains (docs, github, imgur), translate evasion skips known languages. Directory excludes: .git, node_modules, vendor, pycache, .venv.

Files

File What
abevalflow/security/skillmd_scanner.py Scanning engine (regex patterns, context-awareness)
scripts/skillmd_security_scan.py CLI entry point (writes JSON report)
abevalflow/gates/security/skillmd_scanner.py SecurityGate subclass (reads JSON, returns GateResult)
abevalflow/gates/security/base.py Refactored base class with shared evaluate_scan_json()
abevalflow/gates/security/cisco.py Slimmed down to use shared base method
pipeline/tasks/phases/test.yaml Wired as step 3 in test phase
tests/test_skillmd_scanner.py 46 tests (scanner + gate + false-positive resistance)

How it integrates

The gate registers via @register_security_gate(\"skillmd-scanner\") and is auto-discovered by aggregate_scorecard.py through get_all_security_gates(). No changes needed to scorecard, certification, or Compass facts.

Task always exits 0; gate decides pass/fail via policy (matches Cisco pattern).

Test plan

  • 46 new tests pass (scanner patterns, context-awareness, false-positive resistance, gate modes)
  • All 26 existing gate registry tests pass (including refactored CiscoGate)
  • ruff lint + format clean
  • Run pipeline test script (./scripts/misc/trigger_test_runs.sh)

Ref: QEMETRICS-2414

Replaces PR #38 (moved from fork to org branch per review feedback).">

Add a SecurityGate implementation that scans SKILL.md files for security
risks. Plugs into the gate registry alongside the existing Cisco gate.
Patterns ported from harness-eval-lab (setup-eval).

Checks: prompt injection (17 patterns), credential access (22 patterns),
data exfiltration (8), reverse shells (10), obfuscation (8). Context-aware
severity demotion for patterns inside code blocks or examples.

Also refactors SecurityGate base class to extract shared JSON-reading and
scoring logic, removing duplication between Cisco and the new gate.
- Wire skillmd-security-scan into the test phase as step 3
- Remove exit 1 from Tekton task; let aggregate_scorecard.py decide
  pass/fail via gate policy (matches Cisco pattern)
- Narrow markdown image pattern to exclude docs/github/imgur domains
- Narrow translate evasion pattern to exclude known languages
- Add directory excludes (.git, node_modules, vendor, __pycache__)
- Add false-positive tests for narrowed patterns and dir excludes
These are shell/code patterns (curl, wget, netcat, bash -i) that target
Python and shell files. The Cisco scanner already covers these in .py
files. In markdown files they almost exclusively appear inside code blocks,
where they get demoted to LOW severity and add noise without signal.
The scan runs inline as step 3 in pipeline/tasks/phases/test.yaml.
The standalone task file was never wired into any pipeline.
@Benkapner Benkapner requested a review from GuyZivRH June 24, 2026 10:52
GuyZivRH
GuyZivRH previously approved these changes Jun 24, 2026

@GuyZivRH GuyZivRH left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

solve minor linting issues and mereg

@Benkapner Benkapner merged commit a147648 into main Jun 25, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants