awi-scan
v0.2.0
Published
Detect Agentic Workflow Injection risks in GitHub Actions workflows.
Maintainers
Readme
awi-scan
Detect Agentic Workflow Injection risks in GitHub Actions workflows.
Agentic Workflow Injection happens when untrusted GitHub text, such as a pull request body or issue comment, is sent to an AI coding agent that runs with repository privileges. awi-scan looks for that source-to-agent-to-privilege path before the agent runs.
awi-scan runs locally and offline. It does not send workflow contents to an external service.
npx awi-scan . --format humanawi-scan: 3 finding(s) in 5 workflow file(s)
critical awi.untrusted-prompt-to-agent examples/vulnerable/pull-request-target-agent.yml:1:1
Untrusted GitHub event content can reach an AI agent running with workflow privileges.
critical awi.untrusted-checkout-to-agent examples/vulnerable/pull-request-target-checkout-agent.yml:1:1
An AI agent can run after untrusted pull request code is checked out in a privileged workflow.Example Finding
name: vulnerable pull request agent
on:
pull_request_target:
permissions:
contents: write
jobs:
agent:
runs-on: ubuntu-latest
steps:
- uses: anthropics/claude-code-action@v1
with:
prompt: ${{ github.event.pull_request.body }}awi-scan reports this because untrusted pull request text reaches an agent while the workflow has write permissions.
critical awi.untrusted-prompt-to-agent .github/workflows/danger.yml:10:1
Untrusted GitHub event content can reach an AI agent running with workflow privileges.Safer Pattern
Run agents on trusted triggers, keep permissions read-only by default, and require a maintainer-controlled approval boundary before using untrusted text.
on:
workflow_dispatch:
permissions:
contents: readGitHub Action
name: awi-scan
on: [pull_request]
permissions:
contents: read
security-events: write
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: gnim81/[email protected]
with:
fail-on: highCLI
npx awi-scan --format human
npx awi-scan --format json --output awi-scan.json
npx awi-scan --format sarif --output awi-scan.sarif
npx awi-scan --fail-on critical
npx awi-scan rules
npx awi-scan explain awi.untrusted-prompt-to-agentWhat It Detects
- Untrusted issue, PR, comment, review, or discussion text.
- Event payload reads through
GITHUB_EVENT_PATH,gh,curl, or GitHub API calls. - Agent actions and agent CLI invocations.
- Untrusted pull request head checkouts before agent execution.
- Dangerous contexts such as
pull_request_target, write permissions, secrets, OIDC, and self-hosted runners.
See Threat Model and Rules for details.
Project
- Supported agent patterns: docs/agent-actions.md
- SARIF upload: docs/sarif-upload.md
- False positives: docs/false-positives.md
- Security reports: SECURITY.md
- Contributing: CONTRIBUTING.md
- Examples: docs/examples.md
License
MIT
