今日已更新 166 条资讯 | 累计 20138 条内容
关于我们

your CI agent is reading more than your prompt

Paulo Victor Leite Lima Gomes 2026年06月20日 08:01 2 次阅读 来源:Dev.to

The dangerous thing about CI agents is not that they can write code. It is that they run in the place where we already concentrate trust. CI has repository access. CI has tokens. CI has build logs. CI can fetch dependencies, publish artifacts, comment on pull requests, open issues, deploy previews, and sometimes touch production systems. It is the automation layer we taught ourselves to trust because the alternative was humans doing the same boring steps by hand. Now we are putting agents inside it. That is useful. It is also exactly where the security model gets weird. Microsoft published a write-up this month about a Claude Code GitHub Action case where untrusted GitHub content and file-reading capability could combine badly. The short version is that an agent operating in a CI/CD context had enough ambient access to read more than the user probably intended, including process environment data that could expose workflow secrets. Anthropic mitigated the issue in Claude Code 2.1.128. The specific bug matters. The pattern matters more. CI/CD agents are not chatbots with a build badge. They are automated actors running in a high-trust environment while reading untrusted instructions from pull requests, issues, comments, commit messages, files, logs, and whatever else the workflow feeds them. That combination deserves more fear than it is getting. prompts are now part of the attack surface We are used to thinking about CI security in terms of code and configuration. Who can modify the workflow file? Which secrets are available to pull requests? Do forks get privileged tokens? Are dependencies pinned? Are artifacts trusted? Can a build script publish something? Does the workflow run on pull_request or pull_request_target ? Those questions still matter. But agents add another layer: text becomes operational input. The agent may read a pull request description. It may read a comment asking it to fix a test. It may read source files changed by an untrusted contributor. It

本文内容来源于互联网,版权归原作者所有
查看原文