| Version | Supported |
|---|---|
| 0.5.x | Yes |
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public GitHub issue
- Email security concerns to the maintainers directly
- Include a description of the vulnerability and steps to reproduce
We will respond within 48 hours and provide a fix timeline.
autoforge implements the following security controls:
| Risk | Mitigation |
|---|---|
| ASI01: Agent Goal Hijack | Prompt injection detection hooks |
| ASI02: Tool Misuse | Minimal-privilege tool configuration |
| ASI06: Data Leakage | Secret leak detection in LLM output |
| ASI07: Unsafe Code Execution | Syntax validation on all edits, command blocklist |
| ASI08: Uncontrolled Autonomy | Human approval gate for production deploys |
- Prompt injection detection: 7 patterns checked on all LLM inputs
- Secret leak prevention: API keys, private keys, tokens detected and blocked
- Command blocklist:
sudo,rm -rf /,curl, etc. blocked in ACI toolkit
Test and Security agents use a different LLM model than the code generator, eliminating self-evaluation bias.