Coding Agent Security Checklist
26 audit checks for coding agents covering prompt-to-sink execution, repository trust boundaries, tool misuse, secret exposure, approval bypass, and evidence integrity.
🚨 Coding Agent Threat Landscape
Coding agents collapse prompt handling, shell execution, repository access, package installation, and cloud credentials into a single runtime. The real failures often happen at the execution sink, not the prompt layer.
• Prompt to shell: a single untrusted issue, README, or ticket field can steer code execution if argument provenance is weak
• Repository trust drift: agents routinely treat repo files, tests, and config as trusted even when attacker-controlled
• Approval surface: global auto-approve and standing permissions turn one mistaken grant into persistent execution authority
• Secret blast radius: developer machines and CI contexts often expose package tokens, cloud creds, and SSH material to agent tooling
• Evidence fragility: logs, task history, and scratch files are often incomplete or mutable, weakening forensics
• Supply chain overlap: coding agents frequently install dependencies, run scripts, and modify CI, so AI misuse and package compromise compound
CATEGORIES
Mixed-Trust Input Inventory
Critical: All prompt-adjacent inputs are classified by trust, including issues, PR text, READMEs, tests, package metadata, and generated files
Prompt-to-Sink Mapping
Critical: Each untrusted input path is traced to execution sinks like shell, eval, package install, CI config, or file write
Argument-Level Provenance
Critical: The system preserves provenance for command arguments, file paths, destinations, and generated code, not just for the top-level task
Command Construction Safety
Critical: Shell commands are built with structured argument arrays or equivalent safe construction, never with raw concatenated attacker-controlled strings
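The two checks above (argument-level provenance and structured command construction) are easiest to see side by side. The following is an added example, not code from the checklist or from Zealynx: each argument carries its source, untrusted values are passed as their own argv element (so shell metacharacters stay inert) and may not look like options unless the flag is allowlisted for that tool. The tool allowlist, the Arg source labels, and the sample issue text are constructed for the example.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

# Binaries the agent runtime may invoke, with the option flags each may receive
# from untrusted material. Hypothetical policy table constructed for this example.
ALLOWED_TOOLS = {
    "git": {"--no-pager"},
    "npm": set(),
    "pytest": {"-q", "-x"},
}


@dataclass(frozen=True)
class Arg:
    """A command argument together with where its value came from."""
    value: str
    source: str  # "operator", "policy", or "untrusted" (issue text, README, repo file, ...)


class UnsafeCommand(Exception):
    pass


def build_argv(tool: str, args: list[Arg]) -> list[str]:
    """Build an argv list for subprocess.run(shell=False), enforcing provenance rules.

    Each argument becomes its own element, so shell metacharacters inside an
    untrusted value stay inert. Untrusted values may not look like options unless
    the flag is on the tool's allowlist, which blocks option injection (a value
    such as "--output=..." that the tool itself would otherwise interpret).
    """
    if tool not in ALLOWED_TOOLS:
        raise UnsafeCommand(f"tool not allowlisted: {tool!r}")
    argv = [tool]
    for arg in args:
        if "\x00" in arg.value:
            raise UnsafeCommand("NUL byte in argument")
        if arg.source == "untrusted" and arg.value.startswith("-") and arg.value not in ALLOWED_TOOLS[tool]:
            raise UnsafeCommand(f"option-like untrusted argument: {arg.value!r}")
        argv.append(arg.value)
    return argv


def try_build(tool: str, args: list[Arg]) -> tuple[Optional[list[str]], Optional[str]]:
    """Return (argv, None) on success or (None, reason) when policy rejects the command."""
    try:
        return build_argv(tool, args), None
    except UnsafeCommand as exc:
        return None, str(exc)


def unsafe_command_string(tool: str, args: list[Arg]) -> str:
    """The anti-pattern, shown only for contrast: a concatenated string handed to a
    shell lets an attacker-controlled value end the command and start another."""
    return tool + " " + " ".join(a.value for a in args)


def run(argv: list[str], cwd: str) -> subprocess.CompletedProcess:
    """Execute with shell=False so the argv boundaries built above are preserved."""
    return subprocess.run(argv, cwd=cwd, shell=False, capture_output=True, text=True, check=False)


# Constructed sample: a branch name lifted verbatim from an untrusted issue body.
ISSUE_BRANCH = "fix-123; echo injected"

if __name__ == "__main__":
    args = [Arg("checkout", "operator"), Arg(ISSUE_BRANCH, "untrusted")]
    print("unsafe:", unsafe_command_string("git", args))  # one string, two commands if a shell parses it
    print("safe:  ", build_argv("git", args))              # the payload is a single inert argument
```

The provenance label is the part most runtimes drop: once the branch name has been copied into a plan or a generated script, nothing remembers that it came from an issue, which is why the check has to be applied at the point where the argv is assembled rather than where the task was accepted.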
Dynamic Execution Controls
Critical: Generated code, eval helpers, notebook cells, migrations, and package scripts execute only inside constrained sandboxes
Write-Scope Enforcement
High: Agents cannot write outside approved directories or mutate policy files like shell config, git hooks, IDE settings, and CI workflows without explicit re-approval
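A write-scope check has to decide on the resolved path, not on the string the agent proposed, or a symlink or a ".." segment walks around it. The following is an added example, not part of the checklist: writes outside the workspace are denied outright, and writes to policy files inside it return a "reapprove" decision instead of "allow". The policy pattern list is a constructed illustration of the file classes the item names.

```python
import os
import tempfile
from pathlib import Path

# Paths whose modification changes what gets executed or who is trusted. Writes
# here inside the workspace require explicit re-approval. Hypothetical policy list.
POLICY_PATTERNS = (
    ".git/hooks/",          # trailing slash: the whole directory
    ".git/config",
    ".github/workflows/",
    ".gitattributes",
    ".vscode/",
    ".idea/",
    ".bashrc", ".zshrc", ".profile",
)


def classify_write(workspace: str, target: str) -> str:
    """Return "allow", "reapprove", or "deny" for a proposed file write.

    The target is resolved (symlinks followed, ".." collapsed) before the
    containment check, so a symlink inside the workspace that points outside it
    is caught, as is a relative path that climbs out of the tree.
    """
    root = Path(workspace).resolve()
    candidate = Path(target) if os.path.isabs(target) else root / target
    resolved = candidate.resolve()  # non-strict: the final component need not exist yet
    try:
        rel = resolved.relative_to(root).as_posix()
    except ValueError:
        return "deny"  # outside the approved workspace, whatever the path looked like
    for pat in POLICY_PATTERNS:
        if pat.endswith("/"):
            if rel == pat.rstrip("/") or rel.startswith(pat):
                return "reapprove"
        elif rel == pat or rel.endswith("/" + pat):
            return "reapprove"
    return "allow"


def demo_symlink_escape() -> dict:
    """Constructed scenario: build/out inside the workspace is a symlink to a
    directory outside it. A naive string-prefix check would allow the write."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp, "workspace")
        outside = Path(tmp, "outside")
        (ws / "build").mkdir(parents=True)
        outside.mkdir()
        os.symlink(outside, ws / "build" / "out")
        return {
            "through_link": classify_write(str(ws), "build/out/output.txt"),
            "sibling_file": classify_write(str(ws), "build/real.txt"),
        }
```

The "reapprove" outcome is what makes the item's "without explicit re-approval" wording enforceable: an agent holding a general write permission for the workspace still has to surface a CI workflow or git hook change to the operator as a separate decision.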
Branch and Repo Target Validation
High: Agent actions are pinned to the intended repository, worktree, and branch, with safeguards against retargeting via poisoned instructions
Untrusted Test Containment
High: Running repository tests, build scripts, or codegen is treated as executing untrusted code unless the repo is explicitly trusted
Hook and Filter Neutralization
Critical: Git hooks, smudge/clean filters, aliases, and post-checkout behaviors are disabled or tightly controlled for agent sessions
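Two concrete controls for the hook and filter item, as an added example rather than anything from the checklist itself: an audit of a git config file for entries that cause git to execute a program or rewrite content, and a wrapper that launches git for the agent session with hooks redirected to an empty directory and inherited GIT_* state stripped. The config key list is curated for the example, and the sample config text is constructed.

```python
import os
import re

# Git config entries that make git run a program or rewrite file content. Keys are
# matched case-insensitively as "section.key" with any subsection name ignored;
# sections listed in EXEC_SECTIONS are flagged regardless of key. Curated list for
# this example, not an exhaustive catalogue of git's execution paths.
EXEC_KEYS = {
    "core.hookspath", "core.fsmonitor", "core.sshcommand", "core.pager",
    "core.editor", "diff.external", "credential.helper",
}
EXEC_SECTIONS = {"filter", "alias"}

_SECTION = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
_ENTRY = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=|$)")


def audit_git_config(text: str) -> list[str]:
    """Return the qualified names of config entries that can execute code.

    Works on the text of .git/config (or any git config file), so it can run
    before the agent's first git invocation in a repository.
    """
    findings = []
    section, subsection = None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section, subsection = m.group(1), m.group(2)
            continue
        m = _ENTRY.match(line)
        if not m or section is None:
            continue
        key = m.group(1)
        qualified = f'{section} "{subsection}".{key}' if subsection else f"{section}.{key}"
        if section.lower() in EXEC_SECTIONS or f"{section}.{key}".lower() in EXEC_KEYS:
            findings.append(qualified)
    return findings


def hardened_git_argv(args: list[str], empty_hooks_dir: str) -> list[str]:
    """Prefix a git command with -c overrides. Command-line config takes precedence
    over repository, global, and system config files, so hooks are redirected to an
    empty directory and the filesystem monitor and pager are switched off."""
    return ["git",
            "-c", f"core.hooksPath={empty_hooks_dir}",
            "-c", "core.fsmonitor=false",
            "-c", "core.pager=cat",
            *args]


def hardened_git_env(base_env: dict) -> dict:
    """Environment for an agent's git session: no inherited GIT_* variables, no
    system-wide config, an empty global config, and no interactive credential prompts."""
    env = {k: v for k, v in base_env.items() if not k.startswith("GIT_")}
    env["GIT_CONFIG_NOSYSTEM"] = "1"
    env["GIT_CONFIG_GLOBAL"] = os.devnull
    env["GIT_TERMINAL_PROMPT"] = "0"
    return env


# Constructed .git/config text: a hooks path and a smudge/clean filter beside
# ordinary settings, plus an alias that shadows a common subcommand.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\thooksPath = .husky
[filter "codec"]
\tsmudge = cat
\tclean = cat
[alias]
\tst = status
[remote "origin"]
\turl = https://example.invalid/repo.git
"""
```

Hooks are not copied by a clone, but a repository-local config can be changed by a setup script or by an earlier agent action, and a filter referenced from .gitattributes only runs once a matching driver is defined in some config file. Auditing the config and overriding it on the command line covers both routes.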
Credential Exposure Minimization
Critical: Agent runtimes receive only task-scoped credentials, not the operator's full shell environment or general-purpose cloud access
Secret Use Mediation
High: Sensitive operations use mediated brokers or attested tooling where possible, instead of exposing raw reusable secrets to the agent
Output Secret Scrubbing
High: Logs, patches, error traces, and generated docs are scrubbed for secrets before display, storage, or PR creation
Approval Persistence Boundaries
Critical: Approvals expire appropriately and do not silently persist across sessions, workspaces, subagents, or unrelated action classes
High-Risk Action Re-Authorization
Critical: Destructive or externally impactful actions require fresh authorization even if a broader permission was previously granted
Delegated Worker Attenuation
High: Subagents and delegated workers receive reduced authority by default, not the full parent runtime
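The three approval items above (persistence boundaries, high-risk re-authorization, delegated worker attenuation) describe one data model: an approval scoped to an action class, workspace, session, and principal, with an expiry, and with high-risk classes accepting only per-action grants. The following is an added example of that model, not the checklist's or Zealynx's code; the action class names, the high-risk set, and the five-minute delegation cap are constructed for the illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Action classes that never fall under a standing approval. Hypothetical taxonomy.
HIGH_RISK = {"git.push_force", "fs.delete_tree", "net.post_external", "pkg.publish"}
DELEGATE_TTL_CAP = 300.0  # a subagent inherits at most five minutes of standing authority


@dataclass(frozen=True)
class Approval:
    action_class: str                 # e.g. "fs.write", "git.push"
    workspace: str
    session_id: str
    principal: str                    # the agent or subagent allowed to spend it
    granted_at: float
    ttl_seconds: float
    action_id: Optional[str] = None   # set when the grant is bound to one concrete action
    max_uses: Optional[int] = None    # None: unlimited until expiry

    def expires_at(self) -> float:
        return self.granted_at + self.ttl_seconds


class ApprovalStore:
    def __init__(self):
        self._grants: list[Approval] = []
        self._uses: dict[int, int] = {}

    def grant(self, approval: Approval) -> Approval:
        self._grants.append(approval)
        return approval

    def delegate(self, parent: Approval, child_principal: str, child_session: str,
                 now: Optional[float] = None) -> Approval:
        """Attenuated copy for a subagent: same class and workspace, shorter life, one use."""
        now = time.time() if now is None else now
        if parent.action_class in HIGH_RISK:
            raise PermissionError("high-risk authority is never delegated")
        remaining = parent.expires_at() - now
        child = Approval(parent.action_class, parent.workspace, child_session, child_principal,
                         now, max(0.0, min(remaining, DELEGATE_TTL_CAP)), max_uses=1)
        return self.grant(child)

    def authorize(self, action_class: str, workspace: str, session_id: str, principal: str,
                  action_id: Optional[str] = None, now: Optional[float] = None) -> tuple[bool, str]:
        """Find an unexpired grant matching every dimension of the request and spend it."""
        now = time.time() if now is None else now
        for a in self._grants:
            if (a.action_class, a.workspace, a.session_id, a.principal) != (action_class, workspace, session_id, principal):
                continue
            if now >= a.expires_at():
                continue
            if action_class in HIGH_RISK and (action_id is None or a.action_id != action_id):
                continue  # standing grants never cover destructive or external actions
            if a.action_id is not None and a.action_id != action_id:
                continue
            used = self._uses.get(id(a), 0)
            if a.max_uses is not None and used >= a.max_uses:
                continue
            self._uses[id(a)] = used + 1
            return True, "approved"
        if action_class in HIGH_RISK:
            return False, "fresh per-action authorization required"
        return False, "no unexpired approval for this session, workspace, and principal"
```

Every dimension of the match is deliberate: dropping the workspace comparison is how a grant leaks across projects, dropping the principal comparison is how a subagent inherits the parent's authority, and accepting a standing grant for a high-risk class is how "approve all" becomes a force-push.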
Dependency Installation Review
High: Package installs, plugin adds, MCP connections, and remote setup scripts are gated by provenance checks and trust policy
Build and CI Mutation Review
High: Changes to CI, release, deployment, or package publishing workflows receive enhanced scrutiny
Plugin and Skill Provenance
High: Agent plugins, skills, and connector manifests are treated as executable policy artifacts and reviewed for hidden authority
Network Egress Policy
High: Agents have explicit outbound network policy, with internal services, metadata endpoints, and credential brokers blocked by default
Remote Destination Validation
High: PR comments, issue posts, webhooks, and other outbound destinations are validated against expected owners and repositories
Cost and Token Abuse Controls
Medium: The platform detects runaway loops, oversized contexts, and expensive model routing triggered by malicious tasks or poisoned content
Action Log Integrity
High: Every command, file write, approval decision, and external action is recorded with tamper-evident metadata
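"Tamper-evident metadata" for an action log usually means a hash chain with a keyed MAC: each record commits to the previous one, so an edit, deletion, or reordering is detectable at the first affected record. The following is an added example of that construction, not code from the checklist; the record layout, the kinds and actors, and the demo key are constructed for the illustration.

```python
import copy
import hashlib
import hmac
import json
import time
from typing import Optional

GENESIS = "0" * 64  # "previous MAC" value for the first record


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so the same record always MACs the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ActionLog:
    """Append-only action log in which every record carries the MAC of the previous
    record and an HMAC over its own content. The key is held by the log service,
    not by the agent runtime whose actions it records."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: list[dict] = []

    def append(self, kind: str, detail: dict, actor: str, ts: Optional[float] = None) -> dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        body = {
            "seq": len(self.records),
            "ts": time.time() if ts is None else ts,
            "kind": kind,      # "command", "file_write", "approval", "external_action", ...
            "actor": actor,    # "agent", "subagent:<id>", "operator"
            "detail": detail,
            "prev": prev,
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        record = dict(body, mac=mac)
        self.records.append(record)
        return record


def verify(records: list[dict], key: bytes) -> tuple[bool, int]:
    """Return (True, n) when all n records chain correctly, otherwise (False, index)
    with the index of the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, len(records)


def demo_tamper_detection() -> dict:
    """Constructed session: three records, then four ways the record set can be altered."""
    key = b"constructed-demo-key-not-for-real-use"
    log = ActionLog(key)
    log.append("command", {"argv": ["git", "status"]}, "agent", ts=1.0)
    log.append("file_write", {"path": "src/app.py", "sha256": "c0ffee"}, "agent", ts=2.0)
    log.append("approval", {"action": "git.push", "decision": "deny"}, "operator", ts=3.0)

    edited = copy.deepcopy(log.records)
    edited[1]["detail"]["path"] = ".github/workflows/ci.yml"  # rewrite history in place
    deleted = log.records[:1] + log.records[2:]                # drop the file write
    reordered = [log.records[0], log.records[2], log.records[1]]

    return {
        "intact": verify(log.records, key),
        "edited": verify(edited, key),
        "deleted": verify(deleted, key),
        "reordered": verify(reordered, key),
        "wrong_key": verify(log.records, b"another-key"),
    }
```

The chain only proves integrity relative to the most recent record an auditor can trust, so in practice the latest MAC is periodically anchored somewhere the agent cannot write (a separate store or a signed checkpoint); truncating the tail of a log is otherwise indistinguishable from the log simply ending there.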
Transcript and Artifact Retention
Medium: Conversation history, generated plans, and scratch artifacts are retained long enough for post-incident review
Diff Reviewability
Medium: The system produces human-reviewable diffs and rationale for every material code change
Rollback and Containment Readiness
Medium: Operators can revert agent changes, disable delegated workers, and revoke credentials quickly after suspicious behavior
Owner-Harm Scenarios Tested
Critical: The audit explicitly tests whether the agent can betray its own operator through secret leak, destructive code change, or unauthorized remote action
Need a coding agent security audit?
Zealynx reviews the real authority surface of coding agents, from prompt-to-shell sinks and repo trust boundaries to approval semantics, secrets, and forensics.