[Security Review] Daily Security Review and Threat Modeling — 2026-03-23

[github-actions[bot]]

📊 Executive Summary

This review covers the gh-aw-firewall codebase as of 2026-03-23, analyzing network security, container hardening, domain validation, input handling, and the full threat surface. The overall security posture is strong, with a defense-in-depth architecture combining host-level iptables, Squid L7 proxy filtering, container capability dropping, seccomp allowlisting, one-shot token protection, and tmpfs overlays. No critical vulnerabilities were found. Two medium-severity design gaps and two low-severity observations are documented below, with actionable recommendations.

Category	Rating	Key Evidence
Network Filtering	✅ Strong	Host DOCKER-USER chain + Squid ACLs, IPv6 fallback via sysctl
Container Hardening	✅ Good	Seccomp default-deny, no-new-privileges, resource limits
Credential Isolation	⚠️ Partial	One-shot tokens protect most secrets; GITHUB_TOKEN forwarded unconditionally
Domain Validation	✅ Good	ReDoS-safe regex, broad wildcard rejection
Input Handling	✅ Good	Shell escaping in Docker Compose command array
Dependencies	✅ Clean	npm audit: 0 vulnerabilities

---

🔍 Findings from Previous Security Testing

No "firewall-escape-test" workflow was found in the workflow registry (agenticworkflows-status). The closest workflow is security-review (this workflow, running daily). The secret-digger-claude, secret-digger-codex, and secret-digger-copilot workflows run hourly and provide complementary secret-leakage detection. No prior run logs were accessible from within this workflow context. All findings below are independently gathered from codebase analysis.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Host-level filtering (src/host-iptables.ts):

# Confirmed evidence — src/host-iptables.ts
const CHAIN_NAME = 'FW_WRAPPER';       # Dedicated chain in DOCKER-USER
iptables -t filter -A CHAIN_NAME -s squidIp -j ACCEPT        # Squid gets unrestricted outbound
iptables -t filter -A CHAIN_NAME -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A CHAIN_NAME -d 169.254.0.0/16 -j REJECT # Cloud metadata blocked
iptables -t filter -A CHAIN_NAME -p udp -j REJECT             # UDP default deny
iptables -t filter -A CHAIN_NAME -j REJECT                    # TCP default deny

Rules are correctly ordered: Squid egress allow → conntrack → localhost → DNS → deny all. The "allow before final deny" pattern is correct.

Container-level NAT (containers/agent/setup-iptables.sh):

• HTTP (80) and HTTPS (443) are DNAT'd to Squid port 3128 — defense-in-depth for proxy-unaware tools
• Dangerous ports (SSH 22, SMTP 25, databases 1433/1521/3306/5432/6379/27017) are blocked at NAT level before DNAT
• Docker embedded DNS rules (127.0.0.11) are saved and restored after NAT flush — prevents silent DNS breakage

IPv6 fallback: When ip6tables is unavailable, both host (src/host-iptables.ts:108) and container (containers/agent/setup-iptables.sh:35-37) disable IPv6 via sysctl net.ipv6.conf.all.disable_ipv6=1, preventing an unfiltered bypass path.

Squid configuration (src/squid-config.ts:549-554):

acl dst_ipv4 dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl dst_ipv6 dstdom_regex ^\[?[0-9a-fA-F:]+\]?$
http_access deny dst_ipv4
http_access deny dst_ipv6

Direct IP-address connections are blocked before domain allowlist checks, preventing domain filter bypass via raw IPs.

Container Security Assessment

Seccomp profile (containers/agent/seccomp-profile.json):

• Default action: SCMP_ACT_ERRNO — default-deny allowlist model (excellent)
• Explicitly blocked: ptrace, process_vm_readv/writev (memory injection prevention), kexec_*, reboot, kernel module loading, pivot_root, keyctl, umount
• Architecture targets: x86_64, x86, aarch64

Capabilities (src/docker-manager.ts:1013-1022):

cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],   // Needed for chroot + procfs mount
cap_drop: ['...all dangerous caps...'],
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',               // ← See Finding F-1
],
mem_limit: config.memoryLimit || '2g',
pids_limit: 1000,

SYS_ADMIN is dropped via capsh in containers/agent/entrypoint.sh:307 before user code runs:

echo "[entrypoint] Chroot mode enabled - dropping CAP_SYS_CHROOT and CAP_SYS_ADMIN"

Resource limits: 2 GB memory (no swap), 1000 PIDs, default CPU shares — prevents container-level DoS.

Credential isolation: One-shot token LD_PRELOAD library (/usr/local/lib/one-shot-token.so) caches specified env vars in process memory and clears them from /proc/self/environ on first read. Protected tokens: COPILOT_GITHUB_TOKEN, GITHUB_TOKEN, GH_TOKEN, GITHUB_API_TOKEN, ANTHROPIC_API_KEY, OPENAI_API_KEY, etc. (src/docker-manager.ts:422).

Docker-compose.yml secrets exposure: Mitigated by tmpfs overlay over workDir (src/docker-manager.ts:996):

tmpfs: [
  `\$\{config.workDir}:rw,noexec,nosuid,size=1m`,  // Hides docker-compose.yml from container
  `/host\$\{config.workDir}:rw,noexec,nosuid,size=1m`,
]

DinD disabled: containers/agent/docker-stub.sh replaced the Docker binary with a stub that exits 127 with an error message (removed in v0.9.1 per PR #205).

Domain Validation Assessment

src/domain-patterns.ts implements:

• Explicit rejection of *, *.*, and any pattern matching /^[*.]+$/ — prevents "allow all" configurations
• wildcardToRegex() converts * → [a-zA-Z0-9.-]* (not .*) — prevents catastrophic ReDoS backtracking
• 512-character max domain length guard in isDomainMatchedByPattern()
• Protocol-specific allowlisting ((redacted) https://`, or both)

Example of proper validation:

if (trimmed === '*') throw new Error("Pattern '*' matches all domains and is not allowed");
if (/^[*.]+$/.test(trimmed) && trimmed.includes('*')) throw new Error(...);

Input Validation Assessment

Agent command escaping (src/docker-manager.ts:1050):

command: ['/bin/bash', '-c', config.agentCommand.replace(/\$/g, '$$$$')],

Dollar signs are doubled to prevent Docker Compose YAML variable interpolation ($VAR → $$VAR). The command is passed as an array to Docker Compose (not a raw shell string), reducing shell injection risk on the Docker API boundary.

Secret redaction in logs (src/redact-secrets.ts):

.replace(/(Authorization:\s*Bearer\s+)(\S+)/gi, '$1***REDACTED***')
.replace(/(\w*(?:TOKEN|SECRET|PASSWORD|KEY|AUTH)\w*)=(\S+)/gi, '$1=***REDACTED***')
.replace(/\b(gh[pousr]_[a-zA-Z0-9]{36,255})/g, '***REDACTED***')

Covers Bearer tokens, env-var-style assignments, and GitHub token format patterns. Applied in src/cli.ts:1721 before debug logging.

---

⚠️ Threat Model (STRIDE)

ID	Category	Threat	Severity	Likelihood
T-1	Info Disclosure	GITHUB_TOKEN/GH_TOKEN always forwarded to agent (see F-2)	Medium	Medium
T-2	Info Disclosure	--env-all passes cloud provider credentials to agent	Medium	Low
T-3	Elevation of Privilege	SYS_ADMIN window during entrypoint.sh before capsh drop	Low	Very Low
T-4	Tampering	AppArmor disabled; agent could use mount syscall with SYS_ADMIN active	Low	Very Low
T-5	Denial of Service	No Squid request rate limiting; agent can saturate allowed domain bandwidth	Low	Low
T-6	Repudiation	Squid logs (L7) and iptables logs (L3) have no correlation ID	Info	—
T-7	Spoofing	DNS exfiltration via TXT/encoded queries to allowed DNS servers (encoding data in query names)	Low	Low
T-8	Info Disclosure	unshare allowed in seccomp; user namespaces could be attempted	Info	Very Low

---

🎯 Attack Surface Map

Attack Surface	Location	Current Protection	Risk
Agent network egress	setup-iptables.sh + Squid	DNAT + domain ACL allowlist	Low
DNS queries	setup-iptables.sh:120-150	Upstream DNS restricted to configured servers	Low
Cloud metadata (169.254.x.x)	src/host-iptables.ts:385	REJECT rule in FW_WRAPPER chain	Low
Direct IP connections	src/squid-config.ts:549-554	http_access deny dst_ipv4/dst_ipv6	Low
Credential env vars	src/docker-manager.ts:420-422	One-shot token LD_PRELOAD (most tokens)	Medium (GITHUB_TOKEN gap)
docker-compose.yml secrets	src/docker-manager.ts:996	tmpfs overlay hides file from container	Low
Docker socket	src/docker-manager.ts:798	Mounted as /dev/null by default	Low
Host filesystem	src/docker-manager.ts:596-707	Selective bind mounts; /etc/shadow not mounted	Low
Credential files (~/.npmrc, ~/.cargo/credentials)	src/docker-manager.ts:900-904	/dev/null overlay mounts	Low
Agent command injection	src/docker-manager.ts:1050 + src/cli.ts:1349	$$ escaping + array args	Low
Domain wildcard bypass	src/domain-patterns.ts:validateDomainOrPattern	Explicit broad-pattern rejection	Low
Procfs namespace escape	containers/agent/entrypoint.sh:365	Container-scoped procfs (nosuid,nodev,noexec)	Low
IPv6 bypass	src/host-iptables.ts:104-108	ip6tables or sysctl disable	Low

---

🔎 Detailed Findings

F-1: AppArmor Disabled for Agent Container (Medium)

Evidence:

// src/docker-manager.ts:1026-1029
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',   // ← AppArmor disabled
],

Comment in code: "AppArmor is set to unconfined to allow mounting procfs at /host/proc"

Analysis: AppArmor is intentionally disabled because Docker's default profile blocks the mount syscall, which is needed to mount a container-scoped procfs at /host/proc. The seccomp profile, no-new-privileges, and capability dropping (capsh) are all present as compensating controls. Since SYS_ADMIN is dropped before user code runs, user code cannot actually mount anything even with AppArmor disabled.

Residual risk: During the window before capsh drops SYS_ADMIN (i.e., during entrypoint.sh execution), AppArmor is not restricting file access patterns. A bug in entrypoint.sh could be exploited with both SYS_ADMIN and no AppArmor.

Recommendation (Medium): Consider a custom AppArmor profile that permits mount only for procfs (proc on * type proc) but restricts other dangerous mount types, rather than using unconfined. This would add the file-access controls AppArmor provides while still allowing the needed procfs mount.

---

F-2: GITHUB_TOKEN Forwarded Without API-Proxy Guard (Medium)

Evidence:

// src/docker-manager.ts:501-511
if (process.env.GITHUB_TOKEN) environment.GITHUB_TOKEN = process.env.GITHUB_TOKEN;
if (process.env.GH_TOKEN) environment.GH_TOKEN = process.env.GH_TOKEN;
// ...
// COPILOT_GITHUB_TOKEN — forward when api-proxy is NOT enabled
if (process.env.COPILOT_GITHUB_TOKEN && !config.enableApiProxy) environment.COPILOT_GITHUB_TOKEN = ...

COPILOT_GITHUB_TOKEN has a !config.enableApiProxy guard and is replaced with a placeholder. GITHUB_TOKEN and GH_TOKEN have no such guard and are forwarded unconditionally regardless of whether --enable-api-proxy is active.

Mitigating control: GITHUB_TOKEN is in AWF_ONE_SHOT_TOKENS (src/docker-manager.ts:422), so it's protected by the one-shot LD_PRELOAD mechanism. After the agent reads the token once, it's cleared from /proc/self/environ.

Residual risk: If the agent makes an authorized GitHub API call (e.g., to the allowlisted api.github.com), the token can be used and potentially exfiltrated via the response payload going to an allowed domain, or reflected in agent output.

Recommendation (Medium): Consider adding the !config.enableApiProxy guard to GITHUB_TOKEN/GH_TOKEN forwarding (same pattern as COPILOT_GITHUB_TOKEN). When --enable-api-proxy is active and GitHub API calls should be proxied, set a placeholder or route them through the sidecar.

---

F-3: --env-all Passes Arbitrary Host Credentials (Low–Medium, by design)

Evidence:

// src/docker-manager.ts:492-499
if (config.envAll) {
  for (const [key, value] of Object.entries(process.env)) {
    if (value !== undefined && !EXCLUDED_ENV_VARS.has(key) &&
        !Object.prototype.hasOwnProperty.call(environment, key)) {
      environment[key] = value;
    }
  }
}

EXCLUDED_ENV_VARS contains: PATH, PWD, OLDPWD, SHLVL, _, SUDO_*. It does not contain AWS_ACCESS_KEY_ID, AZURE_CLIENT_SECRET, GCP_SA_KEY, etc.

Analysis: --env-all is an opt-in flag with a documented warning (src/cli.ts:1661-1662). However, on GitHub Actions runners or developer machines, the host environment often contains cloud provider credentials that would be silently forwarded into the container.

Recommendation (Low): Document in --env-all help text that cloud provider credentials (AWS, Azure, GCP) will be forwarded. Consider adding a --no-inherit-env (pattern) option or explicitly listing common cloud credential env var names in EXCLUDED_ENV_VARS with a note that users can override with --env.

---

F-4: No Request Rate Limiting at Squid Level (Low)

Evidence: No delay_pools or max_connections directives are present in the generated squid.conf (src/squid-config.ts).

Analysis: An AI agent can make unlimited HTTP/HTTPS requests to allowlisted domains. A prompt-injected agent could saturate bandwidth, trigger rate limits on the allowlisted APIs (potentially denying service to legitimate users), or abuse services at high frequency.

Recommendation (Low): Consider adding opt-in delay_pools or per-host max_connections Squid directives, configurable via a --max-requests-per-domain CLI flag.

---

📋 Evidence Collection

Commands run during this review

# Seccomp profile analysis
cat containers/agent/seccomp-profile.json | python3 -c "import json,sys; d=json.load(sys.stdin); [print(f'action={s[\"action\"]} names={s.get(\"names\",[])}') for s in d.get('syscalls',[])]"
# Result: Default SCMP_ACT_ERRNO; 3 explicit ALLOW groups; ptrace/kexec/reboot blocked

# Dependency audit
npm audit --json 2>/dev/null | python3 -c "..."
# Result: {'info': 0, 'low': 0, 'moderate': 0, 'high': 0, 'critical': 0, 'total': 0}

# AppArmor configuration
grep -n "apparmor" src/docker-manager.ts
# Result: line 1029: 'apparmor:unconfined'

# GITHUB_TOKEN forwarding
grep -n "GITHUB_TOKEN\|GH_TOKEN" src/docker-manager.ts | grep -v "//\|ONE_SHOT\|placeholder"
# Result: lines 501-502 forward unconditionally; line 511 has !config.enableApiProxy guard

# Cloud metadata protection
grep -n "169.254" src/host-iptables.ts
# Result: line 385: '-d', '169.254.0.0/16', '-j', 'REJECT'

# Squid direct IP blocking
grep -n "dst_ipv4\|dst_ipv6" src/squid-config.ts
# Result: lines 549-554 deny CONNECT to raw IP addresses

# Domain wildcard validation
grep -n "trimmed === '\*'" src/domain-patterns.ts
# Result: validateDomainOrPattern blocks *, *.*, /^[*.]+$/ patterns

# Resource limits
grep -n "mem_limit\|pids_limit" src/docker-manager.ts
# Result: mem_limit: 2g, memswap_limit: 2g, pids_limit: 1000

# tmpfs overlay for workDir
grep -n "tmpfs" src/docker-manager.ts
# Result: workDir and /host/workDir mounted as tmpfs (hides docker-compose.yml)

# One-shot token list
grep -n "AWF_ONE_SHOT_TOKENS" src/docker-manager.ts
# Result: COPILOT_GITHUB_TOKEN,GITHUB_TOKEN,GH_TOKEN,ANTHROPIC_API_KEY,OPENAI_API_KEY,...

---

✅ Recommendations (Prioritized)

🔴 Critical

None identified.

🟠 High

None identified.

🟡 Medium

1. F-2 — GITHUB_TOKEN consistency: Add !config.enableApiProxy guard to GITHUB_TOKEN/GH_TOKEN forwarding in src/docker-manager.ts:501-502, consistent with the existing COPILOT_GITHUB_TOKEN guard on line 511. If GitHub API calls still need to work, set a one-shot placeholder like COPILOT_GITHUB_TOKEN.

2. F-1 — Custom AppArmor profile: Create a minimal AppArmor profile that allows mount only for type proc while maintaining file-access controls. This replaces apparmor:unconfined and restores AppArmor's MAC layer for the entrypoint.sh window before SYS_ADMIN is dropped.

🔵 Low

3. F-3 — Document --env-all credential risks: Expand the --env-all warning (src/cli.ts:1661) to enumerate common cloud credential patterns (AWS_*, AZURE_*, GOOGLE_*). Consider adding a --exclude-env-pattern option.

4. F-4 — Rate limiting: Add optional delay_pools/max_connections support in src/squid-config.ts to constrain per-domain request frequency.

5. unshare in seccomp allowlist: unshare is present in the allowed syscalls. While no-new-privileges:true limits user namespace creation, consider removing it unless a specific use case requires it.

---

📈 Security Metrics

Metric	Value
Lines of security-critical code analyzed	~4,500 (host-iptables.ts, docker-manager.ts, setup-iptables.sh, entrypoint.sh, squid-config.ts, domain-patterns.ts)
Attack surfaces identified	14
Critical findings	0
High findings	0
Medium findings	2
Low findings	2
Informational	2
npm audit vulnerabilities	0
Seccomp syscall allowlist entries	~300+ (default-deny profile)
Defense-in-depth layers	6 (host iptables → container iptables → Squid ACL → seccomp → capabilities → one-shot tokens)

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 30, 2026, 2:01 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-30T14:01:01.555Z.

Closed by Workflow