[Security Review] Security Review — gh-aw-firewall (2026-06-27)

[github-actions[bot]]

Scope: Evidence-based security review of AWF (v0.23.1), conducted 2026-06-27.
Escape-test context: Prior "Secret Digger (Copilot)" run returned GH_AW_SECRET_VERIFICATION_RESULT: success with a noop — no credentials discovered or exfiltrated, validating credential-isolation mechanisms.

---

📊 Executive Summary

AWF applies a well-designed layered security model: iptables DNAT → Squid L7 filtering → domain ACL → capability drops → seccomp → hidepid=2 procfs → one-shot token protection. No critical or high findings were identified. Five findings warrant attention (1 medium, 3 low, 1 informational).

Metric	Value
Non-test source files analyzed	~256
Security-critical LOC (entrypoint + iptables scripts)	~1,800
Attack surfaces identified	9
Findings	1 medium · 3 low · 1 informational

---

🔍 Escape-Test Corroboration

The escape-test noop directly validates:

• Credential isolation via API proxy: ANTHROPIC_API_KEY, GITHUB_TOKEN not accessible to agent
• One-shot token LD_PRELOAD library: env vars cleared from /proc before any exfiltration window
• hidepid=2: cross-process credential reading blocked

---

🛡️ Architecture Security Analysis

Network Security

Strengths: Triple-layer egress (iptables → Squid → ACL); IPv6 disabled via sysctl; direct-IP HTTPS blocked in Squid (http_access deny dst_ipv4/dst_ipv6); 14-port dangerous-port blocklist at NAT; forwarded_for delete.

Gaps: Dangerous-port NAT RETURN rules are IPv4-only; DNS UDP/53 to 8.8.8.8/8.8.4.4 allows query-name exfiltration.

Container Security

Strengths: CAP_SYS_CHROOT+CAP_SYS_ADMIN dropped via capsh before user code; NET_ADMIN never granted to agent; seccomp blocks ptrace, process_vm_readv/writev, kexec_load, reboot, init_module, umount; procfs mounted with hidepid=2,nosuid,nodev,noexec; UID/GID=0 explicitly rejected; /etc/shadow excluded; SSL Bump CA keys in tmpfs with secure-wipe on cleanup.

Gaps: One-shot token protection silently disabled on Alpine/musl hosts; 1-second token-clearance timing window (mitigated by hidepid=2).

Domain & Input Validation

Strengths: Squid-injection chars rejected (\s, \0, ", ', `, ;, #, \); wildcard regex uses [a-zA-Z0-9.-]* (not .*) to prevent ReDoS; over-broad patterns (*, *.*) rejected; port specs validated in both TS and shell with shared test fixtures; CLI proxy uses execFile (no shell).

---

⚠️ Findings

🔴 M-1 — Shell metacharacters pass through in agentCommand (Medium)

File: src/services/agent-service.ts:146

command: ['/bin/bash', '-c', config.agentCommand.replace(/\$/g, '$$$$')],

Only $→$$ is escaped (for Docker Compose YAML interpolation). Unquoted ;, &&, ||, `, > pass through to bash -c. Example: awf -- 'curl x.com; id' runs both commands.
Blast radius is contained — the container runs as an unprivileged user post-cap-drop with seccomp active; no host-escape path. However, it is an injection surface for users crafting malicious AWF invocations.
Recommendation: Parse the command into argv via a shell-quote library and use the array form, eliminating bash -c wrapping.

---

🟡 L-1 — IPv6 disable sysctl silent failure; no ip6tables dangerous-port blocklist (Low)

File: containers/agent/setup-iptables.sh:110–111

sysctl -w net.ipv6.conf.all.disable_ipv6=1 2>/dev/null || echo "[iptables] WARNING: failed..."

Continues on failure with only a warning. If the sysctl fails, IPv6 remains enabled but the DANGEROUS_PORTS blocklist (iptables only, not ip6tables) doesn't apply.
Recommendation: Either fail hard on sysctl failure, or add ip6tables equivalents for the 14 dangerous ports.

---

🟡 L-2 — DNS exfiltration via allowed UDP/53 (Low)

File: containers/agent/setup-iptables.sh:244–245
UDP/53 queries to configured upstream DNS servers (default: 8.8.8.8, 8.8.4.4) are unconditionally allowed. A compromised agent could encode data in DNS query names for out-of-band exfiltration.
Recommendation: Recommend --dns-over-https in documentation; add UDP/53 rate-limiting (e.g., --limit 100/min) as defense-in-depth in standard mode.

---

🟡 L-3 — Fixed container names cause concurrent-instance conflicts (Low)

Container names (awf-agent, awf-squid, etc.) are static. Concurrent AWF instances on the same host collide silently.
Recommendation: Append the existing workdir timestamp to container names; add startup collision detection with a clear error.

---

i️ INFO-1 — Dev dependency CVEs (21 total, 1 high) — production unaffected

linkify-it ≤5.0.0 (GHSA-22p9-wv53-3rq4): quadratic-complexity DoS in markdownlint-cli2 (dev linting only). Production deps (commander, chalk, execa, js-yaml, ajv) are clean.
Recommendation: npm audit fix to clear noise for security scanners.

---

🎯 Attack Surface Map

#	Surface	Entry Point	Risk
1	Domain allowlist input	src/domain-validation.ts	Low
2	Agent command execution	src/services/agent-service.ts:146	Medium
3	DNS UDP/53	setup-iptables.sh:244	Low
4	Squid L7 proxy	containers/squid/ :3128	Low
5	API proxy sidecar	containers/api-proxy/server.js :10000-10003	Low
6	CLI proxy sidecar	containers/cli-proxy/server.js:POST /exec	Low
7	Container filesystem	Bind mounts under /host/	Low
8	IPv6 egress path	setup-iptables.sh:110	Low
9	procfs /host/proc	entrypoint.sh:521 (hidepid=2)	Low

---

✅ Prioritised Recommendations

Priority	Item	File
🔴 Medium	Parse agentCommand as argv array, eliminate bash -c wrapping	src/services/agent-service.ts:146
🟡 Low	Fail hard on IPv6 sysctl failure OR add ip6tables dangerous-port rules	setup-iptables.sh:110–111
🟡 Low	Document DNS exfiltration risk; recommend DoH; add UDP/53 rate limit	setup-iptables.sh:244
🟡 Low	Add timestamp suffix to container names; detect/fail on collision	src/constants.ts
🟢 Nice	npm audit fix for dev deps	package.json
🟢 Nice	Add deploy.resources.limits (CPU/memory) to agent service in generated Compose	src/services/agent-service.ts

---

📈 Security Metrics

Metric	Value
Critical/High findings	0
Medium findings	1 (agentCommand shell metachar pass-through)
Low findings	3
Informational	1 (dev-dep CVEs, no prod impact)
Escape-test credential verification	✅ Pass — no credentials exfiltrated

Generated by Daily Security Review and Threat Modeling · 118.3 AIC · ⊞ 7K · ◷

• expires on Jul 4, 2026, 12:50 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke test agent was here. The omens are clear, the build is sound, and the run leaves a clean trail through the firewall.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir above the repository waters. The smoke test agent has passed through, traced the omens, and left this sign in the astral log.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir around this discussion. The smoke test agent was here, and the omens read as passed.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke test agent was here. May the firewall hold, the paths stay true, and the build remain in favorable alignment.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir: the smoke test agent was here, and the omens are favorable.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir. The smoke test agent was here, and the omens are favorable.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits have spoken: the smoke test agent passed through GitHub’s veil and returned in harmony.

The omens are clear, the build was blessed, and the workflow stands affirmed.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex