feat: reduce Detection Job firewall domain allowlist to Copilot-API-only set and enable Bash * in detection job #22948

Merged
davidslater merged 4 commits into main from copilot/reduce-detection-job-dependencies
Mar 25, 2026

Contributor

Copilot AI commented Mar 25, 2026

  • Move "threat-detection" to alphabetical position in ecosystem_domains.json
  • Fix failing CI test: update TestThreatDetectionSteps_IncludeBashReadTools to check for "Bash" (unrestricted) instead of individual Bash(cmd) tool names, since the detection job now uses bash: ["*"]

…nly set

The detection job previously allowed 10 domains (full CopilotDefaultDomains),
including registry.npmjs.org and raw.githubusercontent.com. Neither is needed
for read-only threat analysis:

- registry.npmjs.org: Copilot CLI binary is pre-installed; no npm packages are
  installed at detection runtime because MCP servers are disabled
  (--disable-builtin-mcps) and no npm-based tools are configured.
- raw.githubusercontent.com: detection does not download scripts or config from
  GitHub; the prompt and agent output are already present as local files.

Changes:
- Add CopilotDetectionDomains (8 entries vs 10 in CopilotDefaultDomains)
- Add GetCopilotDetectionAllowedDomains() for detection-specific domain building
- Use detection-specific domains when IsDetectionRun in copilot_engine_execution.go
- Fix misleading "deny-all" comment in threat_detection.go
- Add TestCopilotDetectionDomains and TestGetCopilotDetectionAllowedDomains
- Recompile all 178 workflows to update lock.yml files

Co-authored-by: davidslater <12449447+davidslater@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e055fb7e-815c-4341-b132-244cd2fabfa3
@pelikhan
Collaborator

Maybe have a "detection" domain set?

@pelikhan
Collaborator

Add new domain here and reuse so that we know all the domain sets. https://github.com/github/gh-aw/blob/main/pkg/workflow/data/ecosystem_domains.json

…onAllowedDomains

Also rename the corresponding test functions:
- TestCopilotDetectionDomains → TestThreatDetectionDomains
- TestGetCopilotDetectionAllowedDomains → TestGetThreatDetectionAllowedDomains

Matches the "threat-detection" ecosystem key in ecosystem_domains.json.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/1fca0257-0f07-4351-829d-a6c70b2d8c60

Co-authored-by: davidslater <12449447+davidslater@users.noreply.github.com>
@davidslater davidslater marked this pull request as ready for review March 25, 2026 20:38
Copilot AI review requested due to automatic review settings March 25, 2026 20:38
Contributor

Copilot AI left a comment

Pull request overview

This PR tightens the threat-detection job’s firewall domain allowlist to a minimal Copilot-API-focused set and updates the detection job configuration to rely on AWF as the primary security boundary.

Changes:

  • Added a new "threat-detection" ecosystem domain set in ecosystem_domains.json and introduced GetThreatDetectionAllowedDomains() to consume it.
  • Updated the Copilot engine execution path to use the minimal detection allowlist when IsDetectionRun is set.
  • Relaxed detection-run shell/tool restrictions (wildcard bash / --allow-all-tools) and regenerated many workflow lockfiles accordingly.

Reviewed changes

Copilot reviewed 157 out of 157 changed files in this pull request and generated no comments.

File Description
pkg/workflow/threat_detection.go Enables wildcard bash tool for detection runs and updates explanatory comments.
pkg/workflow/domains.go Adds GetThreatDetectionAllowedDomains() using the new threat-detection ecosystem.
pkg/workflow/copilot_engine_execution.go Switches allow-domain calculation based on IsDetectionRun.
pkg/workflow/data/ecosystem_domains.json Introduces the "threat-detection" domain list (8 entries).
pkg/workflow/domains_test.go Adds tests asserting the threat-detection domain set and merged allow-domains behavior.
.github/workflows/workflow-skill-extractor.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/workflow-normalizer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/workflow-health-manager.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/workflow-generator.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/weekly-issue-summary.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/weekly-editors-health-check.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/weekly-blog-post-writer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/video-analyzer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/update-astro.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/ubuntu-image-analyzer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/tidy.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/test-project-url-default.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/test-dispatcher.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/terminal-stylist.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/technical-doc-writer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/super-linter.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/sub-issue-closer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/stale-repo-identifier.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/smoke-workflow-call.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/smoke-test-tools.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/smoke-temporary-id.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/smoke-project.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/smoke-multi-pr.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/smoke-gemini.lock.yml Adjusts Gemini tool configuration to a broader run_shell_command tool entry.
.github/workflows/smoke-copilot.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/slide-deck-maintainer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/security-review.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/security-compliance.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/research.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/repository-quality-improver.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/repo-tree-map.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/repo-audit-analyzer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/release.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/refiner.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/q.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/python-data-charts.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/pr-triage-agent.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/pr-nitpick-reviewer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/portfolio-analyst.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/poem-bot.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/plan.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/pdf-summary.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/org-health-report.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/mergefest.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/mcp-inspector.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/layout-spec-maintainer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/jsweep.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/issue-triage-agent.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/issue-monster.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/hourly-ci-cleaner.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/gpclean.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/glossary-maintainer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/github-remote-mcp-auth-test.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/functional-pragmatist.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/firewall-escape.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/draft-pr-cleanup.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/docs-noob-tester.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/discussion-task-miner.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/dictation-prompt.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/dev.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/dev-hawk.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/dependabot-go-checker.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/dependabot-burner.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/delight.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/dead-code-remover.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-workflow-updater.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-team-status.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-syntax-error-quality.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-semgrep-scan.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-secrets-analysis.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-safe-output-integrator.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-repo-chronicle.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-regulatory.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-performance-summary.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-news.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-integrity-analysis.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-firewall-report.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-file-diet.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-copilot-token-report.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-compiler-quality.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-community-attribution.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-cli-tools-tester.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-cli-performance.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-assign-issue-to-user.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/daily-architecture-diagram.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/craft.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/copilot-pr-prompt-analysis.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/copilot-pr-nlp-analysis.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/copilot-pr-merged-report.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/copilot-cli-deep-research.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/contribution-check.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/constraint-solving-potd.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/code-simplifier.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/code-scanning-fixer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/cli-consistency-checker.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/ci-doctor.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/ci-coach.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/breaking-change-checker.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/brave.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/auto-triage-issues.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/artifacts-summary.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/archie.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/agent-persona-explorer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
.github/workflows/agent-performance-analyzer.lock.yml Regenerates to use reduced --allow-domains and --allow-all-tools for detection.
Comments suppressed due to low confidence (4)

pkg/workflow/threat_detection.go:1

  • Allowing unrestricted shell commands for detection runs meaningfully increases the impact of prompt-injection or sandbox-escape attempts, especially since detection workflows also allow api.github.com / github.com egress (which can be used for data exfiltration) and often run with elevated AWF options (e.g., host access in lockfiles). If the intent is to reduce friction, consider keeping a minimal shell allowlist for detection (e.g., only file inspection/search tooling), or compensating with stronger constraints such as read-only filesystem/workspace, reduced token permissions, and/or disabling host-access for detection jobs.

pkg/workflow/domains_test.go:1

  • This test file now introduces testify/assert. If the rest of domains_test.go predominantly uses standard-library test assertions (if ... { t.Fatalf(...) }), consider staying consistent and avoiding an extra external dependency here (or converting the whole file to a consistent assertion style). This reduces dependency surface and keeps tests uniform.

pkg/workflow/domains_test.go:1

  • These assertions validate membership by substring against a comma-separated string, which can produce false positives/negatives (e.g., a malicious or unexpected entry like api.githubcopilot.com.evil would satisfy Contains, and NotContains doesn't enforce exact domain tokens). Consider splitting result on commas into a slice and asserting exact membership/exclusion against the tokens.

pkg/workflow/domains_test.go:1

  • The comment says 'every required Copilot API domain', but the requiredDomains list also includes non-API endpoints like github.com and host.docker.internal. Consider rewording to something like 'required domains for threat detection runs' to match what the test is actually asserting.
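
The substring-versus-token point raised in the suppressed comment on domains_test.go, shown as an added example that is not part of this PR or the project's test code: a comma-separated allowlist is split into exact tokens and compared with the expected set. The names tokens, audit, required and tampered are hypothetical, and the sample values are constructed from domain names mentioned on this page, not the project's actual 8-entry list.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// tokens splits a comma-separated allow-domains value into an exact-match set.
func tokens(csv string) map[string]bool {
	set := map[string]bool{}
	for _, t := range strings.Split(csv, ",") {
		if t = strings.ToLower(strings.TrimSpace(t)); t != "" {
			set[t] = true
		}
	}
	return set
}

// audit compares the allowlist with the expected set token by token.
// missing: required domains that are absent as exact tokens.
// extra:   entries outside the required set (removed domains, look-alikes).
func audit(csv string, required []string) (missing, extra []string) {
	got := tokens(csv)
	want := map[string]bool{}
	for _, d := range required {
		want[d] = true
		if !got[d] {
			missing = append(missing, d)
		}
	}
	for d := range got {
		if !want[d] {
			extra = append(extra, d)
		}
	}
	sort.Strings(missing)
	sort.Strings(extra)
	return missing, extra
}

// Constructed sample: a subset of domains named in the review, lowercase.
var required = []string{"api.githubcopilot.com", "github.com", "host.docker.internal"}

// Constructed sample: the Copilot API host is replaced by the look-alike from
// the review comment, and a domain the PR removed is still present.
const tampered = "api.githubcopilot.com.evil,github.com,host.docker.internal,raw.githubusercontent.com"

func main() {
	// A substring assertion passes even though the exact host is not allowed.
	fmt.Println("substring check passes:", strings.Contains(tampered, "api.githubcopilot.com"))

	missing, extra := audit(tampered, required)
	fmt.Println("missing:", missing)
	fmt.Println("extra:  ", extra)
}
```

Comparing the whole token set, rather than checking a few names in and a few names out, also catches entries that no assertion thought to exclude.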

@davidslater davidslater changed the title feat: reduce Detection Job firewall domain allowlist to Copilot-API-only set feat: reduce Detection Job firewall domain allowlist to Copilot-API-only set and enable Bash * in detection job Mar 25, 2026
… wildcard

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/91c4548d-8567-4bd7-8ad6-21942864387d

Co-authored-by: davidslater <12449447+davidslater@users.noreply.github.com>
@davidslater davidslater merged commit 4245eab into main Mar 25, 2026
82 checks passed
@davidslater davidslater deleted the copilot/reduce-detection-job-dependencies branch March 25, 2026 22:01