From 5195f8286ac2d70a00595af2cbd98bb830b4eddd Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Sun, 4 Jan 2026 03:31:42 +0000
Subject: [PATCH] Security Fix: Restrict file permissions in copilot-agents.go (Alert #383)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Changed file permissions from 0644 to 0600 in ensureFileMatchesTemplate()
- Applies to agent templates and Copilot instructions files
- Follows principle of least privilege and security best practices
- Fixes gosec alert #383 (G306 - Incorrect Default Permissions)
🤖 Generated with gh-aw security fix agent
Triggered by: @pelikhan
Workflow Run: #20686947569
---
 pkg/cli/copilot-agents.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkg/cli/copilot-agents.go b/pkg/cli/copilot-agents.go
index 71d99fd7117..fb6860e1906 100644
--- a/pkg/cli/copilot-agents.go
+++ b/pkg/cli/copilot-agents.go
@@ -49,8 +49,9 @@ func ensureFileMatchesTemplate(subdir, fileName, templateContent, fileType strin
 return nil
 }
 
- // Write the file
- if err := os.WriteFile(targetPath, []byte(templateContent), 0644); err != nil {
+ // Write the file with restrictive permissions (0600) to follow security best practices
+ // Agent files and instructions may contain sensitive configuration
+ if err := os.WriteFile(targetPath, []byte(templateContent), 0600); err != nil {
 copilotAgentsLog.Printf("Failed to write file: %s, error: %v", targetPath, err)
 return fmt.Errorf("failed to write %s: %w", fileType, err)
 }
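Review bot: The new mode in `os.WriteFile(targetPath, []byte(templateContent), 0600)` only applies when the file is created; if targetPath already exists (for example written as 0644 by an earlier release), WriteFile truncates and rewrites it without touching its permissions, so existing checkouts keep the old mode while the gosec alert is closed. If 0600 is the intended mode, follow the write with `if err := os.Chmod(targetPath, 0600); err != nil { return fmt.Errorf("failed to set permissions on %s: %w", fileType, err) }`. The added comment justifies the change with "may contain sensitive configuration", but what is written here is `templateContent`, which looks like a shipped template rather than secret material, so the comment should give the real reason, and it is worth confirming that no tool running as a different user needs to read these files. The body of ensureFileMatchesTemplate starts above the hunk, so any earlier handling of an existing file is not visible here.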