feat: add agent-shield.yml workflow for compliance #83
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| # AgentShield — Agent configuration security validation | ||
| # See: standards/agent-standards.md | ||
| # | ||
| # Two-layer approach: | ||
| # 1. affaan-m/agentshield action — deep security scan (102 rules across | ||
| # secrets, permissions, hooks, MCP servers, and agent config) | ||
| # 2. Org-specific structural checks — required files, cross-references, | ||
| # SKILL.md frontmatter validation | ||
|
|
||
| name: AgentShield | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main] | ||
| pull_request: | ||
| branches: [main] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| agent-shield: | ||
| name: AgentShield | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
|
|
||
| # --- Deep security scan via AgentShield CLI --- | ||
| # Uses ecc-agentshield (https://github.com/affaan-m/agentshield) | ||
| # 102 rules: secrets, permissions, hooks, MCP servers, agent config | ||
| - name: AgentShield Security Scan | ||
| run: | | ||
| npx ecc-agentshield@1.4.0 scan \ | ||
| --path . \ | ||
| --min-severity high \ | ||
| --format terminal | ||
|
|
||
| # --- Org-specific structural checks --- | ||
| - name: Check required agent files exist | ||
| run: | | ||
| status=0 | ||
|
|
||
| if [ ! -f "CLAUDE.md" ]; then | ||
| echo "::error::Missing CLAUDE.md" | ||
| status=1 | ||
| fi | ||
|
|
||
| if [ ! -f "AGENTS.md" ]; then | ||
| echo "::error::Missing AGENTS.md" | ||
| status=1 | ||
| fi | ||
|
|
||
| exit $status | ||
|
|
||
| - name: Validate cross-references | ||
| run: | | ||
| status=0 | ||
|
|
||
| if [ -f "CLAUDE.md" ] && \ | ||
| ! grep -qi 'AGENTS.md' CLAUDE.md; then | ||
| echo "::error file=CLAUDE.md::Must reference AGENTS.md" | ||
| status=1 | ||
| fi | ||
|
|
||
| if [ -f "AGENTS.md" ] && \ | ||
| ! grep -qi 'petry-projects/\.github' AGENTS.md; then | ||
| echo "::error file=AGENTS.md::Must reference org standards" | ||
| status=1 | ||
| fi | ||
|
|
||
| exit $status | ||
|
|
||
| - name: Validate SKILL.md frontmatter | ||
| run: | | ||
| status=0 | ||
|
|
||
| while IFS= read -r file; do | ||
| frontmatter=$(awk \ | ||
| '/^---$/{n++; next} n==1{print} n>=2{exit}' \ | ||
| "$file") | ||
|
|
||
| if [ -z "$frontmatter" ]; then | ||
| echo "::error file=$file::Missing YAML frontmatter" | ||
| status=1 | ||
| continue | ||
| fi | ||
|
|
||
| if ! echo "$frontmatter" | grep -q '^name:'; then | ||
|
There was a problem hiding this comment. The frontmatter/key detection is overly strict: it only recognizes |
||
| echo "::error file=$file::Missing 'name' field" | ||
| status=1 | ||
| fi | ||
| if ! echo "$frontmatter" | grep -q '^description:'; then | ||
|
There was a problem hiding this comment. The frontmatter/key detection is overly strict: it only recognizes |
||
| echo "::error file=$file::Missing 'description' field" | ||
| status=1 | ||
| fi | ||
| done < <(find . -name 'SKILL.md' \ | ||
| -not -path '*/node_modules/*' \ | ||
| -not -path '*/.git/*') | ||
|
|
||
| if [ "$status" -eq 0 ]; then | ||
| echo "All SKILL.md frontmatter validated." | ||
| fi | ||
| exit $status | ||
|
Comment on lines
+73
to
+103
There was a problem hiding this comment. 🧹 Nitpick | 🔵 Trivial LGTM with minor suggestion. The awk-based frontmatter extraction and field validation logic is correct. The process substitution For explicit clarity and cross-platform safety, consider adding - name: Validate SKILL.md frontmatter
shell: bash
run: |🤖 Prompt for AI Agents |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The frontmatter/key detection is overly strict: it only recognizes
---with no surrounding whitespace and keys that start at column 1. If anySKILL.mduses common variations (e.g.,---with trailing spaces, or indentedname:/description:), this will incorrectly fail validation. Consider relaxing the patterns (e.g., allow leading/trailing whitespace around---and optional indentation before keys) to avoid false negatives.