Skip to content

[ASI05] Dependency-lockfile-poisoning guard (low) — close ASI05 residual #234

Description

@initializ-mk

Problem

An agent that regenerates dependency lockfiles could silently introduce a poisoned or downgraded dependency (the nx/debug class), which then executes on the next build.

Current state

The cli_execute sandbox, binary allowlist, and egress allowlist already contain most execution/exfil impact (forge-cli/tools/cli_execute.go, forge-core/security/resolver.go). There is no specific guard for agents that regenerate lockfiles. This is a low residual after the existing controls. See docs/security/owasp-asi-conformance.md (ASI05).

Proposed control

Optional lockfile-change detection/approval in the build or skill path (diff the lockfile, flag or require approval on change).

Acceptance criteria

  • A lockfile change during an agent run is detected and flagged with an instrumented event.
  • Behavior is opt-in and does not break normal builds.

Conformance test

TestASI05_LockfileChangeFlagged (low priority).

Out of scope

Full dependency vulnerability scanning (overlaps SBOM/AIBOM issue). Non-lockfile RCE surfaces (already Enforced).

Guideline reference

ASI05 residual, mitigation #4/#7 (OWASP Agentic Top 10 2026).

Metadata

Metadata

Assignees

No one assigned

    Labels

    asi05OWASP ASI05forge-coreAffects the forge-core library (runtime, security, types, llm, mcp, auth)owasp-asiOWASP Top 10 for Agentic Applications 2026 conformancesecuritySecurity vulnerability fixes

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions