[Security Review] Daily Security Review — AWF Firewall (2026-06-29)

[github-actions[bot]]

📊 Executive Summary

Overall Security Posture: STRONG — AWF implements multiple independent layers of egress control and credential isolation. The architecture demonstrates mature security engineering: iptables DNAT as a backstop for proxy-unaware tools, per-session CA certificates for optional SSL inspection, capability isolation via capsh, and 14+ credential files hidden via /dev/null overlays.

Metrics:

• ~32,000 lines of security-critical code analyzed (359 TypeScript files + containers)
• 5 independent enforcement layers (iptables NAT → filter → Squid ACL → raw-IP deny → DNS whitelist)
• Findings: 0 Critical · 0 High · 2 Medium · 2 Low
• Escape test result: ✅ No secrets exfiltrated (April 2026)

---

🔍 Findings from Firewall Escape Test

The pre-fetched escape test file contains CI logs from the Secret Digger (Copilot) workflow (April 11, 2026, run 24273493151). Result: no secrets found.

Key indicators:

• GH_AW_SECRET_VERIFICATION_RESULT: success
• Only noop safe-output calls emitted — no secrets to report
• GH_AW_INFERENCE_ACCESS_ERROR: false

This validates that credential isolation (API key env exclusion + /dev/null overlays) is functioning correctly under active adversarial probing.

---

🛡️ Architecture Security Analysis

Network Security

The firewall enforces a 5-layer stack (evidence: containers/agent/setup-iptables.sh, src/host-iptables-rules.ts):

Layer	Mechanism	File
NAT BYPASS	localhost, self-IP, Squid, sidecars → RETURN	setup-iptables.sh:configure_nat_bypasses()
NAT DNAT	Port 80/443 → Squid:3128 (proxy-unaware fallback)	setup-iptables.sh:configure_http_dnat()
NAT BLOCK	DANGEROUS_PORTS (22,25,445,3306,5432,6379...) → RETURN → REJECT	setup-iptables.sh:configure_host_access_rules()
FILTER REJECT	Default deny + LOG [FW_BLOCKED_UDP]/[FW_BLOCKED_OTHER]	src/host-iptables-rules.ts:addBlockRules()
Squid ACL	Domain allowlist, raw-IP CONNECT deny	src/squid/config-generator.ts

Strengths confirmed by evidence:

• IPv6 disabled via sysctl net.ipv6.conf.all.disable_ipv6=1 — prevents proxy bypass via IPv6
• 169.254.0.0/16 blocked at host iptables — cloud metadata (IMDS) access prevented
• Raw-IP CONNECT blocked: acl dst_ipv4 dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ + http_access deny dst_ipv4
• DNS restricted to whitelisted servers only; arbitrary UDP/53 rejected

Container Security

Evidence: src/services/agent-service.ts:76-94, containers/agent/entrypoint.sh:1142

cap_add:  [SYS_CHROOT, SYS_ADMIN]   ← dropped by capsh before user code
cap_drop: [NET_RAW, SYS_PTRACE, SYS_MODULE, SYS_RAWIO, MKNOD]
security_opt: [no-new-privileges:true, seccomp=profile.json, apparmor:unconfined]

• NET_ADMIN absent from agent — only on awf-iptables-init (shares network namespace)
• Seccomp profile with defaultAction: SCMP_ACT_ERRNO — syscall allowlist
• workDir tmpfs (1MB, noexec, nosuid) — prevents agent from reading docker-compose.yml plaintext secrets
• procfs hidepid=2 — prevents /proc/[pid]/environ credential exfiltration
• All sidecar containers (api-proxy, cli-proxy, doh-proxy): cap_drop: ['ALL']

Domain/Input Validation

Evidence: src/domain-validation.ts, src/squid/domain-acl.ts, src/domain-patterns.ts

• Config injection prevention: SQUID_DANGEROUS_CHARS = /[\s\0"';#]/` — rejects whitespace, null bytes, quotes, semicolons, backticks, hash
• ReDoS protection: wildcard * converts to [a-zA-Z0-9.-]* (character class, not .*)
• Over-broad patterns rejected: *, *.*, and wildcard-only patterns blocked at validation
• execa used throughout (array args, no shell string interpolation) — no shell injection risk

Credential Isolation

Evidence: src/services/agent-environment/excluded-vars.ts, src/services/agent-volumes/credential-hiding.ts

When --enable-api-proxy: OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY, COPILOT_GITHUB_TOKEN excluded from agent env.

Always excluded: ACTIONS_RUNTIME_TOKEN, ACTIONS_RESULTS_URL.

14 credential files hidden via /dev/null overlays: .ssh/id_*, .aws/credentials, .kube/config, .azure/credentials, .config/gcloud/credentials.db, .docker/config.json, .npmrc, .cargo/credentials, .config/gh/hosts.yml.

---

⚠️ Threat Model (STRIDE Summary)

Threat	Mitigation	Risk
Agent modifies iptables (Tampering)	Agent has no NET_ADMIN; iptables-init is separate	🟢 Very Low
Agent reads API keys (Info Disclosure)	Keys excluded from env + api-proxy sidecar; escape test passed	🟢 Very Low
Agent reads /proc/[pid]/environ (Info Disclosure)	hidepid=2 on procfs	🟢 Very Low
Domain input injection (Tampering)	SQUID_DANGEROUS_CHARS validation, structural checks	🟢 Very Low
DNS exfiltration (Info Disclosure)	DNS restricted to whitelisted servers	🟢 Very Low
IPv6 proxy bypass (Tampering)	IPv6 disabled in container namespace	🟢 Very Low
Cloud metadata access (Info Disclosure)	169.254.0.0/16 blocked at host iptables	🟢 Very Low
Agent exploits SYS_ADMIN before capsh drop (EoP)	Short window, trusted entrypoint, no-new-privileges	🟡 Low
JSONL audit log injection (Repudiation)	Host/URL fields not JSON-escaped	🟡 Low
Credential file read via mount (Info Disclosure)	14 files hidden; gaps: .pypirc, .netrc	🟡 Low
DinD firewall bypass (EoP)	Off by default; explicit warning logged	🟡 Low (off-by-default)

---

🎯 Attack Surface Map

Surface	Entry Point	Protections	Risk
HTTP/HTTPS egress	Port 80/443 DNAT	Squid ACL, domain validation, raw-IP deny	🟢 Low
Non-standard port egress	Other TCP/UDP	iptables REJECT (not Squid-inspected)	🟡 Low (blocked, unmonitored)
DNS egress	UDP/TCP 53	Whitelisted servers only	🟢 Low
IPv6 egress	All IPv6	Disabled via sysctl	🟢 Very Low
Cloud metadata (IMDS)	169.254.169.254	169.254.0.0/16 REJECT	🟢 Very Low
Domain --allow-domains input	CLI argument	SQUID_DANGEROUS_CHARS, structural validation	🟢 Low
API proxy auth	172.30.0.30:10001	Agent sends no auth; sidecar injects keys	🟢 Low
Credential files	Home dir mounts	14 via /dev/null; gaps: .pypirc, .netrc	🟡 Low
Docker socket	/var/run/docker.sock	/dev/null by default; only with --enable-dind	🟢 Low (default)
workDir secrets	/tmp/awf-(ts)/	tmpfs overlay (1MB, noexec, nosuid)	🟢 Very Low
Audit log integrity	Squid JSONL	Host/URL fields unescaped	🟡 Low
AppArmor MAC	Pre-capsh startup	Unconfined; compensated by seccomp + capsh	🟡 Low

---

✅ Recommendations

🔴 Critical — None

🟠 High — None

🟡 Medium

M-1: Harden JSONL audit log against injection (src/squid/config-generator.ts:97)

The JSONL audit log embeds %{Host}>h and %ru without JSON escaping. Squid's logformat cannot escape strings natively. Mitigations:

1. Add robust JSON parse error handling in src/logs/log-aggregator.ts loadAllLogs() to skip/flag malformed records
2. Document the known injection risk in LOGGING.md
3. Long-term: consider a post-processing pipeline that JSON-escapes log fields before storage

M-2: Expand credential file hiding (src/services/agent-volumes/credential-hiding.ts)

Add /dev/null overlays for files not currently covered:

• ~/.pypirc — PyPI upload tokens
• ~/.netrc — Generic HTTP credential store (git clone https://)
• ~/.gitcredentials — git credential helper store
• ~/.gradle/gradle.properties — Gradle signing keys / API keys

🔵 Low

L-1: Document GITHUB_TOKEN pass-through (src/services/agent-environment/excluded-vars.ts:38)

GITHUB_TOKEN flows to the agent only when difcProxyHost is not configured. Add explicit documentation noting this behavior and provide a --exclude-env GITHUB_TOKEN example for high-sensitivity deployments where agents should not have repository write access.

L-2: Investigate scoped AppArmor profile (src/services/agent-service.ts:92)

apparmor:unconfined is required to allow mount -t proc during entrypoint startup. Investigate whether a minimal AppArmor profile allowing only the target mount operation could replace this. If not feasible, document the accepted risk with a security comment referencing the capsh-drop mitigation.

i️ Informational

• Plain UDP DNS: Default plain UDP DNS is observable. Enable --doh-resolver in high-sensitivity deployments to prevent DNS timing side-channels.
• Non-standard port coverage: Ports 8080/8443/etc. from proxy-unaware tools are correctly blocked by REJECT but not Squid-inspected; correlate via [FW_BLOCKED_OTHER] kernel log prefix.
• workDir tmpfs cap: 1MB cap is correct for its security purpose; ensure this does not cause ENOSPC for legitimate operations inside the container.

---

📈 Security Metrics

Metric	Value
Lines analyzed	~32,000 (TypeScript + shell/JSON)
Source files	359 TypeScript + containers
Enforcement layers	5
Credential files hidden	14 (home + /host paths)
Dangerous ports blocked	22
Capabilities dropped	5 explicit + 2 add-then-drop
Findings	0 Critical · 0 High · 2 Medium · 2 Low
Escape test	✅ No secrets exfiltrated (April 2026)

Generated by Daily Security Review and Threat Modeling · 119.3 AIC · ⊞ 7K · ◷

• expires on Jul 6, 2026, 1:56 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent was here.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir around this discussion. The smoke test agent was here, and the omens are green.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke test agent has passed through these halls. The firewall oracle has observed the run and left this rune behind.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex