feat(llm-security): sandboxed remote cloning v5.1.0
Harden git clone attack surface for remote scans with defense-in-depth: Layer 1 (all platforms): 8 git config flags disable hooks, symlinks, filter/smudge drivers, fsmonitor, local file protocol. 4 env vars isolate from system/user git config and block interactive prompts. Layer 2 (OS sandbox): macOS sandbox-exec and Linux bubblewrap (bwrap) restrict file writes to only the specific temp directory. bwrap probe-tests availability before use. Graceful fallback on Windows and Ubuntu 24.04+ (git config hardening only). Additional: post-clone 100MB size check, UUID-unique evidence filenames, evidence file cleanup, cleanup guarantee in scan/plugin-audit commands. 32 new tests (1147 total). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen
parent
5c1ceaa567
commit
708c898754
11 changed files with 487 additions and 12 deletions
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"name": "llm-security",
|
||||
"version": "5.0.0",
|
||||
"version": "5.1.0",
|
||||
"description": "Security scanning, auditing, and threat modeling for Claude Code projects",
|
||||
"type": "module",
|
||||
"engines": {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue