feat(llm-security): wire TRG scanner into orchestrator and policy

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
This commit is contained in:
Kjell Tore Guttormsen 2026-06-20 09:24:23 +02:00
commit 9f1156866c
4 changed files with 83 additions and 1 deletions

View file

@ -65,6 +65,24 @@ const DEFAULT_POLICY = Object.freeze({
// Substring matches against relative path — plain contains, no glob.
suppress_paths: [],
},
// TRG — trigger/activation-abuse scanner. Lists mirror the scanner defaults
// in scanners/trigger-scanner.mjs; override any of them via policy.json.
trg: {
mode: 'warn',
baiting_phrases: [
'anything', 'everything', 'always', 'whenever', 'no matter what',
'any request', 'any task', 'any file', 'every time',
'all files', 'all messages', 'all requests',
],
builtin_names: [
'read', 'write', 'edit', 'bash', 'glob', 'grep', 'task',
'webfetch', 'websearch', 'notebookedit', 'todowrite',
'ls', 'cat', 'agent', 'search', 'fetch',
],
broad_single_words: [
'run', 'do', 'go', 'help', 'fix', 'use', 'get', 'set', 'all', 'any', 'it', 'this', 'that',
],
},
});
// Cache loaded policy per project root

View file

@ -143,6 +143,7 @@ export const OWASP_MAP = Object.freeze({
SCR: ['LLM03'],
PST: ['LLM01', 'LLM06'],
WFL: ['LLM02', 'LLM06'],
TRG: ['LLM06'],
});
/**
@ -162,6 +163,7 @@ export const OWASP_AGENTIC_MAP = Object.freeze({
SCR: ['ASI04'],
PST: ['ASI02', 'ASI03', 'ASI04', 'ASI05'],
WFL: ['ASI04'],
TRG: [],
});
/**
@ -181,6 +183,7 @@ export const OWASP_SKILLS_MAP = Object.freeze({
SCR: ['AST06'],
PST: ['AST01', 'AST03'],
WFL: [],
TRG: ['AST04'],
});
/**
@ -200,6 +203,7 @@ export const OWASP_MCP_MAP = Object.freeze({
SCR: ['MCP04'],
PST: ['MCP02', 'MCP07'],
WFL: [],
TRG: [],
});
/**

View file

@ -109,6 +109,7 @@ import { scan as memoryScan } from './memory-poisoning-scanner.mjs';
import { scan as supplyChainScan } from './supply-chain-recheck.mjs';
import { scan as workflowScan } from './workflow-scanner.mjs';
import { scan as tfaScan } from './toxic-flow-analyzer.mjs';
import { scan as trgScan } from './trigger-scanner.mjs';
const SCANNERS = [
{ name: 'unicode', fn: unicodeScan },
@ -121,6 +122,7 @@ const SCANNERS = [
{ name: 'memory', fn: memoryScan },
{ name: 'supply-chain', fn: supplyChainScan },
{ name: 'workflow', fn: workflowScan },
{ name: 'trg', fn: trgScan },
{ name: 'toxic-flow', fn: tfaScan, requiresPriorResults: true },
];

View file

@ -6,8 +6,10 @@
import { describe, it, beforeEach } from 'node:test';
import assert from 'node:assert/strict';
import { resolve } from 'node:path';
import { resolve, join } from 'node:path';
import { fileURLToPath } from 'node:url';
import { mkdtempSync, mkdirSync, writeFileSync, rmSync, readFileSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { resetCounter } from '../../scanners/lib/output.mjs';
import { discoverFiles } from '../../scanners/lib/file-discovery.mjs';
import { scan } from '../../scanners/trigger-scanner.mjs';
@ -130,3 +132,59 @@ describe('trigger-scanner: poisoned', () => {
assert.equal(total, result.findings.length);
});
});
// ---------------------------------------------------------------------------
// Wiring — OWASP map + orchestrator registration (Step 2)
// ---------------------------------------------------------------------------
describe('trigger-scanner: OWASP map registration', () => {
it('TRG is present in all four OWASP maps with the right codes', async () => {
const { OWASP_MAP, OWASP_AGENTIC_MAP, OWASP_SKILLS_MAP, OWASP_MCP_MAP } =
await import('../../scanners/lib/severity.mjs');
assert.deepEqual(OWASP_MAP.TRG, ['LLM06']);
assert.deepEqual(OWASP_AGENTIC_MAP.TRG, []);
assert.deepEqual(OWASP_SKILLS_MAP.TRG, ['AST04']);
assert.deepEqual(OWASP_MCP_MAP.TRG, []);
});
});
describe('trigger-scanner: orchestrator registration', () => {
it('scan-orchestrator imports and lists the TRG scanner', () => {
const orchPath = resolve(__dirname, '../../scanners/scan-orchestrator.mjs');
const text = readFileSync(orchPath, 'utf8');
assert.match(text, /import\s+\{\s*scan as trgScan\s*\}\s+from\s+['"]\.\/trigger-scanner\.mjs['"]/);
assert.match(text, /\{\s*name:\s*'trg',\s*fn:\s*trgScan\s*\}/);
});
});
// ---------------------------------------------------------------------------
// Policy — overriding baiting_phrases changes detection
// ---------------------------------------------------------------------------
describe('trigger-scanner: policy override', () => {
it('baiting_phrases from .llm-security/policy.json replaces the defaults', async () => {
const dir = mkdtempSync(join(tmpdir(), 'trg-policy-'));
try {
mkdirSync(join(dir, '.llm-security'), { recursive: true });
writeFileSync(
join(dir, '.llm-security', 'policy.json'),
JSON.stringify({ trg: { baiting_phrases: ['frobnicate'] } }),
);
mkdirSync(join(dir, 'skills', 'x'), { recursive: true });
writeFileSync(
join(dir, 'skills', 'x', 'SKILL.md'),
'---\nname: x-tool\ndescription: This will frobnicate the payload, and also handle anything else.\n---\n\n# x-tool\n',
);
resetCounter();
const discovery = await discoverFiles(dir);
const result = await scan(dir, discovery);
const baiting = result.findings.filter(f => /baiting/i.test(f.title));
assert.ok(baiting.length >= 1, 'the policy-provided phrase should trigger baiting');
assert.ok(baiting.some(f => /frobnicate/i.test(f.evidence)), 'should match the overridden phrase');
// The default phrase list (which includes "anything") was replaced, so it must not match.
assert.ok(!baiting.some(f => /anything/i.test(f.evidence)), 'default phrases must be replaced, not merged');
} finally {
rmSync(dir, { recursive: true, force: true });
}
});
});