From 9f1156866c5b053aa0f94f2a1238db25acdb283c Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Sat, 20 Jun 2026 09:24:23 +0200 Subject: [PATCH] feat(llm-security): wire TRG scanner into orchestrator and policy Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG --- scanners/lib/policy-loader.mjs | 18 ++++++++ scanners/lib/severity.mjs | 4 ++ scanners/scan-orchestrator.mjs | 2 + tests/scanners/trigger-scanner.test.mjs | 60 ++++++++++++++++++++++++- 4 files changed, 83 insertions(+), 1 deletion(-) diff --git a/scanners/lib/policy-loader.mjs b/scanners/lib/policy-loader.mjs index aedfb78..fc7ef08 100644 --- a/scanners/lib/policy-loader.mjs +++ b/scanners/lib/policy-loader.mjs @@ -65,6 +65,24 @@ const DEFAULT_POLICY = Object.freeze({ // Substring matches against relative path — plain contains, no glob. suppress_paths: [], }, + // TRG — trigger/activation-abuse scanner. Lists mirror the scanner defaults + // in scanners/trigger-scanner.mjs; override any of them via policy.json. + trg: { + mode: 'warn', + baiting_phrases: [ + 'anything', 'everything', 'always', 'whenever', 'no matter what', + 'any request', 'any task', 'any file', 'every time', + 'all files', 'all messages', 'all requests', + ], + builtin_names: [ + 'read', 'write', 'edit', 'bash', 'glob', 'grep', 'task', + 'webfetch', 'websearch', 'notebookedit', 'todowrite', + 'ls', 'cat', 'agent', 'search', 'fetch', + ], + broad_single_words: [ + 'run', 'do', 'go', 'help', 'fix', 'use', 'get', 'set', 'all', 'any', 'it', 'this', 'that', + ], + }, }); // Cache loaded policy per project root diff --git a/scanners/lib/severity.mjs b/scanners/lib/severity.mjs index c2bd7c0..8a21a6b 100644 --- a/scanners/lib/severity.mjs +++ b/scanners/lib/severity.mjs @@ -143,6 +143,7 @@ export const OWASP_MAP = Object.freeze({ SCR: ['LLM03'], PST: ['LLM01', 'LLM06'], WFL: ['LLM02', 'LLM06'], + TRG: ['LLM06'], }); /** @@ -162,6 +163,7 @@ export const OWASP_AGENTIC_MAP = Object.freeze({ SCR: ['ASI04'], PST: ['ASI02', 'ASI03', 'ASI04', 'ASI05'], WFL: ['ASI04'], + TRG: [], }); /** @@ -181,6 +183,7 @@ export const OWASP_SKILLS_MAP = Object.freeze({ SCR: ['AST06'], PST: ['AST01', 'AST03'], WFL: [], + TRG: ['AST04'], }); /** @@ -200,6 +203,7 @@ export const OWASP_MCP_MAP = Object.freeze({ SCR: ['MCP04'], PST: ['MCP02', 'MCP07'], WFL: [], + TRG: [], }); /** diff --git a/scanners/scan-orchestrator.mjs b/scanners/scan-orchestrator.mjs index fce1176..af603b1 100644 --- a/scanners/scan-orchestrator.mjs +++ b/scanners/scan-orchestrator.mjs @@ -109,6 +109,7 @@ import { scan as memoryScan } from './memory-poisoning-scanner.mjs'; import { scan as supplyChainScan } from './supply-chain-recheck.mjs'; import { scan as workflowScan } from './workflow-scanner.mjs'; import { scan as tfaScan } from './toxic-flow-analyzer.mjs'; +import { scan as trgScan } from './trigger-scanner.mjs'; const SCANNERS = [ { name: 'unicode', fn: unicodeScan }, @@ -121,6 +122,7 @@ const SCANNERS = [ { name: 'memory', fn: memoryScan }, { name: 'supply-chain', fn: supplyChainScan }, { name: 'workflow', fn: workflowScan }, + { name: 'trg', fn: trgScan }, { name: 'toxic-flow', fn: tfaScan, requiresPriorResults: true }, ]; diff --git a/tests/scanners/trigger-scanner.test.mjs b/tests/scanners/trigger-scanner.test.mjs index beb5b82..d589c3e 100644 --- a/tests/scanners/trigger-scanner.test.mjs +++ b/tests/scanners/trigger-scanner.test.mjs @@ -6,8 +6,10 @@ import { describe, it, beforeEach } from 'node:test'; import assert from 'node:assert/strict'; -import { resolve } from 'node:path'; +import { resolve, join } from 'node:path'; import { fileURLToPath } from 'node:url'; +import { mkdtempSync, mkdirSync, writeFileSync, rmSync, readFileSync } from 'node:fs'; +import { tmpdir } from 'node:os'; import { resetCounter } from '../../scanners/lib/output.mjs'; import { discoverFiles } from '../../scanners/lib/file-discovery.mjs'; import { scan } from '../../scanners/trigger-scanner.mjs'; @@ -130,3 +132,59 @@ describe('trigger-scanner: poisoned', () => { assert.equal(total, result.findings.length); }); }); + +// --------------------------------------------------------------------------- +// Wiring — OWASP map + orchestrator registration (Step 2) +// --------------------------------------------------------------------------- + +describe('trigger-scanner: OWASP map registration', () => { + it('TRG is present in all four OWASP maps with the right codes', async () => { + const { OWASP_MAP, OWASP_AGENTIC_MAP, OWASP_SKILLS_MAP, OWASP_MCP_MAP } = + await import('../../scanners/lib/severity.mjs'); + assert.deepEqual(OWASP_MAP.TRG, ['LLM06']); + assert.deepEqual(OWASP_AGENTIC_MAP.TRG, []); + assert.deepEqual(OWASP_SKILLS_MAP.TRG, ['AST04']); + assert.deepEqual(OWASP_MCP_MAP.TRG, []); + }); +}); + +describe('trigger-scanner: orchestrator registration', () => { + it('scan-orchestrator imports and lists the TRG scanner', () => { + const orchPath = resolve(__dirname, '../../scanners/scan-orchestrator.mjs'); + const text = readFileSync(orchPath, 'utf8'); + assert.match(text, /import\s+\{\s*scan as trgScan\s*\}\s+from\s+['"]\.\/trigger-scanner\.mjs['"]/); + assert.match(text, /\{\s*name:\s*'trg',\s*fn:\s*trgScan\s*\}/); + }); +}); + +// --------------------------------------------------------------------------- +// Policy — overriding baiting_phrases changes detection +// --------------------------------------------------------------------------- + +describe('trigger-scanner: policy override', () => { + it('baiting_phrases from .llm-security/policy.json replaces the defaults', async () => { + const dir = mkdtempSync(join(tmpdir(), 'trg-policy-')); + try { + mkdirSync(join(dir, '.llm-security'), { recursive: true }); + writeFileSync( + join(dir, '.llm-security', 'policy.json'), + JSON.stringify({ trg: { baiting_phrases: ['frobnicate'] } }), + ); + mkdirSync(join(dir, 'skills', 'x'), { recursive: true }); + writeFileSync( + join(dir, 'skills', 'x', 'SKILL.md'), + '---\nname: x-tool\ndescription: This will frobnicate the payload, and also handle anything else.\n---\n\n# x-tool\n', + ); + resetCounter(); + const discovery = await discoverFiles(dir); + const result = await scan(dir, discovery); + const baiting = result.findings.filter(f => /baiting/i.test(f.title)); + assert.ok(baiting.length >= 1, 'the policy-provided phrase should trigger baiting'); + assert.ok(baiting.some(f => /frobnicate/i.test(f.evidence)), 'should match the overridden phrase'); + // The default phrase list (which includes "anything") was replaced, so it must not match. + assert.ok(!baiting.some(f => /anything/i.test(f.evidence)), 'default phrases must be replaced, not merged'); + } finally { + rmSync(dir, { recursive: true, force: true }); + } + }); +});