Assay is security-critical infrastructure for AI agents. We take vulnerabilities seriously.

| Version | Status |
|---|---|
| v2.x | ✅ Supported |
| v1.x | |
| v0.x | ❌ EOL |

Do not report security issues through public GitHub issues.
Report privately:
- Email: security@assay.dev
- GitHub: Use "Report a vulnerability" tab
Response time: 24 hours acknowledgment, 72 hours triage.

Assay runs in untrusted environments (CI/CD, agent sandboxes).

| Category | Examples |
|---|---|
| Policy Bypass | Circumventing deny lists, regex constraints |
| RCE | Code execution via malicious config/trace |
| MCP Violations | Unauthorized tool calls through proxy |
| Evidence Tampering | Bundle modification, manifest spoofing |
| Terminal Injection | ANSI escape attacks in evidence explore |
- Physical access attacks
- DoS (lower priority than integrity)
- Social engineering
- Content-addressed bundle IDs (SHA-256)
- JCS canonicalization (RFC 8785)
- Verification gate before any processing
- x-assay-sig extension field
- Sigstore/Rekor transparency logging
- Trust policy enforcement
- Landlock (rootless containment)
- eBPF/LSM (kernel enforcement)
- Environment scrubbing
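As an added example (not Assay's own code; the manifest layout and field names are hypothetical), the following shows how a content-addressed bundle ID over JCS-canonical bytes lets a verification gate accept a reordered manifest but reject a modified one. It implements the RFC 8785 key ordering (UTF-16 code units) and minimal escaping; numbers are limited to integers because ES6 float formatting is not implemented here.

```python
import hashlib
import hmac
import json

def jcs_canonicalize(value) -> bytes:
    """Serialize a JSON value per RFC 8785 (JCS): object keys sorted by UTF-16
    code units, no insignificant whitespace, minimal string escaping.
    Numbers are limited to ints here; ES6 float formatting is out of scope."""
    def emit(v) -> str:
        if v is None:
            return "null"
        if v is True or v is False:
            return "true" if v else "false"
        if isinstance(v, int):
            return str(v)
        if isinstance(v, str):
            return json.dumps(v, ensure_ascii=False)  # escapes only " \ and controls
        if isinstance(v, list):
            return "[" + ",".join(emit(x) for x in v) + "]"
        if isinstance(v, dict):
            keys = sorted(v, key=lambda k: k.encode("utf-16-be"))  # UTF-16 unit order
            return "{" + ",".join(emit(k) + ":" + emit(v[k]) for k in keys) + "}"
        raise TypeError(f"unsupported JSON type: {type(v).__name__}")
    return emit(value).encode("utf-8")

def bundle_id(manifest: dict) -> str:
    """Content-addressed ID: SHA-256 over the canonical manifest bytes."""
    return "sha256:" + hashlib.sha256(jcs_canonicalize(manifest)).hexdigest()

def verify_bundle(bundle: dict) -> bool:
    """Verification gate: refuse the bundle unless its claimed id matches the id
    recomputed from its manifest. Run this before any other processing."""
    claimed, manifest = bundle.get("id"), bundle.get("manifest")
    if not isinstance(claimed, str) or not isinstance(manifest, dict):
        return False
    return hmac.compare_digest(claimed.encode("utf-8"), bundle_id(manifest).encode("utf-8"))

# Constructed sample bundle (hypothetical layout; not Assay's real format).
MANIFEST = {"tool_calls": [{"name": "read_file", "args": {"path": "/etc/hosts"}}],
            "policy": "deny-list-v1", "verdict": "allow"}
GOOD = {"id": bundle_id(MANIFEST), "manifest": MANIFEST}
# Same content with different key order: canonicalization yields the same id.
REORDERED = {"id": GOOD["id"], "manifest": dict(reversed(list(MANIFEST.items())))}
# Tampered verdict: the id no longer matches, so the gate rejects it.
TAMPERED = {"id": GOOD["id"], "manifest": {**MANIFEST, "verdict": "deny"}}

if __name__ == "__main__":
    print(jcs_canonicalize(MANIFEST).decode())
    print(verify_bundle(GOOD), verify_bundle(REORDERED), verify_bundle(TAMPERED))
```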

| Component | Protection |
|---|---|
| Crates.io | Trusted Publishing (OIDC) |
| PyPI | Trusted Publishing |
| Dependencies | cargo-deny audit in CI |
| Releases | GitHub Actions, no manual tokens |

MCP registry token files named .mcpregistry_* are local-only secrets. They are
ignored by git and must never be committed, copied into logs, or uploaded as CI
artifacts. If such files may have appeared in shell history, terminal logs, or
shared artifacts, rotate the underlying credentials before continuing.
Run scripts/ci/check-mcpregistry-secret-hygiene.sh before publishing changes
that touch registry auth or release workflows. Set
ASSAY_FAIL_ON_LOCAL_MCPREGISTRY_TOKENS=1 when a hard-fail local preflight is
preferred.