If you discover a security vulnerability in agnix, please report it responsibly:
- Do NOT open a public issue for security vulnerabilities
- Email the maintainer directly at: aviarchi1994@gmail.com
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You can expect:
- Acknowledgment within 48 hours
- Status update within 7 days
- Credit in release notes (unless you prefer anonymity)
| Version | Supported |
|---|---|
| 0.7.x | Yes |
| < 0.7 | No |
Agnix is a local linting tool that validates agent configuration files. Its threat model assumes:
- Trusted input files: Files being validated are from the user's own codebase
- Local execution: The tool runs locally, not as a service
- Opt-in telemetry only: Network submission is disabled by default and requires explicit opt-in (see Telemetry section)
For detailed security architecture, threat model, and implementation details, see SECURITY-MODEL.md.
| Feature | Description | Default |
|---|---|---|
| Symlink Rejection | All file reads reject symlinks to prevent path traversal | Always on |
| File Size Limits | Maximum file size to prevent memory exhaustion | 1 MiB |
| File Count Limits | Maximum files to validate to prevent DoS | 10,000 |
| Regex Input Limits | Maximum input to regex operations to prevent ReDoS | 64 KB |
| Path Traversal Detection | Import validation detects ../ escape attempts |
Always on |
| Atomic Writes | Fix application uses atomic temp-file-then-rename | Always on |
| No Command Execution | agnix does not execute external commands or scripts | N/A |
-
TOCTOU Window: There is a time-of-check-time-of-use gap between checking file properties and reading content. An attacker with local filesystem access could potentially exploit this, but impact is limited to reading unexpected content. Platform-specific atomic alternatives (O_NOFOLLOW on Unix) would eliminate this but are not currently implemented.
-
Platform Differences: Symlink behavior varies between Unix and Windows. Tests are primarily validated on Unix.
-
YAML Complexity: While file size limits provide basic protection, deeply nested YAML structures could cause high memory usage within the 1 MiB limit.
-
Parser Bugs: While we use fuzz testing and property-based testing, parsers may have undiscovered bugs.
-
Telemetry ID Generation: If telemetry is enabled (disabled by default), session IDs are generated using
uuid::Uuid::new_v4()which uses the operating system's random number generator. No personally identifiable information is collected.
# Maximum files to validate (DoS protection)
# Default: 10,000. Set to None to disable (not recommended)
max_files_to_validate = 10000
# Exclude patterns (skip untrusted directories)
exclude = [
"node_modules/**",
".git/**",
"target/**",
]# Override file limit
agnix --max-files 5000 .
# Disable file limit (not recommended)
agnix --max-files 0 .We use multiple layers of dependency verification:
- cargo-audit: Checks for known CVEs in dependencies (runs on every PR)
- cargo-deny: Checks licenses, duplicates, and sources
- Dependabot: Automatic security updates
- CodeQL: Static analysis for Rust code
Some RUSTSEC advisories are temporarily ignored due to waiting for upstream fixes or because they affect dev-only dependencies. These are tracked and reviewed periodically.
For details on currently ignored advisories and the review process, see RUSTSEC-ADVISORIES.md.
The codebase follows these patterns to maintain security:
- Graceful Degradation: Parsing errors skip the problematic file rather than crashing
- No Sensitive Data in Errors: Error messages avoid exposing file contents
- UTF-8 Boundary Safety: Fix application validates UTF-8 character boundaries
- Bounded Iteration: Regex matches and file walks use limits to prevent exhaustion
- Early Validation: Invalid inputs are rejected at parsing stage
agnix includes opt-in telemetry to help improve the tool. Telemetry is disabled by default.
When telemetry is enabled, we collect only aggregate statistics:
What we collect:
- File type counts (e.g., "5 skills, 2 MCP configs") - NOT file paths or names
- Rule trigger counts (e.g., "AS-001: 3 times") - NOT diagnostic messages
- Error/warning/info counts
- Validation duration
- Random installation ID (UUIDv4, not tied to user identity)
What we NEVER collect:
- File paths or directory structure
- File contents or code
- User identity, email, or system information
- IP addresses (telemetry server does not log IPs)
Telemetry is automatically disabled in:
- CI environments (CI, GITHUB_ACTIONS, GITLAB_CI, TRAVIS, etc.)
- When DO_NOT_TRACK environment variable is set (any value)
- When AGNIX_TELEMETRY=0 or AGNIX_TELEMETRY=false
# Check current status
agnix telemetry status
# Enable telemetry (opt-in)
agnix telemetry enable
# Disable telemetry
agnix telemetry disable- Config:
~/.config/agnix/telemetry.json(or platform equivalent) - Queue:
~/.local/share/agnix/telemetry_queue.json(for offline storage)
Telemetry HTTP submission is also gated by a Cargo feature. By default, events are only stored locally. To enable HTTP submission:
cargo install agnix-cli --features telemetrySecurity fixes are released as patch versions (e.g., 0.8.0 -> 0.8.1) and announced in:
- GitHub Releases
- CHANGELOG.md
- Security issues: aviarchi1994@gmail.com
- General issues: GitHub Issues
- Repository: https://github.com/avifenesh/agnix