2026-02-05 · Authensor

SafeClaw Policy Recipe: CI/CD Pipeline Agent

This policy is for AI agents running inside CI/CD pipelines — GitHub Actions, GitLab CI, CircleCI, or Jenkins. It allows the agent to execute build and test commands, read source code, and write build artifacts while blocking direct deployment, production database access, and secret exfiltration. Install SafeClaw with npx @authensor/safeclaw and drop this config into your pipeline's safeclaw.config.yaml.

Use Case

A CI/CD pipeline agent automates code quality checks: linting, testing, building, and generating reports. It may also trigger deployments or modify infrastructure. The risks are significant in this context — an agent in a pipeline typically has access to deployment credentials, cloud provider tokens, and production endpoints. Without gating, a compromised or misconfigured agent could deploy broken code, leak secrets via network requests, or modify pipeline config to escalate privileges. This policy constrains the agent to build/test operations and requires human approval for any deployment action.

The Policy

# safeclaw.config.yaml — CI/CD Pipeline Agent
# For: GitHub Actions, GitLab CI, CircleCI, Jenkins
# Install: npx @authensor/safeclaw

version: "1.0"
agent: ci-pipeline
defaultAction: deny

rules:
  # --- FILE READ RULES ---

  # Block reading CI secrets and tokens
  - id: deny-read-secrets
    action: file_read
    target: "*/.env"
    decision: deny
    description: "Block reading environment secret files"

  # Block reading cloud credentials
  - id: deny-read-cloud-creds
    action: file_read
    target: "~/.aws/**"
    decision: deny
    description: "Block reading AWS credential files"

  # Block reading GCP service account keys
  - id: deny-read-gcp-keys
    action: file_read
    target: "*/service-account*.json"
    decision: deny
    description: "Block reading GCP service account key files"

  # Allow reading all source code
  - id: allow-read-source
    action: file_read
    target: "./src/**"
    decision: allow
    description: "Allow reading source code for builds and tests"

  # Allow reading test files
  - id: allow-read-tests
    action: file_read
    target: "./tests/**"
    decision: allow
    description: "Allow reading test files"

  # Allow reading project config
  - id: allow-read-config
    action: file_read
    target: "./*.{json,yaml,yml,toml,xml}"
    decision: allow
    description: "Allow reading build and project config files"

  # Allow reading CI config
  - id: allow-read-ci-config
    action: file_read
    target: "./.github/**"
    decision: allow
    description: "Allow reading GitHub Actions workflow files"

  # --- FILE WRITE RULES ---

  # Block writing to source code (CI should not modify source)
  - id: deny-write-source
    action: file_write
    target: "./src/**"
    decision: deny
    description: "Block CI agent from modifying source code"

  # Block writing to CI config (prevent pipeline escalation)
  - id: deny-write-ci-config
    action: file_write
    target: "./.github/**"
    decision: deny
    description: "Block modifying CI workflow files"

  # Allow writing build artifacts
  - id: allow-write-dist
    action: file_write
    target: "./dist/**"
    decision: allow
    description: "Allow writing compiled output to dist/"

  # Allow writing test reports
  - id: allow-write-reports
    action: file_write
    target: "./reports/**"
    decision: allow
    description: "Allow writing test coverage and lint reports"

  # Allow writing build logs
  - id: allow-write-logs
    action: file_write
    target: "./logs/**"
    decision: allow
    description: "Allow writing build log files"

  # --- SHELL EXEC RULES ---

  # Block deployment commands without approval
  - id: gate-deploy
    action: shell_exec
    target: "deploy"
    decision: require_approval
    description: "Require human approval for any deploy command"

  # Require approval for kubectl apply (production changes)
  - id: gate-kubectl-apply
    action: shell_exec
    target: "kubectl apply*"
    decision: require_approval
    description: "Require approval for Kubernetes deployments"

  # Require approval for terraform apply
  - id: gate-terraform-apply
    action: shell_exec
    target: "terraform apply*"
    decision: require_approval
    description: "Require approval for infrastructure changes"

  # Block destructive commands
  - id: deny-rm-rf
    action: shell_exec
    target: "rm -rf *"
    decision: deny
    description: "Block recursive force-delete"

  # Block sudo
  - id: deny-sudo
    action: shell_exec
    target: "sudo *"
    decision: deny
    description: "Block privilege escalation"

  # Allow npm/yarn build and test
  - id: allow-build
    action: shell_exec
    target: "{npm,yarn,pnpm} run build*"
    decision: allow
    description: "Allow build commands"

  # Allow test execution
  - id: allow-test
    action: shell_exec
    target: "{npm,yarn,pnpm} test*"
    decision: allow
    description: "Allow test execution"

  # Allow lint commands
  - id: allow-lint
    action: shell_exec
    target: "{npm,yarn,pnpm} run lint*"
    decision: allow
    description: "Allow linting"

  # Allow installing dependencies
  - id: allow-install
    action: shell_exec
    target: "{npm,yarn,pnpm} install*"
    decision: allow
    description: "Allow dependency installation"

  # Allow git commands (for status, diff in CI)
  - id: allow-git
    action: shell_exec
    target: "git *"
    decision: allow
    description: "Allow git operations for CI checks"

  # --- NETWORK RULES ---

  # Allow npm registry
  - id: allow-npm-registry
    action: network
    target: "https://registry.npmjs.org/*"
    decision: allow
    description: "Allow npm package downloads"

  # Allow GitHub API (for PR comments, status checks)
  - id: allow-github-api
    action: network
    target: "https://api.github.com/*"
    decision: allow
    description: "Allow GitHub API calls for status reporting"

  # Block all other network access
  - id: deny-network-default
    action: network
    target: "*"
    decision: deny
    description: "Block all other outbound network requests"

What This Policy Allows

What This Policy Blocks

What Requires Approval

Customization Guide

  1. Add your deployment tool commands. If you use aws ecs update-service, gcloud app deploy, or helm upgrade, add require_approval rules for those specific commands. Place them above the catch-all deny to ensure first-match-wins evaluation picks them up.
  2. Allow additional registries. For private package registries (Artifactory, GitHub Packages, AWS CodeArtifact), add network allow rules for those domains above deny-network-default.
  3. Restrict to specific branches. Combine this policy with your CI provider's branch rules. For extra safety, create a stricter policy variant for main/production branches where even build commands require approval.
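To make the first-match-wins ordering that step 1 relies on concrete, here is an added example (not SafeClaw's own code) that walks a subset of the rules above, kept in their YAML order, and falls through to defaultAction when nothing matches. The matching semantics are assumptions, because the page does not specify them: a pattern containing '*' or '{...}' is treated as a glob anchored to the whole target, with '*' and '**' both spanning any characters, while a bare word such as "deploy" is matched as a substring, which is what example 4 of the session below implies.

```typescript
// Added example, not SafeClaw's own code: first-match-wins evaluation over a subset of
// the recipe's rules in YAML order. Matching is assumed: anchored globs; bare words as substrings.
type Decision = "allow" | "deny" | "require_approval";
type Action = "file_read" | "file_write" | "shell_exec" | "network";
interface Rule { id: string; action: Action; target: string; decision: Decision }

const DEFAULT_ACTION: Decision = "deny"; // defaultAction: deny

const rules: Rule[] = [
  { id: "deny-read-secrets",     action: "file_read",  target: "*/.env",                       decision: "deny" },
  { id: "deny-read-cloud-creds", action: "file_read",  target: "~/.aws/**",                    decision: "deny" },
  { id: "allow-read-source",     action: "file_read",  target: "./src/**",                     decision: "allow" },
  { id: "allow-write-reports",   action: "file_write", target: "./reports/**",                 decision: "allow" },
  { id: "gate-deploy",           action: "shell_exec", target: "deploy",                       decision: "require_approval" },
  { id: "allow-build",           action: "shell_exec", target: "{npm,yarn,pnpm} run build*",   decision: "allow" },
  { id: "allow-test",            action: "shell_exec", target: "{npm,yarn,pnpm} test*",        decision: "allow" },
  { id: "allow-install",         action: "shell_exec", target: "{npm,yarn,pnpm} install*",     decision: "allow" },
  { id: "allow-npm-registry",    action: "network",    target: "https://registry.npmjs.org/*", decision: "allow" },
  { id: "deny-network-default",  action: "network",    target: "*",                            decision: "deny" },
];

// Escape regex metacharacters in a literal fragment (wildcards and braces are handled by globToRegExp).
const escapeRe = (s: string): string => s.replace(/[.+?^$()|[\]\\]/g, "\\$&");
// Translate a target glob into an anchored RegExp: '*' and '**' -> .* ; {a,b} -> (?:a|b).
function globToRegExp(pattern: string): RegExp {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern.charAt(i);
    if (c === "*") { while (pattern.charAt(i + 1) === "*") i++; re += ".*"; }
    else if (c === "{") {
      const end = pattern.indexOf("}", i); // assumes a well-formed, non-nested brace group
      re += "(?:" + pattern.slice(i + 1, end).split(",").map(escapeRe).join("|") + ")";
      i = end;
    } else re += escapeRe(c);
  }
  return new RegExp("^" + re + "$");
}

function matches(pattern: string, target: string): boolean {
  return /[*{]/.test(pattern) ? globToRegExp(pattern).test(target) : target.includes(pattern);
}

// The first rule whose action and target both match decides; nothing matching -> defaultAction.
function evaluate(action: Action, target: string): { decision: Decision; rule: string } {
  for (const r of rules) {
    if (r.action === action && matches(r.target, target)) return { decision: r.decision, rule: r.id };
  }
  return { decision: DEFAULT_ACTION, rule: "defaultAction" };
}
```

Because the deny rules sit above the allows, reading ./src/.env is denied by deny-read-secrets even though ./src/** is allowed, and "npm run deploy:production" is gated before any allow rule is consulted. A command no rule names, such as "helm upgrade api ./chart", falls through to defaultAction: deny until you add a gate for it as step 1 describes.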

Example Session

1. ALLOW — Agent installs dependencies:

{
  "actionType": "shell_exec",
  "target": "npm install",
  "agentId": "ci-pipeline",
  "decision": "ALLOW",
  "rule": "allow-install",
  "evaluationTime": "0.3ms"
}

2. ALLOW — Agent runs the test suite:

{
  "actionType": "shell_exec",
  "target": "npm test -- --coverage",
  "agentId": "ci-pipeline",
  "decision": "ALLOW",
  "rule": "allow-test",
  "evaluationTime": "0.2ms"
}

3. ALLOW — Agent writes a coverage report:

{
  "actionType": "file_write",
  "target": "./reports/coverage.xml",
  "agentId": "ci-pipeline",
  "decision": "ALLOW",
  "rule": "allow-write-reports",
  "evaluationTime": "0.3ms"
}

4. REQUIRE_APPROVAL — Agent attempts deployment:

{
  "actionType": "shell_exec",
  "target": "npm run deploy:production",
  "agentId": "ci-pipeline",
  "decision": "REQUIRE_APPROVAL",
  "rule": "gate-deploy",
  "evaluationTime": "0.2ms"
}

5. DENY — Agent tries to read AWS credentials:

{
  "actionType": "file_read",
  "target": "~/.aws/credentials",
  "agentId": "ci-pipeline",
  "decision": "DENY",
  "rule": "deny-read-cloud-creds",
  "evaluationTime": "0.2ms"
}

All decisions are logged to SafeClaw's tamper-proof audit trail (SHA-256 hash chain). Run simulation mode in a test pipeline before enforcing. SafeClaw has zero third-party dependencies, 446 tests in TypeScript strict mode, and evaluates policies in sub-millisecond time.

Cross-References

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw