2025-12-19 · Authensor

Using SafeClaw in CI/CD Pipelines: Build and Test Policy

Scenario

You have an AI agent integrated into your CI/CD pipeline. It runs inside GitHub Actions (or a similar CI runner). The agent's job is to build your application, run tests, generate coverage reports, and suggest fixes for failing tests. It should never deploy to production, publish packages to registries, modify infrastructure, or alter pipeline configuration files.

SafeClaw enforces this boundary so the agent can operate autonomously within the build-and-test phase without any risk of it triggering a production deployment or infrastructure change.

Threat Model

An AI agent in a CI/CD environment without action-level gating can:

SafeClaw's deny-by-default policy ensures the agent is restricted to building and testing, nothing more.

Recommended Policy

# CI/CD Build and Test Policy
policy:
  name: "cicd-build-test-only"
  default: DENY

rules:
  # --- File Read ---
  - action: file_read
    path: "/home/runner/work/repo/**"
    decision: ALLOW

  # --- File Write ---
  - action: file_write
    path: "/home/runner/work/repo/build/**"
    decision: ALLOW

  - action: file_write
    path: "/home/runner/work/repo/coverage/**"
    decision: ALLOW

  - action: file_write
    path: "/home/runner/work/repo/test-results/**"
    decision: ALLOW

  - action: file_write
    path: "/home/runner/work/repo/.github/**"
    decision: DENY

  - action: file_write
    path: "/home/runner/work/repo/Dockerfile"
    decision: DENY

  - action: file_write
    path: "/home/runner/work/repo/terraform/**"
    decision: DENY

  # --- Shell Exec ---
  - action: shell_exec
    command: "npm test*"
    decision: ALLOW

  - action: shell_exec
    command: "npm run build*"
    decision: ALLOW

  - action: shell_exec
    command: "npm run lint*"
    decision: ALLOW

  - action: shell_exec
    command: "npx jest*"
    decision: ALLOW

  - action: shell_exec
    command: "npm publish*"
    decision: DENY

  - action: shell_exec
    command: "npm run deploy*"
    decision: DENY

  - action: shell_exec
    command: "aws *"
    decision: DENY

  - action: shell_exec
    command: "gcloud *"
    decision: DENY

  - action: shell_exec
    command: "terraform *"
    decision: DENY

  - action: shell_exec
    command: "docker push*"
    decision: DENY

  - action: shell_exec
    command: "git push*"
    decision: REQUIRE_APPROVAL

  # --- Network ---
  - action: network
    domain: "registry.npmjs.org"
    decision: ALLOW

  - action: network
    domain: "api.github.com"
    decision: ALLOW

  - action: network
    domain: "api.openai.com"
    decision: ALLOW

  - action: network
    domain: "*"
    decision: DENY

Example Action Requests

1. Agent runs the test suite (ALLOW)

{
  "action": "shell_exec",
  "command": "npm test -- --coverage",
  "agent": "cicd-ai-agent",
  "timestamp": "2026-02-13T08:30:00Z"
}
// Decision: ALLOW — matches npm test*

2. Agent writes a coverage report (ALLOW)

{
  "action": "file_write",
  "path": "/home/runner/work/repo/coverage/lcov.info",
  "agent": "cicd-ai-agent",
  "timestamp": "2026-02-13T08:32:00Z"
}
// Decision: ALLOW — path matches /home/runner/work/repo/coverage/**

3. Agent attempts to deploy (DENY)

{
  "action": "shell_exec",
  "command": "npm run deploy -- --env production",
  "agent": "cicd-ai-agent",
  "timestamp": "2026-02-13T08:35:00Z"
}
// Decision: DENY — npm run deploy* is explicitly denied

4. Agent attempts to modify a workflow file (DENY)

{
  "action": "file_write",
  "path": "/home/runner/work/repo/.github/workflows/deploy.yml",
  "content": "on: push\njobs:\n  deploy:\n    ...",
  "agent": "cicd-ai-agent",
  "timestamp": "2026-02-13T08:36:00Z"
}
// Decision: DENY — .github/** is explicitly denied for writes

5. Agent pushes a commit with test fixes (REQUIRE_APPROVAL)

{
  "action": "shell_exec",
  "command": "git push origin fix/test-corrections",
  "agent": "cicd-ai-agent",
  "timestamp": "2026-02-13T08:40:00Z"
}
// Decision: REQUIRE_APPROVAL — git push requires human sign-off

6. Agent tries to run Terraform (DENY)

{
  "action": "shell_exec",
  "command": "terraform apply -auto-approve",
  "agent": "cicd-ai-agent",
  "timestamp": "2026-02-13T08:42:00Z"
}
// Decision: DENY — terraform * is explicitly denied
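To make the six decisions above reproducible offline, here is a small evaluator written for this post (it is an added illustration, not SafeClaw's own engine). It assumes first-match rule ordering with a deny-by-default fallback, and assumes that `**` in a path crosses `/` while `*` in a command or domain matches any run of characters; the `cdn.example` request is constructed to show the catch-all network rule.

```javascript
// Added illustration (not SafeClaw's own evaluator): a first-match, deny-by-default
// interpreter for the policy above. First-match ordering and the glob semantics
// ("**" crosses "/", "*" matches anything in commands/domains) are assumptions.
const POLICY = {
  default: "DENY",
  rules: [
    { action: "file_read", path: "/home/runner/work/repo/**", decision: "ALLOW" },
    { action: "file_write", path: "/home/runner/work/repo/coverage/**", decision: "ALLOW" },
    { action: "file_write", path: "/home/runner/work/repo/.github/**", decision: "DENY" },
    { action: "shell_exec", command: "npm test*", decision: "ALLOW" },
    { action: "shell_exec", command: "npm run deploy*", decision: "DENY" },
    { action: "shell_exec", command: "terraform *", decision: "DENY" },
    { action: "shell_exec", command: "git push*", decision: "REQUIRE_APPROVAL" },
    { action: "network", domain: "api.github.com", decision: "ALLOW" },
    { action: "network", domain: "*", decision: "DENY" },
  ],
};
const escapeRe = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
// Path globs: "**" crosses "/", "*" stays within one segment. Command and
// domain patterns: "*" matches any run of characters, so "npm test*" is a prefix.
function toRegExp(pattern, isPath) {
  const star = isPath ? "[^/]*" : ".*";
  const src = pattern.split("**")
    .map((part) => part.split("*").map(escapeRe).join(star))
    .join(".*");
  return new RegExp(`^${src}$`);
}
// First rule whose action and pattern match wins; no match falls to the default.
function evaluate(policy, req) {
  for (const rule of policy.rules) {
    if (rule.action !== req.action) continue;
    const field = "path" in rule ? "path" : "command" in rule ? "command" : "domain";
    if (toRegExp(rule[field], field === "path").test(req[field] ?? "")) {
      return { result: rule.decision, matched: rule[field] };
    }
  }
  return { result: policy.default, matched: null };
}
// The six requests from the post, plus one constructed network request.
const REQUESTS = [
  { action: "shell_exec", command: "npm test -- --coverage" },
  { action: "file_write", path: "/home/runner/work/repo/coverage/lcov.info" },
  { action: "shell_exec", command: "npm run deploy -- --env production" },
  { action: "file_write", path: "/home/runner/work/repo/.github/workflows/deploy.yml" },
  { action: "shell_exec", command: "git push origin fix/test-corrections" },
  { action: "shell_exec", command: "terraform apply -auto-approve" },
  { action: "network", domain: "cdn.example" }, // constructed: falls to the "*" DENY rule
];
const simulate = (policy = POLICY, reqs = REQUESTS) => reqs.map((r) => evaluate(policy, r).result);
```

Note that `file_read` is allowed under `.github/` even though `file_write` there is denied, and an action type with no rule at all (for example a hypothetical `file_delete`) never matches and lands on the policy default.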

Setup Steps

  1. Add SafeClaw to your CI workflow. In your GitHub Actions YAML (or equivalent), install SafeClaw before the agent runs:
     - name: Install SafeClaw
       run: npx @authensor/safeclaw --ci --policy cicd-build-test-only
  2. Provision a CI-specific API key. Use the SafeClaw dashboard to generate a key scoped to this pipeline. The free tier provides 7-day renewable keys with no credit card required.
  3. Store the key as a CI secret. Add SAFECLAW_API_KEY to your repository secrets. SafeClaw reads it from the environment automatically.
  4. Define the policy using the build-and-test template. Customize the allowed commands to match your exact build toolchain (e.g., replace npm test with pytest or go test ./... for non-Node projects).
  5. Integrate SafeClaw into the agent's execution loop. Every command the agent generates must pass through SafeClaw before execution:
     // Ask SafeClaw for a decision before anything the agent generated is executed.
     const decision = await safeclaw.evaluate({
       action: "shell_exec",
       command: agentGeneratedCommand,
       agent: "cicd-ai-agent"
     });
     // Anything other than ALLOW (DENY or REQUIRE_APPROVAL) stops the command here.
     if (decision.result !== "ALLOW") {
       console.log(`Blocked: ${agentGeneratedCommand} — ${decision.result}`);
       return;
     }
  6. Run in simulation mode on a non-production branch first. Review the audit trail to validate that all build and test commands are allowed and all deploy and infrastructure commands are denied.
  7. Enable enforcement and merge into your main CI pipeline. The sub-millisecond evaluation adds negligible overhead to your build time.
  8. Export audit logs after each run. SafeClaw's tamper-proof SHA-256 hash chain provides a verifiable record of every action the agent attempted and every decision made.

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw