4.6. Security
What is the attack surface?
- User prompts and A2A messages can contain injection, PII, oversized content, or malicious identifiers.
- Model output can request unsafe tools or arguments.
- Tool/log/runbook/skill content can inject instructions back into the model.
- MCP, A2A, gateway, OTLP, and provider routes cross network/trust boundaries.
- Dependencies, images, manifests, CI, model weights, and cloud identity form a software supply chain.
- Session, incident, audit, trace, metric, and MLflow stores retain sensitive evidence.
Threat modeling asks what each identity can read/write, which data crosses the model boundary, and what happens when a component is compromised.
How does the application reduce authority?
- Read tools are narrow; setting
AGENT_MCP_URLsends them through an allowlisted gateway route. - Write tools remain in-process, require confirmation, validate targets, and audit identity.
- Skills expose only instruction discovery/loading.
- Paths accept only validated slugs; ids accept only
INC-<digits>. - A2A requests replace ADK's broad default with a bounded model-call budget.
- Telemetry content capture defaults to
false. - Kubernetes workloads run non-root with dropped capabilities, read-only root filesystems, service accounts, and network policy.
Least privilege limits damage; it does not make untrusted model output trustworthy.
What does mise run redteam actually do?
It runs deterministic, offline adversarial regression tests:
The current cases assert path-traversal strings fail at identifiers, nested PII is removed from structured output, and every state-changing tool retains confirmation. This is a fast regression gate, not live-model red teaming or a penetration test. The course intentionally makes no garak/LiteLLM claim.
When does the red-team suite run in CI?
On every push and pull request: .github/workflows/ci.yml runs mise run redteam as a dedicated step after the offline tests, next to mise run eval:validate for evalset consistency. Both are deterministic and need no model or key, so a safety regression blocks the merge with a named signal. Model-backed evaluation stays on the separate scheduled workflow described in 4.4. Evaluations.
How should live-model security testing be added?
Use an OSS scanner only after reviewing its code, probes, model transport, license, data handling, and reproducibility. Run it against a disposable local/staging target, capture model/prompt/tool versions, and convert confirmed findings into deterministic regressions. Never send production secrets or user conversations to a scanning service by default.
How are secrets protected?
.env is ignored and loaded only by explicit configuration, interactive, and live-evaluation tasks; install, check, and test do not inherit it. GKE uses Workload Identity Federation for Vertex and GCS rather than service-account keys. Gitleaks scans staged changes/history, and examples use markers rather than real tokens.
If a secret reaches Git, revoke/rotate it first; deleting the visible line is not remediation because history, forks, caches, and logs may retain it.
How are dependencies and infrastructure scanned?
The root task runs gitleaks over Git history and Trivy over vulnerabilities, secrets, licenses, and misconfiguration. Vulnerabilities fail at HIGH/CRITICAL; licenses use a separate UNKNOWN/HIGH/CRITICAL gate so unclassified terms cannot disappear behind vulnerability severity. trivy.yaml explicitly permits only reviewed OSS entries: the GPL/LGPL runtime licenses plus valid SPDX expressions, legacy metadata labels, and public-domain grants that Trivy does not classify itself. Non-commercial and any other unreviewed high-risk or unknown terms still fail. mise run check:licenses separately inventories each locked Python environment with an exact reviewed-license allowlist and verifies embedded texts when package metadata is incomplete. Python mise run check:vuln runs pip-audit. CI repeats these repository gates. Any suppression must name one finding, explain reachability/risk, and be revisited when a fix ships.
What remains out of scope?
The default course path has no public ingress, TLS termination, multi-tenant authentication, external immutable audit sink, HA database, image signature enforcement, or production incident response. The optional local gateway security profile and lab-grade backup/restore drill teach those mechanisms without turning the lab into a public or disaster-recovery-ready platform. Its single Spot-node GKE path is intentionally interruptible. These are explicit residual risks, not future-looking guarantees.
What is the security checkpoint?
Record tool/database/image findings and their disposition. Do not weaken a scanner, test, or assertion to make the gate green; fix the root cause or document a narrow, evidence-backed exception.