Coding Agent Security

We talk through which agents are in active use across your engineering org — sanctioned, tolerated, or known shadow usage — and how that distributes across teams, geographies, and seniority. We go through deployment modes (IDE plugin, CLI, web, code-review bot, autonomous CI/CD agent) and, separately, runtime locations (local IDE process, local CLI, corporate-hosted runner, vendor cloud background agent, browser-based cloud workspace). The runtime location distinction is doing most of the work here: a local plugin keeps code on the dev machine; a vendor cloud background agent clones the repo into vendor infrastructure. That single difference reshapes the downstream risk picture.

We also cover adoption scale, shadow visibility (do you actually know who is using what), corporate-versus-personal account split, repository scope rules, and the environments where agents run (laptop, devcontainer, Codespaces/Gitpod/Coder, CI/CD, production debugging, customer environments).

We discuss whether you have a formal AI coding policy, whether new agents and MCP servers go through a real approval gate or are self-service, how risk is classified, and what vendor due diligence has happened on the agent vendors holding your source code. Training and awareness coverage is part of this domain too: secret handling in prompts, prompt injection in pasted content, IP and license risk, social engineering of agents through poisoned documents, slopsquatting awareness, and destructive-action awareness all belong here.

Many engagements find this domain at “ad hoc” while pipeline-side controls are already mature. That asymmetry tends to show up later, when someone asks for evidence.

We discuss the predominant identity model (corporate SSO versus personal vendor accounts versus shared service accounts), SSO and SCIM enforcement across agent vendors, and secret-redaction controls on agent traffic. We capture where dev-side secrets actually live (centralized secret manager, OS keychain, .env files, IDE config, shell history, source) because a coding agent with file or shell tools can read whatever the developer can read.

Token scope and lifetime get specific attention. Many environments default to full repo write with mixed or indefinite lifetimes. That is a one-line finding with a measurable remediation. We also cover chat-history leakage risk, MCP server credential provisioning, and session isolation across users, repos, and projects.

We take stock of the MCP servers in active use (GitHub, Slack, Atlassian, internal forks, and so on), go through source vetting before adoption, hosting models (local on dev machine, devcontainer, central internal service, vendor SaaS), and network egress posture. Tool description audits and rug-pull detection are part of this domain: a benign MCP server today can become malicious tomorrow through an upstream change.

The capability surface is the other half. We go through which tool categories your agents can invoke (shell execution, file write inside or outside the workspace, network requests, browser automation, database access, cloud SDK and IaC tools, email or messaging send, code execution sandboxes) and the tool approval defaults. The difference between “every action requires confirmation” and “full auto mode” reshapes your blast radius more than any other single setting.

Third-party marketplaces (Cursor extensions, IDE plugin stores, MCP directories) get their own item because they are a discovery layer with limited safety guarantees.

For the threat lens this domain draws on, see my blog post on securing MCP with a defense-first architecture.

Different products send different amounts of code. Inline completions send small windows. Chat with project context can send entire open files. Background agents clone the repo into vendor infrastructure. We discuss which of these paths your teams actually use and whether sensitive repositories (PCI, PHI, customer crypto material, critical business logic) get special handling or are treated like everything else.

We walk through what is documented around vendor data handling (training opt-out, zero-retention modes, region pinning, DPA, BYOK), prompt telemetry scope, the availability of self-hosted options for sensitive workloads, agent long-term memory controls, and the IP classification driving repo-level rules. Customer-data exposure through agent prompts is a common pain point and gets its own line.

We discuss whether human review of AI-generated code is mandatory, optional, or skipped, and whether AI-authored code is attributed (tag, comment, or commit trailer). Then we walk through the security scanning stack actually wired into the pipeline (SAST, secret scanning, SCA, IaC, container, license compliance) because AI-generated code concentrates certain bug classes: weak crypto, broad CORS, eval/exec, SQL string concatenation, unsafe deserialization, TLS verification disabled.

Prompt-injection defenses for source inputs (issues, PR comments, code comments, retrieved documents that the agent consumes) are part of this domain. So are destructive-action controls (pre-execution diff or preview, confirmation prompts, allowlists, sandbox execution, snapshots), test coverage requirements for AI-generated changes, commit signing and attribution for agent-authored commits, and license-contamination checks.

Slopsquatting (AI-hallucinated or recently-registered typosquatted packages) is the highest-traffic operational risk in this domain. We go through the controls that matter here: internal registry or proxy with allowlist, lockfile enforcement, pre-install scanning, cooling periods on newly-published packages, and human review for AI-suggested dependencies.

Beyond packages, the agent itself is a binary that runs with developer privileges. We discuss how agent binaries reach machines (vendor-signed installer, corporate app store, internal mirror, public marketplace, direct web download), and how MCP servers themselves are pulled in (signing, version pinning, internal fork or mirror, update review). Third-party rule packs, system prompts, and personas (Cursor rules, CLAUDE.md fragments, Copilot custom instructions, agent persona libraries) get their own item because they are unsigned text fragments that shape agent behavior and can carry hidden instructions.

SBOM coverage of AI-introduced dependencies and the contractual stance on whether your code trains vendor models complete this domain.

We discuss where shell commands and code that the agent runs actually execute (laptop host OS, local devcontainer, remote dev environment, vendor-hosted runner, CI/CD runner, production read-only, production with write), the strength of shell sandboxing (microVM, container with restricted privileges, container with default privileges, process-only, none), and dev-environment network egress controls.

Dev-machine hardening (EDR, full-disk encryption, MDM, host firewall, least-privilege local user, application allowlisting) gets explicit coverage because the agent inherits the host’s containment. Agent access to production, the use of coding agents inside the CI/CD pipeline (PR review bots, autonomous bug fixes, test generation, security-finding triage), and whether agents can bypass branch protections or CODEOWNERS round out this domain.

We discuss what is logged centrally (prompts, completions, tool and MCP invocations with arguments, network traffic from MCP servers, commits and PRs authored by agents, authentication and session events), retention policy, whether logs are SIEM-integrated, and whether anomaly detection is tuned to agent behavior (unusual tool sequences, exfiltration patterns, destructive-action spikes, off-hours activity, cross-repo activity from one session).

We also cover whether an incident response playbook exists for the four most common agent-specific scenarios (poisoned MCP server, leaked agent token, prompt-injection-induced destructive action, vendor data exposure) and whether credential revocation has been timed end-to-end against a tabletop. Forensic capability (full session replay, transcript export, tool-call audit log, network capture) gets its own item because reconstruction is what turns an incident into a postmortem rather than a guess.

The category closes with a self-assessed maturity score from 0 to 10. It anchors the report and gives you a measurable baseline to improve against.