Skip to content

Add egress-controlled code execution sample#1769

Merged
evandrofranco merged 3 commits into
awslabs:mainfrom
balancin:feat/egress-coding-execution
Jul 14, 2026
Merged

Add egress-controlled code execution sample#1769
evandrofranco merged 3 commits into
awslabs:mainfrom
balancin:feat/egress-coding-execution

Conversation

@balancin

Copy link
Copy Markdown
Contributor

What this adds

A new advanced sample: Egress-Controlled Code Execution (01-features/02-host-your-agent/01-runtime/03-advanced/12-egress-coding-execution).

It demonstrates running untrusted code securely inside an AgentCore Runtime microVM using a three-container pattern:

  • Supervisor (trusted) — the image the runtime starts; a BedrockAgentCoreApp command router that drives containerd (ctr) to launch the other two containers.
  • Broker (trusted) — egress proxy that validates every request against a runtime-configurable allowlist.
  • Agent (untrusted) — network-isolated sandbox (no --net-host, no credentials, non-root); it can only reach the broker over a Unix-domain socket.

The Phase 1 operation is ping_domain, exercising the full supervisor → agent → broker → egress path. The allow-vs-deny contrast (amazon.com permitted, aws.amazon.com denied by the exact-match allowlist) is the security boundary.

Contents

  • deploy.py / invoke.py / cleanup.py following the folder convention (create-or-reuse runtime + IAM role, run the demo, tear down).
  • Three linux/arm64 Dockerfiles (pip-based) for supervisor / broker / agent.
  • Unit tests for the length-prefixed IPC framing and the broker allowlist.
  • Architecture diagram, and a row added to the 03-advanced index.

Testing

Validated end to end on a real account (deploy.pyinvoke.pycleanup.py): images built and pushed to ECR, runtime reached READY, the allowed ping executed while the disallowed domain was blocked by the broker, and cleanup removed the runtime, ECR repos, and role. Unit tests pass (pytest), and ruff check / ruff format --check are clean.

Notes

Phase 1 only — HTTP/secret proxying, rate limits, and explicit namespace/capability/cgroup hardening are documented as deferred to Phase 2. Sample is experimental/educational (disclaimer included in the README).

Fabio Balancin and others added 3 commits July 10, 2026 04:08
A multi-container security sample under 03-advanced: a trusted supervisor
container (started by AgentCore Runtime) launches a broker and an untrusted
agent container inside the same microVM via containerd. All agent egress is
mediated by the broker, which enforces a runtime-configurable allowlist.

The Phase 1 operation is ping_domain, exercising the full
supervisor -> agent -> broker -> egress path. The allow-vs-deny contrast
(amazon.com permitted, aws.amazon.com denied) demonstrates the security
boundary end to end.

Includes deploy.py / invoke.py / cleanup.py (matching the folder convention),
three arm64 Dockerfiles, unit tests for the IPC framing and broker allowlist,
and an architecture diagram. Also adds the row to the 03-advanced index.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add Fabio Balancin (balancin) and Varun Gunda (vvargu) for the
egress-controlled code execution sample.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-coding-execution README

Consolidate into the existing Current status section and drop the broken
Roadmap anchor link.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

Latest scan for commit: d794cc0 | Updated: 2026-07-14 18:59:41 UTC

Security Scan Results

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-07-14T18:59:28+00:00
  • ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

  • Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
  • Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
  • High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
  • Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
  • Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
  • Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

  • Time: Duration taken by each scanner to complete its analysis
  • Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

  • PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
  • FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
  • MISSING: Scanner could not run because required dependencies/tools are not installed or available
  • SKIPPED: Scanner was intentionally disabled or excluded from this scan
  • ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

  • CRITICAL: Only Critical severity findings cause scanner to fail
  • HIGH: High and Critical severity findings cause scanner to fail
  • MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
  • LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
  • ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

  • (g) = global: Set in the global_settings section of ASH configuration
  • (c) = config: Set in the individual scanner configuration section
  • (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold
Scanner S C H M L I Time Action Result Thresh
bandit 0 3 0 0 38 0 830ms 3 FAILED MED (g)
cdk-nag 0 0 0 0 0 0 6.9s 0 PASSED MED (g)
cfn-nag 0 0 0 0 0 0 7ms 0 PASSED MED (g)
checkov 0 0 0 0 0 0 5.4s 0 PASSED MED (g)
detect-secrets 0 1 0 0 0 0 810ms 1 FAILED MED (g)
grype 0 0 0 0 0 0 45.9s 0 PASSED MED (g)
npm-audit 0 0 0 0 0 0 173ms 0 PASSED MED (g)
opengrep 0 0 0 0 0 0 <1ms 0 SKIPPED MED (g)
semgrep 0 0 0 0 0 0 <1ms 0 MISSING MED (g)
syft 0 0 0 0 0 0 2.3s 0 PASSED MED (g)

Detailed Findings

Show 4 actionable findings

Finding 1: SECRET-BASE64-HIGH-ENTROPY-STRING

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-BASE64-HIGH-ENTROPY-STRING
  • Location: 01-features/02-host-your-agent/01-runtime/03-advanced/12-egress-coding-execution/supervisor/src/profiles.py:24

Description:
Secret of type 'Base64 High Entropy String' detected in file '01-features/02-host-your-agent/01-runtime/03-advanced/12-egress-coding-execution/supervisor/src/profiles.py' at line 24

Code Snippet:

Secret of type Base64 High Entropy String detected

Finding 2: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 01-features/02-host-your-agent/01-runtime/03-advanced/12-egress-coding-execution/agent/src/agent_main.py:15-17

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

SUPERVISOR_SOCKET = os.environ.get("SUPERVISOR_SOCKET_PATH", "/tmp/ipc/supervisor.sock")
BROKER_SOCKET = os.environ.get("BROKER_SOCKET_PATH", "/tmp/ipc/broker.sock")

Finding 3: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 01-features/02-host-your-agent/01-runtime/03-advanced/12-egress-coding-execution/agent/src/agent_main.py:16-18

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

SUPERVISOR_SOCKET = os.environ.get("SUPERVISOR_SOCKET_PATH", "/tmp/ipc/supervisor.sock")
BROKER_SOCKET = os.environ.get("BROKER_SOCKET_PATH", "/tmp/ipc/broker.sock")

Finding 4: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 01-features/02-host-your-agent/01-runtime/03-advanced/12-egress-coding-execution/broker/src/main.py:17-19

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

def main():
    socket_path = os.environ.get("IPC_SOCKET_PATH", "/tmp/ipc/broker.sock")
    logger.info("Starting broker, socket=%s", socket_path)

Report generated by Automated Security Helper (ASH) at 2026-07-14T18:59:24+00:00

@evandrofranco evandrofranco left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

@evandrofranco evandrofranco merged commit 790838a into awslabs:main Jul 14, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants