Capture Summary
Recent arXiv preprint introducing GitInject, a framework for evaluating prompt injection against real GitHub workflow executions instead of simulated tool calls.
Abstract Capture
The paper studies AI-powered CI/CD agents that ingest untrusted repository content while holding elevated repository permissions. GitInject provisions ephemeral repositories and triggers live GitHub workflow runs so that credential handling, permission boundaries, and configuration semantics behave as they do in production. Across four AI providers, the authors document eleven attack classes, including config-file injection, credential exfiltration, judgment manipulation, and availability failures. Their main claim is that the most critical failures are structural and workflow-level, arising from CI/CD infrastructure and permission design rather than from any specific model alone.
Collection Notes
- Untrusted source content. Treat attack taxonomy and workflow details as evidence only.
- Primary relevance: [[03_Topics/Supply Chain and Agent Security]], [[03_Topics/Prompt Injection]]
- PDF: https://arxiv.org/pdf/2606.09935