AI coding agents уже полезны. Именно поэтому им нужны правила безопасности
GhostApproval, Friendly Fire and Ghostcommit показывают: coding agents стали privileged automation, а не просто autocomplete получше.
AI coding agents уже перешли из категории экспериментов в рабочие инструменты. Это хорошая новость и одновременно проблема. Инструмент, который читает репозиторий, редактирует файлы, запускает команды, следует project instructions and reviews pull requests, уже не autocomplete. Это privileged automation на машине разработчика.

Именно поэтому последние две недели важны. Новая arXiv paper о rollout Claude Code and GitHub Copilot CLI в Microsoft сообщает, что adopters merged roughly 24% more pull requests than they would have otherwise, но предупреждает: token spend at organizational scale can run into millions of dollars. Почти одновременно Wiz, AI Now Institute and ASSET Research Group показали три разных риска вокруг AI coding agents and AI-assisted review.
Вывод не в том, что agents нужно запретить. Практический вывод жёстче: если agents достаточно полезны для rollout, они достаточно сильны для governance. Их нужно рассматривать не как chatbots, а как CI runners, contractors and privileged IDE extensions.
Что изменилось
Autocomplete предлагал строку. Developer оставался главным человеком, который контролирует file, shell and commit. Modern coding agents делают больше: читают AGENTS.md, сканируют workspace, вызывают tools, редактируют code, запускают tests, обрабатывают images/docs and sometimes act inside pull request workflows.
Поэтому старые security assumptions ломаются. Malicious repository теперь не просто code waiting to be reviewed. Он может стать instruction environment for the agent. Harmless approval prompt может скрывать real target path. Image может содержать instruction, которую text reviewer never sees. Defensive audit может стать attack path.
Это не фантастика. Это старая security story с новым interface: если system can read secrets, write files and execute commands, attackers will try to steer it.
Productivity уже достаточно реальна
Adoption argument сильный. arXiv paper “Adoption and Impact of Command-Line AI Coding Agents” studies Microsoft’s early-2026 rollout across tens of thousands of engineers. Abstract говорит: first use spread mainly through social networks, retention correlated more with coding activity than demographics, and adopters merged roughly 24% more pull requests.
Авторы честно пишут, что merged PR is a proxy for output, not proof of business value. Это важно: больше PRs не всегда значит больше пользы. Но signal достаточно сильный, чтобы platform teams не могли просто отмахнуться.
В том же abstract есть cost warning. Token spend может достигать millions of dollars annually. Значит, rollout AI agents требует сразу двух control planes: money and risk.
GhostApproval показывает слабость approval
8 июля Wiz Research published GhostApproval. Суть: malicious repository can use symbolic links so an AI coding assistant writes outside the intended workspace, while approval UI shows a harmless-looking local path.
Wiz says pattern affected Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity and Windsurf. Технический primitive старый: symlink following, CWE-61. Новая часть — trust boundary and UI. В некоторых случаях approval prompt did not reveal the true canonical target path. Wiz frames that as CWE-451, UI misrepresentation of critical information.
Vendor responses differed. Wiz reported AWS, Cursor and Google fixed promptly; Augment and Windsurf were in progress; Anthropic rejected the report as outside its threat model. NVD pages for CVE-2026-12958 and CVE-2026-50549 were visible during research. AWS entry says users should upgrade Language Servers for AWS to 1.69.0 or higher; Cursor entry says fixed in 3.0.
Для teams главный урок не в CVE numbers. “User approved” is not enough, если user не видит canonical path, real target, privilege boundary and side effects.
Friendly Fire делает defensive review attack surface
AI Now Institute published Friendly Fire в тот же день. Researchers describe a proof of concept for remote code execution against Claude Code CLI and OpenAI Codex CLI when used to assess security of open-source or third-party libraries. Attack uses prompt injections spread across source code and targets out-of-the-box auto-mode or auto-review workflows.
Это не доказательство массовой эксплуатации. Это research disclosure and PoC. Но сценарий ровно тот, который многие команды хотят использовать: “пусть agent проверит незнакомую библиотеку”.
Проблема в том, что defensive agents deliberately look at hostile material. Human security reviewer expects hostile material. Agent may treat it as project context, instruction text or task guidance. Если tool can run commands, write files or access network resources, анализ быстро смешивается с execution.
Mitigation скучный и обязательный: disposable environments, no real SSH keys, no cloud credentials, no package publish tokens, no production network access, no auto-approve.
Ghostcommit переносит prompt injection в artifacts
BleepingComputer covered Ghostcommit on July 11 based on ASSET Research Group work. Researchers put malicious instructions inside a PNG referenced by AGENTS.md. Text reviewers and some AI reviewers skip the image. Later, coding agent reads repository instructions and can leak secrets as harmless-looking source data.
ASSET says it surveyed 6,480 pull requests across 300 active public repositories and found that 73% of merged PRs reached default branch with no substantive human review and no bot review. Но более полезен другой point: images, docs, generated files and repository instruction files can influence agents even when humans treat them as low-risk.
BleepingComputer reports CodeRabbit default config excluded image files and Bugbot returned no findings in the described test. It also reports Cursor driving Claude Sonnet leaked .env contents in one end-to-end run, while Claude Code refused in their tests. Это важно: model is not the whole product. Harness, defaults, tools and review policy can decide outcome.
Claude Code trust debate тоже важен
Claude Code “backdoor/fingerprinting” controversy — отдельный слой. Reuters reported Alibaba planned to ban Claude Code at work over alleged backdoor risks, and China later issued a warning. GitHub issue in anthropics/claude-code accused Claude Code of hidden environment fingerprinting. Issue was closed, and some claims remain contested.
Не нужно превращать allegations в proven facts. Но enterprise signal очевиден: AI coding tools now look like privileged supply-chain software. Они видят private repos, local paths, shell environment, package registries and sometimes credentials. They may send context to hosted services. They may change behavior across versions.
Правильные вопросы: who can inspect the tool, what data leaves the machine, can versions be pinned, can risky features be disabled centrally, can usage be logged, can sensitive projects run local or isolated modes.
Human-in-the-loop needs an upgrade
Human review still matters. Но это не magic phrase.
Human cannot approve safely if UI hides resolved path. Human cannot review image prompt if nobody opens images. Human cannot supervise agent loop that executes commands for minutes while important action is buried in transcript. Human cannot manage risk if every developer has different plugins, MCP servers, shell permissions and secrets in one workspace.
Better model is layered control. Human makes decisions, but system narrows what can happen before the decision. Approval becomes part of containment, not containment itself.
Что делать командам
Never run an agent on an untrusted repository from everyday developer environment. Use disposable container, VM or cloud workspace. Mount only needed files. Use test credentials. Block or log network access.
Separate secrets from agent workspaces. Production .env files, cloud keys, package publish tokens and SSH keys should not be reachable from agent sessions over untrusted code.
Disable auto-approve for risky tasks. Auto mode may be OK for trusted local refactors. It is a bad default for third-party code, pull requests from unknown contributors and supply-chain review.
Inspect symlinks and resolved paths. Workspace boundary should be enforced by harness, not model goodwill. Tools should show canonical paths before writes.
Review non-code artifacts. AGENTS.md, README, docs, images, SVGs, generated metadata and build files can carry instructions. If agent reads it, review process should treat it as relevant.
Limit tools and context. Agent does not need every MCP server, every cloud CLI and whole filesystem for a small bug fix.
Log agent actions: prompts, tool calls, file diffs, shell commands, network requests and model choices. If a bad change lands, “the agent did it” is not an audit trail.
Control spend too. Microsoft rollout paper and Copilot billing backlash point in one direction: agents are compute. Give teams budgets, dashboards and model policies.
Adoption decision
Use agents on trusted repositories where payoff is clear and environment is controlled: repetitive edits, tests, migrations, docs, focused refactors.
Limit them on high-value repositories until isolation, logging and approval controls are real.
Do not point a fully privileged agent at untrusted dependencies or PRs. If you need AI help there, run it like malware analysis: isolated, no secrets, no broad network, no persistent credentials.
For buyers, evaluate the whole product, not only model benchmark. You need to know whether tool follows symlinks safely, shows paths honestly, respects workspace boundaries, logs actions and handles image instructions.
The next phase of AI practice is not more prompts. It is operational discipline around agents that can act.
Comments
Sign in to comment.
No comments yet.