Security Features

Git proxy addon

The Git Proxy addon lets a bot access upstream Git repositories without storing the upstream Git credentials directly in the bot filesystem. The bot uses a single Runabot-issued proxy token, and the proxy decides at request time whether the bot may read or write a specific repository path.

This reduces the blast radius of leaked credentials:

  • a stolen bot token is valid only against the Runabot git proxy
  • access can be limited to selected repository paths
  • read-only and read-write permissions are separated
  • permissions can be changed centrally without modifying the bot filesystem

Use case example: Read-only git proxy to github.com

A useful pattern is to configure a read-only proxy path for github.com, then rewrite ordinary GitHub clone URLs through the proxy.

Example:

git config --global url."https://git-proxy.kuka.runa.bot/github/".insteadOf "https://github.com/"

With that rule in place, a command such as:

git clone https://github.com/someorg/repo.git

is transparently rewritten by Git to:

git clone https://git-proxy.kuka.runa.bot/github/someorg/repo.git

The bot then reaches GitHub through the Runabot git proxy instead of talking to github.com directly.
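
Git applies an insteadOf rule only to URLs that start with the exact configured prefix, so it is worth checking which clone URL forms are actually routed through the proxy. The script below is an added example, not part of the Runabot documentation or tooling: it applies the rule from this page in a throwaway HOME and asks Git, without any network access, which URL it would contact. The function names and the sample URLs are constructed for illustration.

```sh
#!/bin/sh
# Added example: which URL forms does the insteadOf rule from this page rewrite?
# Uses a throwaway HOME so the real Git config is untouched; no network traffic.

PROXY_BASE="https://git-proxy.kuka.runa.bot/github/"   # proxy prefix from the page

# Print the URL Git would really contact for $1 with only that rule configured.
effective_url() {
    (
        tmp_home=$(mktemp -d) || exit 1
        HOME=$tmp_home; export HOME
        GIT_CONFIG_NOSYSTEM=1; export GIT_CONFIG_NOSYSTEM   # ignore /etc/gitconfig
        unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL
        cd "$tmp_home" || exit 1                            # avoid any repo-local config
        git config --global url."$PROXY_BASE".insteadOf "https://github.com/"
        # --get-url expands insteadOf rules and exits without talking to the remote
        out=$(git ls-remote --get-url "$1"); rc=$?
        cd / && rm -rf "$tmp_home"
        printf '%s\n' "$out"
        exit "$rc"
    )
}

# Report "proxied" if the effective URL points at the proxy, otherwise "direct".
route_of() {
    case "$(effective_url "$1")" in
        "$PROXY_BASE"*) echo proxied ;;
        *)              echo direct ;;
    esac
}

# Constructed sample URLs: only the first matches the configured prefix.
for u in \
    "https://github.com/someorg/repo.git" \
    "http://github.com/someorg/repo.git" \
    "git@github.com:someorg/repo.git" \
    "ssh://git@github.com/someorg/repo.git"
do
    printf '%-42s %s\n' "$u" "$(route_of "$u")"
done
```

URL forms reported as direct bypass the rewrite, so they are not covered by the proxy's path rules or audit trail unless a matching insteadOf rule is added for them or direct egress to github.com is blocked.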

Runabot configures the proxy token on the bot for https://git-proxy.kuka.runa.bot. The addon writes the token into the Git credential config and installs a URL-scoped credential helper for the proxy host, so the token stays out of the rewritten repository URL while Git can still authenticate to the proxy.

Recommended setup in the Runabot UI:

  1. Open the Git Proxy addon settings.
  2. Create an Upstream Git credentials entry for GitHub.
  3. Set the proxy path prefix to github.
  4. Set the type to Generic HTTPS.
  5. Set the hostname to github.com.
  6. Choose an authentication mode.
  7. Add a repository path rule, for example someorg/repo.git or a regex covering a controlled set of repositories.
  8. Grant that path rule to a Repo access profile with read access.
  9. Assign that repo access profile to the target bot.

For public repositories, you can use Auth type = None. In that case the proxy forwards read-only requests to public GitHub repositories without sending upstream credentials.

Why this is useful:

  • the bot can fetch source code from GitHub without having direct GitHub credentials
  • the proxy can enforce read-only access even if the bot runs attacker-controlled prompts
  • prompt injection cannot turn a read-only proxy rule into a write-capable GitHub credential
  • a supply-chain attack inside the bot can at most reuse the Runabot proxy token against the allowed proxy paths
  • outbound Git access becomes auditable and centrally revocable

This is especially helpful for coding agents that need to inspect repositories but should never be able to push code, create tags, or access unrelated repositories.