
Add access review non-human credential gates #1689

Open

yanziwei wants to merge 1 commit into UnitOneAI:main from yanziwei:improve/access-review-nonhuman-credential-gates

Conversation

@yanziwei yanziwei commented Jun 8, 2026

Skill Improvement ($50-150 Bounty)

Closes #1688

Skill Modified

Skill name: access-review
Skill path: skills/identity/access-review/SKILL.md

What Was Wrong

The access-review skill included service accounts in scope and flagged service accounts without owners, but it did not require reviewers to inspect each non-human credential attached to those identities. That can over-score an account as reviewed while API keys, PATs, OAuth grants, deploy keys, webhook secrets, or CI/CD tokens remain stale, over-scoped, unrotated, human-owned, or stored outside approved secret storage.

What This PR Fixes

  • Adds a Non-Human Credential and API Access Review step.
  • Requires evidence for credential type, owner and backup owner, system/integration, exact scope, created/last-used dates, rotation/expiry, secret storage, and approval evidence.
  • Adds AR-NHI-* findings for missing owner, missing review coverage, broad scopes, missing rotation/expiry, dormant active credentials, stale OAuth/third-party integrations, weak storage, and human-owned automation credentials.
  • Extends severity examples, findings category output, and adds a Non-Human Credential Review table.
  • Adds a common pitfall warning against reviewing the account but not its credentials.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass

Docs/skill-guidance update; no executable test fixtures exist for this skill.

Validation completed locally:

  • git diff --check
  • Markdown fence-balance check (20 balanced)
  • Marker checks for version 1.1.0, Non-Human Credential and API Access Review, AR-NHI-01, OAuth app, PAT, Non-Human Credential Review, and the credential-review pitfall

Bounty Tier

  • Minor ($50) — Doc update, small logic tweak, typo fix
  • Moderate ($100) — New edge case coverage, FP reduction with evidence
  • Substantial ($150) — Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Can be provided privately after acceptance
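To make the evidence gate and the finding categories concrete, the following is an added example and not part of the PR, the access-review skill, or any UnitOneAI code: a small Python checker that takes one non-human credential record, reports which required evidence items are absent, and emits a finding for each of the conditions the PR lists (missing owner, no review coverage, broad scope, no rotation or expiry, dormant-but-active, stale OAuth/third-party grant, weak storage, human-owned automation credential). The record fields, the 90-day dormancy and 365-day rotation thresholds, the approved-store list, the broad-scope markers and the three sample records are all assumptions made for the example; the finding names are descriptive placeholders and do not reproduce the skill's AR-NHI-* numbering.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds, store names and scope markers are assumptions for this example,
# not values taken from the access-review skill.
DORMANCY_DAYS = 90
MAX_ROTATION_AGE_DAYS = 365
APPROVED_SECRET_STORES = {"vault", "aws-secrets-manager"}
BROAD_SCOPE_MARKERS = {"*", "admin", "owner", "write:all"}
THIRD_PARTY_TYPES = {"oauth_grant"}


@dataclass
class Credential:
    """One non-human credential attached to an identity (field names are assumed)."""
    credential_id: str
    credential_type: str          # api_key, pat, oauth_grant, deploy_key, webhook_secret, ci_token
    identity: str                 # account the credential is attached to
    identity_is_human: bool       # True when bound to a person's own user account
    used_for_automation: bool     # True when a pipeline or integration uses it
    active: bool
    owner: Optional[str] = None
    backup_owner: Optional[str] = None
    system: Optional[str] = None  # system or integration that consumes it
    scopes: tuple = ()
    created: Optional[date] = None
    last_used: Optional[date] = None
    last_rotated: Optional[date] = None
    expires: Optional[date] = None
    storage: Optional[str] = None
    approval_ref: Optional[str] = None
    reviewed_this_cycle: bool = False


EVIDENCE_FIELDS = ("owner", "backup_owner", "system", "scopes", "created",
                   "last_used", "storage", "approval_ref")


def missing_evidence(c: Credential) -> list:
    """Evidence gate: which required items are absent from the record."""
    missing = [f for f in EVIDENCE_FIELDS if not getattr(c, f)]
    if c.expires is None and c.last_rotated is None:
        missing.append("rotation_or_expiry")
    return missing


def evaluate(c: Credential, today: date) -> list:
    """Findings for one credential; names are placeholders, not AR-NHI-* ids."""
    findings = []
    if not c.owner:
        findings.append("missing_owner")
    if not c.reviewed_this_cycle:
        findings.append("missing_review_coverage")
    if any(s in BROAD_SCOPE_MARKERS or s.endswith(":*") for s in c.scopes):
        findings.append("broad_scope")
    rotation_stale = (c.last_rotated is None
                      or (today - c.last_rotated).days > MAX_ROTATION_AGE_DAYS)
    if c.expires is None and rotation_stale:
        findings.append("missing_rotation_or_expiry")
    if c.active:
        unused = None if c.last_used is None else (today - c.last_used).days
        if unused is None or unused > DORMANCY_DAYS:
            # A third-party grant that is no longer exercised is reported
            # separately from a dormant first-party key or token.
            findings.append("stale_third_party_integration"
                            if c.credential_type in THIRD_PARTY_TYPES
                            else "dormant_active_credential")
    if c.storage not in APPROVED_SECRET_STORES:
        findings.append("weak_storage")
    if c.identity_is_human and c.used_for_automation:
        findings.append("human_owned_automation_credential")
    return findings


def review_inventory(creds, today: date) -> dict:
    """Per-credential result; a credential passes only with no gaps and no findings."""
    out = {}
    for c in creds:
        gaps, findings = missing_evidence(c), evaluate(c, today)
        out[c.credential_id] = {"missing_evidence": gaps, "findings": findings,
                                "passes": not gaps and not findings}
    return out


# Constructed sample inventory (not real credentials or real systems).
TODAY = date(2026, 6, 8)
SAMPLE = [
    Credential("ci-deploy-token-01", "ci_token", "svc-deploy", False, True, True,
               owner="platform-team", backup_owner="sre-oncall", system="github-actions",
               scopes=("contents:read", "packages:write"), created=date(2026, 1, 15),
               last_used=date(2026, 6, 7), last_rotated=date(2026, 4, 1),
               expires=date(2026, 9, 1), storage="vault", approval_ref="CHG-1234",
               reviewed_this_cycle=True),
    Credential("pat-alice-ci", "pat", "alice@example.com", True, True, True,
               owner="alice", scopes=("repo:*",), created=date(2024, 3, 1),
               last_used=date(2026, 1, 10), storage="ci-env-var"),
    Credential("oauth-slack-app", "oauth_grant", "svc-notify", False, True, True,
               owner="comms-team", backup_owner="it-ops", system="slack",
               scopes=("chat:write",), created=date(2025, 2, 1), last_used=date(2025, 11, 1),
               expires=date(2027, 1, 1), storage="vault", approval_ref="CHG-0999",
               reviewed_this_cycle=True),
]
```

Run `review_inventory(SAMPLE, TODAY)` to see the point the PR's pitfall warning makes: the account `alice@example.com` has an owner and may well have been reviewed, but the PAT attached to it fails six of the eight checks and is missing four evidence items, so an access review that only scores the account would miss all of it.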



Development

Successfully merging this pull request may close these issues.

[REVIEW] access-review: add non-human credential evidence gates
