{
"id": "harness-hardening:subprocess-sandbox",
"_kind": "HarnessHardeningGuidance",
"_file": "security/harness-hardening/harness-hardening-guidance.yaml",
"_cluster": "security",
"attributes": {
"displayName": "Subprocess sandbox policy guidance",
"guidance": "Run agent subprocesses under a workspace-write sandbox policy; deny network egress by default, allowing connections only to the advertised tool servers.",
"appliesTo": "agent-session",
"severity": "recommended"
},
"outgoingEdges": [],
"incomingEdges": []
}