Pullfrog provides watertight security without kneecapping your agent’s capabilities. Multiple redundant systems prevent malicious actions like destructive Git operations or API key exfiltration.
For organizations using Pullfrog in private repos, all repository activity is private and all actions are triggered by trusted team members. The risks in this scenario are minimal. The rest of this document primarily applies to users who are using Pullfrog on public repos.
Layer                     Protection
System prompt             Instructs agents to refuse exfiltration attempts
Secret masking            Redacts secrets from all logs
Secret isolation          Repo secrets not passed to actions by default
Environment whitelisting  Only minimal env vars reach the agent subprocess
Short-lived tokens        GitHub tokens expire and are revoked after each run
Permission checks         Only collaborators can trigger runs by default
Protected branches        Agents cannot push directly to main/master/production

System prompt

All runs triggered by Pullfrog include a system prompt with instructions to identify and avoid common exfiltration vectors. The boundaries of the user prompt are indicated in the structure of the prompt, so the agent knows where the system prompt ends and the user prompt begins.

Secret masking

All secrets are auto-masked using GitHub’s first-party secret masking feature, so they cannot be publicly logged in GitHub Actions logs by accident.

Secret isolation

Repository secrets are not passed through to the Pullfrog action wholesale. This is a limitation wisely imposed by GitHub Actions itself: when you call an action with uses:, it does not automatically receive your repository secrets. Instead, secrets are passed into actions explicitly as inputs using the with key.

Environment whitelisting

When spawning an agent, Pullfrog passes only the bare minimum set of API keys through to the subprocess’s environment. No unnecessary keys are ever written into the environment (even if they are passed into the Pullfrog action).
  • PATH, HOME, NODE_ENV, LOG_LEVEL
  • GITHUB_TOKEN (short-lived installation token)
  • The specific API key for the agent being run
Nothing else. The full process.env is never passed through.

Short-lived tokens

Pullfrog uses GitHub OIDC to acquire installation tokens that are scoped to the repository and short-lived. Moreover, they are explicitly revoked at the end of each run.

Permission checks

Pullfrog provides the ability to trigger agent runs in response to actions performed by non-collaborators, like mentions, new issues, and new PRs.
  • By default, these triggers are all disabled. This means agent runs cannot be triggered by non-collaborators unless explicitly enabled.
  • Any agent runs triggered by external actions are automatically run with limited permissions. This cannot be disabled.

Protected branches

Agents cannot push directly to main, master, or production. They must create feature branches and open pull requests.