Repository exposure benchmark

Six synthetic risks. One reproducible scanner test.

CapitalGuard 1.3.0 identified all six declared exposure classes in a disposable synthetic repository, while zero fixture marker values appeared in the six emitted evidence artifacts.

This proves scanner behavior on these exact fixtures only. It does not compare AI vendors, estimate every possible miss, execute an exploit, or guarantee that a repository is secure.

CapitalGuard Security Research · Version 1.1.0 · Tested July 16, 2026

6 / 6

Declared cases passed

0

Fixture markers emitted

6

Evidence artifacts checked

Case-level results

Every pass has a fixture, expected signal, and digest.

Each case starts with one inert marker. A pass requires the scanner to produce the declared exposure signal and keep that marker out of the report, A-BOM, event chain, evidence bundle, and AccessGraph.

CaseSynthetic surfaceDetected signalControlsResult
CGO-TV-001

Secret-like environment file

.env.production

Secret-like files in agent-readable scopeCGS-SEC-001 · CGS-DATA-001 Pass
CGO-TV-002

Untrusted repository instruction

docs/untrusted-instruction.fixture.md

Prompt-injection indicators in repo-readable textCGS-INJ-001 Pass
CGO-TV-003

Broad workflow authority

.github/workflows/broad-permissions.fixture.yml

Broad workflow permissionsCGS-PRIV-001 · CGS-HUMAN-001 Pass
CGO-TV-004

Synthetic customer export

customer_exports/customer-records.synthetic.json

Customer export folders in agent-readable scopeCGS-DATA-001 Pass
CGO-TV-005

MCP tool bridge

.mcp.json

MCP/tool bridge configuration requiring reviewCGS-TOOL-001 · CGS-PRIV-001 Pass
CGO-TV-006

Package lifecycle authority

package.json

Package lifecycle scripts requiring reviewCGS-HUMAN-001 · CGS-PRIV-001 Pass

Reproduction method

A real scan, without a real target.

The harness uses only invalid credentials, example.invalid records, inert instruction text, and commands that are declared but never executed.

  1. 1

    Reconstruct

    Create the six-file repository from the published fixture pack and verify each SHA-256 digest.

  2. 2

    Isolate

    Copy it into a disposable directory, install CapitalGuard policy files, and keep fixture commands inert.

  3. 3

    Scan

    Run CapitalGuard local scanner 1.3.0 and capture six privacy-safe evidence artifacts.

  4. 4

    Verify

    Require every declared signal, reject any fixture marker in emitted evidence, and bind the case results to one run digest.

Digest-bound release

Inspect the exact evidence behind the result.

SHA-256 9bd53d701cc080d6247c029a3d424de2ca4b72bd48ee5a07a59717f4815c4830

What this does not prove

Six passes are evidence, not immunity.

The benchmark does not measure vendor safety, exploitability, false negatives outside the fixture, runtime enforcement, incident likelihood, compliance, or complete repository security. It does not use customer code, real credentials, live AI agents, or external systems.

Move from fixture to authorized evidence

Test your real repository boundary without publishing its contents.

Review CapitalGuard Pro