Security Program
A rigorous, defense-in-depth approach to AI agent governance. Documented controls, transparent incident response, and zero-compromise engineering.
Expert Led
Founder with 10+ years across Security Operations, Detection & Response, Security Engineering, and Incident Response.
Self-Contained Engine
The ssg engine is compiled Rust and Zig — memory safe — and ships as a single self-contained binary. No runtime npm install and no node_modules tree on the user's machine, closing off install-time supply chain attacks.
Local-First, Zero Logs
All governance evaluations run locally. We collect zero logs of your commands or files. Opt-out crash telemetry via SSG_TELEMETRY=0.
Enterprise SSO & Isolation
SAML/OIDC IdP selector, custom RBAC, org IP/CIDR allowlists, service accounts, and per-org isolated D1 with regional residency.
Cryptographic Integrity
Ed25519 offline signing on fleet bundles, SHA-256 content hashes on every ruleset, and a Merkle-chain audit log — tamper-evident end to end.
Edge-First Infrastructure
All services run on Cloudflare Workers (V8 isolates, 300+ POPs). AES-256 at rest, TLS 1.3 (A grade), HSTS, WAF with OWASP CRS, and Cloudflare-managed DDoS protection.
Defense in Depth
Twenty controls across identity, cryptography, data protection, application hardening, and data-subject rights — each shipped, each linked to the code that implements it. See the Trust Center for the full audit evidence.
SAML + OIDC SSO
Interactive IdP selector. Okta, Google Workspace, and custom IdPs. SSO takes priority over ambient credentials.
Custom RBAC Roles
Org admins define fine-grained permission sets. All role checks enforced server-side on every request.
IP Allowlists + Service Accounts
Org-level IP/CIDR allowlists gate requests pre-auth. Non-human service accounts with scoped API tokens for CI/CD.
Tenant Isolation Guard
Every fleet API call is gated by a per-request org guard. Cross-tenant access is structurally impossible.
Ed25519 Bundle Signing
Fleet rule bundles signed offline with Ed25519. CLI verifies the embedded public key on every load.
SHA-256 Content Hashes
Every published ruleset carries a content hash computed at publish time. CLI aborts install on mismatch.
Merkle-Chain Audit Log
Every governance event is hash-chained to the previous. Any tampering breaks the chain on verification.
Tamper-Evident R2 Archival
Archived audit batches live in content-addressed R2 objects with a Merkle root over each batch.
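An added example (not SigmaShake's code) of the two constructions the "Merkle-Chain Audit Log" and "Tamper-Evident R2 Archival" cards describe: each audit entry's hash covers the previous entry's hash plus the event, so editing any stored event or hash breaks every link after it, and a Merkle root folds one batch of entry hashes into a single value that can be stored with the archive. The event fields, the genesis value, and the odd-node padding rule are assumptions; the page does not give the real schema.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditEvent is a constructed governance event shape (assumption: the real
// event schema is not on the page).
type AuditEvent struct {
	Seq    uint64 `json:"seq"`
	Actor  string `json:"actor"`
	Action string `json:"action"`
	Detail string `json:"detail"`
}

// ChainEntry stores the event with the hash that links it to its predecessor:
// Hash = SHA-256(PrevHash || canonical JSON of Event).
type ChainEntry struct {
	Event    AuditEvent
	PrevHash string
	Hash     string
}

// genesisHash anchors the first entry: 32 zero bytes, hex-encoded (assumption).
var genesisHash = hex.EncodeToString(make([]byte, 32))

func entryHash(prev string, ev AuditEvent) string {
	body, _ := json.Marshal(ev) // field order is fixed by the struct, so this is canonical
	h := sha256.New()
	h.Write([]byte(prev))
	h.Write(body)
	return hex.EncodeToString(h.Sum(nil))
}

// Append links a new event to the tail of the chain.
func Append(chain []ChainEntry, ev AuditEvent) []ChainEntry {
	prev := genesisHash
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	return append(chain, ChainEntry{Event: ev, PrevHash: prev, Hash: entryHash(prev, ev)})
}

// VerifyChain recomputes every link and returns the index of the first broken
// entry, or -1 when the whole chain is intact.
func VerifyChain(chain []ChainEntry) int {
	prev := genesisHash
	for i, e := range chain {
		if e.PrevHash != prev || entryHash(prev, e.Event) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// MerkleRoot folds the entry hashes of one archived batch into a single root.
// An odd node at any level is paired with itself (assumption: the page does not
// state the padding rule used in R2 archival).
func MerkleRoot(chain []ChainEntry) string {
	if len(chain) == 0 {
		return genesisHash
	}
	level := make([][]byte, 0, len(chain))
	for _, e := range chain {
		b, _ := hex.DecodeString(e.Hash)
		level = append(level, b)
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		next := make([][]byte, 0, len(level)/2)
		for i := 0; i < len(level); i += 2 {
			sum := sha256.Sum256(append(append([]byte{}, level[i]...), level[i+1]...))
			next = append(next, sum[:])
		}
		level = next
	}
	return hex.EncodeToString(level[0])
}

func main() {
	// Constructed sample events.
	var chain []ChainEntry
	chain = Append(chain, AuditEvent{Seq: 1, Actor: "agent-7", Action: "exec", Detail: "git status"})
	chain = Append(chain, AuditEvent{Seq: 2, Actor: "agent-7", Action: "deny", Detail: "write outside workspace"})
	chain = Append(chain, AuditEvent{Seq: 3, Actor: "admin", Action: "rule-update", Detail: "rules-typescript v1"})
	fmt.Println("intact:", VerifyChain(chain) == -1, "batch root:", MerkleRoot(chain)[:16]+"...")

	chain[1].Event.Action = "allow" // someone edits a stored event after the fact
	fmt.Println("first broken entry:", VerifyChain(chain))
}
```

Verification is cheap (one hash per entry), so a verifier can re-walk the chain on every export; the Merkle root lets an archived batch be checked against a single stored value without re-reading every entry.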
AES-256 at Rest
Cloudflare D1 and KV encrypt all stored data at rest. User records, sessions, rulesets, billing.
AES-GCM OAuth Tokens
GitHub OAuth tokens encrypted with AES-GCM and a 12-byte random IV before KV storage.
TLS 1.3 + HSTS
TLS 1.3 enforced minimum. HSTS max-age 1 year with includeSubDomains. Qualys SSL Labs A grade.
Regional Data Residency
Enterprise orgs provisioned with isolated D1 instances. Regional residency honored at database creation.
Nonce-Based CSP
Fresh 128-bit nonce per request for script-src. Plus X-Frame-Options DENY, nosniff, strict Referrer-Policy.
Injection Prevention
All D1 queries parameterized — zero string concatenation. All subprocess calls use array-based spawn, no shell.
WAF + DDoS + Turnstile
Cloudflare WAF (OWASP CRS), automatic L3/L4/L7 DDoS mitigation, and Turnstile challenges on auth + contact paths.
Rate Limiting + ReDoS Guard
KV rate limits keyed on non-spoofable CF-Connecting-IP. Rust linear-time regex engine — no catastrophic backtracking.
Self-Service DSR Intake
POST /api/v1/dsr accepts GDPR Art. 15–21 / UK GDPR / FADP / CCPA requests. Email is HMAC-hashed at intake — never stored in plaintext. 5/hr/IP rate limit; opaque token returned for status lookup.
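An added example (not SigmaShake's code) covering the intake behaviour described on the "Self-Service DSR Intake" card and the per-IP limiter on the "Rate Limiting + ReDoS Guard" card: the requester's email is keyed with HMAC-SHA256 and only the digest is kept, an opaque random token is returned for status lookup, and a fixed one-hour window keyed on the connecting IP enforces the 5/hr limit. The in-memory counter stands in for the KV-backed limiter, the HMAC key is a placeholder, and the clock is injected so the window reset can be exercised offline; all three are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

const maxPerHour = 5 // the page's 5/hr/IP limit

var ErrRateLimited = errors.New("dsr intake: rate limit exceeded for this IP")

// DSRIntake holds the intake-side HMAC key and a fixed-window counter per IP.
// The map stands in for the KV-backed limiter (assumption).
type DSRIntake struct {
	hmacKey []byte
	now     func() time.Time
	mu      sync.Mutex
	windows map[string]window
}

type window struct {
	start time.Time
	count int
}

func NewDSRIntake(key []byte, now func() time.Time) *DSRIntake {
	return &DSRIntake{hmacKey: key, now: now, windows: map[string]window{}}
}

// HashEmail normalises the address and keys it with HMAC-SHA256, so a later
// request for the same address can be matched but the stored value cannot be
// reversed or brute-forced without the key.
func (d *DSRIntake) HashEmail(email string) string {
	norm := strings.ToLower(strings.TrimSpace(email))
	mac := hmac.New(sha256.New, d.hmacKey)
	mac.Write([]byte(norm))
	return hex.EncodeToString(mac.Sum(nil))
}

// allow implements a fixed one-hour window per client IP.
func (d *DSRIntake) allow(ip string) bool {
	d.mu.Lock()
	defer d.mu.Unlock()
	t := d.now()
	w := d.windows[ip]
	if t.Sub(w.start) >= time.Hour {
		w = window{start: t} // new window
	}
	if w.count >= maxPerHour {
		d.windows[ip] = w
		return false
	}
	w.count++
	d.windows[ip] = w
	return true
}

// Submit records one request and returns the opaque status token plus the
// email digest to store. ip is the CF-Connecting-IP value; the plaintext
// address is never retained.
func (d *DSRIntake) Submit(ip, email string) (token, emailHash string, err error) {
	if !d.allow(ip) {
		return "", "", ErrRateLimited
	}
	raw := make([]byte, 32)
	if _, rerr := rand.Read(raw); rerr != nil {
		return "", "", rerr
	}
	return hex.EncodeToString(raw), d.HashEmail(email), nil
}

func main() {
	// Constructed run: six requests from one address inside one hour.
	clock := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
	in := NewDSRIntake([]byte("placeholder-intake-key"), func() time.Time { return clock })
	for i := 1; i <= 6; i++ {
		tok, h, err := in.Submit("203.0.113.7", "Alice@Example.com")
		if err != nil {
			fmt.Printf("request %d: %v\n", i, err)
			continue
		}
		fmt.Printf("request %d: token=%s... email_hmac=%s...\n", i, tok[:8], h[:8])
	}
}
```

Keying the limiter on CF-Connecting-IP rather than X-Forwarded-For matters because the former is set by the edge and cannot be supplied by the client; the limiter here trusts whatever string it is handed, so the caller must pass that header and not a client-controlled one.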
Public Sub-Processor Feed
GET /api/v1/sub-processors.json publishes the Article 28(2) inventory as a machine-readable feed (id, name, url, category, data_access). Customer DPA Annex III links here. 10-minute edge cache.
RoPA + TIA Automation
Monthly Article 30 Record of Processing Activities + quarterly Transfer Impact Assessments per EDPB 01/2020. Both are derived from the canonical system-description.ts + vendor register — no duplicate inventory.
Breach Notification SLAs
72h to controllers under Art. 33(2); 14d to data subjects under Art. 34. The breach-notification-record collector tracks every incident and opens a gap automatically when either SLA is missed.
Content Integrity Verification
Every ruleset on the Hub has a SHA-256 content hash computed at publish time. The CLI refuses to install any ruleset if the hash of the downloaded payload doesn't match exactly.
Publish & Hash
Author submits ruleset. Hub computes SHA-256 over all rule bodies and stores it securely.
Secure Transport
Rulesets are served exclusively over Cloudflare-enforced strict HTTPS/TLS.
Local Verification
CLI independently hashes the received payload. If computed ≠ expected, installation instantly aborts.
➜ sigmashake-mono git:(main) ✗ ssg hub pull rules-typescript
Fetching ruleset rules-typescript...
TypeScript v1 by @sigmashakeinc — 11 rules
github.com/sigmashakeinc/rules-typescript
Verifying integrity... OK (sha256:45e18192c93b102b...)
Installed: TypeScript v1
Integrity: sha256:45e18192c93b102b... VERIFIED
Technologies: ts, Front-end
Files written:
.sigmashake/rules/ts.rules
Run 'ssg sync' to load the new rules into the evaluation engine.
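An added example (not the Hub's or the CLI's code) of the three steps above: the publisher computes SHA-256 over the rule bodies in a canonical, length-prefixed order, the hash travels with the ruleset, and the install side recomputes it over the received payload and aborts on any difference. The ruleset shape, the canonical encoding, and the rule bodies are constructed for the example; the 16-character short form mirrors what the transcript prints.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
)

// Ruleset is a constructed stand-in for a Hub ruleset: rule name -> rule body
// (assumption: the real schema is not on the page).
type Ruleset struct {
	Name  string
	Rules map[string]string
}

// ContentHash computes SHA-256 over all rule bodies in a canonical order so the
// publisher and the CLI agree byte for byte regardless of map iteration order.
// Names and bodies are length-prefixed so "ab"+"c" and "a"+"bc" cannot collide.
func ContentHash(rs Ruleset) string {
	names := make([]string, 0, len(rs.Rules))
	for n := range rs.Rules {
		names = append(names, n)
	}
	sort.Strings(names)

	h := sha256.New()
	var lenBuf [4]byte
	writeField := func(s string) {
		binary.BigEndian.PutUint32(lenBuf[:], uint32(len(s)))
		h.Write(lenBuf[:])
		h.Write([]byte(s))
	}
	for _, n := range names {
		writeField(n)
		writeField(rs.Rules[n])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Published is what the Hub serves: the ruleset plus the hash it computed at
// publish time.
type Published struct {
	Ruleset Ruleset
	Hash    string // hex SHA-256
}

// Publish is the Hub-side step.
func Publish(rs Ruleset) Published {
	return Published{Ruleset: rs, Hash: ContentHash(rs)}
}

// VerifyInstall is the CLI-side step: recompute the hash over the received
// payload and refuse to install when it differs from the expected value. The
// comparison is constant-time, which costs nothing here and avoids a timing
// side channel if the same helper is ever used on a secret.
func VerifyInstall(p Published) error {
	got := ContentHash(p.Ruleset)
	if subtle.ConstantTimeCompare([]byte(got), []byte(p.Hash)) != 1 {
		return fmt.Errorf("integrity check failed for %s: expected sha256:%s got sha256:%s",
			p.Ruleset.Name, short(p.Hash), short(got))
	}
	return nil
}

// short renders the abbreviated form the CLI prints ("sha256:45e18192c93b102b...").
func short(h string) string {
	if len(h) > 16 {
		return h[:16] + "..."
	}
	return h
}

func main() {
	// Constructed rule bodies; the real rule DSL is not reproduced here.
	rs := Ruleset{Name: "rules-typescript", Rules: map[string]string{
		"no-eval":      "deny eval( in source files",
		"no-any-cast":  "warn on 'as any' casts",
	}}
	pub := Publish(rs)
	fmt.Println("published", rs.Name, "sha256:"+short(pub.Hash))
	fmt.Println("clean install:", VerifyInstall(pub))

	pub.Ruleset.Rules["no-eval"] = "allow eval( everywhere" // modified in transit or in storage
	fmt.Println("tampered install:", VerifyInstall(pub))
}
```

The hash alone only proves that what arrived is what the Hub stored; it says nothing about whether the stored copy is the author's. That gap is what the Ed25519 signature on fleet bundles closes, as the threat model below notes.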
Threat Model & Mitigations
| Attack Vector | Our Mitigation | Residual Risk |
|---|---|---|
| Database Compromise: attacker modifies rules in Cloudflare D1 | Tampered rules produce a mismatched SHA-256 hash. The CLI automatically rejects the installation. Fleet bundles are signed with Ed25519 offline keys; every load verifies the signature before execution. | Attacker also overwrites the hash column. Mitigated at fleet layer by Ed25519 bundle signing (offline keys, verified at load). |
| MITM / Interception: payload modified in transit | End-to-end TLS enforcement via Cloudflare + local hash verification. | Compromised Root CA. |
| Malicious / Weak Rules: rules designed to bypass safety | Author identity is linked to GitHub OAuth. Hub prominently displays source repo and author handle. | Users must review third-party rules. No automated vetting (yet). |
| ReDoS Attacks: catastrophic regex backtracking | The CLI utilizes Rust's linear-time regex engine, which mathematically guarantees immunity to catastrophic backtracking. | None. |
| Cross-Tenant Data Leakage: one tenant accesses another's data or fleet rules | Per-org isolated Cloudflare D1 databases with regional residency. Tenant isolation guard (WS-21/22) enforced at every API call in the fleet layer — cross-org data access is structurally impossible at the application layer. | Platform-level Cloudflare isolation boundary. |
| Motivated Adversary with Shell Access: attacker intentionally crafts inputs to bypass rule matching | Out of scope by design. SigmaShake is a guardrail for honest agents — preventing accidental harm from agents that are trying to do the right thing. It is not a sandbox and does not claim adversarial resistance. For this threat, compose with OS-level isolation (Docker with seccomp, Apple Sandbox, VM confinement). | Addressed by complementary OS sandboxing layer. |
| Rule Bypass via Encoding / Whitespace: obfuscated commands evade pattern matching | Rules support layered operators (CONTAINS, REGEX, WORD, GLOB, LINE_REGEX) with priority ordering. High-priority deny rules can stack multiple condition groups. The DSL is a policy surface for honest agents, not an adversarial parser — for adversarial bypass resistance, pair with shell-level sandboxing. | Encoding-aware rules can be authored for known evasion patterns. Full adversarial resistance is out of scope. |
Security Roadmap
| Initiative | Description | Status |
|---|---|---|
| Ed25519 Signed Manifests | Fleet rule bundles are signed offline with an Ed25519 private key. The CLI verifies via an embedded public key on every load, neutralizing DB-compromise and MITM vectors. | Shipped |
| Transparency Log | Append-only Merkle-chain audit log: each governance event is chained to the previous entry via a hash. Tampering breaks the chain and is immediately detectable on verification. | Shipped |
| SIEM Log Forwarding | Fleet-side dual-mode stream-and-archive pipeline exports audit events to Splunk HEC, Cribl HTTP-in, Confluent Cloud Kafka REST, and generic HMAC-signed webhook sinks. Offline queue with replay-on-reconnect. | Shipped |
| SOC 2 Type II | Formal third-party audit against trust service criteria. Readiness package published; audit firm selection underway. | In Progress |
| ISO 27001:2022 | All 93 Annex A controls catalogued and internally evidenced. 54 collectors dual-tag evidence with ISO control IDs. SoA live at compliance.sigmashake.com/compliance/iso27001. No external certification body engaged. | Self-Assessed |
| GDPR Control Family + DSR Pipeline | 31 GDPR articles catalogued (25 applicable across Ch. II–V, 6 documented not-applicable); 9 GDPR-specific collectors (DSR log, RoPA, sub-processor freshness, breach SLAs, privacy-notice currency, residency attestation, consent register, TIA, DPIA register); 11 policies; public DSR intake + sub-processor JSON feed. Covers EU GDPR, UK GDPR, Swiss FADP. | Shipped |
| Compliance Worker Pen-Test (Claude Opus 4.7) | Code-level sweep of sigmashake-compliance — 3 defense-in-depth hardenings shipped: open-redirect normalisation in staff login, strict hex/charset validation on /api/v1/verify, public sub-processor feed minimisation. SQL injection, CSRF, SSRF, HMAC replay, and signing key flow reviewed clean. | Shipped |
Compliance Frameworks
| Framework | Coverage | Status |
|---|---|---|
| ISO 27001:2022 Annex A | 93 controls across A.5 Organisational (37), A.6 People (8), A.7 Physical (14, inherited), A.8 Technological (34). Daily signed evidence, SoA, nonconformity register, internal audit record. | Self-Assessed |
| SOC 2 Type II | 43 Trust Services Criteria across CC, A, C, PI families. Continuous evidence collection; daily Merkle-chained manifests; Ed25519 signed audit packages exportable on demand. | In Progress |
| GDPR (EU 2016/679) | 31 articles catalogued across Chapters II–V — 25 applicable, 6 documented not-applicable. Self-service DSR intake at POST /api/v1/dsr (HMAC-hashed email, 5/hr/IP rate limit). Public Article 28(2) sub-processor JSON feed. Customer DPA template incorporating SCCs 2021/914 (Module Two). 9 GDPR-specific collectors: DSR log, RoPA (Art. 30), sub-processor freshness, breach SLAs (72h DPA / 14d data subject), TIAs (Schrems II), DPIA register (WP-248), privacy-notice currency, consent register, residency attestation. | Self-Assessed |
| UK GDPR & Swiss FADP | Covered by the GDPR control set with the UK Addendum / IDTA and Swiss FADP-adequacy modular addenda available on request. UK ICO is the lead supervisory authority for UK transfers; FDPIC for Swiss. | Self-Assessed |
| CCPA / CPRA | California corporation; no sale or share of personal information; right-to-know, right-to-delete, right-to-correct, non-discrimination; no cross-context behavioral advertising. | Self-Assessed |
| HIPAA | Not applicable — SigmaShake does not process, store, or transmit Protected Health Information. | Not Applicable |
| PCI DSS | Delegated to Stripe (Level 1). SigmaShake never processes cardholder data. Webhook signatures verified via HMAC-SHA256. | Delegated |
Full compliance evidence and the Statement of Applicability are available at trust.sigmashake.com. Staff-gated audit packages (ISO 27001 or SOC 2) can be exported on request.
Security Advisories
When a CVE or security event affects the ssg CLI, SigmaShake Fleet, or the platform, we publish a numbered advisory and notify customers directly. Every SigmaShake account is enrolled in the advisory notification channel automatically at signup; fleet and enterprise administrators are always notified.
Read past advisories, subscribe by email, or follow the machine-readable feeds:
- Advisory index — every published advisory
- RSS feed — security.sigmashake.com/advisories.xml
- JSON feed — security.sigmashake.com/advisories.json
Responsible Disclosure
If you discover a security vulnerability in the Hub, the ssg CLI, or any SigmaShake service, please disclose it responsibly. We appreciate the work of the security community and will work closely with you to validate and resolve issues.
Scope
- All websites under *.sigmashake.com
- The ssg CLI binary
- The @sigmashake/ssg npm package
Out of Scope
The following issues are considered out of scope:
- Vulnerabilities in third-party services (e.g., Cloudflare, Stripe, GitHub OAuth)
- Social engineering or phishing attacks against SigmaShake employees
- Denial of Service (DoS/DDoS) attacks
Reporting Process
Please submit vulnerability reports via email to security@sigmashake.com or use our vulnerability report form.
Please include a detailed description of the issue, steps to reproduce it, and your assessment of its impact.
Response Timeline
We are committed to a timely response:
- Acknowledgment: Within 48 hours of receipt.
- Triage: Within 5 business days.
- Remediation: Dependent upon severity (typically within 30 days for Critical/High, 90 days for Medium/Low).
Safe Harbor
SigmaShake considers activities conducted consistent with this policy to constitute "authorized" conduct. We will not initiate legal action against security researchers who report vulnerabilities in good faith and in compliance with this disclosure policy. If legal action is initiated by a third party against you, we will take steps to make it known that your actions were conducted in compliance with this policy.
Recognition
Security researchers who report valid, in-scope vulnerabilities will be credited in our resulting security advisories and release notes (opt-in).