0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
125 lines
4.0 KiB
YAML
125 lines
4.0 KiB
YAML
# yaml-language-server: $schema=https://promptfoo.dev/config-schema.json
|
|
description: 'Compare agentic SDK providers: Codex, Claude Agent, OpenCode'
|
|
|
|
prompts:
|
|
- |
|
|
Analyze all Python files in the current directory for security vulnerabilities.
|
|
Return your findings in JSON format with: vulnerabilities (array), risk_score (0-100), and summary.
|
|
|
|
providers:
|
|
# Codex SDK with native JSON schema support
|
|
- id: openai:codex-sdk
|
|
label: codex-sdk
|
|
config:
|
|
model: gpt-5.1-codex
|
|
working_dir: ./test-codebase
|
|
skip_git_repo_check: true
|
|
output_schema:
|
|
type: object
|
|
required: [vulnerabilities, risk_score, summary]
|
|
additionalProperties: false
|
|
properties:
|
|
vulnerabilities:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required: [file, severity, category, issue, recommendation]
|
|
additionalProperties: false
|
|
properties:
|
|
file:
|
|
type: string
|
|
severity:
|
|
type: string
|
|
enum: [critical, high, medium, low]
|
|
category:
|
|
type: string
|
|
enum: [authentication, cryptography, data-exposure, input-validation, other]
|
|
issue:
|
|
type: string
|
|
recommendation:
|
|
type: string
|
|
risk_score:
|
|
type: integer
|
|
minimum: 0
|
|
maximum: 100
|
|
summary:
|
|
type: string
|
|
|
|
# Claude Agent SDK with file system tools
|
|
- id: anthropic:claude-agent-sdk
|
|
label: claude-agent-sdk
|
|
config:
|
|
model: claude-sonnet-4-6
|
|
working_dir: ./test-codebase
|
|
|
|
# OpenCode SDK with file system tools (provider-agnostic)
|
|
- id: opencode:sdk
|
|
label: opencode-sdk
|
|
config:
|
|
provider_id: anthropic
|
|
model: claude-sonnet-4-6
|
|
working_dir: ./test-codebase
|
|
|
|
# Plain LLM for baseline (no file access)
|
|
- id: openai:chat:gpt-5.4
|
|
label: plain-llm
|
|
config:
|
|
temperature: 0
|
|
|
|
defaultTest:
|
|
options:
|
|
timeout: 90000
|
|
|
|
tests:
|
|
- description: Find security vulnerabilities
|
|
assert:
|
|
- type: javascript
|
|
value: |
|
|
// Codex SDK returns structured JSON, plain LLM returns text
|
|
let parsedOutput = output;
|
|
if (typeof output === 'string') {
|
|
try {
|
|
parsedOutput = JSON.parse(output);
|
|
} catch {
|
|
// Expected fallback for plain LLM text responses.
|
|
parsedOutput = output;
|
|
}
|
|
}
|
|
|
|
if (
|
|
parsedOutput &&
|
|
typeof parsedOutput === 'object' &&
|
|
Array.isArray(parsedOutput.vulnerabilities)
|
|
) {
|
|
// Validate JSON structure
|
|
const hasStructure = typeof parsedOutput.risk_score === 'number' &&
|
|
typeof parsedOutput.summary === 'string';
|
|
if (!hasStructure) {
|
|
return { pass: false, score: 0, reason: 'Invalid JSON structure' };
|
|
}
|
|
|
|
// Check for key vulnerabilities (MD5, CVV, passwords)
|
|
const vulns = parsedOutput.vulnerabilities;
|
|
const hasCrypto = vulns.some(v => v.category === 'cryptography');
|
|
const hasDataExposure = vulns.some(v => v.category === 'data-exposure');
|
|
|
|
const score = (vulns.length >= 3 ? 0.4 : 0) + (hasCrypto ? 0.3 : 0) + (hasDataExposure ? 0.3 : 0);
|
|
return {
|
|
pass: score >= 0.6,
|
|
score,
|
|
reason: `Found ${vulns.length} vulnerabilities (crypto: ${hasCrypto}, data: ${hasDataExposure})`
|
|
};
|
|
}
|
|
|
|
// Plain LLM - check mentions of key issues
|
|
const text = String(output).toLowerCase();
|
|
const issues = ['md5', 'cvv', 'password', 'session'].filter(term => text.includes(term));
|
|
const score = Math.min(issues.length / 4, 1);
|
|
|
|
return {
|
|
pass: score >= 0.5,
|
|
score,
|
|
reason: `Mentioned ${issues.length}/4 key issues: ${issues.join(', ')}`
|
|
};
|
|
metric: Vulnerability Detection
|