Files
wehub-resource-sync 0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

125 lines
4.0 KiB
YAML

# yaml-language-server: $schema=https://promptfoo.dev/config-schema.json
description: 'Compare agentic SDK providers: Codex, Claude Agent, OpenCode'
prompts:
- |
Analyze all Python files in the current directory for security vulnerabilities.
Return your findings in JSON format with: vulnerabilities (array), risk_score (0-100), and summary.
providers:
# Codex SDK with native JSON schema support
- id: openai:codex-sdk
label: codex-sdk
config:
model: gpt-5.1-codex
working_dir: ./test-codebase
skip_git_repo_check: true
output_schema:
type: object
required: [vulnerabilities, risk_score, summary]
additionalProperties: false
properties:
vulnerabilities:
type: array
items:
type: object
required: [file, severity, category, issue, recommendation]
additionalProperties: false
properties:
file:
type: string
severity:
type: string
enum: [critical, high, medium, low]
category:
type: string
enum: [authentication, cryptography, data-exposure, input-validation, other]
issue:
type: string
recommendation:
type: string
risk_score:
type: integer
minimum: 0
maximum: 100
summary:
type: string
# Claude Agent SDK with file system tools
- id: anthropic:claude-agent-sdk
label: claude-agent-sdk
config:
model: claude-sonnet-4-6
working_dir: ./test-codebase
# OpenCode SDK with file system tools (provider-agnostic)
- id: opencode:sdk
label: opencode-sdk
config:
provider_id: anthropic
model: claude-sonnet-4-6
working_dir: ./test-codebase
# Plain LLM for baseline (no file access)
- id: openai:chat:gpt-5.4
label: plain-llm
config:
temperature: 0
defaultTest:
options:
timeout: 90000
tests:
- description: Find security vulnerabilities
assert:
- type: javascript
value: |
// Codex SDK returns structured JSON, plain LLM returns text
let parsedOutput = output;
if (typeof output === 'string') {
try {
parsedOutput = JSON.parse(output);
} catch {
// Expected fallback for plain LLM text responses.
parsedOutput = output;
}
}
if (
parsedOutput &&
typeof parsedOutput === 'object' &&
Array.isArray(parsedOutput.vulnerabilities)
) {
// Validate JSON structure
const hasStructure = typeof parsedOutput.risk_score === 'number' &&
typeof parsedOutput.summary === 'string';
if (!hasStructure) {
return { pass: false, score: 0, reason: 'Invalid JSON structure' };
}
// Check for key vulnerabilities (MD5, CVV, passwords)
const vulns = parsedOutput.vulnerabilities;
const hasCrypto = vulns.some(v => v.category === 'cryptography');
const hasDataExposure = vulns.some(v => v.category === 'data-exposure');
const score = (vulns.length >= 3 ? 0.4 : 0) + (hasCrypto ? 0.3 : 0) + (hasDataExposure ? 0.3 : 0);
return {
pass: score >= 0.6,
score,
reason: `Found ${vulns.length} vulnerabilities (crypto: ${hasCrypto}, data: ${hasDataExposure})`
};
}
// Plain LLM - check mentions of key issues
const text = String(output).toLowerCase();
const issues = ['md5', 'cvv', 'password', 'session'].filter(term => text.includes(term));
const score = Math.min(issues.length / 4, 1);
return {
pass: score >= 0.5,
score,
reason: `Mentioned ${issues.length}/4 key issues: ${issues.join(', ')}`
};
metric: Vulnerability Detection