AI coding agent security checklist

Use this checklist before AI coding workflows get broad write access, CI/CD authority, MCP tools, secrets, deploy paths, or production-adjacent reach.

Last updated: May 20, 2026

The useful security review is not a generic AI inventory. It is a concrete pass over the action paths AI coding workflows can reach: repo writes, workflow edits, CI/CD jobs, secrets, MCP tools, package publishing, cloud actions, deploy paths, approval, and proof.

First-pass checklist

  • List the AI coding tools and workflows in use: IDE agents, cloud agents, repo bots, MCP configs, CI bots, and internal assistants.
  • Pick one repo or workflow that is close to CI/CD, release, deploy, package publishing, or internal tools.
  • Identify the human owner, team owner, repo, branch, PR path, workflow file, and relevant package scripts.
  • Classify what the workflow can do: read, write, execute, call tools, use credentials, publish, deploy, delete, or affect production.
  • Record what evidence already exists and what evidence is missing.

Repo and PR review

Write surface

Can the agent or workflow edit source, config, scripts, workflow files, dependency files, infra files, or release manifests?

Review boundary

Does PR review cover only code, or does it explicitly cover downstream actions like workflow execution, deploy, publish, and tool calls?

Protected paths

Are workflow files, package scripts, IaC, deploy manifests, and secrets configuration protected by owner review?

Proof

Can the team reconstruct who requested the change, which agent acted, who approved it, and what changed afterward?

CI/CD and credential review

  • Check whether the workflow can trigger GitHub Actions, GitLab CI, Buildkite, CircleCI, Harness, or release automation.
  • List reachable secrets: CI secrets, `GITHUB_TOKEN`, package tokens, cloud roles, signing keys, service accounts, and PATs.
  • Identify jobs that can publish packages, deploy, sign artifacts, run migrations, call cloud APIs, or reach customer-adjacent systems.
  • Check whether approval happens before merge, before workflow execution, before environment access, or after the action already occurred.
  • Prefer scoped, short-lived credentials for high-impact paths where possible.

MCP and tool-call review

  • Inventory MCP servers and declared tools connected to AI coding workflows.
  • For each tool, record operation, credential, target system, owner, approval point, and evidence location.
  • Treat write-capable tools differently from read-only tools.
  • Require explicit review for tools that can create tickets, send messages, write code, change cloud state, query sensitive data, or call internal APIs.
  • Block ownerless tools and unmanaged token passthrough for high-impact actions.

Approval and evidence review

Action class                                                  | Default decision                         | Evidence to retain
Read, search, test, explain                                   | Allow with owner and logs.               | Requester, workflow, run, and output location.
Write code or config                                          | Review through normal PR process.        | PR, reviewer, changed files, tests, and merge outcome.
Workflow, credential, tool, deploy, publish, destructive      | Require action-specific approval.        | Approval reason, credential scope, target, validation, and final outcome.
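As an added example, not Clyra's code and not part of the original checklist, the script below records the MCP tool-inventory fields from the previous section (operation, credential, target, owner, approval point) and applies the default-decision table above to a constructed tool inventory, blocking ownerless tools and unmanaged token passthrough on high-impact paths. The operation labels, the Tool fields, and the sample tools are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Tool:
    # One row of the MCP tool inventory (fields are assumed for this example).
    name: str
    operation: str
    credential: str                 # scope label; "passthrough" = agent forwards a caller token unchanged
    target: str
    owner: Optional[str]
    approval_point: Optional[str]   # "pre-merge", "pre-execution", "pre-environment", "post-action" or None

# Map each operation to the checklist's three action classes. An operation that is
# not listed is treated as high-impact so an unrecognised tool is never waved through.
ACTION_CLASS = {
    "read": "read", "search": "read", "test": "read", "explain": "read",
    "write_code": "write", "write_config": "write",
    "workflow": "high", "credential": "high", "deploy": "high", "publish": "high",
    "destructive": "high", "cloud_state": "high", "send_message": "high",
    "create_ticket": "high", "query_sensitive": "high", "internal_api": "high",
}
DEFAULT_DECISION = {
    "read": "allow with owner and logs",
    "write": "review through normal PR process",
    "high": "require action-specific approval",
}

def classify(tool: Tool) -> dict:
    """Return the action class, default decision and findings for one tool."""
    cls = ACTION_CLASS.get(tool.operation, "high")
    findings = []
    if tool.owner is None:
        findings.append("ownerless tool")
    if cls == "high":
        if tool.credential == "passthrough":
            findings.append("unmanaged token passthrough")
        if tool.approval_point in (None, "post-action"):
            findings.append("approval missing or after the action")
    # The checklist blocks ownerless tools and token passthrough on high-impact paths.
    blocked = cls == "high" and (tool.owner is None or tool.credential == "passthrough")
    return {"class": cls, "decision": "block" if blocked else DEFAULT_DECISION[cls], "findings": findings}

def review(tools: list) -> dict:
    return {t.name: classify(t) for t in tools}

# Constructed sample inventory for the example; not a real deployment.
SAMPLE_TOOLS = [
    Tool("repo_search", "search", "read-only PAT", "github", "devex", None),
    Tool("open_pr", "write_code", "scoped app token", "github", "devex", "pre-merge"),
    Tool("deploy_service", "deploy", "passthrough", "k8s-prod", "platform", "pre-execution"),
    Tool("run_terraform", "cloud_state", "cloud role", "aws", None, "post-action"),
    Tool("jira_create", "create_ticket", "service account", "jira", "ai-tooling", "pre-execution"),
]
```

Running `review(SAMPLE_TOOLS)` yields one record per tool with its class, decision and findings, which is the minimum evidence row the approval table asks the team to retain.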

Internal review prompt

Can this AI coding workflow write, execute, use credentials, call tools, deploy, publish, or touch production?

Send that question to the owner of platform, DevEx, CI/CD, release engineering, AI tooling, or security review. The goal is not to block AI coding. It is to decide which paths stay fast and which paths need approval and proof.

Source notes

Turn the checklist into one mapped path.

Clyra maps selected workflows into an action-control graph, Agent Action BOM, and evidence packet.