Skip to content

docs: expand security documentation in README and SECURITY.md#30

Merged
mkmeral merged 1 commit into
strands-agents:mainfrom
max-rattray-aws:security-docs-update
Jun 16, 2026
Merged

docs: expand security documentation in README and SECURITY.md#30
mkmeral merged 1 commit into
strands-agents:mainfrom
max-rattray-aws:security-docs-update

Conversation

@max-rattray-aws

@max-rattray-aws max-rattray-aws commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Summary

Improves security guidance for users and vulnerability reporters by expanding both README.md and SECURITY.md.

SECURITY.md

  • Adds 6 vulnerability classes to the in-scope definition: parser DoS, credential leakage, symlink/path traversal, URL parsing differentials, credential injection on redirects, MCP session isolation
  • Adds Security Architecture section describing the Kernel trait boundary and its four enforcement layers (filesystem isolation, SSRF guard, credential injection, no-syscall)
  • Adds explicit Out of Scope section aligned with the documented threat model

README.md

  • Adds security disclaimer callout at the top of the Security Model section clarifying that Strands Shell is a mediation layer, not a hardened sandbox
  • Adds Secure Defaults subsection with least-privilege guidance (copy > direct, narrow binds, explicit URL allowlists, timeouts, output limits)
  • Adds warning about mode: "direct" mounts in the Configuration section

Testing

Documentation-only change.

@maxrat-aws
Expand security documentation in README and SECURITY.md
8341c28 
- SECURITY.md: Add 6 vulnerability classes to in-scope definition (parser
  DoS, credential leakage, symlink traversal, URL parsing differentials,
  credential injection on redirects, MCP session isolation)
- SECURITY.md: Add Security Architecture section describing the Kernel trait
  boundary and its four enforcement layers
- SECURITY.md: Add explicit Out of Scope section aligned with threat model
- README.md: Add security disclaimer callout at top of Security Model section
- README.md: Add Secure Defaults subsection with least-privilege guidance for
  binds, URL allowlists, timeouts, and output limits
- README.md: Add warning about mode: "direct" mounts in Configuration
@max-rattray-aws max-rattray-aws requested a review from mkmeral June 16, 2026 16:24
@mkmeral mkmeral changed the title Expand security documentation in README and SECURITY.md docs: expand security documentation in README and SECURITY.md Jun 16, 2026
@mkmeral mkmeral merged commit 9bf907c into strands-agents:main Jun 16, 2026
19 of 20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zastrowm zastrowm zastrowm approved these changes
@mkmeral mkmeral mkmeral approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@max-rattray-aws @zastrowm @mkmeral @maxrat-aws