
Guardrails Agent

Safety and compliance checking to ensure scans follow ethical guidelines and don’t cause harm.

Overview

  • Agent Name: GuardrailsAgent
  • Scan Type: safety-check
  • Credit Cost: 0 credits (automatic)
  • Target Types: All scan targets (runs automatically)

Purpose

The Guardrails Agent acts as a safety layer that:

  • Prevents harmful or unethical scans
  • Enforces security policies
  • Ensures compliance with regulations
  • Protects against accidental damage
  • Validates authorization

Capabilities

Safety Checks

  • Target Validation

    • Verify scan authorization
    • Check target ownership
    • Validate permissions
    • Prevent production targeting
  • Policy Enforcement

    • Allowlist/blocklist checking
    • Rate limiting
    • Scope validation
    • Time-based restrictions
  • Compliance Validation

    • GDPR compliance
    • Data privacy rules
    • Industry regulations
    • Legal requirements
  • Harm Prevention

    • DoS prevention
    • Data integrity protection
    • Availability safeguards
    • Destructive action blocking

Automatic Execution

Guardrails runs automatically before every scan:

# User initiates scan
alprina scan https://example.com --type red-team

# Guardrails checks run first:
# ✓ Target is in allowlist
# ✓ User has permission
# ✓ Scan type is authorized
# ✓ No policy violations

# Scan proceeds...

Safety Policy

Default Restrictions

Blocked by Default:

  • Production databases
  • Financial systems
  • Healthcare systems
  • Critical infrastructure
  • Third-party services (without authorization)

Safe by Default:

# Always runs in safe mode unless explicitly disabled
alprina scan ./local-code                    # Safe: local files
alprina scan https://staging.example.com     # Requires auth
alprina scan https://production.example.com  # Blocked without explicit policy

Configuration

Policy File

Create .alprina-policy.yaml:

# Allowed targets
allowed_targets:
  - "https://staging.example.com/*"
  - "https://dev.example.com/*"
  - "192.168.1.0/24"
  - "./src/**"

# Blocked targets
blocked_targets:
  - "https://production.example.com/*"
  - "https://*.bank.com/*"
  - "https://api.thirdparty.com/*"

# Scan type permissions
allowed_scan_types:
  - code
  - red-team
  - blue-team

# Rate limits
rate_limits:
  scans_per_hour: 50
  scans_per_day: 500

# Time restrictions
allowed_hours:
  start: "09:00"
  end: "17:00"
  timezone: "America/New_York"
  days: ["monday", "tuesday", "wednesday", "thursday", "friday"]

# Safe mode
safe_mode:
  enabled: true
  allow_override: false  # Cannot disable safe mode

Example Outputs

Scan Blocked

{
  "success": false,
  "error": {
    "code": "policy_violation",
    "message": "Target is not in allowlist",
    "details": {
      "target": "https://production.example.com",
      "reason": "Production systems require explicit authorization",
      "policy_file": ".alprina-policy.yaml",
      "action": "Add target to allowed_targets or get approval"
    }
  }
}

Scan Allowed with Warnings

{
  "success": true,
  "warnings": [
    {
      "level": "info",
      "message": "Scan running in safe-only mode",
      "details": "Potentially harmful tests are disabled"
    }
  ]
}
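As an added example (not Alprina's own implementation), a small policy evaluator that applies the checks from the policy file above, deny-before-allow, and returns decisions shaped like the two example outputs. The sample policy is embedded as a dict so it runs offline, and `now` is assumed to already be in the policy's timezone.

```python
# Added example, not Alprina's own implementation: evaluate a scan request
# against a policy shaped like .alprina-policy.yaml. The policy is embedded as
# a dict (constructed from the page's sample file) so this runs offline.
import fnmatch
import ipaddress
from datetime import datetime

POLICY = {
    "allowed_targets": ["https://staging.example.com/*", "https://dev.example.com/*",
                        "192.168.1.0/24", "./src/**"],
    "blocked_targets": ["https://production.example.com/*", "https://*.bank.com/*",
                        "https://api.thirdparty.com/*"],
    "allowed_scan_types": ["code", "red-team", "blue-team"],
    "rate_limits": {"scans_per_hour": 50},
    "allowed_hours": {"start": "09:00", "end": "17:00",
                      "days": ["monday", "tuesday", "wednesday", "thursday", "friday"]},
}

def matches(target, pattern):
    """CIDR containment for IP targets, glob matching for URLs and paths."""
    try:
        return ipaddress.ip_address(target) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # either side is not an IP/CIDR: fall back to glob
        return fnmatch.fnmatchcase(target, pattern)

def evaluate(target, scan_type, now, scans_last_hour, policy=POLICY):
    """Return a decision shaped like the 'Scan Blocked' / 'Scan Allowed' outputs.
    `now` is assumed to already be in the policy's timezone."""
    def deny(message, reason):
        return {"success": False, "error": {"code": "policy_violation", "message": message,
                "details": {"target": target, "reason": reason,
                            "policy_file": ".alprina-policy.yaml"}}}
    # Deny wins: an explicit block beats any allow entry.
    if any(matches(target, p) for p in policy["blocked_targets"]):
        return deny("Target is blocked by policy", "Listed in blocked_targets")
    if not any(matches(target, p) for p in policy["allowed_targets"]):
        return deny("Target is not in allowlist", "Add target to allowed_targets or get approval")
    if scan_type not in policy["allowed_scan_types"]:
        return deny("Scan type is not authorized", f"'{scan_type}' not in allowed_scan_types")
    if scans_last_hour >= policy["rate_limits"]["scans_per_hour"]:
        return deny("Rate limit exceeded", "Too many scans in time window")
    hours = policy["allowed_hours"]
    hhmm = now.strftime("%H:%M")  # zero-padded, so string comparison is safe
    if now.strftime("%A").lower() not in hours["days"] or not hours["start"] <= hhmm <= hours["end"]:
        return deny("Outside allowed scan window", "Scans limited to business hours")
    return {"success": True, "warnings": [{"level": "info",
            "message": "Scan running in safe-only mode",
            "details": "Potentially harmful tests are disabled"}]}
```

Note that a glob such as `https://production.example.com/*` does not match the bare origin without a trailing slash, so list both forms if you need the origin itself covered.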

Safety Features

1. Authorization Validation

# Checks before scanning:
# - Do you own the target?
# - Do you have written permission?
# - Is this a test/staging environment?

2. Scope Limiting

# Prevents scope creep
allowed_targets:
  - "https://staging.example.com/api/*"  # Only API endpoints

# This would be blocked:
alprina scan https://staging.example.com/admin

3. Rate Limiting

# Prevents accidental DoS
rate_limits:
  scans_per_hour: 10

# After 10 scans in an hour:
Error: Rate limit exceeded. Wait 45 minutes.

4. Destructive Action Prevention

# Blocks potentially harmful operations
safe_mode:
  enabled: true
  blocked_actions:
    - delete
    - modify
    - exploit
    - brute_force

Testing Policy

# Test if target is allowed
alprina policy test https://example.com

# Output:
# ✓ Target allowed
# ✓ Scan type permitted
# ✓ Within rate limits
# ✓ Safe to proceed

Override Process

For authorized testing that violates policy:

  1. Get Approval

    • Written authorization
    • Documented approval
    • Clear scope
  2. Update Policy

    # Add to policy file
    allowed_targets:
      - "https://special-target.com/*"

    # Or use override flag (requires admin)
    alprina scan https://special-target.com --policy-override --auth-token abc123
  3. Document

    • Log override reason
    • Record approval
    • Set expiration

Compliance Requirements

GDPR

  • Data minimization
  • Purpose limitation
  • Storage limitation
  • Consent validation

Industry Standards

  • PCI DSS: Protect cardholder data
  • HIPAA: Protect healthcare data
  • SOC 2: Security controls
  • ISO 27001: Information security

Best Practices

1. Maintain Policy Files

# Keep policy in version control
git add .alprina-policy.yaml
git commit -m "Update security scan policy"

2. Regular Reviews

# Monthly policy review
# - Remove expired authorizations
# - Update target lists
# - Review blocked scans

3. Audit Trail

# Log all policy decisions
{
  "timestamp": "2025-01-05T10:30:00Z",
  "action": "scan_blocked",
  "target": "https://production.example.com",
  "user": "user@example.com",
  "reason": "policy_violation"
}

4. Training

  • Educate team on policies
  • Explain authorization process
  • Document approval workflows
  • Regular compliance training

Error Handling

Policy Violation

Error: Target blocked by policy
Solution: Add to .alprina-policy.yaml or get authorization

Missing Authorization

Error: Remote scan requires authentication
Solution: Run 'alprina auth login' first

Rate Limit Exceeded

Error: Too many scans in time window
Solution: Wait or upgrade plan for higher limits