Can this agent read secrets?
If yes, can it read all secrets or only scoped temporary credentials?
Checklist
AI coding agent security checklist.
Before AI coding agents touch repositories, terminals, Git, network, or cloud tooling, use this checklist to reduce blast radius and create audit evidence.
Assign every agent an identity and owner.
Track agent ID, owner, repo, branch, provider, model, tool, session, expiration, and lifecycle status.
Deny secret access by default.
Block `.env`, `.env.*`, `*.pem`, `*.key`, `id_rsa`, `secrets.*`, cloud credentials, database URLs, and SaaS tokens.
Block dangerous terminal commands.
Start with `rm -rf`, `DROP DATABASE`, `TRUNCATE`, `terraform destroy`, `kubectl delete`, force push, and `curl unknown | bash`.
Approval-gate sensitive code paths.
Require review for auth, payments, infra, CI/CD, production configs, migrations, backups, and customer-data exports.
Route network through policy.
Log outbound requests, enforce allowlists, flag unknown domains, detect uploads, and classify model/tool endpoints.
Protect Git and PR workflows.
Deny protected-branch pushes, force pushes, tag deletion, and secret-containing pushes. Attach PR audit reports.
Redact before logging.
Never store raw secrets in audit logs, PR reports, terminal transcripts, or prompt/tool context.
Generate reviewable evidence.
Record session start/end, file access, commands, network requests, policy decisions, approvals, denials, redactions, and reports.
Buyer readiness
Ask these questions before rollout.
If the answer is no, the agent is probably inheriting too much trust from the human developer or local machine.
Can this agent touch production?
If yes, what policy denies destructive operations and who approves exceptions?
Can we prove what happened?
If no, the adoption path is weak for SOC 2, incident response, and enterprise security reviews.