Spacelift Agent Security Risks

Platform Operations · Agents · spacelift.io · Tight Operators

[AI Risk Quadrant position chart: Defense Controls (8) against Attack Surface (4.8); quadrants Exposed Giants, Fortified Leaders, Humble Providers, Tight Operators]

AIRQ Score: 7.22 (Medium)
Attack Surface: 4.8 (Medium)
Blast Radius: 6.75 (High)
Defense Controls: 8 (Medium)
About The Agent

Spacelift is a cloud-hosted infrastructure orchestration platform that translates both traditional IaC code and natural language prompts into governed infrastructure deployments across multiple cloud providers. The same control plane manages Terraform, OpenTofu, Ansible, and Kubernetes workflows while exposing an MCP server that grants external AI coding assistants direct access to infrastructure mutation under OAuth-scoped policy governance, giving operators a unified deployment surface with shared credentials, audit trail, and OPA-based approval workflows.

About the AI Risk Quadrant

Tight Operators placement reflects an attack surface held below the midpoint by OPA policy governance and scoped MCP OAuth grants, combined with a moderate blast radius bounded by containerized workers and short-lived cloud credentials. Defense controls contribute meaningfully through approval policies, container isolation, and SOC 2-audited audit trails, but the absence of dedicated prompt-injection filtering on the natural language path and operator-managed monitoring leave the composite below the fortified threshold.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Spacelift concentrates risk at the intersection of natural language infrastructure provisioning, broad cloud credential delegation, and an operator-managed monitoring boundary.

Key Input Risks
Untrusted content from VCS repositories, community Terraform modules, and natural language prompts via MCP reaches the control plane without dedicated prompt-injection filtering. OPA policies evaluate infrastructure plan outputs but do not inspect the natural language instruction path that drives Intent provisioning. Deploy a prompt-injection classifier on the MCP path or restrict OAuth write grants to mitigate.
Key Execution Risks
Workers execute arbitrary Terraform providers, shell hooks, and cloud API calls inside ephemeral Docker containers scoped to operator-supplied IAM roles. Container isolation bounds the blast radius to a single run, but no microVM or OS-level sandbox constrains provider code beyond the container boundary.
Key Action Risks
Drift reconciliation and VCS-triggered runs can apply infrastructure changes without per-run operator approval when auto-deploy is enabled. Short-lived cloud credentials grant the worker full IAM-scoped access to production accounts during execution.
Key Output Risks
Worker logs mask secret environment variables and cloud credentials by default, but no dedicated DLP or exfiltration-blocking layer inspects outbound data from Terraform provider outputs or Intent resource responses. The audit trail captures resource-change events but not data-plane content.
Key Monitoring Risks
Audit trail logs all control-plane operations with webhook forwarding to external SIEM, but retention is limited to thirty days in the built-in UI. Anomaly detection and behavioral alerting are operator-managed responsibilities outside the platform boundary.

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Spacelift balances broad infrastructure authority against documented policy governance, placing it in the lower-risk quadrant with meaningful but incomplete default defenses.

AIRQ Metrics

Attack surface sits just below the midpoint and blast radius just below the upper threshold, while defense controls contribute eight of fifteen possible points from policy gates and container isolation.

Each axis measures a distinct dimension: attack surface exposure out of ten, blast radius reach out of ten, defense controls out of fifteen, and AIRQ as the composite. Higher composites indicate greater residual risk requiring more operator investment in hardening before production deployment.

| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 7.22 | Composite reflects moderate capability governed by policy-based controls that reduce but do not eliminate operator risk. [5] |
| Blast Radius | 6.75 / 10 | Infrastructure deployment authority and cloud credential delegation drive the upper bands across most factors. [12] |
| Attack Surface | 4.8 / 10 | Surfaces cluster at the moderate band with policy validation on infrastructure changes but no dedicated NL input filtering. [6] |
| Defense Controls | 8 / 15 | OPA approval policies, container isolation, and SOC 2-audited logging contribute the majority of defense points. [4][8][10] |

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures are the model-agnostic reasoning path via MCP, full shell execution in worker containers, and scheduled background orchestration without per-run gating.

Attack Surface Metrics

Three surfaces reach the upper band where external LLM delegation, shell execution, and cron-based orchestration each carry unfiltered authority within their policy boundary.

Each row scores the architectural exposure of one interaction surface, the penalty from agent-specific confirmed exploitation, and the analyst commentary grounding the band assignment.

| Surface | Score | Comments |
|---|---|---|
| User Input | 2 / 4 | Multiple validated channels including web UI, GraphQL API, CLI, and MCP with OPA policy evaluation on resulting operations. [5][7] |
| External Data | 2 / 4 | Reads VCS repositories, Terraform registries, and provider schemas with plan-policy evaluation before execution. [6][9] |
| Memory | 1 / 4 | Infrastructure state persists per-stack but carries no cross-session learning loop or vector store. [11] |
| Reasoning | 3 / 4 | Model-agnostic architecture delegates reasoning to interchangeable external LLMs via MCP without intermediate filtering, extending the Intelligence platform. [6][7][17] |
| Planning | 2 / 4 | Multi-step planning visible through plan output with explicit approval policies before execution begins. [8][14] |
| Tool Execution | 3 / 4 | Worker containers run IaC providers, custom shell scripts, and remote API operations with approval-gated access under operator-scoped IAM roles. [9][12] |
| Orchestration | 3 / 4 | Stack dependencies, drift detection schedules, and VCS webhook triggers drive background execution without per-event approval. [14] |
| Inter-Agent | 2 / 4 | MCP server exposes tools to external AI agents with OAuth-scoped access grants separating read from write authority, the latter including resource deletion. [7][18] |
| Output Processing | 1 / 4 | Text-based plan and apply outputs with automatic credential masking in logs and UI. [5] |
| Configuration | 2 / 4 | Configuration through validated settings UI, Terraform provider, and API with OPA policies governing deployment behavior. [8][13] |

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Spacelift ingests VCS-authored content and community modules, holds short-lived cloud credentials scoped to production accounts, and transmits infrastructure mutations to cloud provider APIs within the same worker execution context. [6][9][12]

Lethal Trifecta · Complete (3 of 3)

Spacelift exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — VCS repository content, community Terraform modules, and natural language prompts from external MCP clients reach the control plane. [6][7]
  • Sensitive data — Workers hold short-lived IAM credentials, API tokens from contexts, and SSH keys granting access to production cloud accounts. [11][12]
  • External egress — Workers make unrestricted outbound connections to cloud provider APIs, package registries, and VCS endpoints during execution. [9]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Compromise of a worker execution context reaches cloud provider APIs with IAM-scoped credentials, enabling infrastructure modification within the operator's production accounts.

Blast Radius Metrics

Four of six factors sit at the upper band where cloud credential access, network reach, shell execution, and deployment authority each carry broad infrastructure scope.

Each row ties a blast factor to the documented capability evidence showing what a compromised worker can reach during a single run.

| Factor | Score | Comments |
|---|---|---|
| Code execution | 3 / 4 | Workers execute shell commands, Terraform providers, and custom hooks with operator-level privileges inside ephemeral containers. [9] |
| File system access | 2 / 4 | Container-scoped read-write access to the working directory with mounted files from contexts during run lifetime. [11] |
| Network access | 3 / 4 | Unrestricted outbound connectivity from workers to cloud APIs, VCS providers, and package registries. [9] |
| Credential access | 3 / 4 | Short-lived STS credentials, environment variable secrets, and API tokens injected into the worker runtime per run. [12] |
| Autonomous action | 2 / 4 | Drift reconciliation and VCS-triggered runs execute with configurable approval gates; auto-deploy defaults to off. [14] |
| Deployment access | 3 / 4 | Direct infrastructure provisioning via Terraform apply and Intent resource lifecycle management across cloud accounts. [6][16] |

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The default configuration ships OPA policy evaluation, Docker container isolation, OAuth-scoped MCP access, and SOC 2-audited audit trails, while prompt-injection filtering and behavioral alerting remain operator responsibilities.

Defense Controls Metrics

Higher scores indicate stronger vendor-implemented safeguards; Spacelift contributes eight of fifteen points through policy governance, container isolation, and structured audit logging. The remaining seven unearned points represent gaps in prompt filtering and behavioral alerting that require operator investment.

Each component is scored on what the vendor implements at the default configuration versus what requires operator action to enable.

| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 1 / 3 | OPA plan policies evaluate infrastructure changes but no dedicated prompt shield or injection detection exists for the MCP natural language path, leaving the class-level indirect prompt injection vector unmitigated. [2][3][5][8] |
| Execution Isolation | 2 / 3 | Workers run in ephemeral Docker containers or Kubernetes pods with end-to-end encryption of run state for private worker pools. [9] |
| Action Controls | 2 / 3 | Approval policies enforce human review workflows with RBAC via Spaces; no single-step bypass documented and auto-deploy defaults to off. [8][13] |
| Output Guardrails | 1 / 3 | Secret environment variables and cloud credentials are masked in logs and hidden in UI/API; no dedicated DLP layer inspects outbound content. [5][11] |
| Monitoring | 2 / 3 | Built-in audit trail with webhook forwarding to SIEM, signed payloads, and thirty-day retention; SOC 2 Type II certified annually with responsible disclosure program. [1][4][10][15] |

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize prompt-injection filtering on the MCP path, network-level egress controls on private workers, and SIEM-based alerting to extend built-in audit coverage.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Require OPA plan policies on all stacks that evaluate MCP-originated runs for suspicious resource patterns — counters unfiltered natural language input reaching the provisioning path.
  • Configuration: Restrict MCP OAuth grants to the mcp:read scope for all non-infrastructure-team users — counters broad write authority on the Intent path.
  • Engineering: Deploy a prompt-injection classifier between MCP client requests and the Intent engine — counters absence of dedicated NL input validation.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Mandate private worker pools for all production stacks to keep execution within the operator's network boundary — counters shared public worker exposure.
  • Configuration: Configure Kubernetes network policies on private workers to restrict egress to known cloud API endpoints — counters unrestricted outbound from containers.
  • Engineering: Wrap worker containers in gVisor or Firecracker microVMs to add OS-level isolation beyond Docker namespace boundaries — counters container-escape risk.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Require approval policies on every stack that mandate at least two human approvals for tracked runs — counters single-approver risk on critical infrastructure.
  • Configuration: Disable auto-deploy on all production stacks and enable drift detection warn policies — counters unattended reconciliation applying changes without review.
  • Engineering: Implement custom approval policy logic that cross-references change scope against a resource-sensitivity registry — counters flat approval thresholds across varying risk levels.
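
The decision logic behind the Input Guardrails plan-policy tip and the three Action Controls tips above, as an added example that is not Spacelift's own policy code: Spacelift evaluates approval and plan policies in OPA/Rego, and this Python models the same decisions (deny suspicious resource patterns on MCP-originated runs, require a baseline of two approvals, raise the threshold from a resource-sensitivity registry) so the logic can be unit-tested before being ported to Rego. The run and change field names, the trigger values, the registry contents, and the suspicious-pattern lists are all assumptions.

```python
"""Reference model of a Spacelift-style plan/approval decision (added example).

Not Spacelift code: Spacelift evaluates OPA/Rego policies against the run and
plan. This models the same decision logic in Python so it can be unit-tested
before being ported to Rego. Field names and values are assumptions.
"""
from dataclasses import dataclass, field

# Baseline from the Policy tip: at least two human approvals for tracked runs.
DEFAULT_APPROVALS = 2

# Assumed operator-maintained resource-sensitivity registry: resource types
# whose change warrants a higher approval threshold than the baseline.
SENSITIVITY_REGISTRY = {
    "aws_iam_role": 3,
    "aws_iam_policy": 3,
    "aws_security_group_rule": 3,
    "aws_s3_bucket_public_access_block": 3,
}

# Assumed patterns that a plan policy would reject when the run originated
# from the natural language (MCP) path rather than a reviewed VCS commit.
SUSPICIOUS_ACTIONS = {"delete"}
SUSPICIOUS_TYPES = {"aws_iam_role", "aws_iam_user", "aws_iam_access_key"}


@dataclass
class Change:
    resource_type: str   # e.g. "aws_iam_role"
    action: str          # "create" | "update" | "delete"
    address: str         # Terraform resource address


@dataclass
class Run:
    trigger: str                       # assumed values: "vcs" | "mcp" | "drift"
    changes: list = field(default_factory=list)
    approvals: int = 0                 # distinct human approvals recorded so far


def suspicious_patterns(run):
    """Reasons a plan should be denied outright; only applies to MCP runs."""
    reasons = []
    if run.trigger != "mcp":
        return reasons
    for c in run.changes:
        if c.action in SUSPICIOUS_ACTIONS:
            reasons.append(f"{c.address}: {c.action} requested via MCP")
        if c.resource_type in SUSPICIOUS_TYPES:
            reasons.append(f"{c.address}: identity resource changed via MCP")
    return reasons


def required_approvals(run):
    """The most sensitive resource in the plan sets the approval threshold."""
    if not run.changes:
        return 0
    return max(SENSITIVITY_REGISTRY.get(c.resource_type, DEFAULT_APPROVALS)
               for c in run.changes)


def decide(run):
    """Return ("deny", reasons), ("approve", []) or ("pending", [what is missing])."""
    reasons = suspicious_patterns(run)
    if reasons:
        return "deny", reasons
    need = required_approvals(run)
    if run.approvals >= need:
        return "approve", []
    return "pending", [f"{need} approval(s) required, {run.approvals} recorded"]


if __name__ == "__main__":
    # Constructed runs exercising each branch of the decision.
    runs = [
        Run("mcp", [Change("aws_s3_bucket", "delete", "aws_s3_bucket.logs")]),
        Run("vcs", [Change("aws_iam_role", "update", "aws_iam_role.deploy")], approvals=2),
        Run("vcs", [Change("aws_instance", "create", "aws_instance.web")], approvals=2),
    ]
    for r in runs:
        print(r.trigger, decide(r))
```

The threshold is taken from the most sensitive resource in the plan rather than averaged, so a single IAM change buried in a large plan still raises the whole run to the higher approval count; the MCP-only deny rules stay out of the VCS path so that reviewed commits are not blocked by rules aimed at natural language input.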

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Establish data classification rules requiring Terraform output values containing credentials to be marked sensitive — counters accidental secret exposure in plan outputs.
  • Configuration: Enable the audit trail "Include runs" option to capture run state change events for downstream DLP inspection — counters silent data movement through run outputs.
  • Engineering: Build a webhook consumer that inspects audit trail payloads for credential patterns before they reach downstream systems — counters absence of native DLP.
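
A webhook consumer of the kind the Engineering tip describes, as an added example that is not Spacelift code: it verifies the payload signature, walks every string in the JSON event, matches credential patterns, and quarantines rather than forwards any event that matches. Spacelift signs audit trail payloads with SHA256 (reference [10]); the header name and the HMAC-over-raw-body construction used here are assumptions to be checked against the vendor documentation, the event is a constructed sample, and the AWS key value is the public example key from AWS documentation.

```python
"""Audit trail webhook consumer that screens payloads for credential patterns
(added example, not Spacelift code).

Spacelift signs audit trail webhook payloads with SHA256. The header name and
the HMAC-SHA256-over-raw-body construction below are ASSUMPTIONS; check them
against the vendor documentation before deploying. The event is constructed.
"""
import hashlib
import hmac
import json
import re

SIGNATURE_HEADER = "X-Signature-256"   # assumed header name (placeholder)

# Constructed credential patterns; extend for the providers in use.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(r"(?i)\b(?:password|secret|token)\b\s*[:=]\s*\S{8,}"),
}

# Constructed sample event; the AWS key is the public example key from AWS docs.
SAMPLE_EVENT = {
    "event": "run.state_changed",
    "run": {
        "id": "RUN-CONSTRUCTED-01",
        "state": "FINISHED",
        "outputs": {"bucket_name": "logs-prod", "db_admin": "AKIAIOSFODNN7EXAMPLE"},
    },
}


def encode(event):
    """Serialize an event to the raw bytes a webhook sender would transmit."""
    return json.dumps(event, sort_keys=True).encode()


def sign(secret, body):
    """HMAC-SHA256 hex digest of the raw body (assumed construction)."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header_value):
    # Constant-time comparison so signature checks do not leak timing.
    return hmac.compare_digest(sign(secret, body), header_value)


def walk_strings(node, path=""):
    """Yield (dotted_path, value) for every string leaf in a JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def scan_payload(payload):
    """Return [(path, pattern_name)] for every string matching a pattern."""
    findings = []
    for path, value in walk_strings(payload):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(value):
                findings.append((path, name))
    return findings


def handle_webhook(secret, body, headers):
    """Return ("rejected", []), ("quarantine", findings) or ("forward", [])."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER, "")):
        return "rejected", []          # unsigned or tampered: never forward
    findings = scan_payload(json.loads(body))
    if findings:
        return "quarantine", findings  # hold for review instead of forwarding
    return "forward", []


if __name__ == "__main__":
    secret = "constructed-webhook-secret"
    body = encode(SAMPLE_EVENT)
    print(handle_webhook(secret, body, {SIGNATURE_HEADER: sign(secret, body)}))
```

Verifying the signature before parsing the body means an unauthenticated sender cannot feed fabricated events into the downstream SIEM, and quarantining on a match keeps the event available for investigation without letting the credential propagate to log storage.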

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Define retention and alerting SLAs that extend beyond the thirty-day built-in window using external log aggregation — counters short retention limiting forensic capability.
  • Configuration: Configure audit trail webhooks to forward all events including run state changes to a SIEM with automated correlation rules — counters passive log storage without active detection.
  • Engineering: Build anomaly detection on audit trail event patterns to flag unusual resource creation velocity or scope escalation — counters absence of behavioral alerting.
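
Anomaly detection of the kind the Engineering tip describes, as an added example that is not Spacelift code: a detector that keeps a sliding window of resource-creation counts per actor and flags the first time a known actor acts in a space it has not been seen in before. The normalized event shape, the thresholds, and the sample event stream are constructed assumptions; in practice the events would be fed from the SIEM that receives the audit trail webhooks.

```python
"""Velocity and scope-escalation detection over audit trail events
(added example, not Spacelift code).

The normalized event shape (timestamp, actor, action, space, resource_count),
the thresholds and the sample stream are constructed assumptions; in practice
events arrive from the SIEM that receives the audit trail webhooks.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_CREATES_PER_WINDOW = 20   # constructed threshold; baseline per organization


class AuditAnomalyDetector:
    def __init__(self, window=WINDOW, max_creates=MAX_CREATES_PER_WINDOW):
        self.window = window
        self.max_creates = max_creates
        self._creates = defaultdict(deque)  # actor -> deque of (ts, count)
        self._spaces = defaultdict(set)     # actor -> spaces it has acted in

    def observe(self, event):
        """Feed one event; return the alerts it raises (usually none)."""
        alerts = []
        ts = datetime.fromisoformat(event["timestamp"])
        actor, space = event["actor"], event["space"]

        # Scope escalation: a known actor touches a space it has never used.
        # The first event for an actor seeds its baseline and never alerts.
        if actor in self._spaces and space not in self._spaces[actor]:
            alerts.append(f"scope: {actor} first activity in space {space}")
        self._spaces[actor].add(space)

        # Creation velocity: sliding-window sum of resources created per actor.
        if event["action"] == "resource.create":
            recent = self._creates[actor]
            recent.append((ts, event.get("resource_count", 1)))
            while recent and ts - recent[0][0] > self.window:
                recent.popleft()       # drop events older than the window
            total = sum(count for _, count in recent)
            if total > self.max_creates:
                alerts.append(f"velocity: {actor} created {total} resources within {self.window}")
        return alerts


def detect(events):
    """Run the detector over an ordered event list and collect all alerts."""
    detector = AuditAnomalyDetector()
    return [alert for event in events for alert in detector.observe(event)]


# Constructed stream: a CI identity creates 25 resources in five minutes,
# then appears in a space it has never acted in.
SAMPLE_EVENTS = (
    [{"timestamp": "2024-01-01T10:00:00+00:00", "actor": "ci-bot",
      "action": "run.triggered", "space": "prod"}]
    + [{"timestamp": f"2024-01-01T10:{m:02d}:00+00:00", "actor": "ci-bot",
        "action": "resource.create", "space": "prod", "resource_count": 5}
       for m in range(1, 6)]
    + [{"timestamp": "2024-01-01T10:07:00+00:00", "actor": "ci-bot",
        "action": "run.triggered", "space": "security"}]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The per-actor baseline of spaces should be seeded from historical audit exports before the detector goes live, otherwise every actor's first event after deployment looks like new activity; the velocity threshold likewise needs to be set from the organization's normal deployment rate rather than the constructed value used here.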

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. Spacelift Responsible Disclosure Program: vendor operates a private bug bounty with rewards for valid reports; no public advisories published to date.

Selected Research

  2. In-the-Wild Indirect Prompt Injection Payloads: Lyrie Research documents ten recovered IPI payloads targeting agentic AI with infrastructure access.
  3. Comment and Control Prompt Injection: cross-vendor credential exfiltration from AI agents processing VCS metadata.

Vendor Documentation

  4. Spacelift Trust Center: SOC 2 Type II reports and security control documentation.
  5. Spacelift Security Documentation: encryption posture, SSO, FIDO2 MFA, and the OPA policy engine.
  6. Spacelift Intent Documentation: MCP-based natural language provisioning with policy governance.
  7. Spacelift MCP Server Integration: hosted MCP endpoint with five tools and OAuth-scoped access.
  8. Spacelift Approval Policy: OPA/Rego approval workflows requiring human review.
  9. Spacelift Worker Pools: public and private worker execution with Docker/Kubernetes isolation.
  10. Spacelift Audit Trail: built-in audit logging with webhook forwarding and SHA256 signatures.
  11. Spacelift Contexts: write-only secret environment variables hidden from UI and API.
  12. Spacelift AWS Integration: short-lived STS credentials via IAM role assumption.
  13. Spacelift RBAC Access Control: Spaces-based role hierarchy with inheritance and login policies.
  14. Spacelift Drift Detection: scheduled drift detection obeying approval policy constraints.

Other Sources

  15. What Makes Spacelift Secure: SOC 2 Type II certification and security-first development.
  16. Spacelift Intent Product Overview: AI infrastructure provisioning with policy enforcement.
  17. Spacelift Intelligence Platform: AI assistant for infrastructure understanding and governance.
  18. Spacelift Intent MCP Server Repository: open-source MCP server with all tool definitions for resource lifecycle.