Add Inspect-native evaluation foundation for CodeGuard#87
Draft
thomas-bartlett wants to merge 2 commits into
Draft
Add Inspect-native evaluation foundation for CodeGuard#87thomas-bartlett wants to merge 2 commits into
thomas-bartlett wants to merge 2 commits into
Conversation
bact
reviewed
Jun 2, 2026
| "codeguard-1-crypto-algorithms", | ||
| "codeguard-1-hardcoded-credentials", | ||
| ) | ||
| DISCUSSION_URL = "https://github.com/cosai-oasis/project-codeguard/discussions/70" |
There was a problem hiding this comment.
Suggested change
| DISCUSSION_URL = "https://github.com/cosai-oasis/project-codeguard/discussions/70" |
We probably don't need this but can keep for the purpose of being a seed.
bact
reviewed
Jun 2, 2026
| "execution": "none", | ||
| "guidance_delivery": "prompt_block", | ||
| "codeguard_rule_ids": list(CODEGUARD_RULE_IDS), | ||
| "discussion_url": DISCUSSION_URL, |
There was a problem hiding this comment.
Suggested change
| "discussion_url": DISCUSSION_URL, |
We probably don't need this but can keep for the purpose of being a seed.
|
Thank you. Looks solid for the job and we can build further on this. Btw, to have this eval registered on Inspect Evals at https://ukgovernmentbeis.github.io/inspect_evals/ we need a small YAML file in the Inspect Eval Register. Something like this: title: "CodeGuard Password Storage Eval"
description: |
Evaluate password storage security practice
contributors:
- thomas-bartlett
tags: # optional; the upstream repo name is added automatically
- CodeGuard
- Coding
- Password
- Security
tasks:
- name: password_storage # must match the @task function name
task_path: evaluations/codeguard-inspect/codeguard_harness/tasks/password_storage.py
source:
repository_url: https://github.com/cosai-oasis/project-codeguard
repository_commit: <40-char SHA> # grab from the commit page on GitHub; tags and branches aren't accepted
comment: "Project CodeGuard is an open-source, model-agnostic security framework that embeds secure-by-default practices into AI coding agent workflows."(use example from https://github.com/UKGovernmentBEIS/inspect_evals/blob/main/register/example_eval.yaml ) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds an Inspect-native foundation for evaluating how Project CodeGuard affects model-generated code.
Inspect owns model execution, logs, and metrics. This project adds the small reusable pieces needed to load CodeGuard guidance, validate generated output, and attach benchmark-specific security scoring. New benchmarks can be added as focused sibling adapters without building a separate execution or reporting harness.
SecurityEval is the first adapter. The initial experiment compares baseline, generic secure-coding, and CodeGuard-guided outputs on 23 cases where pinned Bandit reliably detects the reference implementation's target CWE. This calibrated slice keeps the initial metric interpretable; it is not the intended limit. Future work can expand SecurityEval with additional analyzers or scorers and add other benchmarks through the same Inspect-native structure.
Safety and Current Limitations
Validation
pip-auditfound no known vulnerabilitiesgit diff --checkpassedRelated