Snowflake red-team iter 3 - corpus expansion, streaming-ingest config, platform comparison#46
Merged
Merged
Conversation
…g, platform comparison
Builds on iter-2. Closes the iter-3 handoff items that did not require
live-tenant access; iter-4 picks up the empirical-validation items the
sandbox tenant wasn't available for this cycle.
Guardrails FP/FN harness — corpus expansion (Task 1)
- corpus.py adds MCP / MemoryInjection / MarkdownRender / Multimodal /
encoded-payload / context-boundary / approval-bypass / SnowflakeNative /
citation-poisoning / JSON-schema / tool-truncation classes plus benign
controls for each new class
- mock_guardrails.py picks up a few more regex patterns (still
intentionally weak); the re-baseline shows the regex-tier recall
collapsing on the expanded corpus, concentrated in the classes a
pattern matcher cannot meaningfully reach — the empirical breakdown
the assessment appendix called for
CVE inventory refresh (Task 2)
- Re-scrape stamp through 2026-05-15; no new Snowflake-attributed CVEs
in window
- Python connector 4.5.0 vendor-fix entries (Okta SAML port-comparison
redirect + OCSP cache deserialization) flagged pending formal CVE
assignment
- Anodot third-party-SaaS-token-theft incident added as ecosystem
context; same mitigation shape as Chain A
Databricks ↔ Snowflake platform comparison (Task 3)
- docs/analysis/databricks-vs-snowflake-platform-comparison.md
- Primitive map, chain-by-chain mapping (Snowflake A–I → Databricks
analogues), divergence analysis, detection-reuse notes; stays
inside the existing "no build step" framing for both reports
Streaming-ingest concrete config (Task 4)
- detection/snowflake/streaming-ingest/ — Python poller, Azure Function
wrapper, Terraform infra, and a docker-compose lab harness
- End-to-end smoke against the mock-Snowflake service: COPY INTO @stage
seeded → mock query history → poller projects into Sentinel CL schema
- terraform validate passes
Visual regression test for the Snowflake report (Task 5)
- reports/snowflake-platform-assessment/tests/ — Playwright screenshot
suite; per-page baselines committed; re-run passes
Hygiene
- .gitignore adds .pytest_cache/, .terraform/, *.tfstate*
- CLAUDE.md index gets the new doc + streaming-ingest pointers
- All repo CI gates pass locally: snowflake report integrity, snowflake
tools syntax, detection pairing, no committed drivers, no real tenants
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Builds on PR #45 (iter-2). Closes the iter-3 handoff items that did not require live-tenant access; iter-4 picks up the empirical-validation work the sandbox tenant wasn't available for this cycle.
tools/llm-attacks/cortex/guardrails-harness/corpus.pycovers the documented IPI class spectrum - MCP / memory-injection / markdown-render / multimodal / encoded / context-boundary / approval-bypass / Snowflake-native / citation / JSON-schema / tool-truncation - plus benign controls for each new class. Re-baseline against the regex mock shows recall collapsing on the expanded corpus, concentrated in the classes a regex matcher cannot reach. That breakdown is the empirical artifact the assessment appendix called for.docs/analysis/databricks-vs-snowflake-platform-comparison.md- primitive map, chain-by-chain mapping (Snowflake A-I to Databricks analogues), divergence analysis, detection-reuse notes. Stays inside the "no build step" framing for both reports.detection/snowflake/streaming-ingest/ships the producer side of the pattern referenced by the existing KQL hunt: Python poller, Azure Function App wrapper, Terraform infra, and adocker-composelab harness. End-to-end smoke against the mock-Snowflake service shows aCOPY INTO @stageflowing into the Sentinel CL projection.reports/snowflake-platform-assessment/tests/adds a Playwright screenshot suite; per-page baselines committed; the test pattern mirrors the existing Databricks one.Test plan
check_snowflake_report_integrity.pypasses on the new appendix.html nav additioncheck_snowflake_tools_syntax.pypasses on the corpus + mock + poller editscheck_detection_pairing.pyunaffected (streaming-ingest is underdetection/, nottools/)python3 -m pip install -e ".[test]"+pytest tests/fromreports/snowflake-platform-assessment/re-runs and passes against the committed baselinesterraform -chdir=detection/snowflake/streaming-ingest/terraform validate(no provider creds needed)docker-compose -f detection/snowflake/streaming-ingest/docker-compose.yml upbrings the lab pipeline up end-to-end against the mock Snowflake on127.0.0.1:9600(smoke-tested locally)python3 tools/llm-attacks/cortex/guardrails-harness/mock_guardrails.py &thenpython3 tools/llm-attacks/cortex/guardrails-harness/run_harness.py --target mock --json-out /tmp/r.jsonshows the re-baselined recall / specificity / per-family / per-category breakdownGenerated with Claude Code