We take security seriously. Please do not open a public GitHub issue for security vulnerabilities.

Instead, please report via GitHub Security Advisories.

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

strands-compose-agentcore enforces the following (via Bandit + code review):

• No eval() or exec() — config is parsed through strands-compose's Pydantic pipeline, never executed as code
• No subprocess with shell=True — all external commands use direct invocation
• No hardcoded secrets — all credentials resolved from environment variables or AWS IAM
• No pickle — serialization uses JSON only
• Strict input validation — all YAML config validated through strands-compose's Pydantic schema
• Bandit scanning — automated static security analysis (uv run just check-security)
• Dependency auditing — dependencies are pinned and regularly reviewed for known vulnerabilities