Skip to content

docs: add defense-in-depth security analyzer section#402

Open
Fieldnote-Echo wants to merge 7 commits intoOpenHands:mainfrom
Fieldnote-Echo:feat/defense-in-depth-security-analyzer
Open

docs: add defense-in-depth security analyzer section#402
Fieldnote-Echo wants to merge 7 commits intoOpenHands:mainfrom
Fieldnote-Echo:feat/defense-in-depth-security-analyzer

Conversation

@Fieldnote-Echo
Copy link
Copy Markdown

@Fieldnote-Echo Fieldnote-Echo commented Mar 17, 2026
edited
Loading

Summary

Documents the defense-in-depth security analyzer family now in openhands.sdk.security.defense_in_depth. Updated to match the SDK promotion in OpenHands/software-agent-sdk#2472.

What this covers

  • Three SDK analyzers: PatternSecurityAnalyzer, PolicyRailSecurityAnalyzer, EnsembleSecurityAnalyzer
  • Quick start with explicit ConfirmRisky pairing (analyzer selection does not automatically change confirmation policy)
  • Composition with LLMSecurityAnalyzer for deeper coverage
  • Design rationale: two-corpus scanning, max-severity fusion, UNKNOWN as first-class
  • Known limitations table
  • Reference to thin example at examples/01_standalone_sdk/47_defense_in_depth_security.py

Structure

Content follows adult learning theory: problem first, then solution, then quick start, then composition, then rationale, then limitations.

All imports use from openhands.sdk.security import ... — no example-file imports.

Companion to OpenHands/software-agent-sdk#2472.

@Fieldnote-Echo Fieldnote-Echo mentioned this pull request Mar 17, 2026
Open
6 tasks
Fieldnote-Echo and others added 6 commits March 30, 2026 18:03
@Fieldnote-Echo
docs: update defense-in-depth section for SDK promotion
848c404 
Analyzers now live in openhands.sdk.security, not an example file.
Rewritten for adult learning theory: problem first, then solution,
then composition, then design rationale, then limitations.

Import paths updated, every example pairs analyzer with ConfirmRisky,
old example/noisy-OR references removed.
@Fieldnote-Echo
fix: clarify threshold-dependent confirmation behavior, add agent com…
05b416a 
…ment
@Fieldnote-Echo
fix: add example file reference for check-documented-examples CI
f8f4904
@Fieldnote-Echo
Merge branch 'main' into feat/defense-in-depth-security-analyzer
e16c966
@Fieldnote-Echo
fix: use HIGH as default confirmation threshold, show MEDIUM as stric…
a3c33cd 
…ter option
@Fieldnote-Echo @openhands-agent
docs: polish defense-in-depth section for clarity
15d4401 
- Add UX description of what user sees when prompt triggers
- Move Warning about execute_tool() bypass to quick start section
- Make two-corpus explanation more concrete with example

Co-authored-by: openhands <openhands@all-hands.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xingyaoww xingyaoww Awaiting requested review from xingyaoww xingyaoww is a code owner

@enyst enyst Awaiting requested review from enyst enyst is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Fieldnote-Echo