Skip to content

dokugent security

Performs a lightweight static scan of your project for unsafe patterns using blacklists and optional whitelists. Ideal for early detection of prompt injection or output hijacking before preview or certification.

What It Does

  • Loads .dokugent/overrides/blacklist.txt and whitelist.txt
  • Runs runSecurityCheck() with requireApprovals: true
  • Recursively scans your project (default path: workspace root)
  • Flags any violations of denylist patterns or unapproved elements

Behavior Overview

  • Scans files across the full workspace by default
  • Compares content against blacklist and optionally whitelist
  • Uses regex patterns to match threats (prompt injection, SQLi, etc.)
  • Does not generate output files — only terminal logs
  • Recommends running dokugent preview for full validation
dokugent security

⚠️ Possible injection pattern found in plan.md
✅ No violations found in criteria.md
🔒 For a complete security + validation workflow, run `dokugent preview`.

What’s in the Blacklist?

Dokugent enforces a built-in security checklist Internal denylist patterns (e.g., prompt injection, SQLi, role hijacking). These checks help protect against unsafe agent behaviors.

Additionally, when you run dokugent init, a blank override file is created here:

.dokugent/overrides/blacklist.txt

You can extend Dokugent's security by adding your own regex patterns. This allows each team to build on top of our baseline protections without revealing internal logic.

Example CLI Flow

🧠 Estimated Token Usage: 4321

🔍 Running security scan in: .dokugent/data

📄 Found 70 files to scan:
   .dokugent/data/plans/latest/plan.bak.json
   .dokugent/data/plans/latest/plan.bak.md
   .dokugent/data/plans/latest/plan.index.md
   ...
   .dokugent/data/previews/latest/happybot@2025-05-24_19-15-55-492_preview.json

🔢 Total files scanned: 70

⚠️  Missing approval metadata in .dokugent/data/plans/latest/plan.bak.json
⚠️  Missing approval metadata in .dokugent/data/plans/latest/plan.bak.md
...
⚠️  Missing approval metadata in .dokugent/data/previews/latest/happybot@2025-05-24_19-15-55-492_preview.json

🔎 Review complete: 70 potential issue(s) found.

🔒 For a complete security + validation workflow, run `dokugent preview`.
       It includes automated security scans before generating output artifacts.