Security

Scenarios, hidden context, transcripts, and reports can contain sensitive information.

  • Use --target mock only for explicit local smoke tests.
  • Avoid real customer data in scenarios.
  • Store secrets in environment variables, not YAML files.
  • Do not commit .roleplay/runs unless you intentionally want to share run artifacts.
  • Prefer sanitized_findings for workbench uploads.
  • Enable full transcript upload only for projects where the team has approved that data flow.
  • Review CLI target scenarios before running them.

CLI Targets

CLI targets execute local commands. By default, Roleplay parses commands without a shell. Set shell: true only when shell behavior is required.

Use --yes to acknowledge local command execution in automated runs.
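
The difference between shell-less parsing and shell: true, shown as an added example that is not Roleplay's own code. It uses Python's shlex and subprocess as a stand-in for shell-less argument parsing (an assumption; Roleplay's parser may differ in detail), and the command string is constructed.

```python
import shlex
import subprocess
import sys

# Constructed command string: a helper that prints the arguments it received,
# followed by text containing a shell metacharacter (";").
SHOW_ARGV = "import sys; print(sys.argv[1:])"
COMMAND = (
    f"{shlex.quote(sys.executable)} -c {shlex.quote(SHOW_ARGV)} "
    "hello; echo INJECTED"
)


def run_without_shell(command: str) -> str:
    """Split the string into argv and exec it directly.

    No shell is involved, so ';' is ordinary argument data and
    'echo INJECTED' never runs as a command.
    """
    argv = shlex.split(command)
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def run_with_shell(command: str) -> str:
    """Hand the whole string to /bin/sh.

    The shell treats ';' as a command separator, so the text after it
    executes as a second command.
    """
    done = subprocess.run(
        command, shell=True, capture_output=True, text=True, check=True
    )
    return done.stdout.strip()


if __name__ == "__main__":
    print("without shell:", run_without_shell(COMMAND))
    print("with shell   :", run_with_shell(COMMAND).splitlines())
```

When reviewing a CLI target scenario, any command that only works with shell: true is one where text reaching the command line can change which programs run.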

Workbench Uploads

Sanitized mode does not upload the full transcript, scenario YAML, or metadata.

Full transcript mode requires:

  • project policy opt-in
  • CLI --mode full_transcript_opt_in

Vulnerability Reporting

See the repository SECURITY.md for vulnerability reporting and data-handling guidance.