A small demo repository that shows how to use Copilot CLI Hooks to prevent the agent from accessing sensitive files.

ellismg/BlockAgentAccessHookDemo

Block Agent File Access Hook Demo

⚠️ Important: This demo requires GitHub Copilot CLI version 0.0.396 or later (released January 27, 2026). Earlier versions do not support using pre-tool-use hooks to block tools.

This repository demonstrates how to use GitHub Copilot CLI hooks to prevent the agent from accessing certain files. This is useful for protecting sensitive files like credentials, private keys, or proprietary code that you don't want the AI to read or use.

How It Works

  1. A preToolUse hook intercepts all tool calls before they execute
  2. For file-accessing tools (view, edit, create, grep, glob), the hook extracts the file path
  3. The path is checked against patterns in .github/blocked-files.txt
  4. If matched, the tool call is denied with an explanatory message
  5. The agent sees the denial and should respect it

Repository Structure

.github/
├── hooks/
│   └── block-files.json       # Hook configuration
├── scripts/
│   ├── check-file-access.sh   # Bash implementation (macOS/Linux)
│   └── check-file-access.ps1  # PowerShell implementation (Windows)
└── blocked-files.txt          # Patterns for blocked files

secrets/                        # Example blocked directory
├── api-credentials.txt
└── database.key

src/
└── app.js                      # Example allowed file

Pattern Syntax

The blocked-files.txt file supports a simplified glob syntax:

| Pattern | Meaning | Example |
| --- | --- | --- |
| * | Any characters except / | *.key matches secret.key but not dir/secret.key |
| ** | Any characters including / | secrets/** matches secrets/foo/bar.txt |
| ? | Exactly one character (not /) | file?.txt matches file1.txt |
| literal | Exact path match | config.yml matches only config.yml |

Lines starting with # are comments. Empty lines are ignored.

Example blocked-files.txt

# Block all files in the secrets directory
secrets/**

# Block private key files
*.pem
*.key

# Block specific sensitive files
.env.production
config/database.yml

Testing the Hook

  1. Open this repository with GitHub Copilot CLI
  2. Ask the agent to read a blocked file:
    Show me the contents of secrets/api-credentials.txt
    
  3. The agent should receive a denial message and refuse to read the file
  4. Ask the agent to read an allowed file:
    Show me the contents of src/app.js
    
  5. This should work normally

Limitations

  • Bash commands: The hook checks paths passed to file tools, but cannot parse arbitrary bash commands like cat secrets/file.txt
  • Indirect access: The agent could potentially work around this by using bash to read files directly
  • Pattern matching: The simplified glob syntax doesn't support {a,b} alternation or [abc] character classes

Extending the Hook

To add more robust protection:

  1. Block bash access to sensitive paths: Modify the hook to inspect bash commands for blocked paths
  2. Add more tools: Extend the tool list in the scripts to cover additional file-accessing tools
  3. Support more patterns: Enhance glob_to_regex to support character classes and alternation
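
The rules under Pattern Syntax and the bash-command check suggested in step 1, as an added example that is not the repository's own check-file-access.sh. It goes beyond the file-tool case by also scanning a command string for path-like tokens. Assumptions: paths are repo-relative, glob_to_regex is the name used above but its body is written here, and paths_blocked, command_mentions_blocked and demo_patterns are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example. glob_to_regex is the name the README uses; this body and the
# other helper names are hypothetical. Paths are assumed repo-relative.

# Translate one blocked-files.txt pattern into an anchored extended regex.
glob_to_regex() {
  g=$1 re='^'
  while [ -n "$g" ]; do
    c=${g%"${g#?}"}                               # first character of $g
    case $g in
      '**'*) re="${re}.*";    g=${g#'**'} ;;      # ** may cross "/"
      '*'*)  re="${re}[^/]*"; g=${g#'*'} ;;       # *  stays in one segment
      '?'*)  re="${re}[^/]";  g=${g#'?'} ;;       # ?  is one non-"/" character
      '.'*|'+'*|'^'*|'$'*|'('*|')'*|'['*|'{'*|'|'*|'\'*)
             re="${re}\\${c}"; g=${g#?} ;;        # escape regex metacharacters
      *)     re="${re}${c}";   g=${g#?} ;;        # ordinary literal
    esac
  done
  printf '%s$\n' "$re"
}

# Succeed if any newline-separated candidate in $1 matches a pattern in file $2.
paths_blocked() {
  while IFS= read -r pat || [ -n "$pat" ]; do
    case $pat in ''|'#'*) continue ;; esac        # skip blank lines and comments
    printf '%s\n' "$1" | sed 's|^\./||' |
      grep -Eq -- "$(glob_to_regex "$pat")" && return 0
  done < "$2"
  return 1
}

# Best-effort scan: split a shell command into path-like tokens, test each one.
command_mentions_blocked() {
  paths_blocked "$(printf '%s\n' "$1" | tr -cs 'A-Za-z0-9._/~+@*?-' '\n')" "$2"
}

# Constructed sample input: the README's example patterns in a temp file.
demo_patterns=$(mktemp)
printf '%s\n' '# demo list' 'secrets/**' '*.pem' '*.key' \
  '.env.production' 'config/database.yml' > "$demo_patterns"

command_mentions_blocked 'cat secrets/database.key' "$demo_patterns" \
  && echo 'deny: command references a blocked path'
```

A token scan like this is a heuristic, not a shell parser, so it complements the file-tool check and does not replace it.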

Requirements

  • macOS/Linux: bash, jq
  • Windows: PowerShell 5.1+

License

MIT
