Search papers, labs, and topics across Lattice.
This paper introduces CodeSentinel, a robust three-layer defense mechanism designed to mitigate the risks of indirect prompt injection in code contexts by large language models. By leveraging Tree-sitter for high-risk node extraction and employing a combination of syntax-guided pre-filtering, CST-guided Dynamic Min-K% scoring, and node perturbation analysis, CodeSentinel effectively identifies and neutralizes adversarial triggers. The approach demonstrates a significant improvement in detection accuracy, achieving an average node-level F1 score of 0.80 across six recent attack families, surpassing existing defenses like CodeGarrison and DePA.
CodeSentinel outperforms existing defenses by achieving an impressive 0.80 F1 score in detecting indirect prompt injections in code contexts.
Code large language models increasingly retrieve external code context from repositories, documentation, issue threads, and coding-agent environments, creating an indirect prompt-injection surface where attackers hide instructions in comments, strings, identifiers, or decoy code. We propose CodeSentinel, a three-layer inference-time sanitizer. It uses Tree-sitter to extract high-risk model-facing CST nodes, then combines syntax-guided pre-filtering, CST-guided Dynamic Min-K\% scoring, and node perturbation analysis to detect adversarial and natural-looking semantic triggers. Detected nodes are removed or neutralized before reaching the downstream Code LLM. Across six recent attack families, \CodeSentinel achieves 0.80 average node-level F1, outperforming CodeGarrison, DePA, and KillBadCode.