Glyphward

Platform guide · Oracle Cloud AI

Prompt injection scanner for Oracle Cloud AI

Oracle Cloud AI is unique among enterprise AI platforms in one critical respect: the documents it processes as images are not help-desk screenshots or product photos — they are invoices, purchase orders, goods receipts, and financial records. OCI AI Vision extracts structured fields from supplier documents uploaded to Oracle Object Storage, feeding extracted line items directly into Oracle Fusion Accounts Payable and ERP workflows. OCI Generative AI Service (hosting Llama 3.2 Vision, Cohere Command R+, and Meta models on OCI infrastructure) can receive image input from customer-facing portals or internal analyst tools. Oracle Digital Assistant — Oracle's enterprise chatbot embedded in Fusion Cloud — accepts file attachments from HR staff, procurement teams, and help-desk users. Oracle Integration Cloud (OIC) acts as the integration layer connecting third-party ERP, SCM, and supplier systems to Oracle AI services, passing image bytes from external systems without inspecting their content. An adversarial invoice image — one that renders as a normal PDF to a human reviewer but contains typographic injection text positioned to instruct a downstream language model — can cause OCI AI Vision to pass corrupted field values into Oracle Fusion, cause an LLM to approve a fraudulent payment, or cause Oracle Digital Assistant to exfiltrate data from the conversation context. The financial and audit consequences of a compromised AP approval workflow are categorically more severe than in most other AI deployments: financial restatement risk, SOX audit findings, and direct monetary loss from fraudulent disbursements.

TL;DR

For Oracle Cloud AI, scan images at four points: (1) before OCI AI Vision document analysis jobs on supplier invoice and PO images from Object Storage; (2) before OCI Generative AI Service multimodal API calls when image input arrives from external portals; (3) on file attachments received by Oracle Digital Assistant before the assistant processes them; (4) in Oracle Integration Cloud AI connector flows before image bytes reach Oracle Fusion or any Oracle AI service. Call POST https://glyphward.com/v1/scan via the OCI Python SDK or REST with HMAC auth; reject images with score ≥ 65 and quarantine to a separate Object Storage bucket for manual review. Free tier — 10 scans/day, no card required.

The four multimodal attack surfaces in Oracle Cloud AI

1. OCI AI Vision document analysis — supplier invoices and purchase orders. Oracle's standard Accounts Payable automation pattern routes supplier invoices through OCI Object Storage, triggers an OCI AI Vision document analysis job (using pre-trained or custom-trained document classification and key-value extraction models), and feeds the extracted JSON — vendor name, invoice number, line items, totals — directly into Oracle Fusion Cloud Financials for three-way matching and approval routing. The image arrives from a supplier: it may be emailed, uploaded via a supplier portal, or delivered through EDI. A supplier (or an attacker who compromises a supplier's email) can craft an invoice image where injected text in a very small or low-contrast font instructs the downstream LLM used for summarisation, anomaly detection, or approval recommendation to classify the invoice as already verified, to suppress the line-item mismatch flag, or to recommend immediate payment. Because the extraction result is treated as structured data — not raw text that a human has vetted — the injected instruction propagates through the Fusion AP workflow as if it were a legitimate field value.

2. OCI Generative AI Service with image input — Llama 3.2 Vision and Cohere multimodal endpoints. OCI Generative AI Service offers Llama 3.2 Vision and Cohere's multimodal models as managed endpoints on OCI infrastructure, callable via the oci.generative_ai_inference Python SDK or REST API. Applications built on this service often accept image uploads from customer-facing portals — insurance claim photos, product defect reports, identity verification scans — and send them directly to the multimodal endpoint. Because the model is hosted on OCI and invoked over a private VCN endpoint, many teams assume the transport security (TLS + OCI IAM) constitutes content security. It does not. An adversarial image arriving from a customer or external system reaches the model with its injected payload intact. The LLM's response — which may trigger further agentic actions, write to a database, or generate a document — then carries the attacker's instruction rather than a faithful analysis of the image.

3. Oracle Digital Assistant with file attachment capability. Oracle Digital Assistant (ODA) is Oracle's enterprise conversational AI platform, embedded in Oracle Fusion HCM, Oracle Service Cloud, and Oracle Field Service. ODA supports file attachment in conversations — procurement staff attach purchase requisition scans, HR teams upload policy documents for the assistant to summarise, and help-desk users attach screenshots. ODA routes the conversation and attachments to a configured LLM skill (which may call OCI Generative AI or a configured third-party model). A malicious attachment — for example, a screenshot of a "system message" styled to look like a legitimate help-desk template — can instruct the LLM skill to produce incorrect guidance, leak prior conversation context, or change the routing logic for subsequent messages. Because Digital Assistant conversations can span multiple turns and involve multiple users in the same tenant, a persistent injected document in a shared knowledge base can affect conversations across the organisation.

4. Oracle Integration Cloud AI connector — the unexamined integration layer. Oracle Integration Cloud (OIC) connects Oracle ERP, SCM, and CX applications to each other and to third-party systems using pre-built adapters and a low-code integration designer. OIC's AI-related integration patterns include: pushing images from third-party supplier portals into OCI AI Vision; routing document extraction results from Vision into Oracle Fusion; calling OCI Generative AI from integration flows triggered by ERP events; and receiving image data from external systems (logistics providers, customs authorities, freight forwarders) that attach scanned documents to Oracle SCM transactions. The OIC integration layer does not inspect image byte content — it passes MIME payloads between connected systems according to the integration flow definition. An adversarial image injected at any upstream system — a connected supplier portal, a third-party logistics system, a customs document API — traverses OIC untouched and reaches Oracle AI services with its payload intact.

Integration: OCI AI Vision scan gate with oci Python SDK

"""
Glyphward scan gate for OCI AI Vision document analysis jobs.

Pattern: intercept the image from Object Storage before creating
the AI Vision job. If the scan score >= 65, quarantine the object
to a separate bucket and raise an exception (fail-closed).

Dependencies: oci, requests
OCI config: ~/.oci/config or instance principal auth
"""

import oci
import requests
import base64
import os
import json
from datetime import datetime, timezone

# --- Configuration ---
GLYPHWARD_API_KEY   = os.environ["GLYPHWARD_API_KEY"]
GLYPHWARD_SCAN_URL  = "https://glyphward.com/v1/scan"
INJECTION_THRESHOLD = 65

OCI_NAMESPACE       = os.environ["OCI_OBJECT_STORAGE_NAMESPACE"]
INVOICE_BUCKET      = "ap-invoice-inbox"          # incoming supplier invoices
QUARANTINE_BUCKET   = "ap-invoice-quarantine"     # adversarial images go here
OCI_REGION          = os.environ.get("OCI_REGION", "eu-frankfurt-1")

# OCI clients
config = oci.config.from_file()
object_storage_client = oci.object_storage.ObjectStorageClient(config)
ai_vision_client      = oci.ai_vision.AIServiceVisionClient(config)


def glyphward_scan(image_bytes: bytes, source_label: str) -> dict:
    """Call Glyphward /v1/scan and return the full response dict."""
    b64_image = base64.b64encode(image_bytes).decode("utf-8")
    response = requests.post(
        GLYPHWARD_SCAN_URL,
        headers={
            "Authorization": f"Bearer {GLYPHWARD_API_KEY}",
            "Content-Type": "application/json",
        },
        json={"image": b64_image, "source": source_label},
        timeout=10,
    )
    response.raise_for_status()
    return response.json()


def quarantine_object(object_name: str) -> None:
    """Copy the object to the quarantine bucket then delete from inbox."""
    # Get the object
    get_resp = object_storage_client.get_object(
        namespace_name=OCI_NAMESPACE,
        bucket_name=INVOICE_BUCKET,
        object_name=object_name,
    )
    image_bytes = get_resp.data.content

    # Write to quarantine bucket with timestamp prefix
    ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    quarantine_name = f"quarantine/{ts}/{object_name}"
    object_storage_client.put_object(
        namespace_name=OCI_NAMESPACE,
        bucket_name=QUARANTINE_BUCKET,
        object_name=quarantine_name,
        put_object_body=image_bytes,
    )

    # Delete from inbox so it does not get reprocessed
    object_storage_client.delete_object(
        namespace_name=OCI_NAMESPACE,
        bucket_name=INVOICE_BUCKET,
        object_name=object_name,
    )
    print(f"Quarantined: {object_name} -> {QUARANTINE_BUCKET}/{quarantine_name}")


def scan_and_submit_vision_job(object_name: str) -> dict:
    """
    1. Download the invoice image from Object Storage.
    2. Scan with Glyphward. If adversarial, quarantine and raise.
    3. If clean, create an OCI AI Vision document analysis job.
    Returns the AI Vision job response dict.
    """
    # Step 1: download image bytes
    get_resp = object_storage_client.get_object(
        namespace_name=OCI_NAMESPACE,
        bucket_name=INVOICE_BUCKET,
        object_name=object_name,
    )
    image_bytes = get_resp.data.content

    # Step 2: scan with Glyphward (fail-closed on exception)
    try:
        scan_result = glyphward_scan(
            image_bytes,
            source_label=f"oci-object-storage:{INVOICE_BUCKET}/{object_name}",
        )
    except Exception as exc:
        # Scanner unreachable — fail closed, do not submit Vision job
        quarantine_object(object_name)
        raise RuntimeError(
            f"Glyphward scan failed for {object_name}: {exc}. "
            "Image quarantined; Vision job not submitted."
        ) from exc

    score = scan_result.get("score", 100)
    scan_id = scan_result.get("scan_id", "unknown")

    if score >= INJECTION_THRESHOLD:
        quarantine_object(object_name)
        raise ValueError(
            f"Prompt injection detected in {object_name} "
            f"(score={score}, scan_id={scan_id}). "
            "Image quarantined; AP workflow halted."
        )

    print(f"Scan passed: {object_name} score={score} scan_id={scan_id}")

    # Step 3: submit OCI AI Vision document analysis job
    create_job_details = oci.ai_vision.models.CreateDocumentJobDetails(
        input_location=oci.ai_vision.models.ObjectListInlineInputLocation(
            source_type="OBJECT_LIST_INLINE_INPUT_LOCATION",
            object_locations=[
                oci.ai_vision.models.ObjectLocation(
                    namespace_name=OCI_NAMESPACE,
                    bucket_name=INVOICE_BUCKET,
                    object_name=object_name,
                )
            ],
        ),
        features=[
            oci.ai_vision.models.DocumentKeyValueExtractionFeature(
                feature_type="KEY_VALUE_EXTRACTION"
            ),
            oci.ai_vision.models.DocumentTextExtractionFeature(
                feature_type="TEXT_EXTRACTION"
            ),
        ],
        output_location=oci.ai_vision.models.OutputLocation(
            namespace_name=OCI_NAMESPACE,
            bucket_name="ap-vision-results",
            prefix=f"results/{object_name}/",
        ),
        compartment_id=os.environ["OCI_COMPARTMENT_ID"],
        is_zip_output_enabled=False,
    )

    job_response = ai_vision_client.create_document_job(
        create_document_job_details=create_job_details
    )
    print(f"Vision job created: {job_response.data.id}")
    return {"vision_job": job_response.data.__dict__, "scan": scan_result}


# Example: process all new objects in the invoice inbox
# (call this from an OCI Events Rule -> Functions trigger)
def process_new_invoice(event: dict) -> None:
    object_name = event["data"]["resourceName"]
    result = scan_and_submit_vision_job(object_name)
    print(json.dumps({"status": "submitted", "object": object_name,
                      "vision_job_id": result["vision_job"]["id"]}))

This pattern runs as an OCI Function triggered by an OCI Events Rule on the com.oraclecloud.objectstorage.createobject event for the invoice inbox bucket. Every image lands in Object Storage, triggers the Function, which downloads the bytes, calls Glyphward, and either quarantines the image (fail-closed) or submits the OCI AI Vision document analysis job. The AI Vision job result — extracted key-value pairs for invoice number, vendor, line items, and totals — is then available for Oracle Fusion AP automation to consume. If Glyphward is unreachable for any reason, the function raises and the Vision job is never created, preventing an unscanned image from entering the Fusion workflow.

Get early access

Coverage matrix

Defence layer OCI AI Vision document analysis OCI Generative AI image input Oracle Digital Assistant attachments OIC AI connector flows
Oracle Cloud Guard Cloud security posture — misconfiguration and IAM anomalies, not image content inspection No image content inspection No image content inspection No image content inspection
Oracle Data Safe Database security and sensitive data discovery in Oracle DB — does not cover Object Storage image content No No No
Oracle Access Governance RBAC and identity governance — controls who can submit jobs, not what image content contains Controls API caller identity — not image payload content Controls who can use ODA — not attachment content Controls integration user permissions — not image bytes in transit
OCI AI Vision content moderation Detects obscene or harmful imagery (NSFW) — does not detect adversarial typographic prompt injection N/A (separate service) N/A N/A
Glyphward scan gate Yes — scans image bytes before Vision job creation; quarantine on detection Yes — scans before OCI Generative AI multimodal API call Yes — scans attachment before ODA routes to LLM skill Yes — scans image bytes in OIC integration flow before Fusion or AI service receives them

Related questions

What is the difference between OCI AI Vision and OCI Generative AI Service?

These are two distinct Oracle Cloud services with different purposes and separate API endpoints. OCI AI Vision is a computer-vision service offering pre-trained and custom-trained models for image classification, object detection, and — most relevant here — document analysis (key-value extraction, text extraction from invoices, receipts, and identity documents). It does not use a general-purpose large language model; it uses Oracle-managed vision models fine-tuned for document understanding. The output is structured JSON: field names and extracted values. OCI Generative AI Service is a separate managed LLM service offering Cohere Command R+, Llama 3.2 Vision, and Meta models via a unified API. It supports general-purpose text generation, embeddings, and — for multimodal models like Llama 3.2 Vision — image-plus-text inference. Both services can be involved in the same Oracle AP automation pipeline: Vision extracts structured fields, Generative AI summarises or classifies the document or answers questions about it. Both surfaces require a scan gate because both accept image input from external sources.

Does Oracle have a built-in content filter that detects adversarial prompt injection in images?

No. OCI AI Vision includes a content moderation feature that detects harmful, violent, or sexually explicit imagery — it is designed to flag NSFW content in user-generated media, not to detect adversarial typographic instruction payloads embedded in business documents. A supplier invoice containing injected text at 4pt font in a light grey on white, or encoded in a QR-code-like pattern, will not trigger OCI Vision content moderation because the image is not harmful or explicit — it is a normal-looking financial document. The NIST AI Risk Management Framework (NIST AI RMF 1.0) classifies this kind of data-integrity attack as a supply-chain risk that platform content moderation is not designed to address. Oracle's platform documentation does not claim Vision content moderation covers adversarial prompt injection.

What Oracle Fusion ERP workflows are most at risk from image prompt injection?

The two highest-risk Oracle Fusion workflows are Accounts Payable (AP) invoice automation and receiving (goods receipt) automation. In AP automation, supplier invoices are scanned, field-extracted by OCI AI Vision, and routed through Oracle Fusion's three-way matching (PO, receipt, invoice) and approval workflow. An adversarial invoice can inject values that suppress the mismatch flag, force a "matched" status, or insert a recommendation to approve and pay — any of which can result in a fraudulent disbursement that satisfies all automated checks. In receiving automation, goods receipt documents (packing slips, delivery notes, and image-based inspection reports) are processed by AI to confirm quantities and conditions. An adversarial goods receipt image can cause the AI to report a quantity or condition that triggers inventory updates and payment release. Both workflows have direct financial consequences and are subject to SOX internal control requirements, making an injection event a potential audit finding in addition to a monetary loss.

Can this scan gate work with Oracle APEX applications?

Yes. Oracle APEX (Application Express) applications that handle image uploads — for example, a supplier portal, an employee expense submission app, or an internal document review tool — can call the Glyphward scan endpoint using the APEX built-in APEX_WEB_SERVICE.MAKE_REST_REQUEST or the lower-level UTL_HTTP / APEX_WEB_SERVICE package. The image bytes are base64-encoded in PL/SQL using UTL_RAW.CAST_TO_VARCHAR2(UTL_ENCODE.BASE64_ENCODE(blob_value)), posted to https://glyphward.com/v1/scan with the API key in the Authorization header, and the JSON response parsed with APEX_JSON.get_number to extract the score. If the score meets the threshold, the APEX application can reject the upload with a validation error before the file is committed to the database or routed to an OCI AI Vision job. This pattern keeps the scan entirely within the APEX application layer without requiring an OCI Function or separate microservice.

How does Glyphward scanning interact with Oracle's GDPR compliance posture?

Oracle Cloud Infrastructure offers EU Sovereign Cloud regions (Frankfurt, Amsterdam) and is certified under the EU Cloud Code of Conduct. Oracle Fusion Cloud's data residency commitments are region-specific. If your Oracle Fusion deployment processes personal data of EU data subjects (e.g., supplier contacts on invoices, employee documents in HR workflows), you need to ensure that any third-party service receiving those images also meets EU data-processing requirements. Glyphward offers an EU data-processing option: the scan endpoint routes to EU-hosted infrastructure, processes the image bytes in-region, and does not retain the image after the scan response is returned. No image content is stored, logged to a data lake, or used for model training. A Data Processing Agreement (DPA) is available on request. If your Oracle deployment uses the EU Sovereign Cloud, configure your APEX or OCI Function integration to call Glyphward's EU endpoint to keep image bytes within the EU throughout the scan.

Further reading