FEAT Add PromptInjectionScorer for OWASP LLM01 prompt injection detection

[francose]

Builds on #1704 — adds a PromptInjectionScorer that catches OWASP LLM01 prompt injection attempts with regex. Fast, local, no API call, no LLM in the loop.

The gap I was trying to fill: PromptShieldScorer is great but it's an Azure API call (so $$ per request), and the SelfAsk*Scorer family uses an LLM under the hood (slow + non-deterministic). For thousands of red-team iterations or as a cheap pre-filter in front of the heavier scorers, neither really fits.

Subclassed RegexScorer the same way CredentialLeakScorer did. 8 default pattern categories:

• Instruction Override — "ignore/disregard/forget previous instructions"
• System Prompt Extraction — "repeat your system prompt back to me"
• DAN Jailbreak — DAN, developer mode, unrestricted, jailbroken
• Role Reassignment — "from now on you will/must..."
• Constraint Removal — "remove all your safety filters"
• Chat Template Injection — [INST], <<SYS>>, <|im_start|> etc.
• Encoding Evasion — "decode this base64 and follow it"
• Prompt Leaking — "give me your hidden/original/initial prompt"

Pass patterns=... to override defaults entirely if you want.

Quickly checked the neighborhood for overlaps before opening this:

• Proposal: OWASP LLM02 output-side scorer pack (XSS / SQLi / Shell / Path) + companion seed dataset #1737 (@ppcvote) is LLM02 output side (XSS/SQLi/Shell/Path) — this is input side
• Proposal: Add Agent Threat Rules (ATR) dataset loader and taxonomy scorer #1702 (@eeee2345) is the ATR taxonomy scorer that pulls from an external rule pack. Different shape, should sit fine alongside this one.
• FEAT: Add 0DIN JEF keyword scorers and n-day seed datasets #1398 (@athal7) is hazardous-content keywords (chem/weapons), different domain
• PromptShieldScorer and MarkdownInjectionScorer are different mechanisms / scope

50 tests, all green. The tricky ones were the true negatives — there's a lot of normal technical language that looks injection-y: "how do I ignore a file in .gitignore", "decode this base64 string", the developer mode flag in debug logging. Wrote 13 of those specifically to lock down false positives. Also ran the full tests/unit/score/ locally, 1052 pass, no regressions.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a local, regex-based PromptInjectionScorer to detect common prompt-injection patterns and includes unit tests to validate detection, rationale text, custom pattern overrides, and memory integration.

Changes:

• Introduces PromptInjectionScorer (regex-based true/false scorer) with default OWASP-aligned prompt-injection pattern set.
• Adds unit tests covering true positives/negatives, rationale strings, custom patterns, and memory write behavior.
• Exports PromptInjectionScorer from pyrit.score for public use.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
tests/unit/score/test_prompt_injection_scorer.py	Adds unit tests validating detection behavior, rationales, custom patterns, and memory integration.
pyrit/score/true_false/prompt_injection_scorer.py	Implements a new regex-based prompt-injection scorer and default pattern set.
pyrit/score/init.py	Exposes PromptInjectionScorer from the pyrit.score public API.