Skip to main content

Zero-config, fully local static security analyzer for AI agents

Project description

๐Ÿ›ก๏ธ Agent Risk Analyzer (ARA)

Zero-config, fully local static security scanner for AI agents.

CI PyPI Python License

ARA detects 20 vulnerability categories across LangChain, CrewAI, AutoGen, and MCP agent projects โ€” no API keys, no cloud, no LLM required.

$ ara scan ./my-agent

โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ Agent Risk Analyzer โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  Target:  /path/to/my-agent
  Files:   3 scanned  |  Duration: 0.04s  |  Framework: langchain

  Grade   Score   ๐Ÿ”ด Critical   ๐ŸŸ  High   ๐ŸŸก Medium   โšช Low   Total
    F      116         6            9          3          5       23

โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ Grade F  Score: 116  โ€”  Unsafe for production โ€” critical issues must be     โ”‚
โ”‚ fixed immediately.                                                           โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

โœจ Features

  • ๐Ÿ”’ Fully local โ€” no data leaves your machine, no API keys needed
  • โšก Zero config โ€” point at a directory, get a graded report
  • ๐ŸŽฏ 20 vulnerability rules mapped to MITRE ATLAS and OWASP LLM Top 10 2025
  • ๐Ÿง  AST + regex โ€” two-tier detection with CONFIRMED / SUSPECTED confidence levels
  • ๐Ÿ“Š Aโ€“F grading โ€” weighted severity scoring for instant risk posture
  • ๐Ÿ”Œ Multi-format output โ€” terminal (Rich), JSON, Markdown
  • ๐Ÿค– CI/CD ready โ€” --ci flag returns exit code 1 on findings

๐Ÿ“ฆ Installation

pip install arascan

Requires Python 3.11+

For development:

git clone https://github.com/Prnvlol/agent-risk-analyzer.git
cd agent-risk-analyzer
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"

๐Ÿš€ Usage

Basic scan

ara scan ./my-agent-project

JSON report (for CI pipelines)

ara scan ./my-agent --format json --output report.json

Markdown report

ara scan ./my-agent --format markdown --output report.md

CI mode (fail on findings)

ara scan ./my-agent --ci --min-severity HIGH

Filter options

# Only show CONFIRMED findings (hide heuristic checks)
ara scan ./my-agent --no-suspected

# Disable specific rules
ara scan ./my-agent --disable VULN-017,VULN-019

# Set minimum severity threshold
ara scan ./my-agent --min-severity MEDIUM

List all rules

ara list-rules

๐ŸŽฏ What ARA Detects

ID Vulnerability Severity ATLAS OWASP
VULN-001 Direct Prompt Injection CRITICAL AML.T0051.000 LLM01
VULN-002 Indirect Prompt Injection CRITICAL AML.T0051.001 LLM01
VULN-003 Unrestricted Code Execution CRITICAL AML.T0050 LLM06
VULN-005 Over-Permissioned Tools HIGH AML.T0053 LLM06
VULN-006 Unbounded Agent Autonomy HIGH AML.T0053 LLM06
VULN-007 Tool Result Poisoning HIGH AML.T0097 LLM06
VULN-008 Memory / Context Poisoning HIGH AML.T0087 LLM04
VULN-009 Insecure MCP Configuration HIGH AML.T0088 LLM03
VULN-010 System Prompt Leakage HIGH AML.T0056.001 LLM07
VULN-011 Insecure Tool Input MEDIUM AML.T0053 LLM06
VULN-012 Sensitive Data in Logs HIGH AML.T0048 LLM02
VULN-013 Missing Rate Limiting MEDIUM AML.T0054 LLM10
VULN-014 Hardcoded Credentials MEDIUM AML.T0037 LLM02
VULN-015 Insecure Multi-Agent Trust MEDIUM AML.T0087 LLM06
VULN-016 Verbose Error Messages LOW AML.T0048 LLM02
VULN-017 Missing Output Filtering LOW AML.T0048 LLM05
VULN-018 Missing Human-in-the-Loop LOW AML.T0053 LLM06
VULN-019 Unversioned Prompts LOW AML.T0088 LLM07
VULN-020 Third-Party Plugin Risk LOW AML.T0010.003 LLM03

๐Ÿ“Š Grading System

Findings are scored by severity weight, then mapped to a letter grade:

Weight Severity
10 CRITICAL
5 HIGH
2 MEDIUM
1 LOW
Grade Score Range Meaning
A 0 No findings
B 1 โ€“ 5 Minor issues
C 6 โ€“ 15 Needs attention
D 16 โ€“ 30 Significant risk
F 31+ Unsafe for production

๐Ÿ—๏ธ Architecture

src/
โ”œโ”€โ”€ cli.py               # Typer CLI (scan, list-rules, version)
โ”œโ”€โ”€ scanner.py           # File discovery, AST parsing, detector dispatch
โ”œโ”€โ”€ models.py            # Pydantic models (Finding, ScanResult, grades)
โ”œโ”€โ”€ report.py            # Rich terminal, JSON, Markdown renderers
โ””โ”€โ”€ detectors/
    โ”œโ”€โ”€ base.py          # BaseDetector ABC + ScanContext
    โ”œโ”€โ”€ credentials.py   # VULN-014: hardcoded secrets (15 regex patterns)
    โ”œโ”€โ”€ code_execution.py    # VULN-003: exec/eval/subprocess (AST)
    โ”œโ”€โ”€ prompt_injection.py  # VULN-001/002/010/017/019
    โ”œโ”€โ”€ tool_permissions.py  # VULN-005/007/011/018/020
    โ”œโ”€โ”€ mcp_config.py    # VULN-009: MCP misconfigurations
    โ”œโ”€โ”€ multi_agent.py   # VULN-006/008/015
    โ”œโ”€โ”€ framework_specific.py  # VULN-003/006/015/020: LangChain/CrewAI/AutoGen
    โ”œโ”€โ”€ logging_detector.py  # VULN-012/016
    โ””โ”€โ”€ rate_limiting.py     # VULN-013

0.2.0 framework coverage:

  • LangChain โ€” unsafe FAISS deserialization and explicit unbounded agent loops
  • CrewAI โ€” unsafe code execution and delegation without runtime boundaries
  • AutoGen โ€” unsandboxed code execution and explicit unbounded group chat rounds

Design principles:

  • No LLM dependency โ€” all detection is deterministic (AST + regex)
  • Two-tier confidence โ€” CONFIRMED (pattern exists verbatim) vs SUSPECTED (absence-of-safeguard heuristic)
  • Single-pass scan โ€” files read once into ScanContext, shared across all detectors
  • Fail-safe detectors โ€” a crashing detector never stops the scan

๐Ÿงช Development

# Install dev dependencies
pip install -e ".[dev]"

# Run tests
pytest

# Run with coverage
pytest --cov=src --cov-report=term-missing

# Lint
ruff check src/ tests/

# Type check
mypy src/

๐Ÿ“‹ Exit Codes

Code Meaning
0 Scan completed (no findings, or non-CI mode)
1 Findings detected (CI mode only)
2 Error (bad arguments, scan failure)

๐Ÿ—บ๏ธ Roadmap

  • Framework-specific detectors โ€” LangChain, CrewAI, and AutoGen security patterns
  • --deep mode โ€” optional local LLM analysis via Ollama for semantic prompt review
  • GitHub Actions workflow โ€” pre-built CI action
  • PyPI release โ€” pip install arascan
  • VS Code extension โ€” inline findings in the editor

๐Ÿ”— Related

Tool What it does
ARA (this) Static scanner โ€” find vulnerabilities before deployment
parry-ai Runtime guardrail โ€” block threats while your agent is running

Use ARA to find the issues. Use parry to fix them at runtime.


๐Ÿค Community

  • Contributing โ€” setup, checks, detector guidelines, and pull request expectations
  • Security policy โ€” private vulnerability reporting process
  • Issues โ€” bug reports, rule requests, and framework support requests

ARA is early alpha. Reports with minimal vulnerable examples are especially useful: false negatives, false positives, framework-specific patterns, and CI/reporting friction all help shape the roadmap.


๐Ÿ“„ License

MIT


Built with ๐Ÿ Python โ€” no clouds, no APIs, no excuses.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

arascan-0.2.0.tar.gz (38.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

arascan-0.2.0-py3-none-any.whl (41.3 kB view details)

Uploaded Python 3

File details

Details for the file arascan-0.2.0.tar.gz.

File metadata

  • Download URL: arascan-0.2.0.tar.gz
  • Upload date:
  • Size: 38.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3

File hashes

Hashes for arascan-0.2.0.tar.gz
Algorithm Hash digest
SHA256 1c6f5b041226f5dd5a85a9e9336c34649656b8be7326ba4b6c0e55e9a9c4e579
MD5 1c0f287aad46de6da1efc468d914931e
BLAKE2b-256 d60424bc8de312cef7b8fd953e9dc0edda47054a06ea13c4bfd8ef32d19c6a16

See more details on using hashes here.

File details

Details for the file arascan-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: arascan-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 41.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3

File hashes

Hashes for arascan-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 339fa1a61e9d99c99a49453b2de71359f6e0c554aea4870d6017884c5df84895
MD5 81ce75ca639b9bd1764586b3292868f9
BLAKE2b-256 e9443cc740a0a16ade34dec91392079979a3a758fd5adac05ed5c0606a5c982f

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page