Argus — AI threat-modeling agent (multi-agent, skills)
Project description
Argus - ADK Threat-Modeling Agent
The Problem
In modern enterprise development, security engineers are often a bottleneck. They do not have the bandwidth to manually threat-model every single PRD, design doc, or RFC before a sprint begins. Discovering design flaws late in the SDLC leads to expensive architectural refactoring, delayed releases, or catastrophic security breaches.
The Solution
Argus solves this by acting as an autonomous Security Champion. It turns raw PRDs, design docs, feature docs, RFCs, and architecture notes into developer-facing, STRIDE-categorized, OWASP-risk-rated threat model reports using an ADK-only multi-agent workflow. This allows development teams to securely "shift left" without friction.
Architecture
Input document
-> ingestion_agent
-> architecture_zone_agent
-> entry_point_agent
-> scenario_enumeration_agent
-> schema_validation_agent
-> element_binding_agent
-> false_positive_validation_agent
-> control_challenge_agent
-> risk_rating_agent
-> report_agent
-> Markdown report
Agents drive the threat-modeling decisions. Narrow tools remain authoritative for schema validation, model element binding, deterministic OWASP severity calculation, and Markdown rendering.
Components
| Area | Description |
|---|---|
agents |
ADK Workflow (formerly SequentialAgent) and tool bridge |
threats |
Shared candidate and verified threat schemas |
rating + risk |
Deterministic OWASP factor-to-severity matrix |
skill_corpus |
Packaged exact-reference OWASP, ATLAS, AIUC-1, and risk-rating corpora |
cli |
argus run for document input with optional --out |
Installation
Install the package from PyPI. Note that while the package is named argus-agent, the CLI command remains argus:
# Recommended: install globally with uv
uv tool install argus-agent
# Or with pip
pip install argus-agent
Usage
You must provide a Gemini API key via the GEMINI_API_KEY environment variable:
export GEMINI_API_KEY="your-api-key"
argus run path/to/design.md
# Or securely using 1Password CLI (Recommended)
op run --env-file=.env -- argus run path/to/design.md
Local Development
If you want to clone the repository to run it locally or contribute:
uv sync
# Run tests
uv run pytest
Project Layout
argus/
.github/ - CI/CD workflows, issue templates, CODEOWNERS
argus/
agents/ - ADK workflow, stage schemas, runner, and tools
models.py - SystemModel, Actor, Component, DataFlow, Control
threats.py - ProposedThreats, VerifiedThreats, element binding
rating.py - RatedThreat, ThreatStatus, rate_threats
risk.py - OWASP Risk Rating factor-to-severity matrix
context.py - SystemModel -> structured agent context
security/ - prompt input guard
skill_corpus/ - packaged exact-reference skills
skills.py - skill loader (SKILL.md + resources/list.yaml)
skills_router.py - just-in-time skill selection from SystemModel tags
report.py - Markdown report renderer
config.py - Gemini model IDs and API key lookup
cli.py - Typer CLI
tests/ - unit and integration tests
renovate.json - Automated dependency updates
SECURITY.md - Vulnerability reporting policy
CONTRIBUTING.md - Contribution guidelines
Security Design
- Agent-driven scenario flow: agents map zones, entry points, scenarios, attack paths, control challenges, and risk factors.
- Element binding gate: candidate threats not tied to real model elements are filtered before verification.
- Risk-rating gate: the risk agent assigns OWASP factor scores using the risk-rating skill, and the deterministic rating tool calculates severity.
- Report gate: the report agent calls the renderer tool; it does not freehand final Markdown.
Environment Variables
| Variable | Default | Description |
|---|---|---|
GEMINI_API_KEY |
- | Gemini/AI Studio API key |
ARGUS_PRO_MODEL |
gemini-2.5-pro |
Model for deeper reasoning stages |
ARGUS_FLASH_MODEL |
gemini-2.5-flash |
Model for lighter stages |
ARGUS_TEMPERATURE |
0.1 |
LLM temperature |
Contributing & Security
- We welcome contributions! Please see our Contributing Guide for details on setting up your development environment, testing, and submitting PRs.
- Security: If you discover a vulnerability, please see our Security Policy for instructions on responsible disclosure via GitHub Security Advisories. Do NOT open a public issue.
Releasing a New Version
We use the built-in uv version tool so that versions stay command-driven and consistent.
- Bump the version:
# Option A: Bump by semantic component (patch, minor, major) uv version --bump patch # Option B: Set an explicit version uv version 0.1.1
License
This project is licensed under the MIT License - see the LICENSE file for details.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file argus_agent-0.2.0.tar.gz.
File metadata
- Download URL: argus_agent-0.2.0.tar.gz
- Upload date:
- Size: 48.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
93e5c28794e8f6cb92dd570a018071e310638181032fd1318cf6194118aed177
|
|
| MD5 |
f084d0cb95d3ccad3197070b89ea7fad
|
|
| BLAKE2b-256 |
3cdcc5253bbd6218f3cf277b87cab3c246ec36430a355d05f20a0ef8605941db
|
Provenance
The following attestation bundles were made for argus_agent-0.2.0.tar.gz:
Publisher:
release.yml on thedevappsecguy/argus
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
argus_agent-0.2.0.tar.gz -
Subject digest:
93e5c28794e8f6cb92dd570a018071e310638181032fd1318cf6194118aed177 - Sigstore transparency entry: 1955616078
- Sigstore integration time:
-
Permalink:
thedevappsecguy/argus@27c3cbbba73fbda9d35030810f39de29230fae30 -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/thedevappsecguy
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@27c3cbbba73fbda9d35030810f39de29230fae30 -
Trigger Event:
release
-
Statement type:
File details
Details for the file argus_agent-0.2.0-py3-none-any.whl.
File metadata
- Download URL: argus_agent-0.2.0-py3-none-any.whl
- Upload date:
- Size: 48.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
137cfc712e236df8c83fdd7b72de816dba8706948a0eb8c21b1cacf1f97fa081
|
|
| MD5 |
48d0fae71e3392cd869e6ba6499d9f4a
|
|
| BLAKE2b-256 |
83c0299f1d75cc416d02c393a6d202afdfb51cf58fecc89b748aa4ebd292f051
|
Provenance
The following attestation bundles were made for argus_agent-0.2.0-py3-none-any.whl:
Publisher:
release.yml on thedevappsecguy/argus
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
argus_agent-0.2.0-py3-none-any.whl -
Subject digest:
137cfc712e236df8c83fdd7b72de816dba8706948a0eb8c21b1cacf1f97fa081 - Sigstore transparency entry: 1955616255
- Sigstore integration time:
-
Permalink:
thedevappsecguy/argus@27c3cbbba73fbda9d35030810f39de29230fae30 -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/thedevappsecguy
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@27c3cbbba73fbda9d35030810f39de29230fae30 -
Trigger Event:
release
-
Statement type: