Skip to main content

Pre-deployment compliance scanner for AI agents — 27 security checks, SARIF output, signed audit packets

Project description

blastcontain-verify

Pre-deployment compliance scanner for AI agents. 27 security checks across 14 categories. Outputs Markdown reports, signed JSON audit packets, and SARIF for GitHub Code Scanning.

pip install blastcontain-verify
blastcontain-verify --agent-id my-agent --env prod --search-path ./src

What it checks

Group Checks
Environment kernel isolation, egress restriction, model weight mutability
Filesystem workstation rootfs, container rootfs
Credentials secrets on disk, secrets in process env, wildcard API capability
Process running as root, dangerous Linux capabilities
Network DNS exfiltration channel, external listeners
Persistence writable startup/cron paths
Memory unmasked PII in context, vector store tenant isolation, viable PII exfil path
Skills exfiltration-capable tools, Cisco AI Skill Scanner findings
APIs destructive endpoints, unauthenticated endpoints
MCP unapproved tools, missing auth, dangerous tool combinations
Code dangerous execution patterns (eval/exec/pickle/yaml.load)
Supply chain unattested model weights
Transport plaintext HTTP endpoints
Local developer workstation indicators

Every check is mapped to the MIT AI Risk Repository taxonomy.

Two checks are conditional: SKILL-02 (Cisco AI Skill Scanner) needs the opt-in [cisco] extra — see Augmentation; MCP-01 (unapproved tools) is not yet implemented and currently SKIPs. The rest run out of the box.

Container (recommended)

The official image bundles [full] with the spaCy en_core_web_lg model. The image copies both verify/ and the sibling core/, so the build context is the blastcontain-oss repo root:

# from the blastcontain-oss/ root
podman build -t blastcontain-verify:latest -f verify/Containerfile .
podman run --rm \
  --read-only --cap-drop ALL --security-opt no-new-privileges \
  --network none --tmpfs /tmp:rw,noexec,nosuid,size=64m \
  -v "$PWD:/scan:ro,z" -v "$PWD/reports:/reports:rw,z" \
  blastcontain-verify:latest \
  --agent-id my-agent --env prod \
  --search-path /scan --report /reports/report.md \
  --output /reports/audit.json --sarif /reports/scan.sarif \
  --acknowledge-risk

CLI flags (most common)

--agent-id              Agent identifier (required)
--env                   dev | uat | staging | prod | local_developer_workstation
--search-path           Root walked for source/secret/code/TLS scanning
--skills-dir            Skill code directory (SKILL-01/02)
--api-spec              OpenAPI 3.0 YAML/JSON path (API-01/02)
--mcp-config            MCP server config JSON (MCP-01/02/03)
--model-dir             Model weights directory (ENV-03, SUP-01)
--context-file          Session context text for PII scanning (MEM-01)
--output PATH           Write signed JSON audit packet
--report PATH           Write Markdown report
--sarif PATH            Write SARIF 2.1.0 for GitHub Code Scanning
--skip-checks IDs       Comma-separated check IDs to suppress
--api-live-probe        Enable live OPTIONS probe in API-01 (off by default)
--egress-probe-target   host:port for ENV-02/NET-01 probes
--acknowledge-risk      Exit 0 even on CRITICAL
--require-signing       Exit 3 unless a real signing key is set (no advisory packet)

Usage guide & examples: docs/usage.md · Full spec: docs/spec.md · Design notes: docs/architecture.md · Custom checks: docs/plugins.md

GitHub Code Scanning integration

--agent-id should be a stable logical identifier for the agent being scanned (e.g. support-bot-prod), not the repository slug — it is the key your audit packets are attributed to over time, so it must stay constant even if the repo is renamed or forked. Store it as a repository or org Actions variable (Settings → Secrets and variables → Actions → Variables):

# .github/workflows/security.yml
- name: BlastContain Verify
  run: blastcontain-verify --sarif scan.sarif --agent-id "${{ vars.AGENT_ID }}"
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: scan.sarif

Augmentation

Verify works standalone; optional packages unlock deeper checks. Every augmentation — default and opt-in — is CVE-clean as of 2026-06.

Extra Adds Clean
[pii] Microsoft Presidio NER for MEM-01
[agt] Agent Governance Toolkit
[full] [pii] + [agt] — the default supported set
[skill] / [cisco] Cisco AI Skill Scanner (SKILL-02)
pip install "blastcontain-verify[full]"          # default: Presidio + AGT
pip install "blastcontain-verify[full,cisco]"     # + SKILL-02 (Cisco skill scanner)

The Cisco MCP scanner (the MCP-01 backend) is not currently packaged — it still pins a CVE-bearing litellm and MCP-01 is dormant without a Charter. See SECURITY.md.

Without the relevant extra, the dependent check SKIPs with a hint on how to enable it.

Suppressing findings — .blastcontainignore

Drop a .blastcontainignore at the root of --search-path:

tests/fixtures/      # entire directory tree
*.mock.json          # filename glob
**/snapshots/**      # path glob

Honoured by CRED-01, CODE-01, TLS-01.

Verifying audit packets

import json
from blastcontain_core.signing import verify_packet

packet = json.load(open("audit.json"))
assert verify_packet(packet)

Ed25519 packets carry their public key inline — verification needs nothing else. HMAC packets require BLASTCONTAIN_SIGNING_KEY in the environment.

Be clear about what the default signature means: with no key configured, packets are signed with a built-in key and marked "advisory": true — that proves integrity (the packet wasn't modified), not attestation (anyone can produce one). Attestation requires an Ed25519 key you manage. CI pipelines that must never emit an advisory packet should pass --require-signing, which exits 3 before scanning if no real key is configured.

License

Apache 2.0. See NOTICE and THIRD_PARTY_NOTICES.txt.

Contributing

See CONTRIBUTING.md. All contributions require a DCO sign-off (git commit -s).

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

blastcontain_verify-0.4.0.tar.gz (121.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

blastcontain_verify-0.4.0-py3-none-any.whl (69.0 kB view details)

Uploaded Python 3

File details

Details for the file blastcontain_verify-0.4.0.tar.gz.

File metadata

  • Download URL: blastcontain_verify-0.4.0.tar.gz
  • Upload date:
  • Size: 121.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for blastcontain_verify-0.4.0.tar.gz
Algorithm Hash digest
SHA256 a0fceca3feeadec2fc931fd267fa6a5eef702ce0c2332194015b85d7c438269d
MD5 3b3035a78ab336803294e57736c0ffda
BLAKE2b-256 39d8ecf16eedb80b9f1c3b39a97c35844fca4a5f343b41b8aaa4d54761a5bd39

See more details on using hashes here.

Provenance

The following attestation bundles were made for blastcontain_verify-0.4.0.tar.gz:

Publisher: release.yml on gdeudney/blastcontain-oss

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file blastcontain_verify-0.4.0-py3-none-any.whl.

File metadata

File hashes

Hashes for blastcontain_verify-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b122daa54ceaf5222b45d4b3c901e8f78c2674de9a435ac567c71a82227b19eb
MD5 952ce292cf1d8ceb4e3d408a885361f1
BLAKE2b-256 98b97dfb40c958084286d4dd9a20043cb413e0b7cd8b2b710b4c55b6943fcbe7

See more details on using hashes here.

Provenance

The following attestation bundles were made for blastcontain_verify-0.4.0-py3-none-any.whl:

Publisher: release.yml on gdeudney/blastcontain-oss

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page