Pre-deployment compliance scanner for AI agents — 27 security checks, SARIF output, signed audit packets
Project description
blastcontain-verify
Pre-deployment compliance scanner for AI agents. 27 security checks across 14 categories. Outputs Markdown reports, signed JSON audit packets, and SARIF for GitHub Code Scanning.
pip install blastcontain-verify
blastcontain-verify --agent-id my-agent --env prod --search-path ./src
What it checks
| Group | Checks |
|---|---|
| Environment | kernel isolation, egress restriction, model weight mutability |
| Filesystem | workstation rootfs, container rootfs |
| Credentials | secrets on disk, secrets in process env, wildcard API capability |
| Process | running as root, dangerous Linux capabilities |
| Network | DNS exfiltration channel, external listeners |
| Persistence | writable startup/cron paths |
| Memory | unmasked PII in context, vector store tenant isolation, viable PII exfil path |
| Skills | exfiltration-capable tools, Cisco AI Skill Scanner findings |
| APIs | destructive endpoints, unauthenticated endpoints |
| MCP | unapproved tools, missing auth, dangerous tool combinations |
| Code | dangerous execution patterns (eval/exec/pickle/yaml.load) |
| Supply chain | unattested model weights |
| Transport | plaintext HTTP endpoints |
| Local | developer workstation indicators |
Every check is mapped to the MIT AI Risk Repository taxonomy.
Two checks are conditional: SKILL-02 (Cisco AI Skill Scanner) needs the opt-in
[cisco]extra — see Augmentation; MCP-01 (unapproved tools) is not yet implemented and currently SKIPs. The rest run out of the box.
Container (recommended)
The official image bundles [full] with the spaCy en_core_web_lg model. The image copies both verify/ and the sibling core/, so the build context is the blastcontain-oss repo root:
# from the blastcontain-oss/ root
podman build -t blastcontain-verify:latest -f verify/Containerfile .
podman run --rm \
--read-only --cap-drop ALL --security-opt no-new-privileges \
--network none --tmpfs /tmp:rw,noexec,nosuid,size=64m \
-v "$PWD:/scan:ro,z" -v "$PWD/reports:/reports:rw,z" \
blastcontain-verify:latest \
--agent-id my-agent --env prod \
--search-path /scan --report /reports/report.md \
--output /reports/audit.json --sarif /reports/scan.sarif \
--acknowledge-risk
CLI flags (most common)
--agent-id Agent identifier (required)
--env dev | uat | staging | prod | local_developer_workstation
--search-path Root walked for source/secret/code/TLS scanning
--skills-dir Skill code directory (SKILL-01/02)
--api-spec OpenAPI 3.0 YAML/JSON path (API-01/02)
--mcp-config MCP server config JSON (MCP-01/02/03)
--model-dir Model weights directory (ENV-03, SUP-01)
--context-file Session context text for PII scanning (MEM-01)
--output PATH Write signed JSON audit packet
--report PATH Write Markdown report
--sarif PATH Write SARIF 2.1.0 for GitHub Code Scanning
--skip-checks IDs Comma-separated check IDs to suppress
--api-live-probe Enable live OPTIONS probe in API-01 (off by default)
--egress-probe-target host:port for ENV-02/NET-01 probes
--acknowledge-risk Exit 0 even on CRITICAL
--require-signing Exit 3 unless a real signing key is set (no advisory packet)
Usage guide & examples: docs/usage.md · Full spec: docs/spec.md · Design notes: docs/architecture.md · Custom checks: docs/plugins.md
GitHub Code Scanning integration
--agent-id should be a stable logical identifier for the agent being scanned (e.g. support-bot-prod), not the repository slug — it is the key your audit packets are attributed to over time, so it must stay constant even if the repo is renamed or forked. Store it as a repository or org Actions variable (Settings → Secrets and variables → Actions → Variables):
# .github/workflows/security.yml
- name: BlastContain Verify
run: blastcontain-verify --sarif scan.sarif --agent-id "${{ vars.AGENT_ID }}"
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: scan.sarif
Augmentation
Verify works standalone; optional packages unlock deeper checks. Every augmentation — default and opt-in — is CVE-clean as of 2026-06.
| Extra | Adds | Clean |
|---|---|---|
[pii] |
Microsoft Presidio NER for MEM-01 | ✅ |
[agt] |
Agent Governance Toolkit | ✅ |
[full] |
[pii] + [agt] — the default supported set |
✅ |
[skill] / [cisco] |
Cisco AI Skill Scanner (SKILL-02) | ✅ |
pip install "blastcontain-verify[full]" # default: Presidio + AGT
pip install "blastcontain-verify[full,cisco]" # + SKILL-02 (Cisco skill scanner)
The Cisco MCP scanner (the MCP-01 backend) is not currently packaged — it still pins a CVE-bearing
litellmand MCP-01 is dormant without a Charter. See SECURITY.md.
Without the relevant extra, the dependent check SKIPs with a hint on how to enable it.
Suppressing findings — .blastcontainignore
Drop a .blastcontainignore at the root of --search-path:
tests/fixtures/ # entire directory tree
*.mock.json # filename glob
**/snapshots/** # path glob
Honoured by CRED-01, CODE-01, TLS-01.
Verifying audit packets
import json
from blastcontain_core.signing import verify_packet
packet = json.load(open("audit.json"))
assert verify_packet(packet)
Ed25519 packets carry their public key inline — verification needs nothing else. HMAC packets require BLASTCONTAIN_SIGNING_KEY in the environment.
Be clear about what the default signature means: with no key configured,
packets are signed with a built-in key and marked "advisory": true — that
proves integrity (the packet wasn't modified), not attestation (anyone
can produce one). Attestation requires an Ed25519 key you manage. CI pipelines
that must never emit an advisory packet should pass --require-signing, which
exits 3 before scanning if no real key is configured.
License
Apache 2.0. See NOTICE and THIRD_PARTY_NOTICES.txt.
Contributing
See CONTRIBUTING.md. All contributions require a DCO sign-off (git commit -s).
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file blastcontain_verify-0.4.0.tar.gz.
File metadata
- Download URL: blastcontain_verify-0.4.0.tar.gz
- Upload date:
- Size: 121.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a0fceca3feeadec2fc931fd267fa6a5eef702ce0c2332194015b85d7c438269d
|
|
| MD5 |
3b3035a78ab336803294e57736c0ffda
|
|
| BLAKE2b-256 |
39d8ecf16eedb80b9f1c3b39a97c35844fca4a5f343b41b8aaa4d54761a5bd39
|
Provenance
The following attestation bundles were made for blastcontain_verify-0.4.0.tar.gz:
Publisher:
release.yml on gdeudney/blastcontain-oss
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
blastcontain_verify-0.4.0.tar.gz -
Subject digest:
a0fceca3feeadec2fc931fd267fa6a5eef702ce0c2332194015b85d7c438269d - Sigstore transparency entry: 2072636732
- Sigstore integration time:
-
Permalink:
gdeudney/blastcontain-oss@399eb04063b7b426f93a07fdaaa520d3c7c1e915 -
Branch / Tag:
refs/tags/verify-v0.4.0 - Owner: https://github.com/gdeudney
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@399eb04063b7b426f93a07fdaaa520d3c7c1e915 -
Trigger Event:
push
-
Statement type:
File details
Details for the file blastcontain_verify-0.4.0-py3-none-any.whl.
File metadata
- Download URL: blastcontain_verify-0.4.0-py3-none-any.whl
- Upload date:
- Size: 69.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b122daa54ceaf5222b45d4b3c901e8f78c2674de9a435ac567c71a82227b19eb
|
|
| MD5 |
952ce292cf1d8ceb4e3d408a885361f1
|
|
| BLAKE2b-256 |
98b97dfb40c958084286d4dd9a20043cb413e0b7cd8b2b710b4c55b6943fcbe7
|
Provenance
The following attestation bundles were made for blastcontain_verify-0.4.0-py3-none-any.whl:
Publisher:
release.yml on gdeudney/blastcontain-oss
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
blastcontain_verify-0.4.0-py3-none-any.whl -
Subject digest:
b122daa54ceaf5222b45d4b3c901e8f78c2674de9a435ac567c71a82227b19eb - Sigstore transparency entry: 2072636763
- Sigstore integration time:
-
Permalink:
gdeudney/blastcontain-oss@399eb04063b7b426f93a07fdaaa520d3c7c1e915 -
Branch / Tag:
refs/tags/verify-v0.4.0 - Owner: https://github.com/gdeudney
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@399eb04063b7b426f93a07fdaaa520d3c7c1e915 -
Trigger Event:
push
-
Statement type: