
Autonomous security scanner for AI agents — detects prompt injection, tool abuse, data exfiltration, and OWASP ASI Top 10 vulnerabilities.

Project description

AgentGuard

Autonomous security scanner for AI agents. Detects prompt injection, tool abuse, data exfiltration, and OWASP ASI Top 10 vulnerabilities in agent code.



Why AgentGuard?

AI agents are being deployed at scale - in coding tools, customer support, trading bots, and autonomous systems. Nobody is scanning their code for security vulnerabilities.

Existing tools (Bandit, Semgrep, CodeQL) scan for traditional vulnerabilities. AgentGuard scans for agent-specific attack vectors:

  • " Prompt Injection " untrusted input reaching LLM prompts
  • " Tool Abuse " agents with unrestricted shell/exec access
  • " Data Exfiltration " agents leaking data to external URLs
  • "' Credential Exposure " hardcoded API keys and wallet seeds
  • Unsafe Eval " eval(), exec(), subprocess(shell=True) with user input
  • Context Manipulation " unbounded context window attacks
  • Trust Boundary Violations " agents running as root, accessing host filesystem

Quick Start

pip install dfx-agentguard

# Scan a directory
agentguard .

# JSON output for CI/CD
agentguard src/ --format json

# SARIF for GitHub Code Scanning
agentguard . --format sarif > results.sarif

# Only show HIGH and above
agentguard . --min-severity HIGH

CLI Usage

agentguard [OPTIONS] [TARGET]

Arguments:
 TARGET Directory or file to scan (default: current directory)

Options:
 --format [text|json|sarif] Output format (default: text)
 --exit-code / --no-exit-code Exit non-zero if findings found (default: on)
 --min-severity [CRITICAL|HIGH|MEDIUM|LOW|INFO] Minimum severity to report
 --help Show help

OWASP ASI Top 10 Coverage

ID Vulnerability Status
ASI01 Prompt Injection ...
ASI02 Tool Abuse / Unintended Tool Use ...
ASI03 Data Exfiltration / Sensitive Data Leakage ...
ASI04 Unauthorized Actions / Excessive Agency ...
ASI05 Supply Chain / Untrusted Components ...
ASI06 Insecure Output Handling ...
ASI07 Credential / Secret Exposure ...
ASI08 Context Window Manipulation ...
ASI09 Agent Loop Exploitation ...
ASI10 Trust Boundary Violation ...

CI/CD Integration

GitHub Actions

name: Security Scan
on: [push, pull_request]

jobs:
  agentguard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - run: pip install dfx-agentguard
      # --no-exit-code: with the default exit code behaviour a scan with findings
      # fails this step and the SARIF upload below never runs; let Code Scanning
      # surface the results instead of the step failure.
      - run: agentguard . --format sarif --no-exit-code > results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Pre-commit Hook

repos:
  - repo: https://github.com/dockfixlabs/agentguard
    rev: v0.1.0
    hooks:
      - id: agentguard
        args: ["--min-severity", "HIGH"]

Programmatic Usage

from agentguard.scanner import scan_directory
from agentguard.reporter import json_report  # JSON reporter, same output as --format json

# Scan a tree and get a result object with findings and per-severity counts
result = scan_directory("src/")

print(f"Found {len(result.findings)} issues")
print(f"Critical: {result.critical_count}")
print(f"High: {result.high_count}")

# Each finding carries its severity, rule name and source location
for finding in result.findings:
    print(f"  [{finding.severity}] {finding.rule_name} at {finding.file}:{finding.line}")

Detection Rules

ASI01 " Prompt Injection

Detects untrusted user input being concatenated into LLM prompts via f-strings, .format(), or string concatenation.

ASI02 " Tool Abuse

Flags agents with access to exec(), subprocess, os.system(), shell tools, unrestricted tool registration, and missing rate limits.

ASI03 " Data Exfiltration

Detects outbound HTTP requests to external URLs, webhook configurations, DNS exfiltration patterns, and secret+network correlation.

ASI06 " Unsafe Eval

Flags eval(), exec(), compile() with user input, pickle.load(), yaml.load() without SafeLoader, subprocess(shell=True).
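As an added illustration of the kind of check this rule describes (example code written for this page, not AgentGuard's own rule implementation): a small ast-based scanner that flags the listed call patterns in a constructed sample module while leaving their hardened equivalents (ast.literal_eval, yaml.load with SafeLoader, an argv list without a shell) unflagged.

```python
import ast

# Constructed sample agent module (not from the page): four risky calls and
# three hardened equivalents that the check must leave alone.
SAMPLE = '''
import yaml, pickle, subprocess, ast
def run_tool(tool_input, cfg_text, blob):
    result = eval(tool_input)                           # flagged: eval on untrusted input
    cfg = yaml.load(cfg_text)                           # flagged: no SafeLoader
    obj = pickle.loads(blob)                            # flagged: untrusted deserialisation
    subprocess.run(tool_input, shell=True)              # flagged: shell=True
    safe = ast.literal_eval(tool_input)                 # ok: parses literals only
    cfg2 = yaml.load(cfg_text, Loader=yaml.SafeLoader)  # ok: safe loader
    subprocess.run(["ls", "-l"], shell=False)           # ok: argv list, no shell
'''

DANGEROUS = {"eval", "exec", "compile", "pickle.load", "pickle.loads"}

def _callee(call: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'yaml.load' or 'eval'."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

def scan_unsafe_eval(source: str) -> list[tuple[str, int, str]]:
    """ASI06-style check: (rule, line, detail) for eval/exec/compile, pickle loads,
    yaml.load without SafeLoader, and subprocess.* calls with shell=True."""
    findings = []
    for call in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Call)):
        name = _callee(call)
        kwargs = {k.arg: k.value for k in call.keywords}
        if name in DANGEROUS:
            findings.append(("ASI06", call.lineno, f"{name}() on possibly untrusted input"))
        elif name == "yaml.load":
            loader = kwargs.get("Loader")  # accept yaml.SafeLoader or a bare SafeLoader name
            loader_name = getattr(loader, "attr", None) or getattr(loader, "id", None)
            if loader_name not in {"SafeLoader", "CSafeLoader"}:
                findings.append(("ASI06", call.lineno, "yaml.load without SafeLoader"))
        elif name.startswith("subprocess."):
            shell = kwargs.get("shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append(("ASI06", call.lineno, f"{name}(shell=True)"))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for rule, line, detail in scan_unsafe_eval(SAMPLE):
        print(f"[{rule}] line {line}: {detail}")
```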

ASI07 " Credential Exposure

Detects hardcoded API keys (sk-, ghp_, AKIA), private keys, connection strings with passwords, and crypto wallet seeds.

ASI08 " Context Manipulation

Flags missing token limits, unbounded context accumulation, and large files loaded directly into LLM context.

ASI10 " Trust Boundary Violation

Detects agents running as root, host filesystem access, self-modifying code, and direct database access with user input.

MCP Server Mode

Scan agent code directly from Claude Code, Cursor, or any MCP-compatible client:

// ~/.claude/claude_code_config.json
{
  "mcpServers": {
    "agentguard": {
      "command": "python3",
      "args": ["-m", "agentguard.mcp_server"]
    }
  }
}

Then ask Claude: "Scan my agent code for security vulnerabilities"

MCP Tools

  • scan_agent_code - Scan a directory/file for vulnerabilities
  • list_rules - List all detection rules and OWASP mapping
  • get_finding_details - Get remediation guidance for a specific rule

Roadmap

  • OWASP ASI Top 10 - all 10 categories covered
  • MCP server mode - scan from Claude Code/Cursor
  • SARIF output - GitHub Code Scanning integration
  • PyPI publication - dfx-agentguard
  • VS Code extension - AgentGuard VS Code
  • GitHub App for automated PR reviews - AgentGuard App
  • Benchmark suite - AgentGuard Benchmark
  • Semantic analysis with LLM-assisted code review - v0.3.0
  • GitHub Action (drop-in CI/CD) - v0.3.0
  • Pre-commit hook
  • Language support: Rust, Go, Java

See the full ROADMAP.md.

Contributing

See CONTRIBUTING.md. Bug reports and feature requests welcome.

Security

See SECURITY.md. Report vulnerabilities privately - do not open public issues.

License

MIT " see LICENSE.


Built by Dockfix Labs. Built for the AI agent era.

Download files

Source Distribution

dfx_agentguard-0.3.4.tar.gz (28.2 kB)

Uploaded Source

Built Distribution


dfx_agentguard-0.3.4-py3-none-any.whl (34.0 kB)

Uploaded Python 3

File details

Details for the file dfx_agentguard-0.3.4.tar.gz.

File metadata

  • Download URL: dfx_agentguard-0.3.4.tar.gz
  • Size: 28.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dfx_agentguard-0.3.4.tar.gz
Algorithm Hash digest
SHA256 e81c5023ae5377eb7beb3f42bf2a230ff9cf650495aa76b8b40b4ef6cfe462f5
MD5 a3b6fc1e2aae345ac210aa628188748a
BLAKE2b-256 d7742f6a54b067fe1140d777a7c6ff7129b645fbf7b9e41cc72f0b8b6bfc116b


Provenance

The following attestation bundles were made for dfx_agentguard-0.3.4.tar.gz:

Publisher: publish.yml on dockfixlabs/agentguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dfx_agentguard-0.3.4-py3-none-any.whl.

File metadata

  • Download URL: dfx_agentguard-0.3.4-py3-none-any.whl
  • Size: 34.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dfx_agentguard-0.3.4-py3-none-any.whl
Algorithm Hash digest
SHA256 73a994f0744c53fcc7d3a555d93de9e527af744ce0164112b2df66e6a0890783
MD5 593f7b7ca9f28b349a7605fb1af0b870
BLAKE2b-256 e4797e440448e10da361171bcc95a9bae9e86f0d7d22ff92a8b3efe225e2ddbc


Provenance

The following attestation bundles were made for dfx_agentguard-0.3.4-py3-none-any.whl:

Publisher: publish.yml on dockfixlabs/agentguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
