Autonomous security scanner for AI agents — detects prompt injection, tool abuse, data exfiltration, and OWASP ASI Top 10 vulnerabilities.
Project description
AgentGuard
Autonomous security scanner for AI agents. Detects prompt injection, tool abuse, data exfiltration, and OWASP ASI Top 10 vulnerabilities in agent code.
Why AgentGuard?
AI agents are being deployed at scale -- in coding tools, customer support, trading bots, and autonomous systems. Nobody is scanning their code for security vulnerabilities.
Existing tools (Bandit, Semgrep, CodeQL) scan for traditional vulnerabilities. AgentGuard scans for agent-specific attack vectors that traditional SAST tools miss.
Comparison
| Feature | AgentGuard | Semgrep | CodeQL | Bandit |
|---|---|---|---|---|
| Prompt Injection (ASI01) | Yes | No | No | No |
| Tool Abuse (ASI02) | Yes | No | No | Partial |
| Data Exfiltration (ASI03) | Yes | No | No | No |
| Excessive Agency (ASI04) | Yes | No | No | No |
| Supply Chain (ASI05) | Yes | No | No | No |
| Insecure Output (ASI06) | Yes | No | No | No |
| Credential Exposure (ASI07) | Yes | Partial | Partial | Yes |
| Context Manipulation (ASI08) | Yes | No | No | No |
| Agent Loop Exploitation (ASI09) | Yes | No | No | No |
| Trust Boundary (ASI10) | Yes | No | No | No |
| OWASP ASI Top 10 Coverage | 10/10 | 1/10 | 1/10 | 2/10 |
| MCP Server Mode | Yes | No | No | No |
| SARIF Output | Yes | Yes | Yes | No |
| Pre-commit Hook | Yes | Yes | No | No |
| GitHub Action | Yes | Yes | Yes | No |
Quick Start
```bash
pip install dfx-agentguard

# Scan a directory
agentguard .

# JSON output for CI/CD
agentguard src/ --format json

# SARIF for GitHub Code Scanning
agentguard . --format sarif > results.sarif

# Only show HIGH and above
agentguard . --min-severity HIGH

# Include test files in scan
agentguard . --include-tests
```
CLI Usage
```text
agentguard [OPTIONS] [TARGET]

Arguments:
  TARGET                          Directory or file to scan (default: current directory)

Options:
  --format [text|json|sarif]      Output format (default: text)
  --exit-code / --no-exit-code    Exit non-zero if findings found (default: on)
  --min-severity [CRITICAL|HIGH|MEDIUM|LOW|INFO]
                                  Minimum severity to report
  --include-tests                 Include test files in scan (default: skip)
  --help                          Show help
```
OWASP ASI Top 10 Coverage
| ID | Vulnerability | Status | Detection Method |
|---|---|---|---|
| ASI01 | Prompt Injection | Detected | f-string, .format(), messages array, context stuffing, tool description poisoning |
| ASI02 | Tool Abuse / Unintended Tool Use | Detected | os.system, subprocess, shell tools, unrestricted registration |
| ASI03 | Data Exfiltration | Detected | External URLs, variable URL correlation, fetch/axios, subprocess curl, DNS exfil |
| ASI04 | Unauthorized Actions / Excessive Agency | Detected | Auto-execute, no confirmation, autonomous actions |
| ASI05 | Supply Chain / Untrusted Components | Detected | Dynamic import, unpinned deps, untrusted pip install |
| ASI06 | Insecure Output Handling | Detected | LLM output in HTML/JSX/DOM, innerHTML, document.write, markdown.render |
| ASI07 | Credential / Secret Exposure | Detected | API keys (sk-, ghp_, AKIA, AIza, xox), private keys, passwords, connection strings |
| ASI08 | Context Window Manipulation | Detected | Unbounded context, token stuffing, missing limits |
| ASI09 | Agent Loop Exploitation | Detected | Recursive calls without depth limit, while True, no max iterations |
| ASI10 | Trust Boundary Violation | Detected | Root access, host filesystem mounts, no sandbox, self-modification |
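As an added illustration of the kind of AST-level check the Detection Method column describes (example code written for this page, not AgentGuard's own rules), two hypothetical rules: one for ASI01 (an f-string interpolated into a message's `content`) and one for ASI09 (`while True` with no `break`), run over a constructed vulnerable agent loop and a constructed hardened variant. Rule ids, severities and the `Finding` record are assumptions.

```python
import ast
from collections import namedtuple

# Hypothetical finding record; rule ids are modelled on the ASI categories above.
Finding = namedtuple("Finding", "rule severity line")

def _fstring_prompts(tree):
    # ASI01 heuristic: an f-string used as the "content" of a chat-message dict,
    # i.e. untrusted input interpolated straight into the prompt text.
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant) and key.value == "content"
                        and isinstance(value, ast.JoinedStr)):
                    hits.append(Finding("ASI01-fstring-prompt", "HIGH", value.lineno))
    return hits

def _unbounded_loops(tree):
    # ASI09 heuristic: `while True:` with no `break` anywhere inside it, i.e. an agent
    # loop with no exit condition or iteration cap (a break in a nested loop also
    # silences the rule, so this errs toward false negatives).
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.While) and isinstance(node.test, ast.Constant)
                and node.test.value is True
                and not any(isinstance(n, ast.Break) for n in ast.walk(node))):
            hits.append(Finding("ASI09-unbounded-loop", "MEDIUM", node.lineno))
    return hits

def scan_source(src):
    # Run both rules over one Python source string; findings ordered by line number.
    tree = ast.parse(src)
    return sorted(_fstring_prompts(tree) + _unbounded_loops(tree), key=lambda f: f.line)

# Constructed sample agent loop that trips both rules (line numbers start at 1).
VULNERABLE = '''def run(user_input, llm):
    messages = [{"role": "user", "content": f"Summarize: {user_input}"}]
    while True:
        reply = llm(messages)
        messages.append({"role": "assistant", "content": reply})
'''
# Constructed hardened variant: input passed as message data, loop capped by max_turns.
HARDENED = '''def run(user_input, llm, max_turns=5):
    messages = [{"role": "user", "content": user_input}]
    for _ in range(max_turns):
        messages.append({"role": "assistant", "content": llm(messages)})
    return messages
'''
```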
CI/CD Integration
GitHub Action
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  agentguard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - run: pip install dfx-agentguard
      # --exit-code is on by default, so this step fails the job when findings exist;
      # pass --no-exit-code (or set continue-on-error: true) if the SARIF upload below
      # should still run in that case.
      - run: agentguard . --format sarif > results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```
Drop-in GitHub Action
```yaml
- uses: dockfixlabs/agentguard@v0.4.0
  with:
    path: src/
    format: sarif
```
Pre-commit Hook
```yaml
repos:
  - repo: https://github.com/dockfixlabs/agentguard
    rev: v0.4.0
    hooks:
      - id: agentguard
        args: ["--min-severity", "HIGH"]
```
Programmatic Usage
```python
from agentguard.scanner import scan_directory

result = scan_directory("src/")
print(f"Found {len(result.findings)} issues")
print(f"Critical: {result.critical_count}")
print(f"High: {result.high_count}")

for finding in result.findings:
    print(f"  [{finding.severity}] {finding.rule_name} at {finding.file}:{finding.line}")
```
MCP Server Mode
Scan agent code directly from Claude Code, Cursor, or any MCP-compatible client:
```json
{
  "mcpServers": {
    "agentguard": {
      "command": "python3",
      "args": ["-m", "agentguard.mcp_server"]
    }
  }
}
```
Then ask Claude: "Scan my agent code for security vulnerabilities"
Benchmark Results
Tested against 28 vulnerable code samples + 8 real-world attack patterns:
| Category | Total | Detected | Rate | FP |
|---|---|---|---|---|
| ASI01 | 6 | 6 | 100% | 0 |
| ASI02 | 5 | 5 | 100% | 0 |
| ASI03 | 4 | 4 | 100% | 0 |
| ASI07 | 6 | 6 | 100% | 0 |
| ASI10 | 5 | 5 | 100% | 0 |
| clean | 2 | 0 | - | 0 |
| TOTAL | 28 | 26 | 100% | 0 |
100% detection rate, 0% false positives.
Project Ecosystem
| Repository | Description |
|---|---|
| agentguard | Core scanner + CLI + MCP server |
| mcp-scanner | MCP server configuration scanner |
| agentguard-app | GitHub App for automated PR reviews |
| agentguard-vscode | VS Code extension |
| agentguard-benchmark | Benchmark suite (28 samples) |
Roadmap
- OWASP ASI Top 10 -- all 10 categories covered
- MCP server mode -- scan from Claude Code/Cursor
- SARIF output -- GitHub Code Scanning integration
- PyPI publication -- dfx-agentguard
- VS Code extension
- GitHub App for PR reviews
- Benchmark suite (28 samples, 100% detection)
- Pre-commit hook (.pre-commit-hooks.yaml)
- GitHub Action (action.yml)
- Dockerfile for agentguard-app
- PyPI Trusted Publishing (OIDC)
- AST-based taint tracking (v0.5.0)
- Language support: Rust, Go, Java
- Web dashboard (SaaS)
- REST API (Scan-as-a-Service)
See the full ROADMAP.md.
Contributing
See CONTRIBUTING.md. Bug reports and feature requests welcome.
Security
See SECURITY.md. Report vulnerabilities privately -- do not open public issues.
License
MIT -- see LICENSE.
Built by Dockfix Labs. Built for the AI agent era.
File details
Details for the file dfx_agentguard-0.5.0.tar.gz.
File metadata
- Download URL: dfx_agentguard-0.5.0.tar.gz
- Upload date:
- Size: 33.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | de306912959e7afc95a7a10aa43494e76af8017a1bf977e09fc42ba222a6fd23 |
| MD5 | 4266aed19ecb2b7766bc707f6e5d6b97 |
| BLAKE2b-256 | 779fa2da4e4bc24a9088ee7c57a3d99eb39b6b77a821af3779a2425f2168fce2 |
Provenance
The following attestation bundles were made for dfx_agentguard-0.5.0.tar.gz:
- Publisher: publish.yml on dockfixlabs/agentguard
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: dfx_agentguard-0.5.0.tar.gz
- Subject digest: de306912959e7afc95a7a10aa43494e76af8017a1bf977e09fc42ba222a6fd23
- Sigstore transparency entry: 2029642752
- Sigstore integration time:
- Permalink: dockfixlabs/agentguard@77c95c1453621fb15abe622dc903fc7c2892fef4
- Branch / Tag: refs/tags/v0.5.0
- Owner: https://github.com/dockfixlabs
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@77c95c1453621fb15abe622dc903fc7c2892fef4
- Trigger Event: release
File details
Details for the file dfx_agentguard-0.5.0-py3-none-any.whl.
File metadata
- Download URL: dfx_agentguard-0.5.0-py3-none-any.whl
- Upload date:
- Size: 39.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 074b91963a8ff2c9bb45dda1ccce5ee48994e2f7d173f071afb6654a314087e5 |
| MD5 | 9d98f2dae1c407f6f2e3866b34ffdf71 |
| BLAKE2b-256 | baed60408e7f10d4e5b9aa8fca4c057a0ecf4f004d2550e3d96a1ca90b1234b4 |
Provenance
The following attestation bundles were made for dfx_agentguard-0.5.0-py3-none-any.whl:
- Publisher: publish.yml on dockfixlabs/agentguard
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: dfx_agentguard-0.5.0-py3-none-any.whl
- Subject digest: 074b91963a8ff2c9bb45dda1ccce5ee48994e2f7d173f071afb6654a314087e5
- Sigstore transparency entry: 2029642865
- Sigstore integration time:
- Permalink: dockfixlabs/agentguard@77c95c1453621fb15abe622dc903fc7c2892fef4
- Branch / Tag: refs/tags/v0.5.0
- Owner: https://github.com/dockfixlabs
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@77c95c1453621fb15abe622dc903fc7c2892fef4
- Trigger Event: release