AI Agent Security Testing Framework โ multi-phase scan campaigns with knowledge graph tracking
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
ZIRAN ๐ง
AI Agent Security Testing
Find vulnerabilities in AI agents โ not just LLMs, but agents with tools, memory, and multi-step reasoning.
Install ยท Quick Start ยท Examples ยท Docs
Why ZIRAN?
Most security tools test the LLM (prompt injection, jailbreaks) or the web app (XSS, SQLi). ZIRAN tests the AI agent โ the system that wields tools, retains memory, and chains reasoning. That's a fundamentally different attack surface.
| Capability | ZIRAN | Garak | Promptfoo | PyRIT | Shannon |
|---|---|---|---|---|---|
| Agent-aware (tools + memory) | Yes | โ | Partial | โ | โ |
| Tool chain analysis | Yes | โ | โ | โ | โ |
| Multi-phase campaigns | Yes | โ | โ | Partial | Yes |
| Knowledge graph tracking | Yes | โ | โ | โ | โ |
| CI/CD quality gate | Yes | โ | Yes | โ | Pro |
| Open source | Apache-2.0 | Apache-2.0 | MIT | MIT | AGPL-3.0 |
Key differentiators:
- Tool Chain Analysis โ Detects dangerous tool combinations (
read_fileโhttp_request= data exfiltration). No other tool does this. - Romance Scan โ Multi-phase campaigns that build trust before testing boundaries, like a real attacker.
- Knowledge Graph โ Every discovered capability, relationship, and attack path is tracked in a live graph.
- Framework Agnostic โ LangChain, CrewAI, MCP, or write your own adapter.
Install
pip install ziran
# with framework adapters
pip install ziran[langchain] # LangChain support
pip install ziran[crewai] # CrewAI support
pip install ziran[all] # everything
Quick Start
CLI
# scan a LangChain agent
ziran scan --framework langchain --agent-path my_agent.py
# view the interactive HTML report
open reports/campaign_*_report.html
Python API
import asyncio
from ziran.application.agent_scanner.scanner import AgentScanner
from ziran.application.attacks.library import AttackLibrary
from ziran.infrastructure.adapters.langchain_adapter import LangChainAdapter
adapter = LangChainAdapter(agent=your_agent)
scanner = AgentScanner(adapter=adapter, attack_library=AttackLibrary())
result = asyncio.run(scanner.run_campaign())
print(f"Vulnerabilities found: {result.total_vulnerabilities}")
print(f"Dangerous tool chains: {len(result.dangerous_tool_chains)}")
See examples/ for 14 runnable demos โ from static analysis to multi-agent supervisor scans.
What ZIRAN Finds
Prompt-level โ injection, system prompt extraction, memory poisoning, chain-of-thought manipulation.
Tool-level โ tool manipulation, privilege escalation, data exfiltration chains.
Tool chains (unique to ZIRAN) โ automatic graph analysis of dangerous tool compositions:
โโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Risk โ Type โ Tools โ Description โ
โโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ critical โ data_exfiltration โ read_file โ http_request โ File contents sent to external serverโ
โ critical โ sql_to_rce โ sql_query โ execute_code โ SQL results executed as code โ
โ high โ pii_leakage โ get_user_info โ external_apiโ User PII sent to third-party API โ
โโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
How It Works
flowchart LR
subgraph agent["๐ค Your Agent"]
direction TB
T["๐ง Tools"]
M["๐ง Memory"]
P["๐ Permissions"]
end
agent -->|"adapter layer"| D
subgraph ziran["โฉ๏ธ ZIRAN Pipeline"]
direction TB
D["1 ยท DISCOVER\nProbe tools, permissions,\ndata access"]
MAP["2 ยท MAP\nBuild knowledge graph\n(NetworkX MultiDiGraph)"]
A["3 ยท ANALYZE\nWalk graph for dangerous\nchains (30+ patterns)"]
ATK["4 ยท ATTACK\nMulti-phase exploits\ninformed by the graph"]
R["5 ยท REPORT\nScored findings with\nremediation guidance"]
D --> MAP --> A --> ATK --> R
end
R --> HTML["๐ HTML\nInteractive graph"]
R --> MD["๐ Markdown\nCI/CD tables"]
R --> JSON["๐ฆ JSON\nMachine-parseable"]
style agent fill:#1a1a2e,stroke:#e94560,color:#fff,stroke-width:2px
style ziran fill:#0f3460,stroke:#e94560,color:#fff,stroke-width:2px
style D fill:#16213e,stroke:#0ea5e9,color:#fff
style MAP fill:#16213e,stroke:#0ea5e9,color:#fff
style A fill:#16213e,stroke:#0ea5e9,color:#fff
style ATK fill:#16213e,stroke:#e94560,color:#fff
style R fill:#16213e,stroke:#10b981,color:#fff
style HTML fill:#1e293b,stroke:#10b981,color:#fff
style MD fill:#1e293b,stroke:#10b981,color:#fff
style JSON fill:#1e293b,stroke:#10b981,color:#fff
style T fill:#2d2d44,stroke:#e94560,color:#fff
style M fill:#2d2d44,stroke:#e94560,color:#fff
style P fill:#2d2d44,stroke:#e94560,color:#fff
Romance Scan Phases
| Phase | Goal |
|---|---|
| Reconnaissance | Discover capabilities and data sources |
| Trust Building | Establish rapport with the agent |
| Capability Mapping | Map tools, permissions, data access |
| Vulnerability Discovery | Identify attack paths |
| Exploitation Setup | Position without triggering defences |
| Execution | Execute the exploit chain |
| Persistence | Maintain access across sessions (opt-in) |
| Exfiltration | Extract sensitive data (opt-in) |
Each phase builds on the knowledge graph from previous phases.
Reports
Three output formats, generated automatically:
- HTML โ Interactive knowledge graph with attack path highlighting
- Markdown โ CI/CD-friendly summary tables
- JSON โ Machine-parseable for programmatic consumption
CI/CD Integration
Use ZIRAN as a quality gate in your pipeline:
# GitHub Actions
- uses: taoq-ai/ziran@v1
with:
agent-path: my_agent.py
framework: langchain
fail-on: high # fail the build on high+ findings
Or with the Python API โ see 07-cicd-quality-gate.
Development
git clone https://github.com/taoq-ai/ziran.git && cd ziran
uv sync --group dev
uv run ruff check . # lint
uv run mypy ziran/ # type-check
uv run pytest --cov=ziran # test
Contributing
See CONTRIBUTING.md. Ways to help:
- Report bugs
- Request features
- Submit Skill CVEs for tool vulnerabilities
- Add attack vectors (YAML) or adapters
License
Apache License 2.0 โ See NOTICE for third-party attributions.
Built by TaoQ AI
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
ziran-0.1.1.tar.gz
(974.5 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
ziran-0.1.1-py3-none-any.whl
(175.8 kB
view details)
File details
Details for the file ziran-0.1.1.tar.gz.
File metadata
- Download URL: ziran-0.1.1.tar.gz
- Upload date:
- Size: 974.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
82d4b3dfadc4c9281d118cef962d09ef8e60b46c52a22b1f4c6a399b9f3bae6f
|
|
| MD5 |
685266c1cd0f4b2b848520a082992fdf
|
|
| BLAKE2b-256 |
0ac609cb21846d37600e756f48a23aa0dd97425f35abd81f52ac5c75d00b4c63
|
Provenance
The following attestation bundles were made for ziran-0.1.1.tar.gz:
Publisher:
release.yml on taoq-ai/ziran
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ziran-0.1.1.tar.gz -
Subject digest:
82d4b3dfadc4c9281d118cef962d09ef8e60b46c52a22b1f4c6a399b9f3bae6f - Sigstore transparency entry: 943831446
- Sigstore integration time:
-
Permalink:
taoq-ai/ziran@1d88cef9dfc6b4657b80598f0d2ca35af856c3e8 -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/taoq-ai
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@1d88cef9dfc6b4657b80598f0d2ca35af856c3e8 -
Trigger Event:
push
-
Statement type:
File details
Details for the file ziran-0.1.1-py3-none-any.whl.
File metadata
- Download URL: ziran-0.1.1-py3-none-any.whl
- Upload date:
- Size: 175.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6e3c0cd42a3f58a34e28e6428d67c6c5f64be97d59e2596f40f4763cb4d21bb1
|
|
| MD5 |
5a2fc8e4a65c7ad287aea6669b9a59fb
|
|
| BLAKE2b-256 |
20124bb5477e139e3cd04746417cc5b02069f98953e838f206db16579ce62cbd
|
Provenance
The following attestation bundles were made for ziran-0.1.1-py3-none-any.whl:
Publisher:
release.yml on taoq-ai/ziran
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ziran-0.1.1-py3-none-any.whl -
Subject digest:
6e3c0cd42a3f58a34e28e6428d67c6c5f64be97d59e2596f40f4763cb4d21bb1 - Sigstore transparency entry: 943831460
- Sigstore integration time:
-
Permalink:
taoq-ai/ziran@1d88cef9dfc6b4657b80598f0d2ca35af856c3e8 -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/taoq-ai
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@1d88cef9dfc6b4657b80598f0d2ca35af856c3e8 -
Trigger Event:
push
-
Statement type:
