{"id":35878418,"url":"https://github.com/dotsetlabs/hardpoint","full_name":"dotsetlabs/hardpoint","owner":"dotsetlabs","description":"Detect Rules File Backdoor attacks in AI config files. Scans CLAUDE.md, .cursorrules, mcp.json for hidden prompt injection with 80+ obfuscation-resistant patterns.","language":"Go","license":"mit","homepage":"https://dotsetlabs.com/hardpoint","default_branch":"main","created_at":"2026-01-10T14:46:11.000Z","pushed_at":"2026-01-10T21:27:28.000Z","stargazers_count":0,"forks_count":0,"open_issues_count":0,"topics":["ai-safety","ai-security","cicd-security","claude","cli","code-security","copilot","cursor","devsecops","golang","jailbreak-detection","llm-security","mcp","prompt-injection","rules-file-backdoor","sarif","security-scanner","semantic-analysis","static-analysis","supply-chain-security"],"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","license":"LICENSE","security":"SECURITY.md"},"purl":"pkg:github/dotsetlabs/hardpoint","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dotsetlabs%2Fhardpoint","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdotsetlabs%2Fhardpoint","last_synced_at":"2026-01-13T21:59:08.528Z"}

# Hardpoint

[![Build](https://github.com/dotsetlabs/hardpoint/actions/workflows/ci.yml/badge.svg)](https://github.com/dotsetlabs/hardpoint/actions/workflows/ci.yml)
[![Go Version](https://img.shields.io/github/go-mod/go-version/dotsetlabs/hardpoint)](https://go.dev/)
[![License](https://img.shields.io/github/license/dotsetlabs/hardpoint)](LICENSE)
[![Release](https://img.shields.io/github/v/release/dotsetlabs/hardpoint)](https://github.com/dotsetlabs/hardpoint/releases)

**The Rules File Backdoor Detector**

Static security scanner that detects AI configuration file attacks. Hardpoint finds malicious instructions hidden in `.cursorrules`, `CLAUDE.md`, `mcp.json`, and other AI config files that traditional security tools miss.

## The Threat: Rules File Backdoor

The Rules File Backdoor attack, disclosed in 2025, exploits AI configuration files to persist malicious instructions: once a poisoned rules file is in the repository, every assistant session that loads it follows the attacker's instructions, and the code it generates carries them into the codebase. Attackers hide commands in:

- **HTML comments**, which rendered Markdown viewers hide from human reviewers but the model still reads
- **JSON `_comment` fields** that look like documentation
- **Content after benign introductions** that creates false trust

Traditional security scanners don't detect these attacks because they don't understand AI config file semantics. SAST tools such as Snyk find bugs in code; secret scanners such as GitHub Advanced Security find leaked credentials. Neither models what an assistant will do with an instruction in a rules file. **Hardpoint finds backdoors in AI behavior.**

## Installation

```bash
go install github.com/dotsetlabs/hardpoint/cmd/hardpoint@latest
```

## Usage

### Scan for Backdoors

```bash
# Scan current directory
hardpoint scan

# Scan specific path
hardpoint scan /path/to/project

# Output as SARIF for CI/CD integration
hardpoint scan --format sarif --output results.sarif
```

### Trust Verified Configs

```bash
# Trust a verified AI config file (creates hash)
hardpoint trust CLAUDE.md

# Verify file hasn't changed
hardpoint verify

# List trusted files
hardpoint trust --list
```

A hash baseline only detects tampering if the baseline itself cannot be rewritten by the same actor who edits the config file. Keep the trust record somewhere its changes are reviewed (for example committed and code-reviewed alongside `CLAUDE.md`), not writable by the automation or contributors you are trying to check.

## Core Detections

### AI-008: Semantic Hijacking (FLAGSHIP)

Detection of malicious instructions hidden in file structure. This is Hardpoint's flagship detection for Rules File Backdoor attacks.

| Detection | Description |
|-----------|-------------|
| Comment Divergence | Malicious patterns in comments while the visible content looks benign |
| Hidden Sections | Instructions in HTML `<!-- -->` comments or JSON `_comment` fields |
| Length Anomaly | Hidden content is at least twice the length of the visible content |
| Pattern After Benign | Malicious content introduced after 10+ lines of legitimate content |

### AI-005: MCP Command Injection

Detection of shell metacharacters in MCP server configurations that could allow command injection attacks. Whether a client actually interprets them depends on how it launches the server (a direct exec of `command` plus `args` does not involve a shell, while `"command": "sh"` with `-c` does), but an entry that needs them is not the plain executable-and-argument list a reviewer expects, and deserves a look either way.

| Detection | Description |
|-----------|-------------|
| Command Substitution | `$(...)` and backtick patterns |
| Command Chaining | `&&`, `\|\|`, `;` operators |
| Process Substitution | `>(...)` and `<(...)` patterns |

### AI-004: Encoded Instructions

Detection of Base64 or otherwise encoded content that may hide malicious instructions.

### Git Hook Security

Detection of malicious commands in git hooks that could compromise developer environments.

| Rule | Description |
|------|-------------|
| GIT-001 | Malicious command patterns (curl\|sh, /dev/tcp, nc -e) |
| GIT-002 | Credential exfiltration attempts |
| GIT-003 | Unexpected network access |
| GIT-004 | Obfuscated content in hooks |
| GIT-005 | Suspicious git remote URLs |
| GIT-006 | Suspicious credential helpers |

## Files Scanned

| File | Description |
|------|-------------|
| `.cursorrules` | Cursor editor AI rules |
| `CLAUDE.md` | Claude Code project context |
| `AGENTS.md` | Multi-agent instructions |
| `mcp.json` | MCP server configuration |
| `.github/copilot-instructions.md` | Copilot custom instructions |
| `.windsurfrules` | Windsurf AI rules |
| `.aider*` | Aider configuration |

## Rule Reference

| Rule ID | Category | Severity | Description |
|---------|----------|----------|-------------|
| AI-004 | Encoded Content | Medium | Base64 or otherwise encoded instructions |
| AI-005 | MCP Injection | Critical | Command injection in MCP configs |
| AI-008 | Semantic Hijacking | Critical | Hidden instructions in comments/structure |
| GIT-001 | Git Hooks | Critical | Malicious commands in git hooks |
| GIT-002 | Git Hooks | Critical | Credential exfiltration in hooks |
| GIT-003 | Git Hooks | Medium | Unexpected network access |
| GIT-004 | Git Hooks | High | Obfuscated content in hooks |
| GIT-005 | Git Hooks | Medium | Suspicious git remote URLs |
| GIT-006 | Git Hooks | High | Suspicious credential helpers |

## CI/CD Integration

### GitHub Actions

```yaml
# The job needs a Go toolchain (e.g. actions/setup-go) before these steps and
# `permissions: security-events: write` for the SARIF upload to be accepted.
- name: Hardpoint Security Scan
  run: |
    go install github.com/dotsetlabs/hardpoint/cmd/hardpoint@latest
    hardpoint scan --format sarif --output hardpoint.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: hardpoint.sarif
```

### GitLab CI

GitLab's `codequality` report type expects the Code Climate JSON format, so registering a SARIF file there produces nothing useful. Keep the SARIF output as a plain artifact, or convert it to Code Climate JSON before registering it as a `codequality` report.

```yaml
hardpoint:
  image: golang:latest   # any image with a Go toolchain on PATH
  script:
    - go install github.com/dotsetlabs/hardpoint/cmd/hardpoint@latest
    - hardpoint scan --format sarif --output hardpoint.sarif
  artifacts:
    paths:
      - hardpoint.sarif
    when: always
```

### Pre-commit Hook

```bash
# Install hook
hardpoint hook install

# Or run manually before commit
hardpoint scan --exit-code
```

## Configuration

```yaml
# .hardpoint.yaml
scan:
  paths:
    - .
  exclude:
    - node_modules
    - vendor

trust:
  verify_on_scan: true

output:
  format: terminal  # terminal, json, sarif
```

## Why Hardpoint?

| What Hardpoint Does | What Other Tools Do |
|---------------------|---------------------|
| Scans AI-specific config files | Scan general source code |
| Detects semantic hijacking in comments | Pattern match without context |
| Understands Rules File Backdoor attack | Unaware of AI config threats |
| Config hash verification workflow | No AI config trust model |

## Performance

Hardpoint is designed for speed. Benchmarks run against popular open-source repositories:

| Repository | Files | AI Configs | Scan Time | Findings |
|------------|-------|------------|-----------|----------|
| [next.js](https://github.com/vercel/next.js) | 26,568 | 2 | 33ms | 0 |
| [supabase](https://github.com/supabase/supabase) | 13,808 | 0 | 66ms | 0 |
| [shadcn/ui](https://github.com/shadcn-ui/ui) | 8,022 | 0 | 4ms | 0 |
| [react](https://github.com/facebook/react) | 6,982 | 0 | 4ms | 0 |
| [langchain](https://github.com/langchain-ai/langchain) | 2,975 | 2 | 26ms | 0 |
| [openai-python](https://github.com/openai/openai-python) | 1,220 | 0 | 4ms | 0 |
| [anthropic-cookbook](https://github.com/anthropics/anthropic-cookbook) | 417 | 3 | 8ms | 0 |
| [mcp/servers](https://github.com/modelcontextprotocol/servers) | 156 | 1 | 4ms | 0 |

**Total: 60,148 files scanned in ~150ms across 8 repositories with 8 AI config files.** Because only 8 of those files are AI configs, these figures mostly measure directory walking and file-name matching rather than the detectors themselves.

### False Positive Analysis

Tested against real-world AI configuration files from major open-source projects:

- **8 AI config files** scanned (CLAUDE.md, AGENTS.md) from Next.js, LangChain, Anthropic Cookbook, and MCP servers
- **0 false positives** on legitimate configuration content
- All files contained standard project documentation and AI assistant instructions

Eight files is a small sample, so read this as a smoke test rather than a measured false-positive rate. The semantic hijacking detector (AI-008) uses a confidence scoring system to minimize false positives while catching real attacks. Findings below the threshold are not reported.

## Part of Dotset Labs

Hardpoint focuses on **static analysis** of AI configuration files. For runtime protection of AI tool operations, see [Overwatch](https://github.com/dotsetlabs/overwatch).

```
SCAN (Hardpoint)  →  CONTROL (Overwatch)
Defend against       Stop Tool Shadowing
Rules File Backdoor  and Rogue Agents
```

## License

MIT