{"id":46242023,"url":"https://github.com/inkog-io/inkog","last_synced_at":"2026-04-13T13:01:35.617Z","repository":{"id":325115319,"uuid":"1083580491","full_name":"inkog-io/inkog","owner":"inkog-io","description":"The pre-flight check for AI agents","archived":false,"fork":false,"pushed_at":"2026-03-21T12:20:13.000Z","size":1144,"stargazers_count":33,"open_issues_count":9,"forks_count":6,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-03-22T03:15:45.118Z","etag":null,"topics":["agent-testing","ai-security","cli","devsecops","golang","llm-security","owasp","owasp-llm-top-10","sast","security-tools","static-analysis"],"latest_commit_sha":null,"homepage":"https://inkog.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/inkog-io.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-26T10:15:55.000Z","updated_at":"2026-03-21T23:21:50.000Z","dependencies_parsed_at":"2026-02-06T14:00:50.233Z","dependency_job_id":null,"html_url":"https://github.com/inkog-io/inkog","commit_stats":null,"previous_names":["inkog-io/inkog"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/inkog-io/inkog","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inkog-io%2Finkog","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inkog-io%2Finkog/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inkog-io%2Finkog/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inkog-io%2Finkog/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/inkog-io","download_url":"https://codeload.github.com/inkog-io/inkog/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inkog-io%2Finkog/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31753551,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-13T09:16:15.125Z","status":"ssl_error","status_checked_at":"2026-04-13T09:16:05.023Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-testing","ai-security","cli","devsecops","golang","llm-security","owasp","owasp-llm-top-10","sast","security-tools","static-analysis"],"created_at":"2026-03-03T20:31:58.290Z","updated_at":"2026-04-13T13:01:35.612Z","avatar_url":"https://github.com/inkog-io.png","language":"Go","funding_links":[],"categories":["Agent Security","Tools"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"logo.png\" width=\"200\" alt=\"Inkog\"\u003e\n\u003c/p\u003e\n\n\u003ch3 align=\"center\"\u003eThe security co-pilot for AI agent development.\u003c/h3\u003e\n\n\u003cp align=\"center\"\u003e\n  Build secure AI agents from the start. Scan for logic bugs, prompt injection, missing guardrails, and compliance gaps — before they reach production.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"README.md\"\u003eEnglish\u003c/a\u003e ·\n  \u003ca href=\"docs/i18n/README.zh-CN.md\"\u003e简体中文\u003c/a\u003e ·\n  \u003ca href=\"docs/i18n/README.ja.md\"\u003e日本語\u003c/a\u003e ·\n  \u003ca href=\"docs/i18n/README.ko.md\"\u003e한국어\u003c/a\u003e ·\n  \u003ca href=\"docs/i18n/README.es.md\"\u003eEspañol\u003c/a\u003e ·\n  \u003ca href=\"docs/i18n/README.pt-BR.md\"\u003ePortuguês\u003c/a\u003e ·\n  \u003ca href=\"docs/i18n/README.de.md\"\u003eDeutsch\u003c/a\u003e ·\n  \u003ca href=\"docs/i18n/README.fr.md\"\u003eFrançais\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/inkog-io/inkog/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/inkog-io/inkog?label=release\" alt=\"Release\"\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-Apache%202.0-blue.svg\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/inkog-io/inkog\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/inkog-io/inkog\" alt=\"Go Report Card\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/inkog-io/inkog/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://github.com/inkog-io/inkog/actions/workflows/ci.yml/badge.svg\" alt=\"CI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://join.slack.com/t/inkog-io/shared_invite/zt-3jrzztm28-cXyokCXO8KjKC6nBI0l4Gw\"\u003e\u003cimg src=\"https://img.shields.io/badge/Slack-Join%20us-4A154B?logo=slack\u0026logoColor=white\" alt=\"Slack\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"demo.gif\" width=\"800\" alt=\"Inkog scanning AI agent code for vulnerabilities\"\u003e\n\u003c/p\u003e\n\n---\n\nAI agents can loop forever, drain your API budget in minutes, execute arbitrary code from user input, or make high-stakes decisions with zero human oversight. Most of these flaws pass code review because they look like normal code — the danger is in the runtime behavior.\n\nInkog scans your agent code statically and catches these problems before deployment. One command, works across 20+ frameworks, maps findings to EU AI Act and OWASP LLM Top 10.\n\n## When to Use Inkog\n\n- **Building an AI agent** — Scan during development to catch infinite loops, prompt injection, and missing guardrails before they ship\n- **Adding security to CI/CD** — Add `inkog-io/inkog@v1` to GitHub Actions for automated security gates on every PR\n- **Preparing for EU AI Act** — Generate compliance reports mapping your agent to Article 14, NIST AI RMF, OWASP LLM Top 10\n- **Reviewing agent code** — Use from Claude Code, Cursor, or any MCP client to get security analysis while you code\n- **Auditing MCP servers** — Check any MCP server for tool poisoning, privilege escalation, or data exfiltration before installing\n- **Verifying AGENTS.md** — Validate that governance declarations match actual code behavior\n- **Scanning Skill packages** — Audit SKILL.md packages for tool poisoning, command injection, and excessive permissions before adding to your agent\n- **Generating an MLBOM** — Create a Machine Learning Bill of Materials documenting your agent's components, tools, and data flows\n- **Building multi-agent systems** — Detect delegation loops, privilege escalation, and unauthorized handoffs between agents (A2A audit)\n\n## Quick Start\n\nNo install needed:\n\n```bash\nnpx -y @inkog-io/cli scan .\n```\n\nOr install permanently:\n\n| Method | Command |\n|--------|---------|\n| **Install script** | `curl -fsSL https://inkog.io/install.sh \\| sh` |\n| **Homebrew** | `brew tap inkog-io/inkog \u0026\u0026 brew install inkog` |\n| **Go** | `go install github.com/inkog-io/inkog/cmd/inkog@latest` |\n| **Binary** | [Download from Releases](https://github.com/inkog-io/inkog/releases) |\n\n```bash\n# Get your free API key at https://app.inkog.io\nexport INKOG_API_KEY=sk_live_...\n\ninkog .\n```\n\n## What It Catches\n\n| Category | Examples | Why it matters |\n|----------|----------|----------------|\n| **Infinite loops** | Agent re-calls itself with no exit condition, LLM output fed back as input without a cap | Your agent runs forever and racks up API costs |\n| **Prompt injection** | User input flows into system prompt unsanitized, tainted data reaches tool calls | Attackers can hijack your agent's behavior |\n| **Missing guardrails** | No human-in-the-loop for destructive actions, no rate limits on LLM calls, unconstrained tool access | One bad decision and your agent goes rogue |\n| **Hardcoded secrets** | API keys, tokens, and passwords in source code (detected locally, never uploaded) | Credentials leak when you push to GitHub |\n| **Compliance gaps** | Missing human oversight (EU AI Act Article 14), no audit logging, missing authorization checks | You're legally required to have these controls by August 2026 |\n\n[Full detection catalog →](https://docs.inkog.io/vulnerabilities)\n\n## Supported Frameworks\n\n**Code-first:** LangChain · LangGraph · CrewAI · AutoGen · AG2 · OpenAI Agents · Semantic Kernel · Azure AI Foundry · LlamaIndex · Haystack · DSPy · Phidata · Smolagents · PydanticAI · Google ADK\n\n**No-code:** n8n · Flowise · Langflow · Dify · Microsoft Copilot Studio · Salesforce Agentforce\n\n## GitHub Actions\n\n```yaml\n- uses: inkog-io/inkog@v1\n  with:\n    api-key: ${{ secrets.INKOG_API_KEY }}\n    sarif-upload: true   # Shows findings in GitHub Security tab\n```\n\n[Full CI/CD docs →](https://docs.inkog.io/ci-cd/github-action) | [Complete workflow example →](examples/ci/github-actions.yml)\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDeep scan\u003c/strong\u003e\u003c/summary\u003e\n\nRun an advanced orchestrator-based analysis with enriched findings, an agent profile, compliance coverage, and a premium HTML report:\n\n```bash\ninkog -deep .\ninkog -deep -output html . \u003e deep-report.html\n```\n\nRequires the Inkog Deep role. [Deep scan docs →](https://docs.inkog.io/cli/deep-scan)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eSkill \u0026 MCP scan\u003c/strong\u003e\u003c/summary\u003e\n\nScan SKILL.md packages, agent tools, and MCP servers for vulnerabilities:\n\n```bash\n# Scan a skill package\ninkog skill-scan .\ninkog skill-scan --repo https://github.com/org/repo\n\n# Scan an MCP server by registry name\ninkog mcp-scan github\ninkog mcp-scan github --repo https://github.com/org/mcp-server\n\n# Deep scan either\ninkog skill-scan --deep .\ninkog mcp-scan --deep --repo https://github.com/org/mcp-server\n```\n\n[Skill \u0026 MCP scan docs →](https://docs.inkog.io/cli/skill-scan)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eScan policies\u003c/strong\u003e\u003c/summary\u003e\n\n```bash\ninkog . --policy low-noise        # Only proven vulnerabilities\ninkog . --policy balanced          # Vulnerabilities + risk patterns (default)\ninkog . --policy comprehensive     # Everything including hardening tips\ninkog . --policy governance        # Article 14 controls, authorization, audit trails\ninkog . --policy eu-ai-act         # EU AI Act compliance report\n```\n\n[Policy reference →](https://docs.inkog.io/cli/policies)\n\n\u003c/details\u003e\n\n## MCP Server\n\nScan agent code directly from Claude, ChatGPT, or Cursor:\n\n```bash\nnpx -y @inkog-io/mcp\n```\n\n7 tools including MCP server auditing, Skill package scanning, and multi-agent topology analysis. [MCP docs →](https://docs.inkog.io/integrations/mcp)\n\n## Inkog Red — Coming Soon\n\nAutomated adversarial testing for AI agents. Inkog Red probes your running agents with prompt injection, jailbreaks, and tool misuse attacks to validate that defenses hold under real-world conditions.\n\n[Join the waitlist →](https://inkog.io/red)\n\n## Community\n\n- [Documentation](https://docs.inkog.io) — CLI reference, detection patterns, integrations\n- [Slack](https://join.slack.com/t/inkog-io/shared_invite/zt-3jrzztm28-cXyokCXO8KjKC6nBI0l4Gw) — Questions, feedback, feature requests\n- [Issues](https://github.com/inkog-io/inkog/issues) — Bug reports and feature requests\n- [Contributing](CONTRIBUTING.md) — We welcome PRs\n\n## Star History\n\n\u003ca href=\"https://star-history.com/#inkog-io/inkog\u0026Date\"\u003e\n \u003cpicture\u003e\n   \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://api.star-history.com/svg?repos=inkog-io/inkog\u0026type=Date\u0026theme=dark\" /\u003e\n   \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"https://api.star-history.com/svg?repos=inkog-io/inkog\u0026type=Date\" /\u003e\n   \u003cimg alt=\"Star History Chart\" src=\"https://api.star-history.com/svg?repos=inkog-io/inkog\u0026type=Date\" /\u003e\n \u003c/picture\u003e\n\u003c/a\u003e\n\n## License\n\nApache 2.0 — See [LICENSE](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finkog-io%2Finkog","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finkog-io%2Finkog","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finkog-io%2Finkog/lists"}