{"id":50372438,"url":"https://github.com/mughal-baig/agentic-workflow-guard","last_synced_at":"2026-05-30T08:00:40.455Z","repository":{"id":361127946,"uuid":"1253184477","full_name":"Mughal-Baig/agentic-workflow-guard","owner":"Mughal-Baig","description":"Scan GitHub Actions workflows for AI-agent injection and unsafe prompt flows","archived":false,"fork":false,"pushed_at":"2026-05-29T08:48:07.000Z","size":33,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-29T10:22:31.487Z","etag":null,"topics":["ai-agents","code-scanning","devsecops","github-actions","llm","prompt-injection","sarif","security"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mughal-Baig.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/roadmap.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-29T08:15:32.000Z","updated_at":"2026-05-29T08:47:46.000Z","dependencies_parsed_at":"2026-05-30T08:00:38.159Z","dependency_job_id":null,"html_url":"https://github.com/Mughal-Baig/agentic-workflow-guard","commit_stats":null,"previous_names":["mughal-baig/agentic-workflow-guard"],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/Mughal-Baig/agentic-workflow-guard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mughal-Baig%2Fagentic-workflow-guard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mughal-Baig%2Fagentic-workflow-guard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mughal-Baig%2Fagentic-workflow-guard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mughal-Baig%2Fagentic-workflow-guard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mughal-Baig","download_url":"https://codeload.github.com/Mughal-Baig/agentic-workflow-guard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mughal-Baig%2Fagentic-workflow-guard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33684413,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","code-scanning","devsecops","github-actions","llm","prompt-injection","sarif","security"],"created_at":"2026-05-30T08:00:33.272Z","updated_at":"2026-05-30T08:00:40.437Z","avatar_url":"https://github.com/Mughal-Baig.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Agentic Workflow Guard\n\n[![Test](https://github.com/Mughal-Baig/agentic-workflow-guard/actions/workflows/test.yml/badge.svg)](https://github.com/Mughal-Baig/agentic-workflow-guard/actions/workflows/test.yml)\n[![Code Scanning](https://github.com/Mughal-Baig/agentic-workflow-guard/actions/workflows/code-scanning.yml/badge.svg)](https://github.com/Mughal-Baig/agentic-workflow-guard/actions/workflows/code-scanning.yml)\n[![GitHub release](https://img.shields.io/github/v/release/Mughal-Baig/agentic-workflow-guard)](https://github.com/Mughal-Baig/agentic-workflow-guard/releases)\n[![npm](https://img.shields.io/npm/v/awguard)](https://www.npmjs.com/package/awguard)\n[![AWI risk](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Mughal-Baig/agentic-workflow-guard/main/docs/awguard-badge.json)](docs/awguard-badge.json)\n[![Project site](https://img.shields.io/badge/site-live-0f766e)](https://mughal-baig.github.io/agentic-workflow-guard/)\n[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)\n\n![Agentic Workflow Guard terminal demo](docs/assets/terminal-demo.svg)\n\n`agentic-workflow-guard` is a small, zero-dependency scanner for GitHub Actions workflows, persistent agent instruction files, and MCP configs used by AI coding agents, LLMs, or automated review bots.\n\nIt looks for a new class of CI/CD risk: untrusted issue, pull request, comment, or branch text flowing into an AI agent prompt, then into write-capable tools, secrets, shell scripts, persistent instructions that weaken review boundaries, or MCP servers that expand agent authority.\n\nIts unique output is an **Agentic Workflow Injection attack graph**:\n\n```mermaid\nflowchart LR\n  s[\"GitHub issue/comment/PR text\"] --\u003e p[\"AI agent prompt\"]\n  p --\u003e c[\"agent tools or shell\"]\n  c --\u003e a[\"secrets / write token\"]\n  a --\u003e i[\"repo modification or secret exposure\"]\n```\n\n## Why This Project Can Reach People\n\nDevelopers want AI speed, but they also want a safety net. Stack Overflow's 2025 Developer Survey found that agent users report productivity gains, while 81% of respondents still worry about security and data privacy for AI agents. GitHub's Octoverse 2025 says AI is now standard in development, with more than 1.1 million public repositories using an LLM SDK and 80% of new developers using Copilot in their first week.\n\nThe missing piece is a tool that is easy enough for maintainers to add before they fully understand the security problem. This project gives them one command and one GitHub Action.\n\n## Install\n\nFor local development:\n\n```bash\nnpm test\nnode ./bin/awguard.js .\n```\n\nInstall from npm:\n\n```bash\nnpx awguard .\n```\n\nGenerate a starter config, GitHub Action, baseline command, and badge snippet:\n\n```bash\nnpx awguard init\n```\n\nCheck your local setup, config discovery, scan target, and GitHub Actions summary support:\n\n```bash\nnpx awguard doctor\n```\n\nExplain a rule, print README badge snippets, or run the built-in vulnerable lab demo:\n\n```bash\nnpx awguard explain AWG001\nnpx awguard badges --repo OWNER/REPO --site https://OWNER.github.io/REPO/\nnpx awguard demo\n```\n\n## Use In GitHub Actions\n\nAfter you upload this repository to GitHub, users can add:\n\n```yaml\nname: Agentic Workflow Guard\n\non:\n  pull_request:\n  workflow_dispatch:\n\npermissions:\n  contents: read\n\njobs:\n  scan-agent-workflows:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v6\n      - uses: Mughal-Baig/agentic-workflow-guard@v0\n        with:\n          config: awguard.config.json\n          preset: strict\n          fail-on: high\n```\n\nWhen AWGuard runs inside GitHub Actions it also writes a job summary with scanned file count, finding count, highest severity, top findings, and follow-up commands.\n\nTo adopt the scanner without breaking CI on old findings, commit a baseline file and use:\n\n```yaml\n      - uses: Mughal-Baig/agentic-workflow-guard@v0\n        with:\n          baseline: awguard.baseline.json\n          fail-on: high\n```\n\n## Use With GitHub Code Scanning\n\nGenerate SARIF and upload it with GitHub's official CodeQL SARIF upload action:\n\n```yaml\nname: Agentic Workflow Guard Code Scanning\n\non:\n  push:\n  schedule:\n    - cron: '22 5 * * 1'\n  workflow_dispatch:\n\npermissions:\n  contents: read\n  security-events: write\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v6\n      - uses: Mughal-Baig/agentic-workflow-guard@v0\n        with:\n          format: sarif\n          output: awguard.sarif\n          fail-on: none\n      - uses: github/codeql-action/upload-sarif@v4\n        with:\n          sarif_file: awguard.sarif\n          category: agentic-workflow-guard\n```\n\n## CLI\n\n```bash\nawguard [path] [--config file] [--preset name] [--format text|json|markdown|github|sarif|graph|html|migration|score|badge|inventory|inventory-json] [--output file] [--baseline file] [--write-baseline file] [--fix-dry-run] [--fix] [--fail-on none|low|medium|high|critical]\nawguard init\nawguard doctor [path] [--config file] [--preset name]\nawguard explain [AWG###]\nawguard badges [--repo OWNER/REPO] [--branch main] [--badge-file docs/awguard-badge.json] [--site URL]\nawguard demo\nawguard templates [all|github|code-scanning|gitlab|pre-commit|vscode]\nawguard policy-pack [oss|strict|enterprise]\nawguard policy-wizard [path] [--dry-run] [--format markdown|json] [--output awguard.config.json]\nawguard baseline-review [path] --baseline awguard.baseline.json [--format text|json] [--prune]\nawguard --compare previous.json current.json\n```\n\nExamples:\n\n```bash\nnode ./bin/awguard.js doctor\nnode ./bin/awguard.js explain AWG013\nnode ./bin/awguard.js badges --repo Mughal-Baig/agentic-workflow-guard --site https://mughal-baig.github.io/agentic-workflow-guard/\nnode ./bin/awguard.js demo\nnode ./bin/awguard.js templates github\nnode ./bin/awguard.js policy-pack strict\nnode ./bin/awguard.js policy-wizard . --dry-run\nnode ./bin/awguard.js baseline-review . --baseline awguard.baseline.json\nnode ./bin/awguard.js examples/unsafe-agent.yml\nnode ./bin/awguard.js . --config awguard.config.json\nnode ./bin/awguard.js . --preset strict --format graph\nnode ./bin/awguard.js . --format html --output awguard-report.html\nnode ./bin/awguard.js . --format migration --output awguard-migration.md\nnode ./bin/awguard.js . --format inventory\nnode ./bin/awguard.js . --format inventory-json --output awguard-inventory.json\nnode ./bin/awguard.js . --format score\nnode ./bin/awguard.js . --format badge --output awguard-badge.json\nnode ./bin/awguard.js . --fix-dry-run\nnode ./bin/awguard.js . --fix\nnode ./bin/awguard.js . --format markdown --fail-on medium\nnode ./bin/awguard.js . --format sarif --output awguard.sarif --fail-on none\nnode ./bin/awguard.js . --write-baseline awguard.baseline.json\nnode ./bin/awguard.js . --baseline awguard.baseline.json --fail-on high\nnode ./bin/awguard.js --compare old-awguard.json new-awguard.json\nnode ./bin/awguard.js . --format github --fail-on high\n```\n\n## Baseline Mode\n\nBaseline mode lets a project start using the scanner without failing CI for already-known issues.\n\nCreate a baseline:\n\n```bash\nnode ./bin/awguard.js . --write-baseline awguard.baseline.json --fail-on none\n```\n\nThen fail only on findings that are not in the baseline:\n\n```bash\nnode ./bin/awguard.js . --baseline awguard.baseline.json --fail-on high\n```\n\nThe baseline stores stable finding fingerprints, not secrets or workflow contents.\n\nReview and prune stale baseline entries:\n\n```bash\nnode ./bin/awguard.js baseline-review . --baseline awguard.baseline.json\nnode ./bin/awguard.js baseline-review . --baseline awguard.baseline.json --format json\nnode ./bin/awguard.js baseline-review . --baseline awguard.baseline.json --prune\n```\n\n`baseline-review` never rewrites the baseline unless `--prune` is present.\n\n## Configuration\n\nAgentic Workflow Guard automatically loads `awguard.config.json` or `.awguard.json` from the scan root. You can also pass `--config`.\n\n```json\n{\n  \"$schema\": \"https://raw.githubusercontent.com/Mughal-Baig/agentic-workflow-guard/main/schemas/awguard.config.schema.json\",\n  \"scan\": {\n    \"include\": [\".github/workflows/*\", \"AGENTS.md\", \".mcp.json\"],\n    \"exclude\": [\"node_modules/*\", \"dist/*\", \"build/*\"],\n    \"maxFiles\": 250,\n    \"maxFileBytes\": 262144\n  },\n  \"rules\": {\n    \"AWG010\": \"off\",\n    \"AWG008\": \"low\",\n    \"AWG004\": {\n      \"severity\": \"critical\"\n    }\n  },\n  \"suppressions\": {\n    \"allowedRules\": [\"AWG001\", \"AWG002\"],\n    \"minimumReasonLength\": 20\n  }\n}\n```\n\nRule values can be `\"off\"`, `\"low\"`, `\"medium\"`, `\"high\"`, or `\"critical\"`.\nSee `examples/awguard.config.example.json` for a complete template.\nThe config schema is published at `schemas/awguard.config.schema.json` for editor completion and validation.\n`scan.maxFiles` and `scan.maxFileBytes` are optional guardrails for very large repositories; leave them out if you do not want hard limits.\n\nGenerate starter policy packs:\n\n```bash\nnode ./bin/awguard.js policy-pack oss\nnode ./bin/awguard.js policy-pack strict\nnode ./bin/awguard.js policy-pack enterprise\n```\n\nGenerate a starter policy from the current repository surfaces:\n\n```bash\nnode ./bin/awguard.js policy-wizard . --dry-run\nnode ./bin/awguard.js policy-wizard . --format json --output awguard.config.json\n```\n\nReview the generated allowlists before committing them. The wizard preserves existing config fields when you pass `--config`.\n\nGenerate CI and editor templates:\n\n```bash\nnode ./bin/awguard.js templates all\nnode ./bin/awguard.js templates code-scanning\nnode ./bin/awguard.js templates pre-commit\n```\n\nPR comment bot starter:\n\n- Copy `examples/pr-comment-bot.yml` to `.github/workflows/awguard-pr-comment.yml`.\n- It uses `pull_request`, `contents: read`, and `pull-requests: write`.\n- It only posts comments for same-repository pull requests; forked pull requests still get the scan job without exposing secrets or privileged `pull_request_target` behavior.\n\nDocker usage:\n\n```bash\ndocker run --rm -v \"$PWD:/repo\" ghcr.io/mughal-baig/agentic-workflow-guard:latest . --preset strict\n```\n\nGitHub Actions Docker job:\n\n```yaml\njobs:\n  awguard:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v6\n      - run: docker run --rm -v \"$PWD:/repo\" ghcr.io/mughal-baig/agentic-workflow-guard:latest . --preset strict --fail-on high\n```\n\nGitLab CI container job:\n\n```yaml\nawguard:\n  image:\n    name: ghcr.io/mughal-baig/agentic-workflow-guard:latest\n    entrypoint: [\"\"]\n  script:\n    - awguard . --preset strict --fail-on high\n```\n\nBuilt-in presets:\n\n- `strict`\n- `claude-code`\n- `codex`\n- `aider`\n- `triage-bot`\n\nUse them with `--preset strict` or in config with `\"extends\": [\"strict\"]`.\n\n## Attack Graph And HTML Reports\n\nGenerate a Mermaid attack graph:\n\n```bash\nnode ./bin/awguard.js examples/unsafe-agent.yml --format graph\n```\n\nGenerate a standalone HTML report:\n\n```bash\nnode ./bin/awguard.js examples/unsafe-agent.yml --format html --output awguard-report.html\n```\n\nThe report maps source, prompt boundary, capability, authority, and impact for each finding.\n\n## Safe-Output Migration Plans\n\nGenerate a migration checklist for converting unsafe agent workflows into read-only agent jobs plus validated safe outputs or approved apply jobs:\n\n```bash\nnode ./bin/awguard.js examples/unsafe-agent.yml --format migration --output awguard-migration.md\n```\n\nThe migration report groups findings by workflow file, explains the risk shape, suggests allowed GitHub operations, and gives a reference two-stage pattern:\n\n```text\nuntrusted GitHub event text\n  -\u003e read-only agent job\n  -\u003e structured proposal artifact\n  -\u003e schema and policy validation\n  -\u003e safe outputs or approved apply job\n```\n\n## AWI Score And Badge\n\nGenerate a shareable Agentic Workflow Injection scorecard:\n\n```bash\nnode ./bin/awguard.js . --format score\n```\n\nGenerate a Shields.io endpoint badge JSON:\n\n```bash\nnode ./bin/awguard.js . --format badge --output docs/awguard-badge.json\n```\n\nThen add a badge to your README:\n\n```markdown\n[![AWI risk](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/OWNER/REPO/main/docs/awguard-badge.json)](docs/awguard-badge.json)\n```\n\nOr print all common badge snippets:\n\n```bash\nnode ./bin/awguard.js badges --repo OWNER/REPO\n```\n\nThe score starts at 100 and subtracts risk for critical, high, medium, and low findings. This makes AWGuard easy to show in a README without hiding the detailed SARIF, graph, and migration reports.\n\n## Agentic Surface Inventory\n\nGenerate a repository map of agent-related surfaces:\n\n```bash\nnode ./bin/awguard.js . --format inventory\n```\n\nThe inventory groups scanned files into GitHub Actions workflows, persistent agent context files, and MCP configs. It shows which surfaces exist, which rules fired, and what to review next. This is useful before a team enables new coding agents because it answers: \"Where can agents read instructions, get tools, or act in CI?\"\n\nFor dashboards, use JSON:\n\n```bash\nnode ./bin/awguard.js . --format inventory-json --output awguard-inventory.json\n```\n\n## Compare Reports\n\nTrack newly introduced agentic risk across branches or releases:\n\n```bash\nnode ./bin/awguard.js . --format json --output current-awguard.json\nnode ./bin/awguard.js --compare previous-awguard.json current-awguard.json\nnode ./bin/awguard.js --compare previous-awguard.json current-awguard.json --format json\n```\n\nThe comparison report shows introduced findings, resolved findings, added scanned files, removed scanned files, and agentic surface drift by workflows, agent context files, MCP configs, and other scanned files.\n\nMachine-readable report schemas are documented in [docs/schemas.md](docs/schemas.md).\n\n## Policy Mode\n\nPolicy mode makes new agent surfaces visible during review. Add allowlists to `awguard.config.json`:\n\n```json\n{\n  \"policy\": {\n    \"approvedFiles\": [\"AGENTS.md\", \".github/workflows/*\"],\n    \"approvedMcpServers\": [\"github\"],\n    \"approvedMcpPackages\": [\"@modelcontextprotocol/server-github@1.2.3\"],\n    \"approvedMcpPackageScopes\": [\"@modelcontextprotocol/\"],\n    \"approvedMcpCommands\": [\"npx\", \"node\"]\n  }\n}\n```\n\nAnything outside the policy is reported as `AWG015`.\n\n## Agent Context Guard\n\nAWGuard also scans persistent agent instruction files:\n\n- `AGENTS.md`\n- `CLAUDE.md`\n- `CODEX.md`\n- `GEMINI.md`\n- `.github/copilot-instructions.md`\n- `.github/instructions/*.instructions.md`\n- `.github/agents/*.md`\n- `.github/prompts/*.prompt.md`\n- `.github/skills/**/SKILL.md`\n- `.cursor/rules/*.{md,mdc,txt}`\n- `.cursorrules`, `.windsurfrules`, and `.clinerules`\n\nIt flags instruction files that tell agents to bypass approvals, skip permission prompts, obey issue or PR text as commands, or expose secrets.\n\n## MCP Trust Boundary Guard\n\nAWGuard also scans project-scoped MCP config files without starting the configured servers:\n\n- `.mcp.json`\n- `mcp.json`\n- `.vscode/mcp.json`\n- `.cursor/mcp.json`\n- `.windsurf/mcp_config.json`\n- `.codeium/windsurf/mcp_config.json`\n- `cline_mcp_settings.json`\n- `.cline/mcp_settings.json`\n- `.roo/mcp.json`\n- `.kilocode/mcp.json`\n- `claude_desktop_config.json`\n\nIt flags MCP configs that start mutable packages such as `npx package`, `uvx package@latest`, or unpinned Docker images, and configs that commit tokens, API keys, passwords, or authorization headers.\nWhen `policy.approvedMcpPackageScopes` is configured, it also reports MCP packages outside reviewed publisher scopes as `AWG019` without contacting package registries.\n\n## Fix Dry Run\n\nPrint remediation guidance without editing files:\n\n```bash\nnode ./bin/awguard.js examples/unsafe-agent.yml --fix-dry-run\n```\n\nApply only narrow, deterministic workflow hardening edits:\n\n```bash\nnode ./bin/awguard.js . --fix\n```\n\nAutofix currently handles safe `permissions: write-all` replacement, missing top-level `permissions: contents: read`, and `actions/checkout` `persist-credentials: false`. Review `git diff` before committing.\n\n## Explain And Demo\n\nExplain any rule:\n\n```bash\nnode ./bin/awguard.js explain AWG004\n```\n\nRun the built-in unsafe-to-fixed lab walkthrough without network access:\n\n```bash\nnode ./bin/awguard.js demo\n```\n\n## Inline Suppressions\n\nSuppressions are for reviewed false positives. They must include a reason after `--`.\n\n```yaml\n# awguard-disable-next-line AWG001,AWG002 -- Reviewed: this workflow only runs after maintainer approval.\n- run: openai --prompt \"${{ github.event.comment.body }}\"\n\npermissions: write-all # awguard-disable-line AWG004 -- Reviewed: release job needs tag write access.\n```\n\nIf you omit rule ids, the suppression applies to all findings on the target line. Suppression comments without a clear reason are reported as `AWG011`.\n\n## What It Detects\n\n| Rule | Severity | What it finds |\n| --- | --- | --- |\n| AWG001 | High/Critical | Untrusted GitHub event text passed into an AI agent prompt |\n| AWG002 | High | Untrusted GitHub context interpolated in a shell script |\n| AWG003 | Critical | `pull_request_target` checking out PR head code |\n| AWG004 | High | AI-agent workflows with broad write permissions |\n| AWG005 | High | Secrets exposed to untrusted agent workflows |\n| AWG006 | High | Agent flags such as `--dangerously-skip-permissions` or `--yolo` |\n| AWG007 | High | Model/agent output names flowing into command execution |\n| AWG008 | Medium | Agent workflow missing explicit `permissions` |\n| AWG009 | Medium | `workflow_run` consuming artifacts before scripts |\n| AWG010 | Low | Third-party actions in agent workflows not pinned to a SHA |\n| AWG011 | Medium | Invalid suppression comments |\n| AWG012 | High/Critical | Agent instruction files that weaken approval, permission, or secret boundaries |\n| AWG013 | High | MCP configs that start mutable packages, unpinned containers, or shell wrappers |\n| AWG014 | Critical | MCP configs that hardcode secrets, tokens, passwords, or auth headers |\n| AWG015 | Medium | Agentic surfaces, MCP servers, packages, or commands not approved by policy |\n| AWG016 | High | Checkout credentials persisting in elevated agent workflows |\n| AWG017 | Critical | Agent writeback without branch, PR, or artifact containment |\n| AWG018 | High/Critical | Untrusted GitHub event text passed into MCP tool inputs or environment |\n| AWG019 | Medium | MCP packages outside configured trusted package scopes |\n\nJSON and SARIF outputs also include a stable `remediationCode` such as `permissions.tighten-token`, `mcp.pin-server`, or `writeback.use-pr-branch`. Use these codes for dashboards, routing, and automation that should not depend on free-text suggestions.\n\n## How It Compares\n\nSee [docs/comparison.md](docs/comparison.md) for how AWGuard fits beside `zizmor`, `actionlint`, OpenSSF Scorecard, secret scanners, and MCP runtime scanners.\n\n## Adoption Docs\n\n- [Setup recipes](docs/setup-recipes.md): Claude Code, Codex, Cursor, GitHub Copilot, Cline, and safe PR comment bots.\n- [Report gallery](docs/report-gallery.md): text, GitHub annotations, SARIF, inventory, attack graph, HTML, migration, score, badge, compare, and policy wizard outputs.\n- [Rule authoring](docs/rule-authoring.md): how to add high-signal AWGuard rules and fixtures.\n- [npm publishing](docs/npm-publishing.md): trusted publishing, OIDC, and provenance setup.\n- [Release checklist](docs/release-checklist.md): Marketplace screenshots, package checks, and release steps.\n- [VS Code extension POC](examples/vscode-extension/README.md): command palette scan, diagnostics, and `$awguard` problem matcher.\n- [Dashboard POC](examples/dashboard/README.md): local trend dashboard for AWI score, findings, and agentic surface growth.\n\n## Example Corpus\n\nThe [real-world pattern corpus](examples/corpus/README.md) contains intentionally unsafe fixtures for PR review agents, `pull_request_target`, persistent instructions, reusable prompts, Cursor rules, and MCP configs.\n\nRun it locally:\n\n```bash\nnode ./bin/awguard.js examples/corpus --format inventory\nnode ./bin/awguard.js examples/corpus --format migration\n```\n\n## Example Finding\n\n```text\n[CRITICAL] AWG001 Untrusted text reaches an AI agent prompt\n  .github/workflows/ai-triage.yml:24\n  User-controlled GitHub event text appears to be used as prompt/input for an AI agent.\n  Fix: Keep issue, PR, comment, and branch text out of privileged agent prompts unless it is reviewed, delimited, and sanitized.\n```\n\n## Roadmap\n\n- Hosted AWI score API for dynamic cross-repository badges.\n- Agent capability SBOM for prompts, tools, MCP servers, permissions, and write paths.\n- Trend reports that show newly added agent surfaces and newly introduced findings.\n- GitHub App integration for always-on repository monitoring.\n\n## Contributing And Security\n\nContributions are welcome. Start with [CONTRIBUTING.md](CONTRIBUTING.md) and [docs/rule-authoring.md](docs/rule-authoring.md), and report sensitive security issues using [SECURITY.md](SECURITY.md).\n\n## Research Backing\n\nSee [docs/market-analysis.md](docs/market-analysis.md) for the demand analysis, gap, audience, and launch plan.\nSee [docs/roadmap.md](docs/roadmap.md) for the scope expansion roadmap.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmughal-baig%2Fagentic-workflow-guard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmughal-baig%2Fagentic-workflow-guard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmughal-baig%2Fagentic-workflow-guard/lists"}