{"id":49354955,"url":"https://github.com/sattyamjjain/agent-audit-kit","last_synced_at":"2026-05-23T06:14:03.433Z","repository":{"id":349372738,"uuid":"1202079505","full_name":"sattyamjjain/agent-audit-kit","owner":"sattyamjjain","description":"Static scanner for MCP-connected AI agent pipelines — 194 rules across 11 categories, 12 compliance frameworks, OWASP Agentic 10/10 + MCP 10/10, GitHub Action, SARIF, 48h CVE-to-rule SLA.","archived":false,"fork":false,"pushed_at":"2026-05-09T06:46:34.000Z","size":1825,"stargazers_count":5,"open_issues_count":16,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-09T08:43:05.738Z","etag":null,"topics":["ai-agent","ai-agent-security","ai-safety","ai-security","claude-code","github-action","mcp","mcp-security","owasp","sarif","scanner","security","security-scanner","static-analysis","supply-chain-security","tool-poisoning"],"latest_commit_sha":null,"homepage":"https://github.com/sattyamjjain/agent-audit-kit#readme","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sattyamjjain.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.cves.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP_2026.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"sattyamjjain"}},"created_at":"2026-04-05T15:12:41.000Z","updated_at":"2026-05-09T06:46:13.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/sattyamjjain/agent-audit-kit","commit_stats":null,"previous_names":["sattyamjjain/agent-audit-kit"],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/sattyamjjain/agent-audit-kit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sattyamjjain%2Fagent-audit-kit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sattyamjjain%2Fagent-audit-kit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sattyamjjain%2Fagent-audit-kit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sattyamjjain%2Fagent-audit-kit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sattyamjjain","download_url":"https://codeload.github.com/sattyamjjain/agent-audit-kit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sattyamjjain%2Fagent-audit-kit/sbom","scorecard":{"id":1245660,"data":{"date":"2026-04-05T16:58:07Z","repo":{"name":"github.com/sattyamjjain/agent-audit-kit","commit":"3efcfc71497dd1dc09af08ae7e3088d9b646bbc6"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":5.4,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":-1,"reason":"no pull request found","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/14 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":7,"reason":"dependency not pinned by hash detected -- score normalized to 7","details":["Warn: pipCommand not pinned by hash: Dockerfile:10","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:26","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:27","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:36","Info:  13 out of  13 GitHub-owned GitHubAction dependencies pinned","Info:   8 out of   8 third-party GitHubAction dependencies pinned","Info:   1 out of   1 containerImage dependencies pinned","Info:   0 out of   4 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool detected: CodeQL","details":["Info: SAST configuration detected: CodeQL","Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:17","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:18","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:50","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:119","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:18","Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:9","Warn: topLevel 'packages' permission set to 'write': .github/workflows/release.yml:10","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:9"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-04-05T17:28:48.758Z","repository_id":349372738,"created_at":"2026-04-05T17:28:48.758Z","updated_at":"2026-04-05T17:28:48.758Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33129104,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-16T18:38:32.183Z","status":"online","status_checked_at":"2026-05-17T02:00:05.366Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agent","ai-agent-security","ai-safety","ai-security","claude-code","github-action","mcp","mcp-security","owasp","sarif","scanner","security","security-scanner","static-analysis","supply-chain-security","tool-poisoning"],"created_at":"2026-04-27T13:00:36.414Z","updated_at":"2026-05-23T06:14:03.425Z","avatar_url":"https://github.com/sattyamjjain.png","language":"Python","funding_links":["https://github.com/sponsors/sattyamjjain"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ch1 align=\"center\"\u003eAgentAuditKit\u003c/h1\u003e\n  \u003cp align=\"center\"\u003e\u003cstrong\u003eThe missing \u003ccode\u003enpm audit\u003c/code\u003e for AI agents.\u003c/strong\u003e\u003c/p\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/sattyamjjain/agent-audit-kit/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://github.com/sattyamjjain/agent-audit-kit/actions/workflows/ci.yml/badge.svg\" alt=\"CI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://pypi.org/project/agent-audit-kit/\"\u003e\u003cimg src=\"https://img.shields.io/pypi/v/agent-audit-kit.svg\" alt=\"PyPI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.python.org/downloads/\"\u003e\u003cimg src=\"https://img.shields.io/badge/python-3.9+-blue.svg\" alt=\"Python 3.9+\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-yellow.svg\" alt=\"License: MIT\"\u003e\u003c/a\u003e\n  \u003ca href=\"#what-it-scans\"\u003e\u003cimg src=\"https://img.shields.io/badge/rules-206-blue.svg\" alt=\"Rules: 206\"\u003e\u003c/a\u003e\n  \u003ca href=\"#frameworks--standards\"\u003e\u003cimg src=\"https://img.shields.io/badge/OWASP_Agentic-10%2F10-green.svg\" alt=\"OWASP Agentic: 10/10\"\u003e\u003c/a\u003e\n  \u003ca href=\"#frameworks--standards\"\u003e\u003cimg src=\"https://img.shields.io/badge/OWASP_MCP-10%2F10-green.svg\" alt=\"OWASP MCP: 10/10\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://sattyamjjain.github.io/agent-audit-kit/\"\u003e\u003cimg src=\"https://img.shields.io/badge/MCP_Security_Index-live-blue.svg\" alt=\"MCP Security Index\"\u003e\u003c/a\u003e\n  \u003ca href=\"CHANGELOG.cves.md\"\u003e\u003cimg src=\"https://img.shields.io/badge/CVE%E2%86%92rule_SLA-48h-orange.svg\" alt=\"48h CVE-to-rule SLA\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://asciinema.org/a/9X7N1ztuuIYi9T2P\" target=\"_blank\"\u003e\u003cimg src=\"https://asciinema.org/a/9X7N1ztuuIYi9T2P.svg\" alt=\"AgentAuditKit Demo\" width=\"700\"/\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nSecurity scanner for MCP-connected AI agent pipelines. Finds misconfigurations, hardcoded secrets, tool poisoning, rug pulls, trust boundary violations, and tainted data flows across **13 agent platforms**.\n\n- **\u003c!-- rule-count:total --\u003e206\u003c!-- /rule-count --\u003e rules** across 11 security categories, covering the 2026 CVE wave\n- **\u003c!-- scanner-count:total --\u003e66\u003c!-- /scanner-count --\u003e scanner modules** including AST-based Python taint analysis and regex pattern scanners for TypeScript/JavaScript and Rust\n- **16 CLI commands**: `scan`, `discover`, `pin`, `verify`, `fix`, `score`, `update`, `proxy`, `kill`, `watch`, plus `export-rules`, `verify-bundle`, `sbom`, `report`, `install-precommit`, and the Security-Advisories scan flag\n- **OWASP coverage**: Agentic Top 10 (10/10), MCP Top 10 (10/10), Adversa AI Top 25\n- **Compliance mapping** (12 frameworks): EU AI Act Art. 15 + 55, SOC 2, ISO 27001, ISO/IEC 42001, HIPAA, NIST AI RMF, Singapore Agentic AI, India DPDP 2023, **Alabama Personal Data Protection Act (HB 351, 2026)**, **Tennessee SB 1580 Health Care AI (PRA)**, **MCP 2026 Roadmap (May 2026)** — PDF reports via `agent-audit-kit report --format pdf --framework \u003cname\u003e`\n- **Supply chain**: deterministic rule bundle (`export-rules`), Sigstore-signed releases, CycloneDX + SPDX SBOM (`sbom`)\n- **MCP Security Index**: weekly public leaderboard at [sattyamjjain.github.io/agent-audit-kit](https://sattyamjjain.github.io/agent-audit-kit/) — per-server grade cards (A–F), 90-day [disclosure policy](docs/disclosure-policy.md)\n- **AAK Response SLA**: rule coverage within **48 hours** of any disclosed MCP CVE — ledger in [CHANGELOG.cves.md](CHANGELOG.cves.md)\n- **Zero cloud dependencies** — runs fully offline, zero network calls in the default scan path\n\n### Why This Exists\n\nIn early 2026, [30 MCP CVEs dropped in 60 days](https://www.heyuan110.com/posts/ai/2026-03-10-mcp-security-2026/). [CVE-2026-33032](https://nvd.nist.gov/vuln/detail/CVE-2026-33032) (Nginx-UI MCP auth bypass, CVSS 9.8) exposed a shared-handler pattern that several other servers have. [CVE-2025-59536](https://nvd.nist.gov/vuln/detail/CVE-2025-59536) turned a project-local Claude Code hook into RCE. [CVE-2026-34070](https://nvd.nist.gov/vuln/detail/CVE-2026-34070) hit LangChain's `load_prompt()` with absolute-path and `..` traversal. [CVE-2026-21852](https://nvd.nist.gov/vuln/detail/CVE-2026-21852) demonstrated source-code exfiltration via a single Claude Code config flag. A 2,614-server survey found **82% of public MCP servers** had path-traversal issues. On 2026-05-01, [OX Security disclosed 10+ CVEs](https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) across DocsGPT, GPT-Researcher, Agent-Zero, LettaAI, LiteLLM, LangFlow, Flowise, Bisheng, and Langchain-Chatchat — all rooted in the same MCP STDIO command-injection class `AAK-MCP-STDIO-CMD-INJ-*` covers. Meanwhile, every AI coding assistant adopted MCP with sparse security tooling.\n\nAgentAuditKit is the deterministic, auditor-ready OSS scanner that closes the gap.\n\n\u003e **Architectural note:** AAK rules are multi-arm adjudicators (pin arm + source/config arm + explicit-reject short-circuit + adjudicator log), not single-shot regex matchers. See [docs/notes/adjudicator-pattern.md](docs/notes/adjudicator-pattern.md) for the four-arm structure and the Mozilla / arXiv precedents.\n\n---\n\n## Quick Start\n\n### GitHub Action (Recommended)\n\n```yaml\n# .github/workflows/agent-security.yml\nname: Agent Security Scan\non: [push, pull_request]\n\npermissions:\n  security-events: write\n  contents: read\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: sattyamjjain/agent-audit-kit@v0.3.24\n        with:\n          fail-on: high\n```\n\nFindings appear as **inline PR annotations** in the GitHub Security tab via SARIF.\n\n### CLI\n\n```bash\npip install agent-audit-kit\nagent-audit-kit scan .\n```\n\n### Pre-commit Hook\n\n```yaml\n# .pre-commit-config.yaml\nrepos:\n  - repo: https://github.com/sattyamjjain/agent-audit-kit\n    rev: v0.3.24\n    hooks:\n      - id: agent-audit-kit\n```\n\n### Try It Now\n\nScan a deliberately vulnerable config to see AgentAuditKit in action:\n\n```bash\ngit clone https://github.com/sattyamjjain/agent-audit-kit\ncd agent-audit-kit\npip install -e .\nagent-audit-kit scan examples/vulnerable-configs/04-hook-exfiltration/\n```\n\n11 vulnerability examples covering all security categories in the [examples/](examples/) directory. See also the [damn-vulnerable-MCP-server case study](examples/case-studies/damn-vulnerable-mcp/).\n\n---\n\n## What It Scans\n\n| Category | Rules | What It Detects |\n|----------|:-----:|-----------------|\n| **MCP Configuration** | \u003c!-- category-count:MCP_CONFIG --\u003e39\u003c!-- /category-count --\u003e | Missing auth middleware (CVE-2026-33032 class), empty IP allowlists, wildcard CORS, path traversal in resource handlers, SSRF (CWE-918), OAuth 2.1 misconfig (PKCE/S256/DPoP), Tasks primitive leakage (SEP-1686), shell injection, MCPwn middleware-asymmetry, Azure MCP no-auth (CVE-2026-32211), MCP Inspector vendored fork (CVE-2026-23744) |\n| **Supply Chain** | \u003c!-- category-count:SUPPLY_CHAIN --\u003e40\u003c!-- /category-count --\u003e | Vulnerable LangChain / langchain-text-splitters versions, named pin rules for `astro-mcp-server` / `chatgpt-mcp-server` / `docsgpt` / `gpt-researcher` / `litellm` / `mcp-calculate-server` / `semantic-kernel` / `@anthropic-ai/claude-code` / `apache-doris-mcp-server` / `excel-mcp-server`, OX MCP-STDIO command-injection (Python/TS/Java/Rust) — `AAK-MCP-STDIO-CMD-INJ-001..004` — Stainless-generator lineage, marketplace.json signatures / typosquat / mutable refs, unpinned packages, dangerous install scripts |\n| **Tool Poisoning** | \u003c!-- category-count:TOOL_POISONING --\u003e26\u003c!-- /category-count --\u003e | Invisible Unicode / bidi, skill frontmatter injection, SKILL.md post-install commands, data-exfil primitives, skill name hijacking, cross-tool references, rug-pull (SHA-256 pinning), `@mcp.tool` unsafe-eval (CVE-2026-44717 generalization), OpenAPI smells (Hermes paper LAZY/BLOATED/TANGLED), Metis POMDP refusal-refeed + scoring-sink, SkillsVote lifecycle attribution, MCP Calculate Server pin |\n| **Secret Exposure** | \u003c!-- category-count:SECRET_EXPOSURE --\u003e17\u003c!-- /category-count --\u003e | Anthropic/OpenAI/AWS/GitHub/GitLab/GCP keys, Shannon-entropy detection, `.env` leaks, private-key files, hardcoded credential surface, token-leak via log sinks (CVE-2026-20205) |\n| **Agent Config** | \u003c!-- category-count:AGENT_CONFIG --\u003e15\u003c!-- /category-count --\u003e | Routines permission escalation + schedule injection + audit-log gaps, AGENTS.md/CLAUDE.md/.cursorrules hijacking, hidden Unicode, encoded payloads, internal scanner-fail signal, Project Deal economic-drift detection |\n| **A2A Protocol** | \u003c!-- category-count:A2A_PROTOCOL --\u003e13\u003c!-- /category-count --\u003e | Missing mutual auth, unbounded delegation, transitive trust, replay protection, schema confusion, HTTP endpoints, JWT lifetime/validation, impersonation, multi-agent shared-state without lock (Code-as-Harness) |\n| **Hook Injection** | \u003c!-- category-count:HOOK_INJECTION --\u003e12\u003c!-- /category-count --\u003e | Hook RCE (CVE-2025-59536 class), `shell=True` + interpolation, pre-trust execution, network-capable hooks, credential exfiltration |\n| **Taint Analysis** | \u003c!-- category-count:TAINT_ANALYSIS --\u003e12\u003c!-- /category-count --\u003e | `@tool` param flows to shell/eval/SQL/SSRF/file/deserialization sinks (Python AST), `load_prompt()` user-path reachability, transport-flip MITM (DocsGPT + GPT-Researcher) |\n| **Transport Security** | \u003c!-- category-count:TRANSPORT_SECURITY --\u003e11\u003c!-- /category-count --\u003e | HTTP endpoints, TLS disabled, deprecated SSE, tokens in URL query strings, transport body-size limits (CVE-2026-39313), SSRF redirect bypass (CVE-2026-41481), DNS-rebinding (CVE-2025-66414/66416, CVE-2026-35568/35577) |\n| **Legal Compliance** | \u003c!-- category-count:LEGAL_COMPLIANCE --\u003e11\u003c!-- /category-count --\u003e | Copyleft licenses (AGPL/SSPL), missing licenses, DMCA-flagged packages, India PII surface, US-state consumer privacy (Alabama HB 351, Tennessee SB 1580), Singapore Agentic AI, healthcare AI triggers |\n| **Trust Boundaries** | \u003c!-- category-count:TRUST_BOUNDARY --\u003e10\u003c!-- /category-count --\u003e | `enableAllProjectMcpServers`, API URL redirects, wildcard permissions, missing deny rules, missing allowlists, Claude Code folder-trust bypass (CVE-2026-40068) |\n\n**\u003c!-- rule-count:total --\u003e206\u003c!-- /rule-count --\u003e rules total.** Every finding includes severity, evidence, remediation, OWASP references, Adversa references, and CVE links where applicable.\n\n### Agent Platforms Scanned\n\nClaude Code, Cursor, VS Code Copilot, Windsurf, Amazon Q, Gemini CLI, Goose, Continue, Roo Code, Kiro + user-level global configs.\n\n### Language Support\n\n| Language | Scanning Method | What It Finds |\n|----------|----------------|---------------|\n| **Python** | AST analysis (stdlib `ast`) | `@tool` param flows to dangerous sinks (eval, subprocess, SQL, file I/O, HTTP); LangChain `load_prompt()` user-path reachability |\n| **TypeScript / JS** | Regex pattern scan | `eval()`, `child_process.exec`, `fs.writeFileSync`, SSRF patterns, OAuth token passthrough in MCP server files |\n| **Rust** | Regex pattern scan | `Command::new(format!())`, `unsafe` blocks, SQL macros without parameterization |\n\n_Note: Phase 2 scanners (`ssrf_patterns`, `oauth_misconfig`, `mcp_auth_patterns`, `hook_rce`, `skill_poisoning`, `mcp_tasks`) are regex-based; a tree-sitter AST migration is tracked in [issue #22](https://github.com/sattyamjjain/agent-audit-kit/issues/22)._\n\n---\n\n## CLI Reference\n\n### Commands\n\n| Command | Description |\n|---------|-------------|\n| `agent-audit-kit scan .` | Full security scan |\n| `agent-audit-kit scan . --ci` | CI mode: SARIF + `--fail-on high` |\n| `agent-audit-kit discover` | Find all AI agent configs on the machine |\n| `agent-audit-kit pin .` | Pin tool definitions (SHA-256 hashes) |\n| `agent-audit-kit verify .` | Check tools against pins (detect rug pulls) |\n| `agent-audit-kit fix . --dry-run` | Auto-fix common misconfigurations |\n| `agent-audit-kit score .` | Security grade (A-F) + SVG badge |\n| `agent-audit-kit update` | Update vulnerability database |\n| `agent-audit-kit proxy --port 8765 --target URL` | Start MCP interception proxy |\n| `agent-audit-kit kill` | Terminate running proxy |\n| `agent-audit-kit export-rules --out rules.json` | Write deterministic rule bundle + SHA-256 (Sigstore-signable) |\n| `agent-audit-kit verify-bundle rules.json [--signature sig]` | Verify bundle digest or Sigstore signature |\n| `agent-audit-kit sbom . --format {cyclonedx,spdx}` | Emit CycloneDX 1.5 / SPDX 2.3 SBOM for MCP deps |\n| `agent-audit-kit report . --framework FRAMEWORK --format pdf` | Auditor-ready compliance report (EU AI Act / SOC 2 / ISO 27001 / HIPAA / NIST AI RMF) |\n| `agent-audit-kit install-precommit` | Add the hook to `.pre-commit-config.yaml` |\n\n### Scan Flags\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--format` | `console` | Output: `console`, `json`, `sarif` |\n| `--severity` | `low` | Minimum severity to report |\n| `--fail-on` | `none` | Exit 1 at this severity: `critical`, `high`, `medium`, `low`, `none` |\n| `--output` / `-o` | stdout | Write output to file |\n| `--ci` | | Shorthand: `--format sarif --fail-on high -o agent-audit-results.sarif` |\n| `--config` | | Path to `.agent-audit-kit.yml` |\n| `--rules` | all | Comma-separated rule IDs to include |\n| `--exclude-rules` | | Comma-separated rule IDs to skip |\n| `--ignore-paths` | | Comma-separated paths to exclude |\n| `--include-user-config` | | Also scan `~/.claude/`, `~/.cursor/`, etc. |\n| `--score` | | Show security score and grade |\n| `--owasp-report` | | Generate OWASP coverage matrix |\n| `--compliance FRAMEWORK` | | Compliance report: `eu-ai-act`, `soc2`, `iso27001`, `hipaa`, `nist-ai-rmf`, `mcp-2026-roadmap` |\n| `--verify-secrets` | | Probe APIs to check if leaked keys are live (opt-in) |\n| `--diff BASE_REF` | | Only report findings in files changed since BASE_REF |\n| `--llm-scan` | | Local LLM semantic analysis via Ollama (opt-in) |\n| `--strict-loading` | | Fail loudly if any optional scanner module can't be imported (default: silently skip) |\n| `--verbose` / `-v` | | Detailed scan progress |\n\n### Exit Codes\n\n| Code | Meaning |\n|:----:|---------|\n| 0 | Scan passed — no findings exceed `--fail-on` threshold |\n| 1 | Scan failed — findings meet or exceed `--fail-on` severity |\n| 2 | Error — invalid path, malformed config, etc. |\n\n---\n\n## Configuration\n\nCreate `.agent-audit-kit.yml` in your project root:\n\n```yaml\nseverity: medium\nfail-on: high\nignore-paths:\n  - vendor/\n  - third_party/\nexclude-rules:\n  - AAK-MCP-007    # We intentionally don't pin npx versions\ninclude-user-config: false\n```\n\nCLI flags always take precedence over config file values.\n\n---\n\n## GitHub Action Reference\n\n### Inputs\n\n| Input | Default | Description |\n|-------|---------|-------------|\n| `path` | `.` | Directory to scan |\n| `severity` | `low` | Minimum severity to report |\n| `fail-on` | `high` | Fail at this severity or above (`none` = never fail) |\n| `format` | `sarif` | Output format: `sarif`, `json`, `console` |\n| `upload-sarif` | `true` | Upload SARIF to GitHub Security tab |\n| `include-user-config` | `false` | Scan user-level agent configs |\n| `rules` | | Comma-separated rule IDs to include |\n| `exclude-rules` | | Comma-separated rule IDs to skip |\n| `ignore-paths` | | Comma-separated paths to exclude |\n| `config` | | Path to `.agent-audit-kit.yml` |\n\n### Outputs\n\n| Output | Description |\n|--------|-------------|\n| `findings-count` | Total number of findings |\n| `critical-count` | Count of CRITICAL findings |\n| `high-count` | Count of HIGH findings |\n| `sarif-file` | Path to SARIF output file |\n| `exit-code` | 0 = pass, 1 = findings exceed threshold |\n\n---\n\n## SARIF Integration\n\nWith `upload-sarif: true` (default), findings appear:\n- As **inline annotations** on PR diffs showing exactly which line has the issue\n- In the **Security tab** under Code Scanning with full remediation guidance\n- With **OWASP references** and **CVE links** for each finding\n\nSARIF output conforms to [SARIF 2.1.0](https://json.schemastore.org/sarif-2.1.0.json) with `fingerprints`, `partialFingerprints`, `fixes[]`, `security-severity` scores, and `%SRCROOT%` relative paths.\n\n---\n\n## Security Scoring\n\n```bash\nagent-audit-kit score .\n# Security Score: 85/100  Grade: B\n```\n\n| Grade | Score | Meaning |\n|:-----:|:-----:|---------|\n| A | 90-100 | Excellent — minimal risk |\n| B | 75-89 | Good — minor issues |\n| C | 60-74 | Fair — needs attention |\n| D | 40-59 | Poor — significant risk |\n| F | 0-39 | Critical — immediate action required |\n\nGenerate an SVG badge for your README: `agent-audit-kit score . --badge`\n\n---\n\n## Frameworks \u0026 Standards\n\n| Framework | Coverage |\n|-----------|----------|\n| **OWASP Agentic Top 10** (ASI01-ASI10) | 10/10 (100%) — density by slot below |\n| **OWASP MCP Top 10** (MCP01-MCP10) | 10/10 (100%) |\n\n\u003cdetails\u003e\n\u003csummary\u003eOWASP Agentic Top 10 — density by slot\u003c/summary\u003e\n\n\u003c!-- owasp-coverage:start --\u003e\n| ASI | Title | # rules |\n| --- | --- | --- |\n| **ASI01** | Goal Hijack | 11 |\n| **ASI02** | Tool Misuse | 32 |\n| **ASI03** | Memory Poisoning | 47 |\n| **ASI04** | Identity \u0026 Privilege Abuse | 33 |\n| **ASI05** | Cascading Failures | 30 |\n| **ASI06** | Unauthorized Capability Acquisition | 25 |\n| **ASI07** | Plan Injection | 9 |\n| **ASI08** | Agent Communication Poisoning | 4 |\n| **ASI09** | Resource Abuse | 14 |\n| **ASI10** | Supply-Chain | 20 |\n\u003c!-- owasp-coverage:end --\u003e\n\n\u003c/details\u003e\n\n| **Adversa AI MCP Security Top 25** | Fully mapped |\n| **EU AI Act** | `--compliance eu-ai-act` |\n| **SOC 2 Type II** | `--compliance soc2` |\n| **ISO 27001:2022** | `--compliance iso27001` |\n| **HIPAA Security Rule** | `--compliance hipaa` |\n| **NIST AI RMF 1.0** | `--compliance nist-ai-rmf` |\n| **MCP 2026 Roadmap (May 2026)** | `--compliance mcp-2026-roadmap` |\n\n---\n\n## Tool Pinning \u0026 Rug Pull Detection\n\nMCP servers can silently change tool definitions after you approve them. AgentAuditKit detects this:\n\n```bash\n# Create initial pins (commit tool-pins.json to git)\nagent-audit-kit pin .\n\n# In CI, verify nothing changed\nagent-audit-kit verify .\n```\n\nDetects: tool definitions changed (AAK-RUGPULL-001), new tools added (AAK-RUGPULL-002), tools removed (AAK-RUGPULL-003).\n\n---\n\n## Comparison\n\nSee [`docs/comparisons.md`](docs/comparisons.md) for a fully-sourced version. Verifiable claims only.\n\n| Feature | AgentAuditKit | Microsoft AGT | Snyk Agent Scan | Semgrep Multimodal |\n|---------|:---:|:---:|:---:|:---:|\n| Scope | Static scanner + compliance PDFs | Runtime governance | Static + runtime | Multimodal SAST |\n| Detection rules (static) | **\u003c!-- rule-count:total --\u003e206\u003c!-- /rule-count --\u003e** | Runtime policies, not rules | ~30 | LLM-assisted |\n| OWASP Agentic 10/10 | **Yes** | Yes | Partial | Partial |\n| OWASP MCP 10/10 | **Yes** | No (runtime-focused) | No | No |\n| Auditor-ready PDF compliance | **12 frameworks** | No | 0 | 0 |\n| Regional frameworks (IN/SG/AL/TN) | **Yes** | No | No | No |\n| Sigstore-signed rule bundle | **Yes** | SLSA provenance | No | No |\n| CycloneDX + SPDX SBOM output | **Yes** | No | No | No |\n| Public 48h CVE-to-rule SLA | **Yes** | No | No | No |\n| Public grade leaderboard | **Yes** (MCP Security Index) | No | No | No |\n| Pin + drift verification | **Yes** | Yes (runtime rings) | No | No |\n| Auto-fix CVE dependency bumps | **Yes** (`fix --cve`) | No | No | No |\n| GitHub Security Advisories | **Yes** (`--advisories`) | No | No | No |\n| Secret verification | **Yes** | No | No | No |\n| A2A protocol scanning | **12 rules** | Agent Mesh | No | No |\n| Healthcare-AI legal triggers | **Yes** (TN SB 1580, KS/WA/UT) | No | No | No |\n| Offline / zero cloud | **Yes** | Yes | No | Optional |\n| License | **MIT** | MIT | Proprietary | Proprietary |\n\n**Microsoft AGT is an ally, not a competitor.** It governs agents at\nruntime; agent-audit-kit audits them at CI time and produces the PDF an\nauditor needs. Use both — the overlap is small, the reinforcement is\nhigh. See [docs/comparisons.md](docs/comparisons.md) for the full\npositioning write-up.\n\n---\n\n## VS Code Extension\n\nA VS Code/Cursor extension is available in `vscode-extension/`:\n\n```bash\ncd vscode-extension \u0026\u0026 npm install \u0026\u0026 npm run compile\n```\n\nProvides inline diagnostics on file save with quick-fix suggestions.\n\n---\n\n## MCP Security Index\n\nPublic leaderboard of MCP servers we scan weekly:\n**[sattyamjjain.github.io/agent-audit-kit](https://sattyamjjain.github.io/agent-audit-kit/)**\n\n- Per-server grade cards (A–F)\n- Weekly snapshots in `data/history.json`\n- **90-day coordinated disclosure** before anything lands on a public card — see [`docs/disclosure-policy.md`](docs/disclosure-policy.md)\n- Maintainer-fix earlier gets published the day the fix lands, with credit\n\n## AAK Response SLA\n\nWe publicly commit to shipping rule coverage within **48 hours** of any disclosed MCP CVE. The ledger is [`CHANGELOG.cves.md`](CHANGELOG.cves.md) and a [GitHub Action](.github/workflows/cve-watcher.yml) watches NVD's MCP keyword feed every 6 hours.\n\n## Supply chain\n\nEvery `v*` release publishes:\n\n- **Wheel + sdist** on PyPI via OIDC Trusted Publisher\n- **Docker image** on GHCR (`ghcr.io/sattyamjjain/agent-audit-kit:\u003ctag\u003e`) with SLSA provenance attestation\n- **Sigstore keyless-signed rule bundle** (`rules.json` + `rules.json.sha256`)\n- **CycloneDX + SPDX SBOM** (`sbom.cdx.json`, `sbom.spdx.json`)\n\nVerify a bundle:\n\n```bash\nagent-audit-kit verify-bundle rules.json --signature rules.json.sigstore\n```\n\n---\n\n## Contributing\n\n```bash\ngit clone https://github.com/sattyamjjain/agent-audit-kit\ncd agent-audit-kit\npip install -e \".[dev]\"\npytest -v                          # 504 tests\nruff check .                       # Lint\nmypy agent_audit_kit/              # Type check (52 source files, 0 errors)\nagent-audit-kit scan .             # Self-scan\n```\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for the full development guide.\n\n## Security\n\nReport vulnerabilities via [GitHub Security Advisories](https://github.com/sattyamjjain/agent-audit-kit/security/advisories) or see [SECURITY.md](SECURITY.md).\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsattyamjjain%2Fagent-audit-kit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsattyamjjain%2Fagent-audit-kit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsattyamjjain%2Fagent-audit-kit/lists"}