Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/dotsetlabs/hardpoint

Detect Rules File Backdoor attacks in AI config files. Scans CLAUDE.md, .cursorrules, mcp.json for hidden prompt injection with 80+ obfuscation-resistant patterns.
https://github.com/dotsetlabs/hardpoint

ai-safety ai-security cicd-security claude cli code-security copilot cursor devsecops golang jailbreak-detection llm-security mcp prompt-injection rules-file-backdoor sarif security-scanner semantic-analysis static-analysis supply-chain-security

Last synced: 2 months ago
JSON representation

Detect Rules File Backdoor attacks in AI config files. Scans CLAUDE.md, .cursorrules, mcp.json for hidden prompt injection with 80+ obfuscation-resistant patterns.

Awesome Lists containing this project

README 

          
# Hardpoint



[![Build](https://github.com/dotsetlabs/hardpoint/actions/workflows/ci.yml/badge.svg)](https://github.com/dotsetlabs/hardpoint/actions/workflows/ci.yml)

[![Go Version](https://img.shields.io/github/go-mod/go-version/dotsetlabs/hardpoint)](https://go.dev/)

[![License](https://img.shields.io/github/license/dotsetlabs/hardpoint)](LICENSE)

[![Release](https://img.shields.io/github/v/release/dotsetlabs/hardpoint)](https://github.com/dotsetlabs/hardpoint/releases)



**The Rules File Backdoor Detector**



Static security scanner that detects AI configuration file attacks. Hardpoint finds malicious instructions hidden in `.cursorrules`, `CLAUDE.md`, `mcp.json`, and other AI config files that traditional security tools miss.



## The Threat: Rules File Backdoor



The Rules File Backdoor attack (24 CVEs in 2025) exploits AI configuration files to persist malicious instructions. Attackers hide commands in:



- **HTML comments** that appear invisible to human reviewers

- **JSON `_comment` fields** that look like documentation

- **Content after benign introductions** that creates false trust



Traditional security scanners don't detect these attacks because they don't understand AI config file semantics. Snyk finds bugs in code. GitHub Advanced Security finds secrets. **Hardpoint finds backdoors in AI behavior.**



## Installation



```bash

go install github.com/dotsetlabs/hardpoint/cmd/hardpoint@latest

```



## Usage



### Scan for Backdoors



```bash

# Scan current directory

hardpoint scan



# Scan specific path

hardpoint scan /path/to/project



# Output as SARIF for CI/CD integration

hardpoint scan --format sarif --output results.sarif

```



### Trust Verified Configs



```bash

# Trust a verified AI config file (creates hash)

hardpoint trust CLAUDE.md



# Verify file hasn't changed

hardpoint verify



# List trusted files

hardpoint trust --list

```



## Core Detections



### AI-008: Semantic Hijacking (FLAGSHIP)



Detection of malicious instructions hidden in file structure. This is Hardpoint's flagship detection for Rules File Backdoor attacks.



| Detection | Description |

|-----------|-------------|

| Comment Divergence | Malicious patterns in comments while visible content looks benign |

| Hidden Sections | Instructions in HTML `` or JSON `_comment` fields |

| Length Anomaly | Hidden content exceeds visible content by 2x+ |

| Pattern After Benign | Malicious content after 10+ lines of legitimate content |



### AI-005: MCP Command Injection



Detection of shell metacharacters in MCP server configurations that could allow command injection attacks.



| Detection | Description |

|-----------|-------------|

| Command Substitution | `$(...)` and backtick patterns |

| Command Chaining | `&&`, `\|\|`, `;` operators |

| Process Substitution | `>(...)` and `<(...)` patterns |



### AI-004: Encoded Instructions



Detection of Base64 or otherwise encoded content that may hide malicious instructions.



### Git Hook Security



Detection of malicious commands in git hooks that could compromise developer environments.



| Rule | Description |

|------|-------------|

| GIT-001 | Malicious command patterns (curl\|sh, /dev/tcp, nc -e) |

| GIT-002 | Credential exfiltration attempts |

| GIT-003 | Unexpected network access |

| GIT-004 | Obfuscated content in hooks |

| GIT-005 | Suspicious git remote URLs |

| GIT-006 | Suspicious credential helpers |



## Files Scanned



| File | Description |

|------|-------------|

| `.cursorrules` | Cursor editor AI rules |

| `CLAUDE.md` | Claude Code project context |

| `AGENTS.md` | Multi-agent instructions |

| `mcp.json` | MCP server configuration |

| `.github/copilot-instructions.md` | Copilot custom instructions |

| `.windsurfrules` | Windsurf AI rules |

| `.aider*` | Aider configuration |



## Rule Reference



| Rule ID | Category | Severity | Description |

|---------|----------|----------|-------------|

| AI-004 | Encoded Content | Medium | Base64 or otherwise encoded instructions |

| AI-005 | MCP Injection | Critical | Command injection in MCP configs |

| AI-008 | Semantic Hijacking | Critical | Hidden instructions in comments/structure |

| GIT-001 | Git Hooks | Critical | Malicious commands in git hooks |

| GIT-002 | Git Hooks | Critical | Credential exfiltration in hooks |

| GIT-003 | Git Hooks | Medium | Unexpected network access |

| GIT-004 | Git Hooks | High | Obfuscated content in hooks |

| GIT-005 | Git Hooks | Medium | Suspicious git remote URLs |

| GIT-006 | Git Hooks | High | Suspicious credential helpers |



## CI/CD Integration



### GitHub Actions



```yaml

- name: Hardpoint Security Scan

  run: |

    go install github.com/dotsetlabs/hardpoint/cmd/hardpoint@latest

    hardpoint scan --format sarif --output hardpoint.sarif



- name: Upload SARIF

  uses: github/codeql-action/upload-sarif@v3

  with:

    sarif_file: hardpoint.sarif

```



### GitLab CI



```yaml

hardpoint:

  script:

    - go install github.com/dotsetlabs/hardpoint/cmd/hardpoint@latest

    - hardpoint scan --format sarif --output gl-code-quality-report.json

  artifacts:

    reports:

      codequality: gl-code-quality-report.json

```



### Pre-commit Hook



```bash

# Install hook

hardpoint hook install



# Or run manually before commit

hardpoint scan --exit-code

```



## Configuration



```yaml

# .hardpoint.yaml

scan:

  paths:

    - .

  exclude:

    - node_modules

    - vendor



trust:

  verify_on_scan: true



output:

  format: terminal  # terminal, json, sarif

```



## Why Hardpoint?



| What Hardpoint Does | What Other Tools Do |

|---------------------|---------------------|

| Scans AI-specific config files | Scan general source code |

| Detects semantic hijacking in comments | Pattern match without context |

| Understands Rules File Backdoor attack | Unaware of AI config threats |

| Config hash verification workflow | No AI config trust model |



## Performance



Hardpoint is designed for speed. Benchmarks run against popular open-source repositories:



| Repository | Files | AI Configs | Scan Time | Findings |

|------------|-------|------------|-----------|----------|

| [next.js](https://github.com/vercel/next.js) | 26,568 | 2 | 33ms | 0 |

| [supabase](https://github.com/supabase/supabase) | 13,808 | 0 | 66ms | 0 |

| [shadcn/ui](https://github.com/shadcn-ui/ui) | 8,022 | 0 | 4ms | 0 |

| [react](https://github.com/facebook/react) | 6,982 | 0 | 4ms | 0 |

| [langchain](https://github.com/langchain-ai/langchain) | 2,975 | 2 | 26ms | 0 |

| [openai-python](https://github.com/openai/openai-python) | 1,220 | 0 | 4ms | 0 |

| [anthropic-cookbook](https://github.com/anthropics/anthropic-cookbook) | 417 | 3 | 8ms | 0 |

| [mcp/servers](https://github.com/modelcontextprotocol/servers) | 156 | 1 | 4ms | 0 |



**Total: 60,148 files scanned in ~150ms across 8 repositories with 8 AI config files.**



### False Positive Analysis



Tested against real-world AI configuration files from major open-source projects:



- **8 AI config files** scanned (CLAUDE.md, AGENTS.md) from Next.js, LangChain, Anthropic Cookbook, and MCP servers

- **0 false positives** on legitimate configuration content

- All files contained standard project documentation and AI assistant instructions



The semantic hijacking detector (AI-008) uses a confidence scoring system to minimize false positives while catching real attacks. Findings below the threshold are not reported.



## Part of Dotset Labs



Hardpoint focuses on **static analysis** of AI configuration files. For runtime protection of AI tool operations, see [Overwatch](https://github.com/dotsetlabs/overwatch).



```

SCAN (Hardpoint)  →  CONTROL (Overwatch)

Defend against       Stop Tool Shadowing

Rules File Backdoor  and Rogue Agents

```



## License



MIT