hackmyagent 0.9.9 → 0.10.0

package/README.md

@@ -12,7 +12,7 @@ Security scanner and red-team toolkit for AI agents — 147 checks, 55 adversari
 
 Works with Claude Code, Cursor, VS Code, and any MCP server setup.
 
-[Website](https://hackmyagent.com) | [Security Checks Reference](docs/SECURITY_CHECKS.md) | [OpenA2A CLI](https://github.com/opena2a-org/opena2a)
+[Website](https://hackmyagent.com) | [Security Checks Reference](docs/SECURITY_CHECKS.md) | [Demos](https://opena2a.org/demos) | [OpenA2A CLI](https://github.com/opena2a-org/opena2a)
 
 ---
 
@@ -38,7 +38,7 @@ That's it. No config files, no setup, no flags needed.
 
 ```
 ┌──────────────────────────────────────────────────┐
-│  HackMyAgent v0.9.8 — Security Scanner           │
+│  HackMyAgent v0.10.0 — Security Scanner          │
 │  Found: 3 critical · 5 high · 12 medium          │
 │                                                  │
 │  CRED-001  critical  Hardcoded API key in .env   │
@@ -50,6 +50,10 @@ That's it. No config files, no setup, no flags needed.
 └──────────────────────────────────────────────────┘
 ```
 
+![HackMyAgent Demo](docs/hackmyagent-demo.gif)
+
+> See all demos at [opena2a.org/demos](https://opena2a.org/demos)
+
 ---
 
 ## Installation

package/dist/cli.js

@@ -1573,7 +1573,8 @@ Examples:
   $ hackmyagent secure -b oasb-1 -f sarif        SARIF for GitHub
   $ hackmyagent secure -b oasb-1 -f html -o report.html
   $ hackmyagent secure -b oasb-1 --fail-below 80 CI threshold
-  $ hackmyagent secure -b oasb-2               OASB-2 composite (infra + governance)`)
+  $ hackmyagent secure -b oasb-2               OASB-2 composite (infra + governance)
+  $ hackmyagent secure ./my-agent --publish    Scan and publish results to registry`)
     .argument('[directory]', 'Directory to scan (defaults to current directory)', '.')
     .option('--fix', 'Automatically fix issues where possible')
     .option('--dry-run', 'Preview fixes without applying them (use with --fix)')
@@ -1587,10 +1588,11 @@ Examples:
     .option('-l, --level <level>', 'Benchmark level: L1 (Essential), L2 (Standard), L3 (Hardened)', 'L1')
     .option('-c, --category <name>', 'Filter to specific benchmark category')
     .option('--deep', 'Enable LLM-powered semantic analysis (requires ANTHROPIC_API_KEY)')
+    .option('--publish', 'Push scan results to the OpenA2A Registry')
     .option('--registry-report', 'Post results to OpenA2A Registry')
     .option('--no-registry', 'Skip auto-publishing results to OpenA2A Registry')
     .option('--version-id <id>', 'Registry version ID to report against')
-    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)')
+    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://registry.opena2a.org')
     .option('--registry-key <key>', 'Registry API key (default: REGISTRY_API_KEY env)')
     .action(async (directory, options) => {
     try {
@@ -1761,12 +1763,39 @@ Examples:
             return;
         }
         if (format === 'json') {
+            // Run publish in JSON mode and include result in output
+            let publishStatus;
+            if (options.publish && options.registry !== false) {
+                try {
+                    const { publishScanResults } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
+                    const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                    const packageName = resolvePackageName(targetDir);
+                    if (packageName) {
+                        const publishData = {
+                            packageName,
+                            packageVersion: resolvePackageVersion(targetDir) ?? undefined,
+                            directory: targetDir,
+                            hardeningFindings: result.findings,
+                        };
+                        const publishResult = await publishScanResults(publishData, registryUrl);
+                        publishStatus = { ...publishResult, registryUrl };
+                    }
+                    else {
+                        publishStatus = { success: false, error: 'Could not determine package name' };
+                    }
+                }
+                catch (publishErr) {
+                    const msg = publishErr instanceof Error ? publishErr.message : 'unknown error';
+                    publishStatus = { success: false, error: msg };
+                }
+            }
+            const jsonOutput = publishStatus ? { ...result, publish: publishStatus } : result;
             if (options.output) {
-                require('fs').writeFileSync(options.output, JSON.stringify(result, null, 2) + '\n');
+                require('fs').writeFileSync(options.output, JSON.stringify(jsonOutput, null, 2) + '\n');
                 console.error(`Report written to ${options.output}`);
             }
             else {
-                writeJsonStdout(result);
+                writeJsonStdout(jsonOutput);
             }
             const critHigh = result.findings.filter((f) => !f.passed && !f.fixed && (f.severity === 'critical' || f.severity === 'high'));
             if (critHigh.length > 0)
@@ -1945,6 +1974,47 @@ Examples:
                 // Silently ignore registry errors - they are not relevant to local scan results
             }
         }
+        // Publish: push results to registry when --publish is used
+        if (options.publish && options.registry === false) {
+            if (format === 'text') {
+                console.log('\nPublish skipped: --no-registry flag is active.');
+            }
+        }
+        else if (options.publish) {
+            try {
+                const { publishScanResults, formatPublishOutput } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
+                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                const packageName = resolvePackageName(targetDir);
+                if (!packageName) {
+                    console.error('\nCould not determine package name. Publish requires a package.json with a name field.');
+                }
+                else {
+                    if (format === 'text') {
+                        console.log('\nPublishing results to registry...\n');
+                    }
+                    const publishData = {
+                        packageName,
+                        packageVersion: resolvePackageVersion(targetDir) ?? undefined,
+                        directory: targetDir,
+                        hardeningFindings: result.findings,
+                    };
+                    const publishResult = await publishScanResults(publishData, registryUrl);
+                    if (format === 'text') {
+                        console.log(formatPublishOutput(publishResult, publishData, registryUrl));
+                        console.log();
+                    }
+                    else if (format === 'json') {
+                        // Append publish result to JSON output in a separate log
+                        console.error(JSON.stringify({ publish: publishResult }, null, 2));
+                    }
+                }
+            }
+            catch (publishErr) {
+                const msg = publishErr instanceof Error ? publishErr.message : 'unknown error';
+                console.error(`\nFailed to publish to registry: ${msg}`);
+                console.error('Scan results are still available locally.');
+            }
+        }
         // Star prompt (interactive TTY only, text format only)
         if (process.stdout.isTTY) {
             console.log(`${colors.cyan}Helpful?${RESET()} Star the project: https://github.com/opena2a-org/opena2a\n`);
@@ -2338,7 +2408,8 @@ Examples:
   $ hackmyagent attack https://api.example.com --payload-file custom.json
   $ hackmyagent attack https://api.example.com --fail-on-vulnerable medium
   $ hackmyagent attack http://localhost:3010 --target-type mcp --category mcp-exploitation
-  $ hackmyagent attack http://localhost:3020 --target-type a2a --category a2a-attack`)
+  $ hackmyagent attack http://localhost:3020 --target-type a2a --category a2a-attack
+  $ hackmyagent attack https://api.example.com --publish  Attack and publish results to registry`)
     .argument('[target]', 'API endpoint to test (or use --local for simulation)')
     .option('-i, --intensity <level>', 'Attack intensity: passive, active, aggressive', 'active')
     .option('-c, --category <categories>', 'Comma-separated categories to test')
@@ -2360,10 +2431,11 @@ Examples:
     .option('-f, --format <format>', 'Output format: text, json, sarif, html', 'text')
     .option('-o, --output <file>', 'Write output to file')
     .option('-v, --verbose', 'Show detailed output for each payload')
+    .option('--publish', 'Push scan results to the OpenA2A Registry')
     .option('--registry-report', 'Post results to OpenA2A Registry')
     .option('--no-registry', 'Skip auto-publishing results to OpenA2A Registry')
     .option('--version-id <id>', 'Registry version ID to report against')
-    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)')
+    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://registry.opena2a.org')
     .option('--registry-key <key>', 'Registry API key (default: REGISTRY_API_KEY env)')
     .action(async (targetUrl, options) => {
     try {
@@ -2552,6 +2624,42 @@ Examples:
                 // Silently ignore registry errors - they are not relevant to local scan results
             }
         }
+        // Publish: push attack results to registry when --publish is used
+        if (options.publish && options.registry === false) {
+            if (format === 'text') {
+                console.log('\nPublish skipped: --no-registry flag is active.');
+            }
+        }
+        else if (options.publish && targetType === 'local') {
+            if (format === 'text') {
+                console.log('\nPublish skipped: only available for live target scans.');
+            }
+        }
+        else if (options.publish && targetType !== 'local') {
+            try {
+                const { publishScanResults, formatPublishOutput } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
+                const regUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                const packageName = target.url || targetUrl || 'unknown';
+                if (format === 'text') {
+                    console.log('\nPublishing results to registry...\n');
+                }
+                const publishData = {
+                    packageName,
+                    directory: process.cwd(),
+                    attackReport: report,
+                };
+                const publishResult = await publishScanResults(publishData, regUrl);
+                if (format === 'text') {
+                    console.log(formatPublishOutput(publishResult, publishData, regUrl));
+                    console.log();
+                }
+            }
+            catch (publishErr) {
+                const msg = publishErr instanceof Error ? publishErr.message : 'unknown error';
+                console.error(`\nFailed to publish to registry: ${msg}`);
+                console.error('Scan results are still available locally.');
+            }
+        }
         // Exit with non-zero based on fail policy
         if ((0, index_1.shouldFail)(report, options.failOnVulnerable)) {
             process.exit(1);
@@ -3788,7 +3896,8 @@ Examples:
   $ hackmyagent scan-soul --json             Machine-readable output
   $ hackmyagent scan-soul --verbose          Show all controls
   $ hackmyagent scan-soul --profile conversational  Override profile
-  $ hackmyagent scan-soul --deep             Enable LLM semantic analysis`)
+  $ hackmyagent scan-soul --deep             Enable LLM semantic analysis
+  $ hackmyagent scan-soul ./my-agent --publish  Scan and publish results to registry`)
     .argument('[directory]', 'Directory to scan (defaults to current directory)', '.')
     .option('--json', 'Output as JSON')
     .option('-v, --verbose', 'Show individual control results')
@@ -3796,6 +3905,8 @@ Examples:
     .option('--profile <profile>', 'Override agent profile (conversational, code-assistant, tool-agent, autonomous, orchestrator, custom)')
     .option('--fail-below <score>', 'Exit 1 if score below threshold (0-100)')
     .option('--deep', 'Enable LLM semantic analysis for ambiguous controls (requires claude CLI or ANTHROPIC_API_KEY)')
+    .option('--publish', 'Push scan results to the OpenA2A Registry')
+    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://registry.opena2a.org')
     .action(async (directory, options) => {
     try {
         const targetDir = directory.startsWith('/') ? directory : process.cwd() + '/' + directory;
@@ -3813,7 +3924,34 @@ Examples:
         });
         // JSON output
         if (options.json) {
-            writeJsonStdout(result);
+            // Run publish in JSON mode and include result in output
+            let publishStatus;
+            if (options.publish) {
+                try {
+                    const { publishScanResults } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
+                    const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                    const packageName = resolvePackageName(targetDir);
+                    if (packageName) {
+                        const publishData = {
+                            packageName,
+                            packageVersion: resolvePackageVersion(targetDir) ?? undefined,
+                            directory: targetDir,
+                            soulResult: result,
+                        };
+                        const publishResult = await publishScanResults(publishData, registryUrl);
+                        publishStatus = { ...publishResult, registryUrl };
+                    }
+                    else {
+                        publishStatus = { success: false, error: 'Could not determine package name' };
+                    }
+                }
+                catch (publishErr) {
+                    const msg = publishErr instanceof Error ? publishErr.message : 'unknown error';
+                    publishStatus = { success: false, error: msg };
+                }
+            }
+            const jsonOutput = publishStatus ? { ...result, publish: publishStatus } : result;
+            writeJsonStdout(jsonOutput);
             // Check fail threshold
             if (options.failBelow) {
                 const threshold = parseInt(options.failBelow, 10);
@@ -3901,6 +4039,37 @@ Examples:
             process.stdout.write(`\n${colors.green}All ${result.totalControls} governance controls covered.${colors.reset}\n`);
         }
         process.stdout.write('\n');
+        // Publish: push SOUL results to registry when --publish is used
+        if (options.publish) {
+            try {
+                const { publishScanResults, formatPublishOutput } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
+                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                const packageName = resolvePackageName(targetDir);
+                if (!packageName) {
+                    process.stderr.write('Could not determine package name. Publish requires a package.json with a name field.\n');
+                }
+                else {
+                    if (!options.json) {
+                        process.stdout.write('Publishing results to registry...\n\n');
+                    }
+                    const publishData = {
+                        packageName,
+                        packageVersion: resolvePackageVersion(targetDir) ?? undefined,
+                        directory: targetDir,
+                        soulResult: result,
+                    };
+                    const publishResult = await publishScanResults(publishData, registryUrl);
+                    if (!options.json) {
+                        process.stdout.write(formatPublishOutput(publishResult, publishData, registryUrl) + '\n\n');
+                    }
+                }
+            }
+            catch (publishErr) {
+                const msg = publishErr instanceof Error ? publishErr.message : 'unknown error';
+                process.stderr.write(`Failed to publish to registry: ${msg}\n`);
+                process.stderr.write('Scan results are still available locally.\n');
+            }
+        }
         // Check fail threshold
         if (options.failBelow) {
             const threshold = parseInt(options.failBelow, 10);