agent-audit 0.1.0__py3-none-any.whl → 0.2.0__py3-none-any.whl

agent_audit/cli/commands/scan.py

@@ -30,6 +30,7 @@ def run_scan(
     fail_on_severity: str,
     baseline_path: Optional[Path] = None,
     save_baseline_path: Optional[Path] = None,
+    rules_dir: Optional[Path] = None,
     verbose: bool = False,
     quiet: bool = False
 ) -> int:
@@ -42,7 +43,7 @@ def run_scan(
     ignore_manager = IgnoreManager()
     config_loaded = ignore_manager.load(path)
 
-    if verbose and config_loaded:
+    if verbose and config_loaded and output_format == "terminal":
         console.print(f"[dim]Loaded config from: {ignore_manager._loaded_from}[/dim]")
 
     # Get exclude patterns from config
@@ -58,9 +59,9 @@ def run_scan(
 
     # Find rules directory - check multiple possible locations
     possible_rules_dirs = [
-        # Relative to this file (installed package)
-        Path(__file__).parent.parent.parent.parent.parent.parent.parent / "rules" / "builtin",
-        # Relative to project root (development)
+        # Inside the package (installed via pip/wheel)
+        Path(__file__).parent.parent / "rules" / "builtin",
+        # Project root rules dir (development mode, symlink-installed)
         Path(__file__).resolve().parent.parent.parent.parent.parent.parent.parent / "rules" / "builtin",
         # Relative to current working directory
         Path.cwd() / "rules" / "builtin",
@@ -68,59 +69,66 @@ def run_scan(
         Path.cwd().parent.parent / "rules" / "builtin",
     ]
 
-    for rules_dir in possible_rules_dirs:
-        if rules_dir.exists():
-            rule_engine.add_builtin_rules_dir(rules_dir)
+    for builtin_dir in possible_rules_dirs:
+        if builtin_dir.exists():
+            rule_engine.add_builtin_rules_dir(builtin_dir)
             break
 
-    rule_engine.load_rules()
+    # Load custom rules if --rules-dir is specified
+    custom_rules_dirs: Optional[List[Path]] = None
+    if rules_dir and rules_dir.exists():
+        custom_rules_dirs = [rules_dir]
+        if not quiet and output_format == "terminal":
+            console.print(f"[dim]Loading custom rules from: {rules_dir}[/dim]")
+
+    rule_engine.load_rules(additional_dirs=custom_rules_dirs)
 
     # Collect all findings
     all_findings: List[Finding] = []
     scanned_files = 0
 
     # Run Python scanner
-    if not quiet:
+    if not quiet and output_format == "terminal":
         console.print("[dim]Scanning Python files...[/dim]")
 
     python_results = python_scanner.scan(path)
-    for result in python_results:
+    for py_result in python_results:
         scanned_files += 1
 
         # Generate findings from dangerous patterns
         findings = rule_engine.evaluate_dangerous_patterns(
-            result.dangerous_patterns,
-            result.source_file
+            py_result.dangerous_patterns,
+            py_result.source_file
         )
         all_findings.extend(findings)
 
         # Check for credentials in source
         try:
-            source = Path(result.source_file).read_text(encoding='utf-8')
-            cred_findings = rule_engine.evaluate_credentials(source, result.source_file)
+            source = Path(py_result.source_file).read_text(encoding='utf-8')
+            cred_findings = rule_engine.evaluate_credentials(source, py_result.source_file)
             all_findings.extend(cred_findings)
         except Exception:
             pass
 
         # Evaluate tool permissions
-        if result.tools:
+        if py_result.tools:
             perm_findings = rule_engine.evaluate_permission_scope(
-                result.tools,
-                result.source_file
+                py_result.tools,
+                py_result.source_file
             )
             all_findings.extend(perm_findings)
 
     # Run MCP config scanner
-    if not quiet:
+    if not quiet and output_format == "terminal":
         console.print("[dim]Scanning MCP configurations...[/dim]")
 
     mcp_results = mcp_scanner.scan(path)
-    for result in mcp_results:
+    for mcp_result in mcp_results:
         scanned_files += 1
 
         # Convert server configs to dicts for rule engine
         server_dicts = []
-        for server in result.servers:
+        for server in mcp_result.servers:
             server_dict = {
                 'name': server.name,
                 'url': server.url,
@@ -132,16 +140,16 @@ def run_scan(
             }
             server_dicts.append(server_dict)
 
-        mcp_findings = rule_engine.evaluate_mcp_config(server_dicts, result.source_file)
+        mcp_findings = rule_engine.evaluate_mcp_config(server_dicts, mcp_result.source_file)
         all_findings.extend(mcp_findings)
 
     # Run secret scanner
-    if not quiet:
+    if not quiet and output_format == "terminal":
         console.print("[dim]Scanning for secrets...[/dim]")
 
     secret_results = secret_scanner.scan(path)
-    for result in secret_results:
-        for secret in result.secrets:
+    for secret_result in secret_results:
+        for secret in secret_result.secrets:
             from agent_audit.models.risk import Location, Category
             from agent_audit.models.finding import Remediation
 
@@ -153,7 +161,7 @@ def run_scan(
                          Severity.HIGH if secret.severity == "high" else Severity.MEDIUM,
                 category=Category.CREDENTIAL_EXPOSURE,
                 location=Location(
-                    file_path=result.source_file,
+                    file_path=secret_result.source_file,
                     start_line=secret.line_number,
                     end_line=secret.line_number,
                     start_column=secret.start_col,
@@ -175,7 +183,7 @@ def run_scan(
     if baseline_path and baseline_path.exists():
         baseline = load_baseline(baseline_path)
         all_findings = filter_by_baseline(all_findings, baseline)
-        if not quiet:
+        if not quiet and output_format == "terminal":
             console.print(f"[dim]Filtered by baseline: {baseline_path}[/dim]")
 
     # Filter by minimum severity
@@ -191,7 +199,7 @@ def run_scan(
     # Save baseline if requested
     if save_baseline_path:
         save_baseline(all_findings, save_baseline_path)
-        if not quiet:
+        if not quiet and output_format == "terminal":
             console.print(f"[dim]Saved baseline to: {save_baseline_path}[/dim]")
 
     # Output results
@@ -209,7 +217,7 @@ def run_scan(
         if output_path:
             output_path.write_text(json_output, encoding="utf-8")
         else:
-            console.print(json_output)
+            click.echo(json_output)
     elif output_format == "sarif":
         from agent_audit.cli.formatters.sarif import SARIFFormatter
         formatter = SARIFFormatter()
@@ -285,6 +293,8 @@ def _output_markdown(findings: List[Finding], scan_path: str, output_path: Optio
               default='low', help='Minimum severity to report')
 @click.option('--rules', '-r', type=click.Path(exists=True),
               multiple=True, help='Additional rule files')
+@click.option('--rules-dir', type=click.Path(exists=True, file_okay=False),
+              help='Directory containing custom YAML rule files')
 @click.option('--fail-on',
               type=click.Choice(['critical', 'high', 'medium', 'low']),
               default='high', help='Exit with error if findings at this level')
@@ -294,8 +304,8 @@ def _output_markdown(findings: List[Finding], scan_path: str, output_path: Optio
               help='Save current findings as baseline')
 @click.pass_context
 def scan(ctx: click.Context, path: str, output_format: str, output: Optional[str],
-         severity: str, rules: tuple, fail_on: str, baseline: Optional[str],
-         save_baseline: Optional[str]):
+         severity: str, rules: tuple, rules_dir: Optional[str], fail_on: str,
+         baseline: Optional[str], save_baseline: Optional[str]):
     """
     Scan agent code and configurations for security issues.
 
@@ -322,6 +332,7 @@ def scan(ctx: click.Context, path: str, output_format: str, output: Optional[str
         fail_on_severity=fail_on,
         baseline_path=Path(baseline) if baseline else None,
         save_baseline_path=Path(save_baseline) if save_baseline else None,
+        rules_dir=Path(rules_dir) if rules_dir else None,
         verbose=ctx.obj.get('verbose', False),
         quiet=ctx.obj.get('quiet', False)
     )

agent_audit/cli/formatters/json.py

@@ -69,12 +69,12 @@ class JSONFormatter:
         actionable = sum(1 for f in findings if f.is_actionable())
         suppressed = sum(1 for f in findings if f.suppressed)
 
-        by_severity = {}
+        by_severity: Dict[str, int] = {}
         for f in findings:
             sev = f.severity.value
             by_severity[sev] = by_severity.get(sev, 0) + 1
 
-        by_category = {}
+        by_category: Dict[str, int] = {}
         for f in findings:
             cat = f.category.value
             by_category[cat] = by_category.get(cat, 0) + 1

agent_audit/cli/formatters/sarif.py

@@ -93,15 +93,21 @@ class SARIFFormatter:
                     }
 
                 # Add CWE/OWASP tags
-                tags = []
+                tags: List[str] = []
                 if finding.cwe_id:
                     tags.append(f"external/cwe/{finding.cwe_id.lower()}")
                 if finding.owasp_id:
-                    tags.append(f"external/owasp/{finding.owasp_id}")
+                    # Use OWASP-Agentic prefix for ASI-XX identifiers
+                    if finding.owasp_id.startswith("ASI-"):
+                        tags.append(f"OWASP-Agentic-{finding.owasp_id}")
+                    else:
+                        tags.append(f"external/owasp/{finding.owasp_id}")
+                    # Also add owasp-agentic-id to properties
+                    rule["properties"]["owasp-agentic-id"] = finding.owasp_id  # type: ignore[index]
                 if finding.category:
                     tags.append(finding.category.value)
                 if tags:
-                    rule["properties"]["tags"] = tags
+                    rule["properties"]["tags"] = tags  # type: ignore[index]
 
                 rules_map[finding.rule_id] = rule
 

agent_audit/models/finding.py

@@ -7,6 +7,21 @@ from typing import Optional, Dict, Any
 from agent_audit.models.risk import Severity, Category, Location
 
 
+# OWASP Agentic Top 10 (2026) ID to name mapping
+OWASP_AGENTIC_MAP: Dict[str, str] = {
+    "ASI-01": "Agent Goal Hijack",
+    "ASI-02": "Tool Misuse and Exploitation",
+    "ASI-03": "Identity and Privilege Abuse",
+    "ASI-04": "Agentic Supply Chain Vulnerabilities",
+    "ASI-05": "Unexpected Code Execution",
+    "ASI-06": "Memory and Context Poisoning",
+    "ASI-07": "Insecure Inter-Agent Communication",
+    "ASI-08": "Cascading Failures",
+    "ASI-09": "Human-Agent Trust Exploitation",
+    "ASI-10": "Rogue Agents",
+}
+
+
 @dataclass
 class Remediation:
     """Remediation guidance for a finding."""
@@ -77,14 +92,11 @@ class Finding:
         }
 
         # Add column information if available
+        region = result["locations"][0]["physicalLocation"]["region"]  # type: ignore[index]
         if self.location.start_column is not None:
-            result["locations"][0]["physicalLocation"]["region"]["startColumn"] = (
-                self.location.start_column
-            )
+            region["startColumn"] = self.location.start_column
         if self.location.end_column is not None:
-            result["locations"][0]["physicalLocation"]["region"]["endColumn"] = (
-                self.location.end_column
-            )
+            region["endColumn"] = self.location.end_column
 
         # Add fingerprint for deduplication
         result["fingerprints"] = {
@@ -92,7 +104,7 @@ class Finding:
         }
 
         # Add properties for additional metadata
-        properties = {}
+        properties: Dict[str, Any] = {}
         if self.confidence < 1.0:
             properties["confidence"] = self.confidence
         if self.cwe_id:

agent_audit/models/risk.py

@@ -34,6 +34,7 @@ class Severity(Enum):
 
 class Category(Enum):
     """Categories for security findings."""
+    # Original categories
     COMMAND_INJECTION = "command_injection"
     DATA_EXFILTRATION = "data_exfiltration"
     PRIVILEGE_ESCALATION = "privilege_escalation"
@@ -42,6 +43,18 @@ class Category(Enum):
     PROMPT_INJECTION = "prompt_injection"
     EXCESSIVE_PERMISSION = "excessive_permission"
 
+    # OWASP Agentic Top 10 (2026) extended categories
+    GOAL_HIJACK = "goal_hijack"                              # ASI-01
+    TOOL_MISUSE = "tool_misuse"                              # ASI-02
+    IDENTITY_PRIVILEGE_ABUSE = "identity_privilege_abuse"    # ASI-03
+    SUPPLY_CHAIN_AGENTIC = "supply_chain_agentic"            # ASI-04
+    UNEXPECTED_CODE_EXECUTION = "unexpected_code_execution"  # ASI-05
+    MEMORY_POISONING = "memory_poisoning"                    # ASI-06
+    INSECURE_INTER_AGENT_COMM = "insecure_inter_agent_comm"  # ASI-07
+    CASCADING_FAILURES = "cascading_failures"                # ASI-08
+    TRUST_EXPLOITATION = "trust_exploitation"                # ASI-09
+    ROGUE_AGENT = "rogue_agent"                              # ASI-10
+
 
 @dataclass
 class Location:

agent_audit/rules/builtin/owasp_agentic.yaml

@@ -0,0 +1,126 @@
+# OWASP Agentic Security Rules
+# Core rules for agent security scanning
+
+rules:
+  - id: AGENT-001
+    title: Command Injection via Unsanitized Input
+    description: Tool accepts user input passed directly to shell execution without proper sanitization.
+    severity: critical
+    category: command_injection
+    cwe_id: CWE-78
+    owasp_id: OWASP-AGENT-02
+
+    detection:
+      patterns:
+        - type: python_ast
+          match:
+            - "subprocess.run"
+            - "subprocess.Popen"
+            - "subprocess.call"
+            - "os.system"
+            - "os.popen"
+            - "eval"
+            - "exec"
+
+        - type: function_call
+          functions:
+            - subprocess.run
+            - subprocess.Popen
+            - subprocess.call
+          arguments:
+            shell: true
+
+    remediation:
+      description: Use shlex.quote() to escape user input, use argument lists instead of shell strings, implement a command allowlist.
+      code_example: |
+        # Safe: use argument list
+        subprocess.run(["ls", shlex.quote(user_input)])
+      references:
+        - https://owasp.org/www-community/attacks/Command_Injection
+
+  - id: AGENT-002
+    title: Excessive Agent Permissions
+    description: Agent is configured with more permissions than necessary for its intended purpose.
+    severity: medium
+    category: excessive_permission
+    cwe_id: CWE-250
+    owasp_id: OWASP-AGENT-01
+
+    detection:
+      conditions:
+        tool_count_threshold: 15
+        high_risk_permission_threshold: 5
+
+    remediation:
+      description: Apply principle of least privilege, split into specialized agents, require approval for high-risk operations.
+      references:
+        - https://owasp.org/www-community/vulnerabilities/Least_Privilege_Violation
+
+  - id: AGENT-003
+    title: Potential Data Exfiltration Chain
+    description: Agent has access to both sensitive data sources and external network capabilities.
+    severity: high
+    category: data_exfiltration
+    cwe_id: CWE-200
+    owasp_id: OWASP-AGENT-05
+
+    detection:
+      operation_chain:
+        source_permissions:
+          - SECRET_ACCESS
+          - FILE_READ
+          - DATABASE_READ
+        target_permissions:
+          - NETWORK_OUTBOUND
+
+    remediation:
+      description: Implement network egress allowlist, add approval workflow for sensitive operations.
+      references:
+        - https://owasp.org/www-community/attacks/Data_Exfiltration
+
+  - id: AGENT-004
+    title: Hardcoded Credentials in Agent Config
+    description: Agent configuration contains hardcoded API keys, passwords, or other secrets.
+    severity: critical
+    category: credential_exposure
+    cwe_id: CWE-798
+    owasp_id: OWASP-AGENT-03
+
+    detection:
+      patterns:
+        - type: regex
+          patterns:
+            - "AKIA[0-9A-Z]{16}"
+            - "sk-[a-zA-Z0-9]{48,}"
+            - "sk-ant-[a-zA-Z0-9-]{40,}"
+            - "ghp_[a-zA-Z0-9]{36}"
+            - "gho_[a-zA-Z0-9]{36}"
+
+    remediation:
+      description: Use environment variables or a secrets manager instead of hardcoded credentials.
+      code_example: |
+        # Safe: use environment variable
+        api_key = os.environ.get("OPENAI_API_KEY")
+      references:
+        - https://cwe.mitre.org/data/definitions/798.html
+
+  - id: AGENT-005
+    title: Unverified MCP Server
+    description: Agent connects to an MCP server that lacks signature verification.
+    severity: high
+    category: supply_chain
+    cwe_id: CWE-494
+    owasp_id: OWASP-AGENT-04
+
+    detection:
+      mcp_server:
+        verified: false
+        trusted_sources:
+          - "docker.io/mcp-catalog/"
+          - "ghcr.io/anthropics/"
+          - "ghcr.io/modelcontextprotocol/"
+
+    remediation:
+      description: Only use MCP servers from trusted registries, enable signature verification.
+      references:
+        - https://modelcontextprotocol.io/docs/security