agentsec-cli 1.0.3__tar.gz → 1.0.4__tar.gz

Files changed (65)
  1. agentsec_cli-1.0.4/.github/ISSUE_TEMPLATE/bug_report.md +52 -0
  2. agentsec_cli-1.0.4/.github/ISSUE_TEMPLATE/documentation.md +37 -0
  3. agentsec_cli-1.0.4/.github/ISSUE_TEMPLATE/feature_request.md +32 -0
  4. agentsec_cli-1.0.4/.github/ISSUE_TEMPLATE/security_report.md +27 -0
  5. agentsec_cli-1.0.4/.github/PULL_REQUEST_TEMPLATE.md +39 -0
  6. agentsec_cli-1.0.4/.github/labels.yml +51 -0
  7. agentsec_cli-1.0.4/.github/workflows/agentsec.yml +126 -0
  8. agentsec_cli-1.0.4/.github/workflows/docs.yml +54 -0
  9. agentsec_cli-1.0.4/.gitignore +65 -0
  10. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/CHANGELOG.md +21 -0
  11. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/CONTRIBUTING.md +50 -0
  12. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/PKG-INFO +3 -1
  13. agentsec_cli-1.0.4/agentsec/__init__.py +14 -0
  14. agentsec_cli-1.0.4/agentsec/_version.py +24 -0
  15. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/baseline.py +2 -2
  16. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/cli.py +8 -2
  17. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/rules/additional.py +28 -22
  18. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/rules/base.py +12 -0
  19. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/sarif.py +4 -2
  20. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/scanner.py +58 -5
  21. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/PKG-INFO +3 -1
  22. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/SOURCES.txt +28 -1
  23. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/requires.txt +2 -0
  24. agentsec_cli-1.0.4/agentsec_cli.egg-info/scm_file_list.json +57 -0
  25. agentsec_cli-1.0.4/agentsec_cli.egg-info/scm_version.json +8 -0
  26. agentsec_cli-1.0.4/docs/CNAME +1 -0
  27. agentsec_cli-1.0.4/docs/demo-script.md +145 -0
  28. agentsec_cli-1.0.4/docs/docs/cicd.md +97 -0
  29. agentsec_cli-1.0.4/docs/docs/faq.md +88 -0
  30. agentsec_cli-1.0.4/docs/docs/index.md +34 -0
  31. agentsec_cli-1.0.4/docs/docs/installation.md +45 -0
  32. agentsec_cli-1.0.4/docs/docs/owasp.md +55 -0
  33. agentsec_cli-1.0.4/docs/docs/rules.md +106 -0
  34. agentsec_cli-1.0.4/docs/docs/usage.md +103 -0
  35. agentsec_cli-1.0.4/docs/mkdocs.yml +56 -0
  36. agentsec_cli-1.0.4/docs/screenshots.md +172 -0
  37. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/pyproject.toml +11 -2
  38. agentsec_cli-1.0.4/scripts/check_version_policy.py +66 -0
  39. agentsec_cli-1.0.4/scripts/scan_github.py +177 -0
  40. agentsec_cli-1.0.4/tests/fixtures/dangerous_mcp.json +12 -0
  41. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/tests/test_baseline.py +6 -6
  42. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/tests/test_scanner.py +48 -0
  43. agentsec_cli-1.0.4/tests/test_versioning.py +63 -0
  44. agentsec_cli-1.0.3/agentsec/__init__.py +0 -3
  45. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/CODE_OF_CONDUCT.md +0 -0
  46. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/LICENSE +0 -0
  47. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/MANIFEST.in +0 -0
  48. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/README.md +0 -0
  49. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/SECURITY.md +0 -0
  50. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/owasp.py +0 -0
  51. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/parsers/__init__.py +0 -0
  52. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/parsers/core.py +0 -0
  53. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/parsers/json_parser.py +0 -0
  54. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/parsers/toml_parser.py +0 -0
  55. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/parsers/yaml_parser.py +0 -0
  56. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/report.py +0 -0
  57. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/rules/__init__.py +0 -0
  58. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/utils/__init__.py +0 -0
  59. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/utils/toml_compat.py +0 -0
  60. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/dependency_links.txt +0 -0
  61. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/entry_points.txt +0 -0
  62. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/top_level.txt +0 -0
  63. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/setup.cfg +0 -0
  64. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/tests/test_compat.py +0 -0
  65. {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/tests/test_owasp.py +0 -0
@@ -0,0 +1,52 @@
1
+ ---
2
+ name: Bug Report
3
+ about: Create a report to help us improve AgentSec
4
+ title: "[Bug] "
5
+ labels: bug
6
+ assignees: ''
7
+ ---
8
+
9
+ ## Describe the Bug
10
+
11
+ A clear and concise description of what the bug is.
12
+
13
+ ## To Reproduce
14
+
15
+ Steps to reproduce the behavior:
16
+
17
+ 1. Run command: `agentsec scan ...`
18
+ 2. See error: ...
19
+
20
+ ## Expected Behavior
21
+
22
+ A clear description of what you expected to happen.
23
+
24
+ ## Actual Behavior
25
+
26
+ What actually happened. Include error messages, stack traces, or unexpected output.
27
+
28
+ ## Environment
29
+
30
+ - AgentSec version: <!-- pip show agentsec-cli | grep Version -->
31
+ - Python version: <!-- python3 --version -->
32
+ - Operating system: <!-- e.g., Ubuntu 24.04, macOS 15, Windows 11 -->
33
+ - Installation method: <!-- pip install, pipx, from source -->
34
+
35
+ ## Sample Input
36
+
37
+ If applicable, provide a sanitized sample of the configuration you scanned.
38
+
39
+ ```json
40
+ {
41
+ "mcpServers": {
42
+ "example": {
43
+ "command": "node",
44
+ "args": []
45
+ }
46
+ }
47
+ }
48
+ ```
49
+
50
+ ## Additional Context
51
+
52
+ Add any other context about the problem here.
@@ -0,0 +1,37 @@
1
+ ---
2
+ name: Documentation
3
+ about: Report a documentation issue or suggest improvement
4
+ title: "[Docs] "
5
+ labels: documentation
6
+ assignees: ''
7
+ ---
8
+
9
+ ## Documentation Location
10
+
11
+ Which page or section has the issue?
12
+
13
+ - [ ] README.md
14
+ - [ ] CHANGELOG.md
15
+ - [ ] CONTRIBUTING.md
16
+ - [ ] SECURITY.md
17
+ - [ ] docs/ (MkDocs documentation)
18
+ - [ ] CLI help output
19
+ - [ ] Landing page
20
+ - [ ] Other (specify):
21
+
22
+ ## Issue Type
23
+
24
+ - [ ] Missing documentation
25
+ - [ ] Incorrect documentation
26
+ - [ ] Unclear documentation
27
+ - [ ] Broken link
28
+ - [ ] Typo / grammar
29
+ - [ ] Outdated example
30
+
31
+ ## Description
32
+
33
+ Describe the issue clearly.
34
+
35
+ ## Suggested Fix
36
+
37
+ If you have a suggestion for how to fix it, include it here.
@@ -0,0 +1,32 @@
1
+ ---
2
+ name: Feature Request
3
+ about: Suggest an idea for AgentSec
4
+ title: "[Feature] "
5
+ labels: enhancement
6
+ assignees: ''
7
+ ---
8
+
9
+ ## Problem Statement
10
+
11
+ Is your feature request related to a problem? Please describe what you're trying to achieve.
12
+
13
+ ## Proposed Solution
14
+
15
+ Describe the solution you'd like. Be specific about the CLI interface, flags, or configuration.
16
+
17
+ ```bash
18
+ # Example of how the feature should work
19
+ agentsec scan . --new-flag value
20
+ ```
21
+
22
+ ## Alternative Solutions
23
+
24
+ Describe alternatives you've considered.
25
+
26
+ ## Use Case
27
+
28
+ Describe the real-world scenario where this feature would be useful.
29
+
30
+ ## Additional Context
31
+
32
+ Add any other context, screenshots, or references about the feature request here.
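--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/security_report.md
@@ -0,0 +1,27 @@
+ ---
+ name: Security Report
+ about: Report a security vulnerability (private)
+ title: "[Security] "
+ labels: security
+ assignees: ''
+ ---
+
+ **Please do not file a public issue for security vulnerabilities.**
+
+ AgentSec takes security seriously. To report a vulnerability:
+
+ 1. **Use GitHub Private Vulnerability Reporting** under the repository's Security tab.
+ 2. **OR** email the maintainer directly (see SECURITY.md for contact information).
+
+ ## Why Private Disclosure
+
+ Security vulnerabilities that are publicly disclosed without a fix can put users at risk. We will:
+
+ - Acknowledge receipt within 48 hours
+ - Provide a status update within 5 business days
+ - Release a fix within 14 days for critical issues
+ - Credit you in the security advisory (unless you request anonymity)
+
+ ## See Also
+
+ - [SECURITY.md](../blob/main/SECURITY.md) for our full disclosure policy.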
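Review bot: An issue opened from this template is public, so the front-matter line `about: Report a security vulnerability (private)` promises confidentiality the template cannot give; a reporter who fills in details under the `[Security] ` title has already disclosed them. Consider replacing the template with a `contact_links` entry in `.github/ISSUE_TEMPLATE/config.yml` that points at the repository's private vulnerability reporting form, or at minimum reword the front matter to `about: Do not report vulnerabilities here - use private reporting (see SECURITY.md)`. The relative link `../blob/main/SECURITY.md` on the last line may not resolve from the new-issue page and is worth checking.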
@@ -0,0 +1,39 @@
1
+ ## Description
2
+
3
+ Please include a summary of the change and which issue it addresses.
4
+
5
+ Fixes # (issue)
6
+
7
+ ## Type of Change
8
+
9
+ - [ ] Bug fix (non-breaking change that fixes an issue)
10
+ - [ ] New feature (non-breaking change that adds functionality)
11
+ - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
12
+ - [ ] Documentation update
13
+ - [ ] Performance improvement
14
+ - [ ] Refactoring (no functional changes)
15
+ - [ ] Test update
16
+ - [ ] CI/CD or build process
17
+
18
+ ## Checklist
19
+
20
+ - [ ] Tests pass (`pytest`)
21
+ - [ ] New tests added for new functionality
22
+ - [ ] Code follows project style (PEP 8, type hints)
23
+ - [ ] Documentation updated (if applicable)
24
+ - [ ] CHANGELOG entry added (if applicable)
25
+ - [ ] Commits follow [Conventional Commits](https://www.conventionalcommits.org/)
26
+ - [ ] Branch is up-to-date with `main`
27
+ - [ ] No new warnings or errors introduced
28
+
29
+ ## Test Plan
30
+
31
+ Describe how you tested the change:
32
+
33
+ - [ ] Unit tests
34
+ - [ ] Manual testing with `agentsec scan .`
35
+ - [ ] Tested with sample configs (JSON, YAML, TOML)
36
+
37
+ ## Additional Context
38
+
39
+ Add any other context about the PR here (screenshots, benchmarks, etc.).
@@ -0,0 +1,51 @@
1
+ - name: bug
2
+ color: d73a4a
3
+ description: Something isn't working
4
+ - name: critical
5
+ color: b60205
6
+ description: Critical severity issue or finding
7
+ - name: enhancement
8
+ color: a2eeef
9
+ description: New feature or request
10
+ - name: feature
11
+ color: 0e8a16
12
+ description: Accepted feature to implement
13
+ - name: ci
14
+ color: 0366d6
15
+ description: CI/CD related
16
+ - name: build
17
+ color: 5319e7
18
+ description: Build system or packaging
19
+ - name: documentation
20
+ color: 0075ca
21
+ description: Improvements or additions to documentation
22
+ - name: test
23
+ color: 7b55d6
24
+ description: Testing related
25
+ - name: refactor
26
+ color: fbca04
27
+ description: Code refactoring
28
+ - name: performance
29
+ color: 0e8a16
30
+ description: Performance improvement
31
+ - name: good-first-issue
32
+ color: 7057ff
33
+ description: Good for newcomers
34
+ - name: help-wanted
35
+ color: 008672
36
+ description: Extra attention is needed
37
+ - name: question
38
+ color: d876e3
39
+ description: Further information is requested
40
+ - name: wontfix
41
+ color: ffffff
42
+ description: This will not be worked on
43
+ - name: duplicate
44
+ color: cfd3d7
45
+ description: This issue or PR already exists
46
+ - name: invalid
47
+ color: e4e669
48
+ description: This doesn't seem right
49
+ - name: security
50
+ color: b60205
51
+ description: Security vulnerability
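--- /dev/null
+++ b/.github/workflows/agentsec.yml
@@ -0,0 +1,126 @@
+ name: AgentSec CI/CD
+
+ on:
+ push:
+ branches: [main]
+ tags: ['v*']
+ pull_request:
+ branches: [main]
+
+ permissions:
+ contents: read
+
+ jobs:
+ test:
+ name: test / py${{ matrix.python-version }}
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: ["3.10", "3.11", "3.12", "3.13"]
+ fail-fast: false
+ steps:
+ # fetch-depth: 0 is required so setuptools-scm can see the full tag
+ # history and derive the correct version. Do not remove this, and
+ # apply the same setting to any future job that installs the package.
+ - uses: actions/checkout@v7
+ with:
+ fetch-depth: 0
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v6
+ with:
+ python-version: ${{ matrix.python-version }}
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -e .[dev]
+ - name: Guard against manual versioning regressions
+ run: python scripts/check_version_policy.py
+ - name: Verify CLI starts
+ run: |
+ agentsec --help
+ agentsec scan --help
+ - name: Verify version is Git-derived
+ run: |
+ agentsec --version
+ - name: Run tests
+ run: python -m pytest -v
+ - name: Smoke test — JSON output
+ run: |
+ agentsec scan . --include-hidden --format json | python -m json.tool > /dev/null
+ - name: Smoke test — SARIF output
+ run: |
+ agentsec scan . --include-hidden --format sarif | python -c "import sys,json; d=json.loads(sys.stdin.read()); assert d['version']=='2.1.0'; print(f'SARIF OK: {len(d[\"runs\"][0][\"results\"])} findings')"
+ - name: Smoke test — TOML parsing
+ run: |
+ mkdir -p /tmp/test-toml
+ printf '[mcpServers]\n[mcpServers.test]\ncommand = "bash"\n' > /tmp/test-toml/mcp.toml
+ agentsec scan /tmp/test-toml --format json | python -c "import sys,json; d=json.loads(sys.stdin.read()); assert len(d)>0; print(f'TOML scan OK: {len(d)} findings')"
+
+ build:
+ name: Build package
+ needs: test
+ if: github.ref_type == 'tag'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v7
+ with:
+ fetch-depth: 0
+ - name: Set up Python
+ uses: actions/setup-python@v6
+ with:
+ python-version: "3.12"
+ - name: Install build tools
+ run: |
+ python -m pip install --upgrade pip
+ pip install build twine
+ - name: Build sdist and wheel
+ run: python -m build
+ - name: Check package with twine
+ run: python -m twine check dist/*
+ - name: Verify wheel/sdist filenames match the Git tag
+ run: |
+ TAG_VERSION="${GITHUB_REF_NAME#v}"
+ echo "Expected version from tag: $TAG_VERSION"
+ ls dist/
+ test -f "dist/agentsec_cli-${TAG_VERSION}-py3-none-any.whl"
+ test -f "dist/agentsec_cli-${TAG_VERSION}.tar.gz"
+ - name: Install and test wheel
+ run: |
+ pip install dist/*.whl
+ agentsec --version
+ agentsec scan . --format json | python -m json.tool > /dev/null
+ - name: Upload build artifact
+ uses: actions/upload-artifact@v7
+ with:
+ name: dist
+ path: dist/
+
+ publish:
+ name: Publish to PyPI
+ needs: build
+ if: github.ref_type == 'tag'
+ runs-on: ubuntu-latest
+ environment:
+ name: pypi
+ url: https://pypi.org/p/agentsec-cli
+ permissions:
+ id-token: write
+ steps:
+ - uses: actions/download-artifact@v8
+ with:
+ name: dist
+ path: dist/
+ - name: Publish package to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+
+ github-release:
+ name: Create GitHub Release
+ needs: publish
+ if: github.ref_type == 'tag'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: softprops/action-gh-release@v2
+ with:
+ generate_release_notes: true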
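Review bot: Every action in the release path is referenced by a mutable tag or branch (`actions/checkout@v7`, `softprops/action-gh-release@v2`, `pypa/gh-action-pypi-publish@release/v1`), and the `publish` and `github-release` jobs run them with `id-token: write` and `contents: write`, so a moved upstream ref would execute with the project's publishing identity. Pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: softprops/action-gh-release@<FULL_COMMIT_SHA> # v2`, and let a dependency-update bot maintain the pins. In the `test` and `build` jobs, which run `pip install -e .[dev]` and `python -m build` on checked-out code, adding `persist-credentials: false` under the checkout `with:` keeps the token out of the working tree's git config. The same tag-pinned `uses:` pattern appears in `.github/workflows/docs.yml`.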
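--- /dev/null
+++ b/.github/workflows/docs.yml
@@ -0,0 +1,54 @@
+ name: Deploy Docs
+
+ on:
+ push:
+ branches: [main]
+ paths:
+ - 'docs/**'
+ - 'mkdocs.yml'
+ - 'docs/CNAME'
+ workflow_dispatch:
+
+ permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+ concurrency:
+ group: pages
+ cancel-in-progress: false
+
+ jobs:
+ deploy:
+ name: Deploy to GitHub Pages
+ runs-on: ubuntu-latest
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ steps:
+ - uses: actions/checkout@v7
+
+ - name: Set up Python
+ uses: actions/setup-python@v6
+ with:
+ python-version: '3.12'
+
+ - name: Install MkDocs
+ run: |
+ python -m pip install --upgrade pip
+ pip install mkdocs-material
+
+ - name: Build docs
+ run: mkdocs build --config-file docs/mkdocs.yml --site-dir ../site
+
+ - name: Write CNAME for custom domain
+ run: echo "agentsec.work.gd" > site/CNAME
+
+ - name: Upload Pages artifact
+ uses: actions/upload-pages-artifact@v5
+ with:
+ path: site
+
+ - name: Deploy to Pages
+ id: deployment
+ uses: actions/deploy-pages@v5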
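Review bot: The single `deploy` job runs an unpinned `pip install mkdocs-material` and `mkdocs build` while holding the workflow-level `pages: write` and `id-token: write` permissions, so third-party build code executes with deploy rights. Split the work into a build job that has only `contents: read` and uploads the Pages artifact, and a deploy job that carries the two write permissions and runs only `actions/deploy-pages`. Pin the MkDocs install to a version as well. The `paths:` entries `'mkdocs.yml'` and `'docs/CNAME'` look redundant, since the build uses `docs/mkdocs.yml` and `'docs/**'` already covers both files under `docs/`.

```yaml
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: checkout, setup-python, install, mkdocs build, CNAME, upload-pages-artifact …
  deploy:
    name: Deploy to GitHub Pages
    needs: build
    runs-on: ubuntu-latest
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - name: Deploy to Pages
        id: deployment
        uses: actions/deploy-pages@v5
```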
@@ -0,0 +1,65 @@
1
+ # Virtual environments
2
+ .venv/
3
+ venv/
4
+ env/
5
+
6
+ # Python cache
7
+ __pycache__/
8
+ *.py[cod]
9
+
10
+ # setuptools-scm generated version file (derived from Git tags at build time)
11
+ agentsec/_version.py
12
+
13
+ # Build artifacts
14
+ build/
15
+ dist/
16
+ *.egg-info/
17
+ .eggs/
18
+ pip-wheel-metadata/
19
+
20
+ # Test cache
21
+ .pytest_cache/
22
+ .coverage
23
+ .coverage.*
24
+ htmlcov/
25
+
26
+ # Type checkers / linters
27
+ .mypy_cache/
28
+ .ruff_cache/
29
+ .tox/
30
+ .nox/
31
+
32
+ # IDE
33
+ .vscode/
34
+ .idea/
35
+
36
+ # macOS / Windows
37
+ .DS_Store
38
+ Thumbs.db
39
+
40
+ # Scan outputs
41
+ scan_results.json
42
+ github_scan_results.json
43
+ *.sarif
44
+
45
+ # Temporary
46
+ *.tmp
47
+ *.swp
48
+ *.bak
49
+
50
+ RELEASE_AUDIT.md
51
+ RELEASE_CHECKLIST.md
52
+ RELEASE_NOTES_v1.0.0.md
53
+ RELEASE_VALIDATION_REPORT.md
54
+ CI_REVIEW.md
55
+ mcp-servers/
56
+
57
+ # Internal strategy / one-time audit artifacts — content lives in Second Brain
58
+ # (secondbrain/raw/2026-07-04_agentsec_*.md), synthesized into wiki notes.
59
+ # Not public-repo content; kept out of git if they reappear locally.
60
+ VISION.md
61
+ ROADMAP_V2.md
62
+ NEXT_HIGH_VALUE_TASKS.md
63
+ RESEARCH_GITHUB.md
64
+ RELEASE_AUDIT_vNEXT.md
65
+ RELEASE_INFRASTRUCTURE_REVIEW.md
@@ -5,6 +5,27 @@ All notable changes to AgentSec will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [Unreleased]
9
+
10
+ ### Changed
11
+ - Migrated versioning from manually-edited version strings to
12
+ [`setuptools-scm`](https://setuptools-scm.readthedocs.io/). The Git tag is
13
+ now the single source of truth: `pyproject.toml` no longer hardcodes a
14
+ `version`, `agentsec/__init__.py` no longer hardcodes `__version__`, and
15
+ `agentsec/sarif.py` no longer hardcodes the SARIF `tool.driver.version`.
16
+ All three now derive from the current Git tag at build/install time via
17
+ `agentsec/_version.py` (generated, gitignored).
18
+ - `agentsec --version` and the SARIF output's `tool.driver.version` now
19
+ report the Git-derived version (exact tag on a tagged commit, e.g. `1.0.4`;
20
+ a PEP 440 dev version like `1.0.4.dev5+gabcdef1` on untagged commits).
21
+ - Release process is now exactly: `git tag vX.Y.Z && git push origin main --tags`.
22
+ No file edits are required to cut a release — CI builds, validates,
23
+ publishes to PyPI, and creates the GitHub Release automatically from the tag.
24
+ - `.github/workflows/agentsec.yml`: `actions/checkout` now uses
25
+ `fetch-depth: 0` in the `test` and `build` jobs so `setuptools-scm` can see
26
+ the full tag history; added a step verifying the built wheel/sdist
27
+ filenames match the pushed tag exactly.
28
+
8
29
  ## [1.0.3] - 2026-07-03
9
30
 
10
31
  ### Fixed
@@ -139,6 +139,56 @@ Use hyphens to separate words. Keep names short but descriptive.
139
139
  - [ ] Commits follow conventional commit format
140
140
  - [ ] Branch is up-to-date with `main`
141
141
 
142
+ ## Versioning & Releases
143
+
144
+ AgentSec uses [`setuptools-scm`](https://setuptools-scm.readthedocs.io/) to
145
+ derive its version automatically from Git tags. **The Git tag is the single
146
+ source of truth for the version — there is no version string to edit
147
+ anywhere in the codebase.**
148
+
149
+ ### Hard rule: never edit a version number manually
150
+
151
+ - `pyproject.toml` declares `dynamic = ["version"]` and must **never**
152
+ contain a hardcoded `[project].version` field.
153
+ - `agentsec/__init__.py`, `agentsec/sarif.py`, and every other file that
154
+ reports a version must obtain it dynamically (via the generated
155
+ `agentsec/_version.py` or `importlib.metadata`) — never hardcode a
156
+ version string.
157
+ - If any file reintroduces a manually maintained version, the release
158
+ pipeline is broken by design: that value will inevitably drift out of
159
+ sync with the actual Git tag. CI enforces this automatically (see below).
160
+
161
+ On a tagged commit (e.g. `v1.2.3`), the package version is exactly `1.2.3`.
162
+ On an untagged commit, the version is a PEP 440 development version derived
163
+ from the most recent tag plus commit distance and hash, e.g.
164
+ `1.2.4.dev5+gabcdef1`. There is no other channel for communicating version
165
+ intent — if you need a new version, you push a new tag.
166
+
167
+ ### How to cut a release
168
+
169
+ A maintainer only needs to:
170
+
171
+ ```bash
172
+ git commit
173
+ git tag vX.Y.Z
174
+ git push origin main --tags
175
+ ```
176
+
177
+ Pushing the tag triggers `.github/workflows/agentsec.yml`, which
178
+ automatically:
179
+
180
+ 1. Runs the full test matrix (Python 3.10–3.13).
181
+ 2. Derives the version from the pushed tag via `setuptools-scm`.
182
+ 3. Builds the sdist and wheel.
183
+ 4. Validates the package (`twine check`, filename-vs-tag check, install +
184
+ smoke test of the built wheel).
185
+ 5. Publishes to PyPI via Trusted Publishing (OIDC — no stored tokens).
186
+ 6. Creates the GitHub Release with auto-generated release notes.
187
+
188
+ No manual version editing, no manual PyPI upload, no separate release-notes
189
+ step. The only file a maintainer must keep current by hand is
190
+ `CHANGELOG.md`.
191
+
142
192
  ## Reporting Issues
143
193
 
144
194
  ### Bug Reports
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: agentsec-cli
3
- Version: 1.0.3
3
+ Version: 1.0.4
4
4
  Summary: Static security scanner for AI coding agents and MCP configurations
5
5
  Author: locface
6
6
  License-Expression: MIT
@@ -22,8 +22,10 @@ Requires-Dist: click<9,>=8.0.0
22
22
  Requires-Dist: pyyaml<7,>=6.0
23
23
  Requires-Dist: toml<1,>=0.10.2
24
24
  Requires-Dist: tomli<3,>=2.0.1; python_version < "3.11"
25
+ Requires-Dist: pathspec<2,>=0.12
25
26
  Provides-Extra: dev
26
27
  Requires-Dist: pytest>=7.0.0; extra == "dev"
28
+ Requires-Dist: setuptools-scm>=8; extra == "dev"
27
29
  Dynamic: license-file
28
30
 
29
31
  <picture>
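--- /dev/null
+++ b/agentsec/__init__.py
@@ -0,0 +1,14 @@
+ """AgentSec: Static security scanner for AI coding agents and MCP configs."""
+
+ from importlib.metadata import PackageNotFoundError, version
+
+ try:
+ from ._version import __version__
+ except ImportError:
+ # _version.py is generated by setuptools-scm at build/install time and
+ # is not present in a raw source checkout (e.g. before
+ # `pip install -e .`). Fall back to installed package metadata.
+ try:
+ __version__ = version("agentsec-cli")
+ except PackageNotFoundError:
+ __version__ = "0.0.0.dev0+unknown"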
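Review bot: `from importlib.metadata import PackageNotFoundError, version` binds `version` and `PackageNotFoundError` as public attributes of the `agentsec` package, so `agentsec.version` is a function rather than the version string and is easy to confuse with `__version__`. Import under private names, e.g. `from importlib.metadata import PackageNotFoundError as _NotFound, version as _dist_version`, or declare `__all__ = ["__version__"]`. The last-resort value `"0.0.0.dev0+unknown"` presumably also reaches the SARIF `tool.driver.version` field described in the changelog, so a comment saying that report consumers may see this placeholder would help.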
@@ -0,0 +1,24 @@
1
+ # file generated by vcs-versioning
2
+ # don't change, don't track in version control
3
+ from __future__ import annotations
4
+
5
+ __all__ = [
6
+ "__version__",
7
+ "__version_tuple__",
8
+ "version",
9
+ "version_tuple",
10
+ "__commit_id__",
11
+ "commit_id",
12
+ ]
13
+
14
+ version: str
15
+ __version__: str
16
+ __version_tuple__: tuple[int | str, ...]
17
+ version_tuple: tuple[int | str, ...]
18
+ commit_id: str | None
19
+ __commit_id__: str | None
20
+
21
+ __version__ = version = '1.0.4'
22
+ __version_tuple__ = version_tuple = (1, 0, 4)
23
+
24
+ __commit_id__ = commit_id = 'g0550ac9c6'
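--- a/agentsec/baseline.py
+++ b/agentsec/baseline.py
@@ -7,8 +7,8 @@ from typing import Dict, List, Tuple
 
 
  def compute_finding_id(finding: dict) -> str:
- """Compute a stable unique ID for a finding based on rule, file, and server."""
- key = f"{finding['rule']}|{finding['file']}|{finding.get('server', '')}"
+ """Compute a stable unique ID for a finding based on code, file, and server."""
+ key = f"{finding['code']}|{finding['file']}|{finding.get('server', '')}"
  return hashlib.md5(key.encode()).hexdigest()
 
 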
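Review bot: Switching the key field from `finding['rule']` to `finding['code']` changes every ID this function returns, so a baseline file saved by an earlier release will presumably stop matching and its accepted findings will resurface as new; the changelog hunk does not mention this. The ID is built only from code, file and server, so once one finding is baselined, any later finding with the same code in the same file and server is treated as already known. That is worth stating in the docstring, e.g. `"""Return an ID from code, file and server; distinct findings sharing all three map to the same ID."""`. MD5 serves here as a non-cryptographic fingerprint; `hashlib.md5(key.encode(), usedforsecurity=False).hexdigest()` makes that explicit and avoids failures on FIPS-restricted Python builds.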
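--- a/agentsec/cli.py
+++ b/agentsec/cli.py
@@ -22,13 +22,17 @@ def cli():
  @click.option("--fail-on", type=click.Choice(["critical", "high", "medium", "low"], case_sensitive=False),
  help="Exit with code 1 if any finding is at least this severity")
  @click.option("--include-hidden", is_flag=True, help="Include hidden files and directories")
+ @click.option("--exclude", multiple=True, default=None,
+ help="Exclude paths matching pattern (can be repeated). E.g., --exclude 'node_modules/**'")
+ @click.option("--no-gitignore", is_flag=True, default=False,
+ help="Do not automatically respect .gitignore patterns")
  @click.option("--baseline", type=click.Path(exists=True, dir_okay=False, resolve_path=True),
  help="Path to baseline JSON file (lockfile). Compare findings against it.")
  @click.option("--update-baseline", type=click.Path(dir_okay=False, resolve_path=True),
  help="Save current findings as baseline JSON file and exit.")
  @click.option("--show-owasp", is_flag=True, default=False,
  help="Show OWASP Top 10 for LLM mapping IDs for each finding")
- def scan(path, format, severity, include_hidden, fail_on=None, baseline=None, update_baseline=None, show_owasp=False):
+ def scan(path, format, severity, include_hidden, exclude, no_gitignore, fail_on=None, baseline=None, update_baseline=None, show_owasp=False):
  """Scan a directory for security risks in AI agent configurations."""
  # Lazy imports: scanner + parsers are only loaded when scan runs,
  # not when --help is displayed. This keeps `agentsec --help` fast
@@ -41,7 +45,9 @@ def scan(path, format, severity, include_hidden, fail_on=None, baseline=None, up
  if format == "terminal":
  click.echo(f" Scanning {path}...")
 
- scanner = Scanner(Path(path), include_hidden=include_hidden, min_severity=severity)
+ scanner = Scanner(Path(path), include_hidden=include_hidden, min_severity=severity,
+ exclude_patterns=list(exclude) if exclude else None,
+ no_gitignore=no_gitignore)
  findings = scanner.scan()
 
  # If update-baseline is provided, save baseline and exit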
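Review bot: With `--no-gitignore` off by default, `Scanner` presumably now skips every path matched by `.gitignore` (the scanner change is outside this section), which for a security scanner is a silent loss of coverage: a config file can be listed in `.gitignore` and still be on disk, or even tracked, and loaded by the agent. Make the skip visible, for example by reporting the number of ignored paths in terminal output, and say so in the help text, e.g. `help="Also scan files matched by .gitignore (they are skipped by default)"`; CI gates that must see everything should pass `--no-gitignore`. `--exclude` is declared with `multiple=True, default=None`, but click normally passes an empty tuple when the option is absent, so `default=None` is misleading and can be dropped. The body of `scan` continues outside both hunks.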