agentsec-cli 1.0.3__tar.gz → 1.0.4__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- agentsec_cli-1.0.4/.github/ISSUE_TEMPLATE/bug_report.md +52 -0
- agentsec_cli-1.0.4/.github/ISSUE_TEMPLATE/documentation.md +37 -0
- agentsec_cli-1.0.4/.github/ISSUE_TEMPLATE/feature_request.md +32 -0
- agentsec_cli-1.0.4/.github/ISSUE_TEMPLATE/security_report.md +27 -0
- agentsec_cli-1.0.4/.github/PULL_REQUEST_TEMPLATE.md +39 -0
- agentsec_cli-1.0.4/.github/labels.yml +51 -0
- agentsec_cli-1.0.4/.github/workflows/agentsec.yml +126 -0
- agentsec_cli-1.0.4/.github/workflows/docs.yml +54 -0
- agentsec_cli-1.0.4/.gitignore +65 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/CHANGELOG.md +21 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/CONTRIBUTING.md +50 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/PKG-INFO +3 -1
- agentsec_cli-1.0.4/agentsec/__init__.py +14 -0
- agentsec_cli-1.0.4/agentsec/_version.py +24 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/baseline.py +2 -2
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/cli.py +8 -2
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/rules/additional.py +28 -22
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/rules/base.py +12 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/sarif.py +4 -2
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/scanner.py +58 -5
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/PKG-INFO +3 -1
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/SOURCES.txt +28 -1
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/requires.txt +2 -0
- agentsec_cli-1.0.4/agentsec_cli.egg-info/scm_file_list.json +57 -0
- agentsec_cli-1.0.4/agentsec_cli.egg-info/scm_version.json +8 -0
- agentsec_cli-1.0.4/docs/CNAME +1 -0
- agentsec_cli-1.0.4/docs/demo-script.md +145 -0
- agentsec_cli-1.0.4/docs/docs/cicd.md +97 -0
- agentsec_cli-1.0.4/docs/docs/faq.md +88 -0
- agentsec_cli-1.0.4/docs/docs/index.md +34 -0
- agentsec_cli-1.0.4/docs/docs/installation.md +45 -0
- agentsec_cli-1.0.4/docs/docs/owasp.md +55 -0
- agentsec_cli-1.0.4/docs/docs/rules.md +106 -0
- agentsec_cli-1.0.4/docs/docs/usage.md +103 -0
- agentsec_cli-1.0.4/docs/mkdocs.yml +56 -0
- agentsec_cli-1.0.4/docs/screenshots.md +172 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/pyproject.toml +11 -2
- agentsec_cli-1.0.4/scripts/check_version_policy.py +66 -0
- agentsec_cli-1.0.4/scripts/scan_github.py +177 -0
- agentsec_cli-1.0.4/tests/fixtures/dangerous_mcp.json +12 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/tests/test_baseline.py +6 -6
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/tests/test_scanner.py +48 -0
- agentsec_cli-1.0.4/tests/test_versioning.py +63 -0
- agentsec_cli-1.0.3/agentsec/__init__.py +0 -3
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/CODE_OF_CONDUCT.md +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/LICENSE +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/MANIFEST.in +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/README.md +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/SECURITY.md +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/owasp.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/parsers/__init__.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/parsers/core.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/parsers/json_parser.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/parsers/toml_parser.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/parsers/yaml_parser.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/report.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/rules/__init__.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/utils/__init__.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec/utils/toml_compat.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/dependency_links.txt +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/entry_points.txt +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/agentsec_cli.egg-info/top_level.txt +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/setup.cfg +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/tests/test_compat.py +0 -0
- {agentsec_cli-1.0.3 → agentsec_cli-1.0.4}/tests/test_owasp.py +0 -0
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: Bug Report
|
|
3
|
+
about: Create a report to help us improve AgentSec
|
|
4
|
+
title: "[Bug] "
|
|
5
|
+
labels: bug
|
|
6
|
+
assignees: ''
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## Describe the Bug
|
|
10
|
+
|
|
11
|
+
A clear and concise description of what the bug is.
|
|
12
|
+
|
|
13
|
+
## To Reproduce
|
|
14
|
+
|
|
15
|
+
Steps to reproduce the behavior:
|
|
16
|
+
|
|
17
|
+
1. Run command: `agentsec scan ...`
|
|
18
|
+
2. See error: ...
|
|
19
|
+
|
|
20
|
+
## Expected Behavior
|
|
21
|
+
|
|
22
|
+
A clear description of what you expected to happen.
|
|
23
|
+
|
|
24
|
+
## Actual Behavior
|
|
25
|
+
|
|
26
|
+
What actually happened. Include error messages, stack traces, or unexpected output.
|
|
27
|
+
|
|
28
|
+
## Environment
|
|
29
|
+
|
|
30
|
+
- AgentSec version: <!-- pip show agentsec-cli | grep Version -->
|
|
31
|
+
- Python version: <!-- python3 --version -->
|
|
32
|
+
- Operating system: <!-- e.g., Ubuntu 24.04, macOS 15, Windows 11 -->
|
|
33
|
+
- Installation method: <!-- pip install, pipx, from source -->
|
|
34
|
+
|
|
35
|
+
## Sample Input
|
|
36
|
+
|
|
37
|
+
If applicable, provide a sanitized sample of the configuration you scanned.
|
|
38
|
+
|
|
39
|
+
```json
|
|
40
|
+
{
|
|
41
|
+
"mcpServers": {
|
|
42
|
+
"example": {
|
|
43
|
+
"command": "node",
|
|
44
|
+
"args": []
|
|
45
|
+
}
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
## Additional Context
|
|
51
|
+
|
|
52
|
+
Add any other context about the problem here.
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: Documentation
|
|
3
|
+
about: Report a documentation issue or suggest improvement
|
|
4
|
+
title: "[Docs] "
|
|
5
|
+
labels: documentation
|
|
6
|
+
assignees: ''
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## Documentation Location
|
|
10
|
+
|
|
11
|
+
Which page or section has the issue?
|
|
12
|
+
|
|
13
|
+
- [ ] README.md
|
|
14
|
+
- [ ] CHANGELOG.md
|
|
15
|
+
- [ ] CONTRIBUTING.md
|
|
16
|
+
- [ ] SECURITY.md
|
|
17
|
+
- [ ] docs/ (MkDocs documentation)
|
|
18
|
+
- [ ] CLI help output
|
|
19
|
+
- [ ] Landing page
|
|
20
|
+
- [ ] Other (specify):
|
|
21
|
+
|
|
22
|
+
## Issue Type
|
|
23
|
+
|
|
24
|
+
- [ ] Missing documentation
|
|
25
|
+
- [ ] Incorrect documentation
|
|
26
|
+
- [ ] Unclear documentation
|
|
27
|
+
- [ ] Broken link
|
|
28
|
+
- [ ] Typo / grammar
|
|
29
|
+
- [ ] Outdated example
|
|
30
|
+
|
|
31
|
+
## Description
|
|
32
|
+
|
|
33
|
+
Describe the issue clearly.
|
|
34
|
+
|
|
35
|
+
## Suggested Fix
|
|
36
|
+
|
|
37
|
+
If you have a suggestion for how to fix it, include it here.
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: Feature Request
|
|
3
|
+
about: Suggest an idea for AgentSec
|
|
4
|
+
title: "[Feature] "
|
|
5
|
+
labels: enhancement
|
|
6
|
+
assignees: ''
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## Problem Statement
|
|
10
|
+
|
|
11
|
+
Is your feature request related to a problem? Please describe what you're trying to achieve.
|
|
12
|
+
|
|
13
|
+
## Proposed Solution
|
|
14
|
+
|
|
15
|
+
Describe the solution you'd like. Be specific about the CLI interface, flags, or configuration.
|
|
16
|
+
|
|
17
|
+
```bash
|
|
18
|
+
# Example of how the feature should work
|
|
19
|
+
agentsec scan . --new-flag value
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
## Alternative Solutions
|
|
23
|
+
|
|
24
|
+
Describe alternatives you've considered.
|
|
25
|
+
|
|
26
|
+
## Use Case
|
|
27
|
+
|
|
28
|
+
Describe the real-world scenario where this feature would be useful.
|
|
29
|
+
|
|
30
|
+
## Additional Context
|
|
31
|
+
|
|
32
|
+
Add any other context, screenshots, or references about the feature request here.
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: Security Report
|
|
3
|
+
about: Report a security vulnerability (private)
|
|
4
|
+
title: "[Security] "
|
|
5
|
+
labels: security
|
|
6
|
+
assignees: ''
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
**Please do not file a public issue for security vulnerabilities.**
|
|
10
|
+
|
|
11
|
+
AgentSec takes security seriously. To report a vulnerability:
|
|
12
|
+
|
|
13
|
+
1. **Use GitHub Private Vulnerability Reporting** under the repository's Security tab.
|
|
14
|
+
2. **OR** email the maintainer directly (see SECURITY.md for contact information).
|
|
15
|
+
|
|
16
|
+
## Why Private Disclosure
|
|
17
|
+
|
|
18
|
+
Security vulnerabilities that are publicly disclosed without a fix can put users at risk. We will:
|
|
19
|
+
|
|
20
|
+
- Acknowledge receipt within 48 hours
|
|
21
|
+
- Provide a status update within 5 business days
|
|
22
|
+
- Release a fix within 14 days for critical issues
|
|
23
|
+
- Credit you in the security advisory (unless you request anonymity)
|
|
24
|
+
|
|
25
|
+
## See Also
|
|
26
|
+
|
|
27
|
+
- [SECURITY.md](../blob/main/SECURITY.md) for our full disclosure policy.
|
|
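Review bot: An issue template cannot be private: anyone who picks "Security Report" in the issue chooser lands on a public issue form pre-labelled `security`, which is exactly the disclosure the template's own first line asks reporters to avoid. Delete this template and add `.github/ISSUE_TEMPLATE/config.yml` with `blank_issues_enabled: false` and a `contact_links` entry whose `url` is the repository's private advisory form (`https://github.com/<owner>/<repo>/security/advisories/new`), so the chooser routes reporters to GitHub Private Vulnerability Reporting without ever creating an issue. The `../blob/main/SECURITY.md` link under "See Also" is relative to the `issues/new` URL and presumably does not resolve; use an absolute link to the file. The 48-hour / 5-business-day / 14-day commitments are better stated once, in SECURITY.md, than duplicated here where they can drift.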
@@ -0,0 +1,39 @@
|
|
|
1
|
+
## Description
|
|
2
|
+
|
|
3
|
+
Please include a summary of the change and which issue it addresses.
|
|
4
|
+
|
|
5
|
+
Fixes # (issue)
|
|
6
|
+
|
|
7
|
+
## Type of Change
|
|
8
|
+
|
|
9
|
+
- [ ] Bug fix (non-breaking change that fixes an issue)
|
|
10
|
+
- [ ] New feature (non-breaking change that adds functionality)
|
|
11
|
+
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
|
|
12
|
+
- [ ] Documentation update
|
|
13
|
+
- [ ] Performance improvement
|
|
14
|
+
- [ ] Refactoring (no functional changes)
|
|
15
|
+
- [ ] Test update
|
|
16
|
+
- [ ] CI/CD or build process
|
|
17
|
+
|
|
18
|
+
## Checklist
|
|
19
|
+
|
|
20
|
+
- [ ] Tests pass (`pytest`)
|
|
21
|
+
- [ ] New tests added for new functionality
|
|
22
|
+
- [ ] Code follows project style (PEP 8, type hints)
|
|
23
|
+
- [ ] Documentation updated (if applicable)
|
|
24
|
+
- [ ] CHANGELOG entry added (if applicable)
|
|
25
|
+
- [ ] Commits follow [Conventional Commits](https://www.conventionalcommits.org/)
|
|
26
|
+
- [ ] Branch is up-to-date with `main`
|
|
27
|
+
- [ ] No new warnings or errors introduced
|
|
28
|
+
|
|
29
|
+
## Test Plan
|
|
30
|
+
|
|
31
|
+
Describe how you tested the change:
|
|
32
|
+
|
|
33
|
+
- [ ] Unit tests
|
|
34
|
+
- [ ] Manual testing with `agentsec scan .`
|
|
35
|
+
- [ ] Tested with sample configs (JSON, YAML, TOML)
|
|
36
|
+
|
|
37
|
+
## Additional Context
|
|
38
|
+
|
|
39
|
+
Add any other context about the PR here (screenshots, benchmarks, etc.).
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
- name: bug
|
|
2
|
+
color: d73a4a
|
|
3
|
+
description: Something isn't working
|
|
4
|
+
- name: critical
|
|
5
|
+
color: b60205
|
|
6
|
+
description: Critical severity issue or finding
|
|
7
|
+
- name: enhancement
|
|
8
|
+
color: a2eeef
|
|
9
|
+
description: New feature or request
|
|
10
|
+
- name: feature
|
|
11
|
+
color: 0e8a16
|
|
12
|
+
description: Accepted feature to implement
|
|
13
|
+
- name: ci
|
|
14
|
+
color: 0366d6
|
|
15
|
+
description: CI/CD related
|
|
16
|
+
- name: build
|
|
17
|
+
color: 5319e7
|
|
18
|
+
description: Build system or packaging
|
|
19
|
+
- name: documentation
|
|
20
|
+
color: 0075ca
|
|
21
|
+
description: Improvements or additions to documentation
|
|
22
|
+
- name: test
|
|
23
|
+
color: 7b55d6
|
|
24
|
+
description: Testing related
|
|
25
|
+
- name: refactor
|
|
26
|
+
color: fbca04
|
|
27
|
+
description: Code refactoring
|
|
28
|
+
- name: performance
|
|
29
|
+
color: 0e8a16
|
|
30
|
+
description: Performance improvement
|
|
31
|
+
- name: good-first-issue
|
|
32
|
+
color: 7057ff
|
|
33
|
+
description: Good for newcomers
|
|
34
|
+
- name: help-wanted
|
|
35
|
+
color: 008672
|
|
36
|
+
description: Extra attention is needed
|
|
37
|
+
- name: question
|
|
38
|
+
color: d876e3
|
|
39
|
+
description: Further information is requested
|
|
40
|
+
- name: wontfix
|
|
41
|
+
color: ffffff
|
|
42
|
+
description: This will not be worked on
|
|
43
|
+
- name: duplicate
|
|
44
|
+
color: cfd3d7
|
|
45
|
+
description: This issue or PR already exists
|
|
46
|
+
- name: invalid
|
|
47
|
+
color: e4e669
|
|
48
|
+
description: This doesn't seem right
|
|
49
|
+
- name: security
|
|
50
|
+
color: b60205
|
|
51
|
+
description: Security vulnerability
|
|
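--- a/.github/workflows/agentsec.yml
+++ b/.github/workflows/agentsec.yml
@@ -0,0 +1,126 @@
+name: AgentSec CI/CD
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: test / py${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+      fail-fast: false
+    steps:
+      # fetch-depth: 0 is required so setuptools-scm can see the full tag
+      # history and derive the correct version. Do not remove this, and
+      # apply the same setting to any future job that installs the package.
+      - uses: actions/checkout@v7
+        with:
+          fetch-depth: 0
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .[dev]
+      - name: Guard against manual versioning regressions
+        run: python scripts/check_version_policy.py
+      - name: Verify CLI starts
+        run: |
+          agentsec --help
+          agentsec scan --help
+      - name: Verify version is Git-derived
+        run: |
+          agentsec --version
+      - name: Run tests
+        run: python -m pytest -v
+      - name: Smoke test — JSON output
+        run: |
+          agentsec scan . --include-hidden --format json | python -m json.tool > /dev/null
+      - name: Smoke test — SARIF output
+        run: |
+          agentsec scan . --include-hidden --format sarif | python -c "import sys,json; d=json.loads(sys.stdin.read()); assert d['version']=='2.1.0'; print(f'SARIF OK: {len(d[\"runs\"][0][\"results\"])} findings')"
+      - name: Smoke test — TOML parsing
+        run: |
+          mkdir -p /tmp/test-toml
+          printf '[mcpServers]\n[mcpServers.test]\ncommand = "bash"\n' > /tmp/test-toml/mcp.toml
+          agentsec scan /tmp/test-toml --format json | python -c "import sys,json; d=json.loads(sys.stdin.read()); assert len(d)>0; print(f'TOML scan OK: {len(d)} findings')"
+
+  build:
+    name: Build package
+    needs: test
+    if: github.ref_type == 'tag'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v7
+        with:
+          fetch-depth: 0
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+      - name: Install build tools
+        run: |
+          python -m pip install --upgrade pip
+          pip install build twine
+      - name: Build sdist and wheel
+        run: python -m build
+      - name: Check package with twine
+        run: python -m twine check dist/*
+      - name: Verify wheel/sdist filenames match the Git tag
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          echo "Expected version from tag: $TAG_VERSION"
+          ls dist/
+          test -f "dist/agentsec_cli-${TAG_VERSION}-py3-none-any.whl"
+          test -f "dist/agentsec_cli-${TAG_VERSION}.tar.gz"
+      - name: Install and test wheel
+        run: |
+          pip install dist/*.whl
+          agentsec --version
+          agentsec scan . --format json | python -m json.tool > /dev/null
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    name: Publish to PyPI
+    needs: build
+    if: github.ref_type == 'tag'
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/agentsec-cli
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v8
+        with:
+          name: dist
+          path: dist/
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  github-release:
+    name: Create GitHub Release
+    needs: publish
+    if: github.ref_type == 'tag'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true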
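Review bot: The only thing standing between a pushed `v*` tag and a PyPI release is the `if: github.ref_type == 'tag'` condition on the `build`, `publish` and `github-release` jobs, so any account or token with tag-push rights on the repository can obtain the OIDC trusted-publisher identity and ship a package under the project's name. Restrict the `pypi` environment with a deployment protection rule limited to `v*` tags (optionally with required reviewers) and protect `v*` with a tag ruleset, so the publish identity is only minted for tags the maintainers control. The third-party actions are also referenced by mutable refs — `pypa/gh-action-pypi-publish@release/v1` is a moving branch and `softprops/action-gh-release@v2` a moving tag — which an upstream compromise can repoint; pin every `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-sha>  # release/v1`. For the same reason `pip install build twine` and `pip install -e .[dev]` resolve whatever is newest on PyPI at release time; a pinned requirements file with `--require-hashes` for the `build` job keeps the published artifact reproducible.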
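--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -0,0 +1,54 @@
+name: Deploy Docs
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'docs/CNAME'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    name: Deploy to GitHub Pages
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - uses: actions/checkout@v7
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+
+      - name: Install MkDocs
+        run: |
+          python -m pip install --upgrade pip
+          pip install mkdocs-material
+
+      - name: Build docs
+        run: mkdocs build --config-file docs/mkdocs.yml --site-dir ../site
+
+      - name: Write CNAME for custom domain
+        run: echo "agentsec.work.gd" > site/CNAME
+
+      - name: Upload Pages artifact
+        uses: actions/upload-pages-artifact@v5
+        with:
+          path: site
+
+      - name: Deploy to Pages
+        id: deployment
+        uses: actions/deploy-pages@v5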
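Review bot: The workflow-level `permissions:` block grants `pages: write` and `id-token: write` to every job in the file rather than only to `deploy`; keep `contents: read` at the top and move the two write scopes under `deploy:` as a job-level `permissions:` block, so any job added to this workflow later does not inherit a Pages deployment identity by default. Two of the three `paths` filters look dead: a root `mkdocs.yml` does not exist in this package (the config is `docs/mkdocs.yml`, already matched by `docs/**`), and `docs/CNAME` is likewise covered by `docs/**`. The `echo "agentsec.work.gd" > site/CNAME` step duplicates the `docs/CNAME` file shipped in the package — presumably because that file sits outside the MkDocs docs directory — so the domain now lives in two places that can drift; copying the file into `site/` would keep one source of truth. `pip install mkdocs-material` is unpinned, so the published site is built by whatever version is current on the day of the push; pin it.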
@@ -0,0 +1,65 @@
|
|
|
1
|
+
# Virtual environments
|
|
2
|
+
.venv/
|
|
3
|
+
venv/
|
|
4
|
+
env/
|
|
5
|
+
|
|
6
|
+
# Python cache
|
|
7
|
+
__pycache__/
|
|
8
|
+
*.py[cod]
|
|
9
|
+
|
|
10
|
+
# setuptools-scm generated version file (derived from Git tags at build time)
|
|
11
|
+
agentsec/_version.py
|
|
12
|
+
|
|
13
|
+
# Build artifacts
|
|
14
|
+
build/
|
|
15
|
+
dist/
|
|
16
|
+
*.egg-info/
|
|
17
|
+
.eggs/
|
|
18
|
+
pip-wheel-metadata/
|
|
19
|
+
|
|
20
|
+
# Test cache
|
|
21
|
+
.pytest_cache/
|
|
22
|
+
.coverage
|
|
23
|
+
.coverage.*
|
|
24
|
+
htmlcov/
|
|
25
|
+
|
|
26
|
+
# Type checkers / linters
|
|
27
|
+
.mypy_cache/
|
|
28
|
+
.ruff_cache/
|
|
29
|
+
.tox/
|
|
30
|
+
.nox/
|
|
31
|
+
|
|
32
|
+
# IDE
|
|
33
|
+
.vscode/
|
|
34
|
+
.idea/
|
|
35
|
+
|
|
36
|
+
# macOS / Windows
|
|
37
|
+
.DS_Store
|
|
38
|
+
Thumbs.db
|
|
39
|
+
|
|
40
|
+
# Scan outputs
|
|
41
|
+
scan_results.json
|
|
42
|
+
github_scan_results.json
|
|
43
|
+
*.sarif
|
|
44
|
+
|
|
45
|
+
# Temporary
|
|
46
|
+
*.tmp
|
|
47
|
+
*.swp
|
|
48
|
+
*.bak
|
|
49
|
+
|
|
50
|
+
RELEASE_AUDIT.md
|
|
51
|
+
RELEASE_CHECKLIST.md
|
|
52
|
+
RELEASE_NOTES_v1.0.0.md
|
|
53
|
+
RELEASE_VALIDATION_REPORT.md
|
|
54
|
+
CI_REVIEW.md
|
|
55
|
+
mcp-servers/
|
|
56
|
+
|
|
57
|
+
# Internal strategy / one-time audit artifacts — content lives in Second Brain
|
|
58
|
+
# (secondbrain/raw/2026-07-04_agentsec_*.md), synthesized into wiki notes.
|
|
59
|
+
# Not public-repo content; kept out of git if they reappear locally.
|
|
60
|
+
VISION.md
|
|
61
|
+
ROADMAP_V2.md
|
|
62
|
+
NEXT_HIGH_VALUE_TASKS.md
|
|
63
|
+
RESEARCH_GITHUB.md
|
|
64
|
+
RELEASE_AUDIT_vNEXT.md
|
|
65
|
+
RELEASE_INFRASTRUCTURE_REVIEW.md
|
|
@@ -5,6 +5,27 @@ All notable changes to AgentSec will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [Unreleased]
|
|
9
|
+
|
|
10
|
+
### Changed
|
|
11
|
+
- Migrated versioning from manually-edited version strings to
|
|
12
|
+
[`setuptools-scm`](https://setuptools-scm.readthedocs.io/). The Git tag is
|
|
13
|
+
now the single source of truth: `pyproject.toml` no longer hardcodes a
|
|
14
|
+
`version`, `agentsec/__init__.py` no longer hardcodes `__version__`, and
|
|
15
|
+
`agentsec/sarif.py` no longer hardcodes the SARIF `tool.driver.version`.
|
|
16
|
+
All three now derive from the current Git tag at build/install time via
|
|
17
|
+
`agentsec/_version.py` (generated, gitignored).
|
|
18
|
+
- `agentsec --version` and the SARIF output's `tool.driver.version` now
|
|
19
|
+
report the Git-derived version (exact tag on a tagged commit, e.g. `1.0.4`;
|
|
20
|
+
a PEP 440 dev version like `1.0.4.dev5+gabcdef1` on untagged commits).
|
|
21
|
+
- Release process is now exactly: `git tag vX.Y.Z && git push origin main --tags`.
|
|
22
|
+
No file edits are required to cut a release — CI builds, validates,
|
|
23
|
+
publishes to PyPI, and creates the GitHub Release automatically from the tag.
|
|
24
|
+
- `.github/workflows/agentsec.yml`: `actions/checkout` now uses
|
|
25
|
+
`fetch-depth: 0` in the `test` and `build` jobs so `setuptools-scm` can see
|
|
26
|
+
the full tag history; added a step verifying the built wheel/sdist
|
|
27
|
+
filenames match the pushed tag exactly.
|
|
28
|
+
|
|
8
29
|
## [1.0.3] - 2026-07-03
|
|
9
30
|
|
|
10
31
|
### Fixed
|
|
@@ -139,6 +139,56 @@ Use hyphens to separate words. Keep names short but descriptive.
|
|
|
139
139
|
- [ ] Commits follow conventional commit format
|
|
140
140
|
- [ ] Branch is up-to-date with `main`
|
|
141
141
|
|
|
142
|
+
## Versioning & Releases
|
|
143
|
+
|
|
144
|
+
AgentSec uses [`setuptools-scm`](https://setuptools-scm.readthedocs.io/) to
|
|
145
|
+
derive its version automatically from Git tags. **The Git tag is the single
|
|
146
|
+
source of truth for the version — there is no version string to edit
|
|
147
|
+
anywhere in the codebase.**
|
|
148
|
+
|
|
149
|
+
### Hard rule: never edit a version number manually
|
|
150
|
+
|
|
151
|
+
- `pyproject.toml` declares `dynamic = ["version"]` and must **never**
|
|
152
|
+
contain a hardcoded `[project].version` field.
|
|
153
|
+
- `agentsec/__init__.py`, `agentsec/sarif.py`, and every other file that
|
|
154
|
+
reports a version must obtain it dynamically (via the generated
|
|
155
|
+
`agentsec/_version.py` or `importlib.metadata`) — never hardcode a
|
|
156
|
+
version string.
|
|
157
|
+
- If any file reintroduces a manually maintained version, the release
|
|
158
|
+
pipeline is broken by design: that value will inevitably drift out of
|
|
159
|
+
sync with the actual Git tag. CI enforces this automatically (see below).
|
|
160
|
+
|
|
161
|
+
On a tagged commit (e.g. `v1.2.3`), the package version is exactly `1.2.3`.
|
|
162
|
+
On an untagged commit, the version is a PEP 440 development version derived
|
|
163
|
+
from the most recent tag plus commit distance and hash, e.g.
|
|
164
|
+
`1.2.4.dev5+gabcdef1`. There is no other channel for communicating version
|
|
165
|
+
intent — if you need a new version, you push a new tag.
|
|
166
|
+
|
|
167
|
+
### How to cut a release
|
|
168
|
+
|
|
169
|
+
A maintainer only needs to:
|
|
170
|
+
|
|
171
|
+
```bash
|
|
172
|
+
git commit
|
|
173
|
+
git tag vX.Y.Z
|
|
174
|
+
git push origin main --tags
|
|
175
|
+
```
|
|
176
|
+
|
|
177
|
+
Pushing the tag triggers `.github/workflows/agentsec.yml`, which
|
|
178
|
+
automatically:
|
|
179
|
+
|
|
180
|
+
1. Runs the full test matrix (Python 3.10–3.13).
|
|
181
|
+
2. Derives the version from the pushed tag via `setuptools-scm`.
|
|
182
|
+
3. Builds the sdist and wheel.
|
|
183
|
+
4. Validates the package (`twine check`, filename-vs-tag check, install +
|
|
184
|
+
smoke test of the built wheel).
|
|
185
|
+
5. Publishes to PyPI via Trusted Publishing (OIDC — no stored tokens).
|
|
186
|
+
6. Creates the GitHub Release with auto-generated release notes.
|
|
187
|
+
|
|
188
|
+
No manual version editing, no manual PyPI upload, no separate release-notes
|
|
189
|
+
step. The only file a maintainer must keep current by hand is
|
|
190
|
+
`CHANGELOG.md`.
|
|
191
|
+
|
|
142
192
|
## Reporting Issues
|
|
143
193
|
|
|
144
194
|
### Bug Reports
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: agentsec-cli
|
|
3
|
-
Version: 1.0.
|
|
3
|
+
Version: 1.0.4
|
|
4
4
|
Summary: Static security scanner for AI coding agents and MCP configurations
|
|
5
5
|
Author: locface
|
|
6
6
|
License-Expression: MIT
|
|
@@ -22,8 +22,10 @@ Requires-Dist: click<9,>=8.0.0
|
|
|
22
22
|
Requires-Dist: pyyaml<7,>=6.0
|
|
23
23
|
Requires-Dist: toml<1,>=0.10.2
|
|
24
24
|
Requires-Dist: tomli<3,>=2.0.1; python_version < "3.11"
|
|
25
|
+
Requires-Dist: pathspec<2,>=0.12
|
|
25
26
|
Provides-Extra: dev
|
|
26
27
|
Requires-Dist: pytest>=7.0.0; extra == "dev"
|
|
28
|
+
Requires-Dist: setuptools-scm>=8; extra == "dev"
|
|
27
29
|
Dynamic: license-file
|
|
28
30
|
|
|
29
31
|
<picture>
|
|
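--- a/agentsec/__init__.py
+++ b/agentsec/__init__.py
@@ -0,0 +1,14 @@
+"""AgentSec: Static security scanner for AI coding agents and MCP configs."""
+
+from importlib.metadata import PackageNotFoundError, version
+
+try:
+    from ._version import __version__
+except ImportError:
+    # _version.py is generated by setuptools-scm at build/install time and
+    # is not present in a raw source checkout (e.g. before
+    # `pip install -e .`). Fall back to installed package metadata.
+    try:
+        __version__ = version("agentsec-cli")
+    except PackageNotFoundError:
+        __version__ = "0.0.0.dev0+unknown"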
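Review bot: `from importlib.metadata import PackageNotFoundError, version` runs on every import of `agentsec`, although it is only needed on the fallback path taken when `_version.py` is absent, which runs against the lazy-import convention `cli.py` documents for keeping `agentsec --help` fast. Move the import into the branch that uses it: `except ImportError:` / `    from importlib.metadata import PackageNotFoundError, version` and leave the nested try/except as is. The metadata fallback also reports whichever `agentsec-cli` distribution is installed in the environment rather than the checkout being run, so a released wheel installed beside a source tree would mislabel the SARIF `tool.driver.version` — presumably acceptable for a dev-only path, but worth a comment saying so.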
@@ -0,0 +1,24 @@
|
|
|
1
|
+
# file generated by vcs-versioning
|
|
2
|
+
# don't change, don't track in version control
|
|
3
|
+
from __future__ import annotations
|
|
4
|
+
|
|
5
|
+
__all__ = [
|
|
6
|
+
"__version__",
|
|
7
|
+
"__version_tuple__",
|
|
8
|
+
"version",
|
|
9
|
+
"version_tuple",
|
|
10
|
+
"__commit_id__",
|
|
11
|
+
"commit_id",
|
|
12
|
+
]
|
|
13
|
+
|
|
14
|
+
version: str
|
|
15
|
+
__version__: str
|
|
16
|
+
__version_tuple__: tuple[int | str, ...]
|
|
17
|
+
version_tuple: tuple[int | str, ...]
|
|
18
|
+
commit_id: str | None
|
|
19
|
+
__commit_id__: str | None
|
|
20
|
+
|
|
21
|
+
__version__ = version = '1.0.4'
|
|
22
|
+
__version_tuple__ = version_tuple = (1, 0, 4)
|
|
23
|
+
|
|
24
|
+
__commit_id__ = commit_id = 'g0550ac9c6'
|
|
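--- a/agentsec/baseline.py
+++ b/agentsec/baseline.py
@@ -7,8 +7,8 @@ from typing import Dict, List, Tuple
 
 
 def compute_finding_id(finding: dict) -> str:
-    """Compute a stable unique ID for a finding based on
-    key = f"{finding['
+    """Compute a stable unique ID for a finding based on code, file, and server."""
+    key = f"{finding['code']}|{finding['file']}|{finding.get('server', '')}"
     return hashlib.md5(key.encode()).hexdigest()
 
 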
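Review bot: `hashlib.md5(key.encode())` raises `ValueError` on hosts whose OpenSSL runs in FIPS mode, so `compute_finding_id` — and with it `--baseline` / `--update-baseline` — fails outright on hardened CI runners and regulated images; MD5 is used here only as a stable label, not for integrity, so mark it as such with `return hashlib.md5(key.encode(), usedforsecurity=False).hexdigest()` (the flag exists from Python 3.9 and the CI matrix starts at 3.10). Switching to SHA-256 would be cleaner but changes every existing baseline ID, so it would need a baseline-format version bump. The key also embeds `finding['file']` verbatim; if the scanner records absolute paths, the same finding gets a different ID on every machine and a committed baseline stops matching in CI — worth confirming against `scanner.py`, which is outside this diff.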
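--- a/agentsec/cli.py
+++ b/agentsec/cli.py
@@ -22,13 +22,17 @@ def cli():
 @click.option("--fail-on", type=click.Choice(["critical", "high", "medium", "low"], case_sensitive=False),
               help="Exit with code 1 if any finding is at least this severity")
 @click.option("--include-hidden", is_flag=True, help="Include hidden files and directories")
+@click.option("--exclude", multiple=True, default=None,
+              help="Exclude paths matching pattern (can be repeated). E.g., --exclude 'node_modules/**'")
+@click.option("--no-gitignore", is_flag=True, default=False,
+              help="Do not automatically respect .gitignore patterns")
 @click.option("--baseline", type=click.Path(exists=True, dir_okay=False, resolve_path=True),
               help="Path to baseline JSON file (lockfile). Compare findings against it.")
 @click.option("--update-baseline", type=click.Path(dir_okay=False, resolve_path=True),
               help="Save current findings as baseline JSON file and exit.")
 @click.option("--show-owasp", is_flag=True, default=False,
               help="Show OWASP Top 10 for LLM mapping IDs for each finding")
-def scan(path, format, severity, include_hidden, fail_on=None, baseline=None, update_baseline=None, show_owasp=False):
+def scan(path, format, severity, include_hidden, exclude, no_gitignore, fail_on=None, baseline=None, update_baseline=None, show_owasp=False):
     """Scan a directory for security risks in AI agent configurations."""
     # Lazy imports: scanner + parsers are only loaded when scan runs,
     # not when --help is displayed. This keeps `agentsec --help` fast
@@ -41,7 +45,9 @@ def scan(path, format, severity, include_hidden, fail_on=None, baseline=None, up
     if format == "terminal":
         click.echo(f" Scanning {path}...")
 
-    scanner = Scanner(Path(path), include_hidden=include_hidden, min_severity=severity
+    scanner = Scanner(Path(path), include_hidden=include_hidden, min_severity=severity,
+                      exclude_patterns=list(exclude) if exclude else None,
+                      no_gitignore=no_gitignore)
     findings = scanner.scan()
 
     # If update-baseline is provided, save baseline and exit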