agentsentinel-cli 0.8.0__tar.gz → 0.8.3__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- agentsentinel_cli-0.8.3/PKG-INFO +400 -0
- agentsentinel_cli-0.8.3/README.md +366 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/a2a_scanner.py +109 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/scanner.py +89 -1
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/secrets_rules.py +89 -4
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/pyproject.toml +5 -28
- agentsentinel_cli-0.8.0/PKG-INFO +0 -468
- agentsentinel_cli-0.8.0/README.md +0 -421
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/.gitignore +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/DOCUMENTATION.md +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/LICENSE +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/__init__.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/a2a_report.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/a2a_rules.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/cli.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/discover.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/discover_report.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/fingerprint.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/frameworks.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/inspect.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/inspect_report.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/mcp_client.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/mcp_report.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/mcp_rules.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/report.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/rules.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/secrets.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/secrets_report.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/supply_chain_ai.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/supply_chain_report.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/supply_chain_rules.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/agentsentinel_cli/suppress.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/tmp/note.md +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/tmp/test-mcp-agent/README.md +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/tmp/test-mcp-agent/langchain_agent.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/tmp/test-mcp-agent/mcp_server.py +0 -0
- {agentsentinel_cli-0.8.0 → agentsentinel_cli-0.8.3}/tmp/test-mcp-agent/requirements.txt +0 -0
|
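Review bot: the 0.8.3 sdist file list still carries `tmp/note.md` and the whole `tmp/test-mcp-agent/` directory (`README.md`, `langchain_agent.py`, `mcp_server.py`, `requirements.txt`) as packaged files, unchanged from 0.8.0. Scratch notes and test fixtures under `tmp/` should be excluded from the distribution (this release already edits `pyproject.toml`, so the sdist include/exclude configuration is the natural place), unless shipping a sample agent and MCP server with the scanner is intentional, in which case the README should say so.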
@@ -0,0 +1,400 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: agentsentinel-cli
|
|
3
|
+
Version: 0.8.3
|
|
4
|
+
Summary: AI agent and MCP server security scanner — discovery, static analysis, supply chain audit, and multi-agent trust analysis
|
|
5
|
+
Project-URL: Homepage, https://github.com/jaydenaung/agentsentinel-cli
|
|
6
|
+
Project-URL: Repository, https://github.com/jaydenaung/agentsentinel-cli
|
|
7
|
+
Project-URL: Bug Tracker, https://github.com/jaydenaung/agentsentinel-cli/issues
|
|
8
|
+
License: Apache-2.0
|
|
9
|
+
License-File: LICENSE
|
|
10
|
+
Keywords: agent-security,agentic-security,ai-security,cli,devsecops,llm-security,mcp,mcp-security,owasp,red-team,scanner,supply-chain-security
|
|
11
|
+
Classifier: Development Status :: 4 - Beta
|
|
12
|
+
Classifier: Environment :: Console
|
|
13
|
+
Classifier: Intended Audience :: Developers
|
|
14
|
+
Classifier: Intended Audience :: Information Technology
|
|
15
|
+
Classifier: License :: OSI Approved :: Apache Software License
|
|
16
|
+
Classifier: Topic :: Security
|
|
17
|
+
Classifier: Topic :: Software Development :: Libraries :: Python Modules
|
|
18
|
+
Requires-Python: >=3.10
|
|
19
|
+
Requires-Dist: click>=8.0.0
|
|
20
|
+
Requires-Dist: rich>=13.0.0
|
|
21
|
+
Provides-Extra: ai
|
|
22
|
+
Requires-Dist: anthropic>=0.50.0; extra == 'ai'
|
|
23
|
+
Requires-Dist: httpx>=0.24.0; extra == 'ai'
|
|
24
|
+
Provides-Extra: all
|
|
25
|
+
Requires-Dist: anthropic>=0.50.0; extra == 'all'
|
|
26
|
+
Requires-Dist: httpx>=0.24.0; extra == 'all'
|
|
27
|
+
Requires-Dist: psutil>=5.9.0; extra == 'all'
|
|
28
|
+
Provides-Extra: discover
|
|
29
|
+
Requires-Dist: httpx>=0.24.0; extra == 'discover'
|
|
30
|
+
Requires-Dist: psutil>=5.9.0; extra == 'discover'
|
|
31
|
+
Provides-Extra: mcp
|
|
32
|
+
Requires-Dist: httpx>=0.24.0; extra == 'mcp'
|
|
33
|
+
Description-Content-Type: text/markdown
|
|
34
|
+
|
|
35
|
+
# agentsentinel-cli
|
|
36
|
+
|
|
37
|
+
[](https://pypi.org/project/agentsentinel-cli/)
|
|
38
|
+
[](LICENSE)
|
|
39
|
+
[](https://pypi.org/project/agentsentinel-cli/)
|
|
40
|
+
|
|
41
|
+
**The nmap of AI agents and MCP servers. Deterministic. Protocol-based. No API key required.**
|
|
42
|
+
|
|
43
|
+
```bash
|
|
44
|
+
pipx install agentsentinel-cli
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
---
|
|
48
|
+
|
|
49
|
+
## What it does
|
|
50
|
+
|
|
51
|
+
`sentinel` discovers and audits AI agents and MCP servers. Every result is deterministic — same input, same output, every time. No cloud dependency, no API key required for any scan.
|
|
52
|
+
|
|
53
|
+
| Command | What it answers |
|
|
54
|
+
|---------|----------------|
|
|
55
|
+
| `sentinel discover` | What MCP servers are running on this host or network? |
|
|
56
|
+
| `sentinel mcp scan` | How secure is this specific MCP server? |
|
|
57
|
+
| `sentinel supply-chain` | Has this MCP tool manifest been tampered with? |
|
|
58
|
+
| `sentinel scan` | What security risks are in this agent's source code? |
|
|
59
|
+
| `sentinel secrets` | Are credentials or PII exposed in these files? |
|
|
60
|
+
| `sentinel inspect` | What framework, model, and role is this agent? |
|
|
61
|
+
| `sentinel a2a` | Are multi-agent trust boundaries safe? |
|
|
62
|
+
|
|
63
|
+
---
|
|
64
|
+
|
|
65
|
+
## Quick start
|
|
66
|
+
|
|
67
|
+
```bash
|
|
68
|
+
# Discover MCP servers — local and across a network
|
|
69
|
+
sentinel discover
|
|
70
|
+
sentinel discover --host 10.0.1.45
|
|
71
|
+
sentinel discover --subnet 10.0.0.0/24
|
|
72
|
+
sentinel discover --subnet 10.0.0.0/24 --scan # discover + deep audit in one pass
|
|
73
|
+
|
|
74
|
+
# Audit a specific MCP server
|
|
75
|
+
sentinel mcp scan http://localhost:8000/sse --auth-header "Authorization: Bearer token"
|
|
76
|
+
sentinel supply-chain http://localhost:8000/sse
|
|
77
|
+
|
|
78
|
+
# Scan agent source code
|
|
79
|
+
sentinel scan ./agents/
|
|
80
|
+
sentinel a2a ./agents/
|
|
81
|
+
|
|
82
|
+
# Secrets and credentials
|
|
83
|
+
sentinel secrets .
|
|
84
|
+
sentinel secrets ~/.claude/projects/ # scan Claude Code memory
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
---
|
|
88
|
+
|
|
89
|
+
## Install
|
|
90
|
+
|
|
91
|
+
```bash
|
|
92
|
+
# Zero dependencies — sentinel scan and sentinel a2a
|
|
93
|
+
pip install agentsentinel-cli
|
|
94
|
+
|
|
95
|
+
# + sentinel discover (psutil for process scanning)
|
|
96
|
+
pip install "agentsentinel-cli[discover]"
|
|
97
|
+
|
|
98
|
+
# + sentinel mcp scan, supply-chain, inspect (httpx)
|
|
99
|
+
pip install "agentsentinel-cli[mcp]"
|
|
100
|
+
|
|
101
|
+
# Everything
|
|
102
|
+
pip install "agentsentinel-cli[all]"
|
|
103
|
+
|
|
104
|
+
# Recommended — isolated install
|
|
105
|
+
pipx install "agentsentinel-cli[all]"
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
---
|
|
109
|
+
|
|
110
|
+
## Commands
|
|
111
|
+
|
|
112
|
+
### `sentinel discover` — find MCP servers and agent processes
|
|
113
|
+
|
|
114
|
+
Confirms MCP servers via protocol handshake — not just open ports. A result means the MCP `initialize` exchange completed.
|
|
115
|
+
|
|
116
|
+
```bash
|
|
117
|
+
# Local scan — processes + localhost ports
|
|
118
|
+
sentinel discover
|
|
119
|
+
|
|
120
|
+
# Single host
|
|
121
|
+
sentinel discover --host 10.0.1.45
|
|
122
|
+
sentinel discover --host 10.0.1.45 --auth-header "Authorization: Bearer token"
|
|
123
|
+
|
|
124
|
+
# Subnet sweep
|
|
125
|
+
sentinel discover --subnet 10.0.0.0/24
|
|
126
|
+
sentinel discover --subnet 10.0.0.0/24 --auth-header "Authorization: Bearer token"
|
|
127
|
+
|
|
128
|
+
# Discover + deep security audit in one pass
|
|
129
|
+
sentinel discover --host 10.0.1.45 --scan
|
|
130
|
+
sentinel discover --subnet 10.0.0.0/24 --scan
|
|
131
|
+
|
|
132
|
+
# Custom ports, Docker, JSON output
|
|
133
|
+
sentinel discover --ports 8000-9000
|
|
134
|
+
sentinel discover --docker
|
|
135
|
+
sentinel discover --format json
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
**How it works:**
|
|
139
|
+
- Phase 1 — parallel TCP sweep across host:port combinations
|
|
140
|
+
- Phase 2 — MCP protocol handshake on every open port (streamable-HTTP, falls back to SSE)
|
|
141
|
+
- Auth enforcement verified: servers that accept unauthenticated connections stay CRITICAL even if you pass a token
|
|
142
|
+
|
|
143
|
+
**Risk levels:**
|
|
144
|
+
- `CRITICAL` — unauthenticated server with dangerous or write-scope tools
|
|
145
|
+
- `HIGH` — unauthenticated server with read-only tools
|
|
146
|
+
- `MEDIUM` — MCP server confirmed but auth rejected (credentials needed)
|
|
147
|
+
- `LOW` — authenticated, tools enumerated
|
|
148
|
+
|
|
149
|
+
---
|
|
150
|
+
|
|
151
|
+
### `sentinel mcp scan` — MCP server security audit
|
|
152
|
+
|
|
153
|
+
Enumerates all tools on a running MCP server and audits for authentication gaps, dangerous capabilities, injection surface, and exfiltration paths. Supports HTTP (streamable and SSE) and stdio transports.
|
|
154
|
+
|
|
155
|
+
```bash
|
|
156
|
+
sentinel mcp scan http://localhost:8000/sse
|
|
157
|
+
sentinel mcp scan http://localhost:8000/sse --auth-header "Authorization: Bearer token"
|
|
158
|
+
sentinel mcp scan --stdio "python my_server.py"
|
|
159
|
+
sentinel mcp scan http://localhost:8000/sse --fail-on CRITICAL
|
|
160
|
+
sentinel mcp scan http://localhost:8000/sse --format json
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
**Rules:**
|
|
164
|
+
|
|
165
|
+
| Rule | Severity | What it catches |
|
|
166
|
+
|------|----------|-----------------|
|
|
167
|
+
| `NO_AUTH` | CRITICAL | Server accepts tool enumeration with no credentials |
|
|
168
|
+
| `UNAUTH_DANGEROUS_EXEC` | CRITICAL | Dangerous tools callable without authentication |
|
|
169
|
+
| `EXFILTRATION_PATH` | CRITICAL | Internal-read tools + external-write tools on the same server |
|
|
170
|
+
| `CODE_EXECUTION_TOOL` | CRITICAL | Server exposes shell/exec/code execution tools |
|
|
171
|
+
| `UNBOUNDED_INPUT` | HIGH | `command`, `path`, `query`, `url`, `code` parameters with no constraints |
|
|
172
|
+
| `TOOL_SPRAWL` | MEDIUM | >10 tools across 5+ distinct categories |
|
|
173
|
+
| `VAGUE_TOOL_DESCRIPTIONS` | MEDIUM | Tools with fewer than 3 words in their description |
|
|
174
|
+
|
|
175
|
+
---
|
|
176
|
+
|
|
177
|
+
### `sentinel supply-chain` — MCP tool manifest audit
|
|
178
|
+
|
|
179
|
+
Audits an MCP server's tool manifest for supply chain compromise: description injection, name/capability mismatch, hidden network fields, schema gaps, and registry drift against a saved baseline.
|
|
180
|
+
|
|
181
|
+
Covers **ASI04** (Agentic Supply Chain Compromise).
|
|
182
|
+
|
|
183
|
+
```bash
|
|
184
|
+
# Static rules
|
|
185
|
+
sentinel supply-chain http://localhost:8000/sse
|
|
186
|
+
sentinel supply-chain --stdio "python my_server.py"
|
|
187
|
+
|
|
188
|
+
# + Claude semantic analysis (catches subtle deception static rules miss)
|
|
189
|
+
sentinel supply-chain http://localhost:8000/sse --ai
|
|
190
|
+
|
|
191
|
+
# Baseline drift — detect changes over time
|
|
192
|
+
sentinel supply-chain http://localhost:8000/sse --save-baseline ./baseline.json
|
|
193
|
+
sentinel supply-chain http://localhost:8000/sse --baseline ./baseline.json
|
|
194
|
+
|
|
195
|
+
# CI gate
|
|
196
|
+
sentinel supply-chain http://localhost:8000/sse --fail-on CRITICAL
|
|
197
|
+
```
|
|
198
|
+
|
|
199
|
+
**Rules:**
|
|
200
|
+
|
|
201
|
+
| Rule | Severity | What it catches |
|
|
202
|
+
|------|----------|-----------------|
|
|
203
|
+
| `SC01_DESCRIPTION_INJECTION` | CRITICAL | LLM-targeting phrases in tool descriptions |
|
|
204
|
+
| `SC06_REGISTRY_DRIFT` | CRITICAL | Tools added, removed, or schema/description changed vs. baseline |
|
|
205
|
+
| `SC02_NAME_CAPABILITY_MISMATCH` | HIGH | Read-only name (`get_`, `list_`) with write/dangerous capability |
|
|
206
|
+
| `SC03_HIDDEN_NETWORK_FIELDS` | HIGH | Schema accepts `url`, `webhook`, `endpoint` not disclosed in description |
|
|
207
|
+
| `SC04_SCHEMA_MISSING_ON_WRITE` | HIGH | Write/dangerous tool with no input schema |
|
|
208
|
+
| `SC05_DECEPTIVE_BENIGN_NAME` | MEDIUM | `help`, `summarize`, `format` masking dangerous capability |
|
|
209
|
+
|
|
210
|
+
---
|
|
211
|
+
|
|
212
|
+
### `sentinel scan` — static posture audit
|
|
213
|
+
|
|
214
|
+
AST analysis of Python agent source files. Detects exfiltration paths, dangerous grants, hardcoded credentials, and privilege excess. No API key required. Zero extra dependencies.
|
|
215
|
+
|
|
216
|
+
```bash
|
|
217
|
+
sentinel scan my_agent.py
|
|
218
|
+
sentinel scan ./agents/
|
|
219
|
+
sentinel scan ./agents/ --fail-on CRITICAL
|
|
220
|
+
sentinel scan ./agents/ --format json
|
|
221
|
+
sentinel scan ./agents/ --ignore-rule DANGEROUS_GRANTS # suppress accepted finding
|
|
222
|
+
```
|
|
223
|
+
|
|
224
|
+
**Rules:**
|
|
225
|
+
|
|
226
|
+
| Rule | Severity | Trigger |
|
|
227
|
+
|------|----------|---------|
|
|
228
|
+
| `EXFILTRATION_PATH` | CRITICAL | Internal-read AND external-write grants |
|
|
229
|
+
| `CODE_EXECUTION_GRANT` | CRITICAL | bash/exec/shell grants |
|
|
230
|
+
| `HARDCODED_CREDENTIALS` | CRITICAL | API keys in source |
|
|
231
|
+
| `PROMPT_INJECTION_VECTOR` | HIGH | Web-read + write grants |
|
|
232
|
+
| `LATERAL_MOVEMENT_PATH` | HIGH | Admin/IAM + infrastructure grants |
|
|
233
|
+
| `PRIVILEGE_EXCESS` | HIGH | Write grants on a read-only described agent |
|
|
234
|
+
| `DANGEROUS_GRANTS` | HIGH | Dangerous grants outside code execution category |
|
|
235
|
+
| `TOOL_SPRAWL` | MEDIUM | >10 tools across 5+ categories |
|
|
236
|
+
| `UNDESCRIBED_WRITE_AGENT` | MEDIUM | Write grants, no description |
|
|
237
|
+
|
|
238
|
+
---
|
|
239
|
+
|
|
240
|
+
### `sentinel secrets` — credentials, PII, and memory contamination
|
|
241
|
+
|
|
242
|
+
Scans agent files and memory stores for exposed API keys, credentials, PII, and content that leaked from tool call results into persistent memory. No API key required. Zero extra dependencies.
|
|
243
|
+
|
|
244
|
+
```bash
|
|
245
|
+
sentinel secrets . # scan current directory
|
|
246
|
+
sentinel secrets ~/.claude/projects/ # scan Claude Code memory
|
|
247
|
+
sentinel secrets . --scope memory # memory files only
|
|
248
|
+
sentinel secrets . --severity HIGH # HIGH and CRITICAL only
|
|
249
|
+
sentinel secrets . --fail-on HIGH # CI gate
|
|
250
|
+
sentinel secrets . --format json
|
|
251
|
+
```
|
|
252
|
+
|
|
253
|
+
**Detects:**
|
|
254
|
+
|
|
255
|
+
- Credentials: Anthropic, OpenAI, AWS, GitHub, Stripe, Google, HuggingFace API keys · private keys · database URLs · JWT tokens
|
|
256
|
+
- PII (global): email addresses · credit cards (Luhn-validated) · US SSN · US phone
|
|
257
|
+
- PII (Singapore): NRIC/FIN (mod-11 checksum-validated) · passport · mobile · landline · UEN · postal code
|
|
258
|
+
- Memory contamination: email + NRIC/SSN clusters from tool call results · system prompt leakage in memory files
|
|
259
|
+
|
|
260
|
+
---
|
|
261
|
+
|
|
262
|
+
### `sentinel inspect` — agent intelligence report
|
|
263
|
+
|
|
264
|
+
Fingerprints an agent file or live HTTP endpoint: framework, model, role (MCP server vs. MCP client vs. agent), system prompt, environment variables.
|
|
265
|
+
|
|
266
|
+
```bash
|
|
267
|
+
sentinel inspect my_agent.py --no-ai
|
|
268
|
+
sentinel inspect mcp_server.py --no-ai
|
|
269
|
+
sentinel inspect http://localhost:8000
|
|
270
|
+
sentinel inspect ./agents/
|
|
271
|
+
```
|
|
272
|
+
|
|
273
|
+
Correctly distinguishes:
|
|
274
|
+
- **MCP Server** — `mcp.server.*` imports (tool provider, no LLM)
|
|
275
|
+
- **MCP Client** — `mcp.client.*` imports (agent connecting to an MCP server)
|
|
276
|
+
- **AI Agent** — standalone LLM agent
|
|
277
|
+
|
|
278
|
+
With `ANTHROPIC_API_KEY` set, generates a plain English security summary.
|
|
279
|
+
|
|
280
|
+
---
|
|
281
|
+
|
|
282
|
+
### `sentinel a2a` — multi-agent trust analysis
|
|
283
|
+
|
|
284
|
+
Builds a call graph from Python agent source and audits trust boundaries. Detects injection propagation across agent boundaries, unbounded spawning, and code-execution agents accepting unverified delegations.
|
|
285
|
+
|
|
286
|
+
Supports **LangChain / LangGraph**, **AutoGen**, and **CrewAI**.
|
|
287
|
+
|
|
288
|
+
```bash
|
|
289
|
+
sentinel a2a ./agents/
|
|
290
|
+
sentinel a2a multi_agent.py
|
|
291
|
+
sentinel a2a . --fail-on HIGH
|
|
292
|
+
sentinel a2a . --format json
|
|
293
|
+
```
|
|
294
|
+
|
|
295
|
+
**Rules:**
|
|
296
|
+
|
|
297
|
+
| Rule | Severity | What it catches |
|
|
298
|
+
|------|----------|-----------------|
|
|
299
|
+
| `A2A03_IMPLICIT_TRUST` | CRITICAL | Code-execution agent accepts calls from other agents with no verification |
|
|
300
|
+
| `A2A04_PROMPT_PASSTHROUGH` | HIGH | User input flows directly across an agent boundary without sanitization |
|
|
301
|
+
| `A2A02_UNBOUNDED_SPAWNING` | HIGH | Agent instantiated inside a loop — unbounded creation risk |
|
|
302
|
+
| `A2A06_CIRCULAR_DELEGATION` | HIGH | Cycle in the call graph — agents can loop indefinitely under injection |
|
|
303
|
+
| `A2A05_UNSCOPED_DELEGATION` | MEDIUM | Orchestrator delegates full tool set instead of a restricted subset |
|
|
304
|
+
|
|
305
|
+
Covers **ASI07** (Insecure Inter-Agent Communication).
|
|
306
|
+
|
|
307
|
+
---
|
|
308
|
+
|
|
309
|
+
## Finding suppression
|
|
310
|
+
|
|
311
|
+
Use `--ignore-rule` to suppress findings by rule ID. Suppressed findings are excluded from `--fail-on` evaluation — they don't break CI gates.
|
|
312
|
+
|
|
313
|
+
```bash
|
|
314
|
+
sentinel scan ./agents/ --fail-on HIGH --ignore-rule DANGEROUS_GRANTS
|
|
315
|
+
sentinel mcp scan http://localhost:8000/sse --fail-on CRITICAL \
|
|
316
|
+
--ignore-rule NO_AUTH \
|
|
317
|
+
--ignore-rule UNBOUNDED_INPUT
|
|
318
|
+
```
|
|
319
|
+
|
|
320
|
+
For project-level suppressions, create a **`.sentinelignore`** file in your project root. `sentinel` walks up from the target to find it — same discovery pattern as `.gitignore`.
|
|
321
|
+
|
|
322
|
+
```
|
|
323
|
+
# .sentinelignore
|
|
324
|
+
NO_AUTH # server is behind an authenticated reverse proxy
|
|
325
|
+
SC03_HIDDEN_NETWORK_FIELDS # webhook field verified safe — used for audit logging
|
|
326
|
+
```
|
|
327
|
+
|
|
328
|
+
Supported on: `sentinel scan`, `sentinel a2a`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel secrets`, `sentinel inspect`.
|
|
329
|
+
|
|
330
|
+
---
|
|
331
|
+
|
|
332
|
+
## OWASP Top 10 for Agentic Applications 2026 coverage
|
|
333
|
+
|
|
334
|
+
| OWASP Risk | ID | sentinel coverage |
|
|
335
|
+
|------------|-----|------------------|
|
|
336
|
+
| Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01) |
|
|
337
|
+
| Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan` |
|
|
338
|
+
| Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS) |
|
|
339
|
+
| **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis) |
|
|
340
|
+
| Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL) |
|
|
341
|
+
| **Memory & Context Poisoning** | **ASI06** | **`sentinel secrets`** (memory contamination, system prompt leakage) |
|
|
342
|
+
| **Insecure Inter-Agent Communication** | **ASI07** | **`sentinel a2a`** (call graph + trust rules) |
|
|
343
|
+
| Cascading Agent Failures | ASI08 | `sentinel discover` (surface unmonitored agents) |
|
|
344
|
+
| Rogue Agents | ASI10 | `sentinel discover` (find agents that shouldn't exist) |
|
|
345
|
+
|
|
346
|
+
---
|
|
347
|
+
|
|
348
|
+
## CI/CD integration
|
|
349
|
+
|
|
350
|
+
```yaml
|
|
351
|
+
# .github/workflows/agent-security.yml
|
|
352
|
+
name: Agent Security
|
|
353
|
+
on: [pull_request]
|
|
354
|
+
|
|
355
|
+
jobs:
|
|
356
|
+
security:
|
|
357
|
+
runs-on: ubuntu-latest
|
|
358
|
+
steps:
|
|
359
|
+
- uses: actions/checkout@v4
|
|
360
|
+
|
|
361
|
+
- name: Install sentinel
|
|
362
|
+
run: pip install "agentsentinel-cli[mcp]"
|
|
363
|
+
|
|
364
|
+
- name: Posture scan
|
|
365
|
+
run: sentinel scan ./agents/ --fail-on CRITICAL
|
|
366
|
+
|
|
367
|
+
- name: Secrets scan
|
|
368
|
+
run: sentinel secrets . --fail-on HIGH
|
|
369
|
+
|
|
370
|
+
- name: MCP supply chain audit
|
|
371
|
+
run: sentinel supply-chain http://localhost:8000/sse --fail-on CRITICAL
|
|
372
|
+
|
|
373
|
+
- name: MCP security audit
|
|
374
|
+
run: sentinel mcp scan http://localhost:8000/sse --fail-on CRITICAL
|
|
375
|
+
|
|
376
|
+
- name: Multi-agent trust analysis
|
|
377
|
+
run: sentinel a2a ./agents/ --fail-on HIGH
|
|
378
|
+
```
|
|
379
|
+
|
|
380
|
+
Use `.sentinelignore` at the repo root to suppress accepted risks without weakening the gate:
|
|
381
|
+
|
|
382
|
+
```
|
|
383
|
+
# .sentinelignore — committed to source control
|
|
384
|
+
NO_AUTH # server is behind an authenticated reverse proxy
|
|
385
|
+
```
|
|
386
|
+
|
|
387
|
+
---
|
|
388
|
+
|
|
389
|
+
## Requirements
|
|
390
|
+
|
|
391
|
+
- Python 3.10+
|
|
392
|
+
- No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`
|
|
393
|
+
- `ANTHROPIC_API_KEY` required for: `sentinel supply-chain --ai`, `sentinel inspect` (AI summary)
|
|
394
|
+
|
|
395
|
+
---
|
|
396
|
+
|
|
397
|
+
## Related
|
|
398
|
+
|
|
399
|
+
- [AgentSentinel platform](https://github.com/jaydenaung/agentsentinel) — enterprise AI agent monitoring (Trust Score, behavior baselining, live dashboard)
|
|
400
|
+
- [OWASP Top 10 for Agentic Applications 2026](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/)
|
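Review bot: the CI workflow in the README (`.github/workflows/agent-security.yml` block) runs `sentinel supply-chain http://localhost:8000/sse --fail-on CRITICAL` and `sentinel mcp scan http://localhost:8000/sse --fail-on CRITICAL` on a fresh `ubuntu-latest` runner, but no earlier step starts an MCP server on `localhost:8000`, so there is nothing for those two gates to audit; either add a step that launches the server under test before the audit steps, or point them at a reachable endpoint and say so in the step comment. Secondary: the install block's comment `# Zero dependencies — sentinel scan and sentinel a2a` contradicts the metadata a few lines above, which declares `Requires-Dist: click>=8.0.0` and `Requires-Dist: rich>=13.0.0` unconditionally; the wording the same README uses under `sentinel scan` and `sentinel secrets`, "Zero extra dependencies", is the accurate one. Finally, the OWASP coverage table lists ASI01 through ASI08 and ASI10 but silently skips ASI09; a row marking it as not covered would make the gap explicit rather than leaving readers to infer it.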