agentsentinel-cli 0.9.3__tar.gz → 0.9.4__tar.gz
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/PKG-INFO +95 -7
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/README.md +94 -6
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/cli.py +13 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/transport.py +6 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/pyproject.toml +1 -1
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/.gitignore +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/DOCUMENTATION.md +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/LICENSE +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/__init__.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_report.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_rules.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_scanner.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/discover.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/discover_report.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/fingerprint.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/frameworks.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_report.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_rules.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_scanner.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/inspect.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/inspect_report.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_client.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_report.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_rules.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/__init__.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/mcp_auth.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/mcp_fuzz.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/mcp_inject.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/mcp_poison.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/mcp_recon.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/models.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/payloads.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/report.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/report.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/rules.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/scanner.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets_report.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets_rules.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_ai.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_report.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_rules.py +0 -0
- {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/suppress.py +0 -0
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: agentsentinel-cli
|
|
3
|
-
Version: 0.9.
|
|
3
|
+
Version: 0.9.4
|
|
4
4
|
Summary: AI agent and MCP server security scanner — discovery, static analysis, supply chain audit, and multi-agent trust analysis
|
|
5
5
|
Project-URL: Homepage, https://github.com/jaydenaung/agentsentinel-cli
|
|
6
6
|
Project-URL: Repository, https://github.com/jaydenaung/agentsentinel-cli
|
|
@@ -60,6 +60,7 @@ pipx install agentsentinel-cli
|
|
|
60
60
|
| `sentinel inspect` | What framework, model, and role is this agent? |
|
|
61
61
|
| `sentinel a2a` | Are multi-agent trust boundaries safe? |
|
|
62
62
|
| `sentinel host-scan` | What is my local AI security posture across all AI tools? |
|
|
63
|
+
| `sentinel redteam mcp` | Can I actively exploit this MCP server? |
|
|
63
64
|
|
|
64
65
|
---
|
|
65
66
|
|
|
@@ -87,6 +88,11 @@ sentinel secrets ~/.claude/projects/ # scan Claude Code memory
|
|
|
87
88
|
# Local AI security posture — no network calls
|
|
88
89
|
sentinel host-scan
|
|
89
90
|
sentinel host-scan --fail-on HIGH
|
|
91
|
+
|
|
92
|
+
# Active red-team — real attacks, confirmed exploitation
|
|
93
|
+
sentinel redteam mcp full http://localhost:8000
|
|
94
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
|
|
95
|
+
sentinel redteam mcp auth http://localhost:8000
|
|
90
96
|
```
|
|
91
97
|
|
|
92
98
|
---
|
|
@@ -382,6 +388,85 @@ No API key required. No network calls.
|
|
|
382
388
|
|
|
383
389
|
---
|
|
384
390
|
|
|
391
|
+
### `sentinel redteam mcp` — active MCP server exploitation
|
|
392
|
+
|
|
393
|
+
The active red-team module for MCP servers. Every finding is backed by confirmed evidence from the server's actual response — no heuristics, no noise. If a traversal finding says it read `/etc/passwd`, it read `/etc/passwd`.
|
|
394
|
+
|
|
395
|
+
Requires `httpx`: `pip install "agentsentinel-cli[mcp]"`
|
|
396
|
+
|
|
397
|
+
```bash
|
|
398
|
+
# Full run — all 5 phases, unified report
|
|
399
|
+
sentinel redteam mcp full http://localhost:8000
|
|
400
|
+
sentinel redteam mcp full http://localhost:8000 --intensity high --format json
|
|
401
|
+
|
|
402
|
+
# Targeted phases
|
|
403
|
+
sentinel redteam mcp recon http://localhost:8000 # enumerate attack surface
|
|
404
|
+
sentinel redteam mcp auth http://localhost:8000 # auth bypass (5 credential scenarios)
|
|
405
|
+
sentinel redteam mcp inject http://localhost:8000 # all injection techniques
|
|
406
|
+
sentinel redteam mcp poison http://localhost:8000 # tool description + result injection
|
|
407
|
+
sentinel redteam mcp fuzz http://localhost:8000 # schema and type boundary fuzzing
|
|
408
|
+
|
|
409
|
+
# Surgical injection — pick your techniques
|
|
410
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse
|
|
411
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
|
|
412
|
+
sentinel redteam mcp inject http://localhost:8000 --type cmd --type sqli --intensity high
|
|
413
|
+
|
|
414
|
+
# With auth
|
|
415
|
+
sentinel redteam mcp full http://localhost:8000 \
|
|
416
|
+
--auth-header "Authorization: Bearer token"
|
|
417
|
+
|
|
418
|
+
# stdio transport (local MCP servers)
|
|
419
|
+
sentinel redteam mcp full --stdio "python my_mcp_server.py"
|
|
420
|
+
|
|
421
|
+
# CI gate — fail if any CRITICAL confirmed
|
|
422
|
+
sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
|
|
423
|
+
|
|
424
|
+
# Save report
|
|
425
|
+
sentinel redteam mcp full http://localhost:8000 --output report.json
|
|
426
|
+
```
|
|
427
|
+
|
|
428
|
+
**Phases:**
|
|
429
|
+
|
|
430
|
+
| Phase | Command | What it tests |
|
|
431
|
+
|-------|---------|---------------|
|
|
432
|
+
| 1 — Recon | `recon` | Tool inventory, resource listing, dangerous capability flags |
|
|
433
|
+
| 2 — Auth Bypass | `auth` | 5 credential scenarios: no creds, empty bearer, garbage token, invalid JWT, JWT alg:none |
|
|
434
|
+
| 3 — Injection | `inject` | Path traversal, SSRF, command injection, SQL injection — payload fired, pattern matched in response |
|
|
435
|
+
| 4 — Poison | `poison` | Static: adversarial instructions in tool descriptions. Dynamic: LLM instruction injection via tool parameters |
|
|
436
|
+
| 5 — Fuzz | `fuzz` | Stack traces, internal path disclosure, template injection eval, type confusion |
|
|
437
|
+
|
|
438
|
+
**Injection techniques (`--type`):**
|
|
439
|
+
|
|
440
|
+
| Technique | What it confirms |
|
|
441
|
+
|-----------|-----------------|
|
|
442
|
+
| `traverse` | Arbitrary file read via path traversal — evidence: `/etc/passwd` content, `.env` keys |
|
|
443
|
+
| `ssrf` | Server-side request forgery — evidence: AWS IMDS tokens, Redis/SSH banners, cloud metadata |
|
|
444
|
+
| `cmd` | OS command injection — evidence: `uid=0(root)` from `id`, `REDTEAM_CMD_CONFIRMED` sentinel |
|
|
445
|
+
| `sqli` | SQL injection — evidence: DB error messages (`ORA-`, `You have an error in your SQL syntax`) |
|
|
446
|
+
| `llm` | LLM instruction injection via tool result — evidence: sentinel string echoed in clean response |
|
|
447
|
+
|
|
448
|
+
**Intensity levels (`--intensity`):**
|
|
449
|
+
|
|
450
|
+
| Level | Payloads per technique | Use case |
|
|
451
|
+
|-------|----------------------|----------|
|
|
452
|
+
| `low` | 5 | Fast CI gate |
|
|
453
|
+
| `medium` | 15 | Standard engagement (default) |
|
|
454
|
+
| `high` | Full library (~20) | Thorough pentest |
|
|
455
|
+
|
|
456
|
+
**Finding severities:**
|
|
457
|
+
|
|
458
|
+
| Severity | Example |
|
|
459
|
+
|----------|---------|
|
|
460
|
+
| CRITICAL | Path traversal confirmed — `/etc/passwd` content in response |
|
|
461
|
+
| HIGH | LLM instruction injection — sentinel reflected in clean tool result |
|
|
462
|
+
| MEDIUM | Input reflected in error message (injection vector, lower confidence) |
|
|
463
|
+
| LOW | Unexpected content returned on malformed input |
|
|
464
|
+
| INFO | Auth enforced on handshake, tool inventory |
|
|
465
|
+
|
|
466
|
+
Every finding includes a **MITRE ATLAS** ID and **OWASP ASI** ID. Use `--verbose` to see full request/response bodies.
|
|
467
|
+
|
|
468
|
+
---
|
|
469
|
+
|
|
385
470
|
## Finding suppression
|
|
386
471
|
|
|
387
472
|
Use `--ignore-rule` to suppress findings by rule ID. Suppressed findings are excluded from `--fail-on` evaluation — they don't break CI gates.
|
|
@@ -409,11 +494,11 @@ Supported on: `sentinel scan`, `sentinel a2a`, `sentinel mcp scan`, `sentinel su
|
|
|
409
494
|
|
|
410
495
|
| OWASP Risk | ID | sentinel coverage |
|
|
411
496
|
|------------|-----|------------------|
|
|
412
|
-
| Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01) |
|
|
413
|
-
| Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan
|
|
414
|
-
| Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED) |
|
|
415
|
-
| **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis) |
|
|
416
|
-
| Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL) |
|
|
497
|
+
| Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01), **`sentinel redteam mcp poison`** (confirmed injection) |
|
|
498
|
+
| Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan`, **`sentinel redteam mcp inject`** (confirmed exploitation) |
|
|
499
|
+
| Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED), **`sentinel redteam mcp auth`** (bypass confirmation) |
|
|
500
|
+
| **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis), **`sentinel redteam mcp poison`** (static description scan) |
|
|
501
|
+
| Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL), **`sentinel redteam mcp inject --type cmd`** |
|
|
417
502
|
| **Memory & Context Poisoning** | **ASI06** | **`sentinel secrets`** (memory contamination, system prompt leakage), `sentinel host-scan` (HOST_LARGE_MEMORY) |
|
|
418
503
|
| **Insecure Inter-Agent Communication** | **ASI07** | **`sentinel a2a`** (call graph + trust rules) |
|
|
419
504
|
| Cascading Agent Failures | ASI08 | `sentinel discover` (surface unmonitored agents) |
|
|
@@ -454,6 +539,9 @@ jobs:
|
|
|
454
539
|
|
|
455
540
|
- name: Host AI security posture
|
|
456
541
|
run: sentinel host-scan --fail-on HIGH
|
|
542
|
+
|
|
543
|
+
- name: MCP red-team (active exploitation check)
|
|
544
|
+
run: sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
|
|
457
545
|
```
|
|
458
546
|
|
|
459
547
|
Use `.sentinelignore` at the repo root to suppress accepted risks without weakening the gate:
|
|
@@ -468,7 +556,7 @@ NO_AUTH # server is behind an authenticated reverse proxy
|
|
|
468
556
|
## Requirements
|
|
469
557
|
|
|
470
558
|
- Python 3.10+
|
|
471
|
-
- No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`
|
|
559
|
+
- No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`, `sentinel redteam mcp`
|
|
472
560
|
- `ANTHROPIC_API_KEY` required for: `sentinel supply-chain --ai`, `sentinel inspect` (AI summary)
|
|
473
561
|
|
|
474
562
|
---
|
|
@@ -26,6 +26,7 @@ pipx install agentsentinel-cli
|
|
|
26
26
|
| `sentinel inspect` | What framework, model, and role is this agent? |
|
|
27
27
|
| `sentinel a2a` | Are multi-agent trust boundaries safe? |
|
|
28
28
|
| `sentinel host-scan` | What is my local AI security posture across all AI tools? |
|
|
29
|
+
| `sentinel redteam mcp` | Can I actively exploit this MCP server? |
|
|
29
30
|
|
|
30
31
|
---
|
|
31
32
|
|
|
@@ -53,6 +54,11 @@ sentinel secrets ~/.claude/projects/ # scan Claude Code memory
|
|
|
53
54
|
# Local AI security posture — no network calls
|
|
54
55
|
sentinel host-scan
|
|
55
56
|
sentinel host-scan --fail-on HIGH
|
|
57
|
+
|
|
58
|
+
# Active red-team — real attacks, confirmed exploitation
|
|
59
|
+
sentinel redteam mcp full http://localhost:8000
|
|
60
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
|
|
61
|
+
sentinel redteam mcp auth http://localhost:8000
|
|
56
62
|
```
|
|
57
63
|
|
|
58
64
|
---
|
|
@@ -348,6 +354,85 @@ No API key required. No network calls.
|
|
|
348
354
|
|
|
349
355
|
---
|
|
350
356
|
|
|
357
|
+
### `sentinel redteam mcp` — active MCP server exploitation
|
|
358
|
+
|
|
359
|
+
The active red-team module for MCP servers. Every finding is backed by confirmed evidence from the server's actual response — no heuristics, no noise. If a traversal finding says it read `/etc/passwd`, it read `/etc/passwd`.
|
|
360
|
+
|
|
361
|
+
Requires `httpx`: `pip install "agentsentinel-cli[mcp]"`
|
|
362
|
+
|
|
363
|
+
```bash
|
|
364
|
+
# Full run — all 5 phases, unified report
|
|
365
|
+
sentinel redteam mcp full http://localhost:8000
|
|
366
|
+
sentinel redteam mcp full http://localhost:8000 --intensity high --format json
|
|
367
|
+
|
|
368
|
+
# Targeted phases
|
|
369
|
+
sentinel redteam mcp recon http://localhost:8000 # enumerate attack surface
|
|
370
|
+
sentinel redteam mcp auth http://localhost:8000 # auth bypass (5 credential scenarios)
|
|
371
|
+
sentinel redteam mcp inject http://localhost:8000 # all injection techniques
|
|
372
|
+
sentinel redteam mcp poison http://localhost:8000 # tool description + result injection
|
|
373
|
+
sentinel redteam mcp fuzz http://localhost:8000 # schema and type boundary fuzzing
|
|
374
|
+
|
|
375
|
+
# Surgical injection — pick your techniques
|
|
376
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse
|
|
377
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
|
|
378
|
+
sentinel redteam mcp inject http://localhost:8000 --type cmd --type sqli --intensity high
|
|
379
|
+
|
|
380
|
+
# With auth
|
|
381
|
+
sentinel redteam mcp full http://localhost:8000 \
|
|
382
|
+
--auth-header "Authorization: Bearer token"
|
|
383
|
+
|
|
384
|
+
# stdio transport (local MCP servers)
|
|
385
|
+
sentinel redteam mcp full --stdio "python my_mcp_server.py"
|
|
386
|
+
|
|
387
|
+
# CI gate — fail if any CRITICAL confirmed
|
|
388
|
+
sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
|
|
389
|
+
|
|
390
|
+
# Save report
|
|
391
|
+
sentinel redteam mcp full http://localhost:8000 --output report.json
|
|
392
|
+
```
|
|
393
|
+
|
|
394
|
+
**Phases:**
|
|
395
|
+
|
|
396
|
+
| Phase | Command | What it tests |
|
|
397
|
+
|-------|---------|---------------|
|
|
398
|
+
| 1 — Recon | `recon` | Tool inventory, resource listing, dangerous capability flags |
|
|
399
|
+
| 2 — Auth Bypass | `auth` | 5 credential scenarios: no creds, empty bearer, garbage token, invalid JWT, JWT alg:none |
|
|
400
|
+
| 3 — Injection | `inject` | Path traversal, SSRF, command injection, SQL injection — payload fired, pattern matched in response |
|
|
401
|
+
| 4 — Poison | `poison` | Static: adversarial instructions in tool descriptions. Dynamic: LLM instruction injection via tool parameters |
|
|
402
|
+
| 5 — Fuzz | `fuzz` | Stack traces, internal path disclosure, template injection eval, type confusion |
|
|
403
|
+
|
|
404
|
+
**Injection techniques (`--type`):**
|
|
405
|
+
|
|
406
|
+
| Technique | What it confirms |
|
|
407
|
+
|-----------|-----------------|
|
|
408
|
+
| `traverse` | Arbitrary file read via path traversal — evidence: `/etc/passwd` content, `.env` keys |
|
|
409
|
+
| `ssrf` | Server-side request forgery — evidence: AWS IMDS tokens, Redis/SSH banners, cloud metadata |
|
|
410
|
+
| `cmd` | OS command injection — evidence: `uid=0(root)` from `id`, `REDTEAM_CMD_CONFIRMED` sentinel |
|
|
411
|
+
| `sqli` | SQL injection — evidence: DB error messages (`ORA-`, `You have an error in your SQL syntax`) |
|
|
412
|
+
| `llm` | LLM instruction injection via tool result — evidence: sentinel string echoed in clean response |
|
|
413
|
+
|
|
414
|
+
**Intensity levels (`--intensity`):**
|
|
415
|
+
|
|
416
|
+
| Level | Payloads per technique | Use case |
|
|
417
|
+
|-------|----------------------|----------|
|
|
418
|
+
| `low` | 5 | Fast CI gate |
|
|
419
|
+
| `medium` | 15 | Standard engagement (default) |
|
|
420
|
+
| `high` | Full library (~20) | Thorough pentest |
|
|
421
|
+
|
|
422
|
+
**Finding severities:**
|
|
423
|
+
|
|
424
|
+
| Severity | Example |
|
|
425
|
+
|----------|---------|
|
|
426
|
+
| CRITICAL | Path traversal confirmed — `/etc/passwd` content in response |
|
|
427
|
+
| HIGH | LLM instruction injection — sentinel reflected in clean tool result |
|
|
428
|
+
| MEDIUM | Input reflected in error message (injection vector, lower confidence) |
|
|
429
|
+
| LOW | Unexpected content returned on malformed input |
|
|
430
|
+
| INFO | Auth enforced on handshake, tool inventory |
|
|
431
|
+
|
|
432
|
+
Every finding includes a **MITRE ATLAS** ID and **OWASP ASI** ID. Use `--verbose` to see full request/response bodies.
|
|
433
|
+
|
|
434
|
+
---
|
|
435
|
+
|
|
351
436
|
## Finding suppression
|
|
352
437
|
|
|
353
438
|
Use `--ignore-rule` to suppress findings by rule ID. Suppressed findings are excluded from `--fail-on` evaluation — they don't break CI gates.
|
|
@@ -375,11 +460,11 @@ Supported on: `sentinel scan`, `sentinel a2a`, `sentinel mcp scan`, `sentinel su
|
|
|
375
460
|
|
|
376
461
|
| OWASP Risk | ID | sentinel coverage |
|
|
377
462
|
|------------|-----|------------------|
|
|
378
|
-
| Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01) |
|
|
379
|
-
| Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan
|
|
380
|
-
| Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED) |
|
|
381
|
-
| **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis) |
|
|
382
|
-
| Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL) |
|
|
463
|
+
| Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01), **`sentinel redteam mcp poison`** (confirmed injection) |
|
|
464
|
+
| Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan`, **`sentinel redteam mcp inject`** (confirmed exploitation) |
|
|
465
|
+
| Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED), **`sentinel redteam mcp auth`** (bypass confirmation) |
|
|
466
|
+
| **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis), **`sentinel redteam mcp poison`** (static description scan) |
|
|
467
|
+
| Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL), **`sentinel redteam mcp inject --type cmd`** |
|
|
383
468
|
| **Memory & Context Poisoning** | **ASI06** | **`sentinel secrets`** (memory contamination, system prompt leakage), `sentinel host-scan` (HOST_LARGE_MEMORY) |
|
|
384
469
|
| **Insecure Inter-Agent Communication** | **ASI07** | **`sentinel a2a`** (call graph + trust rules) |
|
|
385
470
|
| Cascading Agent Failures | ASI08 | `sentinel discover` (surface unmonitored agents) |
|
|
@@ -420,6 +505,9 @@ jobs:
|
|
|
420
505
|
|
|
421
506
|
- name: Host AI security posture
|
|
422
507
|
run: sentinel host-scan --fail-on HIGH
|
|
508
|
+
|
|
509
|
+
- name: MCP red-team (active exploitation check)
|
|
510
|
+
run: sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
|
|
423
511
|
```
|
|
424
512
|
|
|
425
513
|
Use `.sentinelignore` at the repo root to suppress accepted risks without weakening the gate:
|
|
@@ -434,7 +522,7 @@ NO_AUTH # server is behind an authenticated reverse proxy
|
|
|
434
522
|
## Requirements
|
|
435
523
|
|
|
436
524
|
- Python 3.10+
|
|
437
|
-
- No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`
|
|
525
|
+
- No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`, `sentinel redteam mcp`
|
|
438
526
|
- `ANTHROPIC_API_KEY` required for: `sentinel supply-chain --ai`, `sentinel inspect` (AI summary)
|
|
439
527
|
|
|
440
528
|
---
|
|
@@ -1064,6 +1064,13 @@ def _require_target(target: str | None, stdio_cmd: str | None) -> None:
|
|
|
1064
1064
|
sys.exit(1)
|
|
1065
1065
|
|
|
1066
1066
|
|
|
1067
|
+
def _normalize_url(url: str | None) -> str | None:
|
|
1068
|
+
"""Prepend http:// to bare host:port inputs (e.g. 127.0.0.1:8000 → http://127.0.0.1:8000)."""
|
|
1069
|
+
if url and not url.startswith(("http://", "https://")):
|
|
1070
|
+
return f"http://{url}"
|
|
1071
|
+
return url
|
|
1072
|
+
|
|
1073
|
+
|
|
1067
1074
|
def _check_exit(findings: list, fail_on: str | None) -> None:
|
|
1068
1075
|
if not fail_on:
|
|
1069
1076
|
return
|
|
@@ -1116,6 +1123,7 @@ def redteam_mcp_recon(
|
|
|
1116
1123
|
from agentsentinel_cli.mcp_client import McpAuthRequired, McpError
|
|
1117
1124
|
|
|
1118
1125
|
_require_target(target, stdio_cmd)
|
|
1126
|
+
target = _normalize_url(target)
|
|
1119
1127
|
headers = _parse_auth_header(auth_header)
|
|
1120
1128
|
display = stdio_cmd or target
|
|
1121
1129
|
|
|
@@ -1183,6 +1191,7 @@ def redteam_mcp_auth(
|
|
|
1183
1191
|
from agentsentinel_cli.mcp_client import McpAuthRequired, McpError
|
|
1184
1192
|
|
|
1185
1193
|
_require_target(target, stdio_cmd)
|
|
1194
|
+
target = _normalize_url(target)
|
|
1186
1195
|
headers = _parse_auth_header(auth_header)
|
|
1187
1196
|
display = stdio_cmd or target
|
|
1188
1197
|
|
|
@@ -1283,6 +1292,7 @@ def redteam_mcp_inject(
|
|
|
1283
1292
|
from agentsentinel_cli.mcp_client import McpAuthRequired, McpError
|
|
1284
1293
|
|
|
1285
1294
|
_require_target(target, stdio_cmd)
|
|
1295
|
+
target = _normalize_url(target)
|
|
1286
1296
|
headers = _parse_auth_header(auth_header)
|
|
1287
1297
|
display = stdio_cmd or target
|
|
1288
1298
|
|
|
@@ -1355,6 +1365,7 @@ def redteam_mcp_poison(
|
|
|
1355
1365
|
from agentsentinel_cli.mcp_client import McpAuthRequired, McpError
|
|
1356
1366
|
|
|
1357
1367
|
_require_target(target, stdio_cmd)
|
|
1368
|
+
target = _normalize_url(target)
|
|
1358
1369
|
headers = _parse_auth_header(auth_header)
|
|
1359
1370
|
display = stdio_cmd or target
|
|
1360
1371
|
|
|
@@ -1423,6 +1434,7 @@ def redteam_mcp_fuzz(
|
|
|
1423
1434
|
from agentsentinel_cli.mcp_client import McpAuthRequired, McpError
|
|
1424
1435
|
|
|
1425
1436
|
_require_target(target, stdio_cmd)
|
|
1437
|
+
target = _normalize_url(target)
|
|
1426
1438
|
headers = _parse_auth_header(auth_header)
|
|
1427
1439
|
display = stdio_cmd or target
|
|
1428
1440
|
|
|
@@ -1506,6 +1518,7 @@ def redteam_mcp_full(
|
|
|
1506
1518
|
from rich.progress import Progress, SpinnerColumn, TextColumn, TimeElapsedColumn
|
|
1507
1519
|
|
|
1508
1520
|
_require_target(target, stdio_cmd)
|
|
1521
|
+
target = _normalize_url(target)
|
|
1509
1522
|
headers = _parse_auth_header(auth_header)
|
|
1510
1523
|
display = stdio_cmd or target
|
|
1511
1524
|
|
|
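Review bot: `_normalize_url` (first hunk of this section) silently turns any scheme-less target into plaintext `http://`, and every `redteam mcp` subcommand now calls it right after `_require_target`, so a user who types `api.internal:8000 --auth-header "Authorization: Bearer …"` gets that credential sent in the clear with no indication that a downgrade happened. Defaulting to http is reasonable for loopback, but for any other host the CLI should at least warn on stderr (`sys` is already in scope in this file) or prefer https. The `startswith(("http://", "https://"))` test is also case-sensitive, so `HTTP://host` becomes `http://HTTP://host`; the transport.py hunk has the same case-sensitive test, where `HTTPS://host` is rejected as "missing protocol" — `self._url.lower().startswith(...)` fixes that one. The rewrite below uses `urlsplit` to pull the host out, which needs `from urllib.parse import urlsplit` in the import block outside this section.
```python
def _normalize_url(url: str | None) -> str | None:
    """Prepend http:// to bare host:port inputs (e.g. 127.0.0.1:8000 → http://127.0.0.1:8000).

    Plaintext is assumed silently only for loopback targets; any other bare
    host gets a stderr warning so an --auth-header credential is not sent in
    the clear unnoticed.
    """
    if not url or url.lower().startswith(("http://", "https://")):
        return url
    host = urlsplit(f"http://{url}").hostname
    if host not in ("localhost", "127.0.0.1", "::1"):
        print(
            f"warning: no scheme given for '{url}'; defaulting to http:// "
            "(any auth header will be sent unencrypted). Pass https:// "
            "explicitly to avoid this.",
            file=sys.stderr,
        )
    return f"http://{url}"
```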
@@ -122,6 +122,12 @@ class RedTeamSession:
|
|
|
122
122
|
except ImportError:
|
|
123
123
|
raise McpError("httpx required: pip install 'agentsentinel-cli[mcp]'")
|
|
124
124
|
|
|
125
|
+
if self._url and not self._url.startswith(("http://", "https://")):
|
|
126
|
+
raise McpError(
|
|
127
|
+
f"Invalid URL '{self._url}' — missing protocol. "
|
|
128
|
+
f"Try: http://{self._url}"
|
|
129
|
+
)
|
|
130
|
+
|
|
125
131
|
base = self._url.rstrip("/")
|
|
126
132
|
headers: dict = {
|
|
127
133
|
"Content-Type": "application/json",
|
|
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
|
|
|
4
4
|
|
|
5
5
|
[project]
|
|
6
6
|
name = "agentsentinel-cli"
|
|
7
|
-
version = "0.9.
|
|
7
|
+
version = "0.9.4"
|
|
8
8
|
description = "AI agent and MCP server security scanner — discovery, static analysis, supply chain audit, and multi-agent trust analysis"
|
|
9
9
|
readme = "README.md"
|
|
10
10
|
requires-python = ">=3.10"
|
|