dfx-agentguard 0.1.0__tar.gz

dfx_agentguard-0.1.0/PKG-INFO

@@ -0,0 +1,236 @@
+Metadata-Version: 2.4
+Name: dfx-agentguard
+Version: 0.1.0
+Summary: Autonomous security scanner for AI agents — detects prompt injection, tool abuse, data exfiltration, and OWASP ASI Top 10 vulnerabilities.
+Home-page: https://github.com/dockfixlabs/agentguard
+Author: Dockfix Labs
+Author-email: Dockfix Labs <security@dockfixlabs.dev>
+License: MIT
+Project-URL: Homepage, https://github.com/dockfixlabs/agentguard
+Project-URL: Documentation, https://github.com/dockfixlabs/agentguard#readme
+Project-URL: Issues, https://github.com/dockfixlabs/agentguard/issues
+Project-URL: Security Policy, https://github.com/dockfixlabs/agentguard/blob/main/SECURITY.md
+Keywords: ai-security,agent-security,owasp-asi,prompt-injection,mcp,static-analysis,llm-security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: license
+Requires-Dist: click>=8.1
+Requires-Dist: rich>=13.0
+Requires-Dist: pydantic>=2.0
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+Requires-Dist: ruff; extra == "dev"
+Provides-Extra: mcp
+Requires-Dist: mcp>=0.9; extra == "mcp"
+Dynamic: author
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-python
+
+# 🛡️ AgentGuard
+
+> **Autonomous security scanner for AI agents.** Detects prompt injection, tool abuse, data exfiltration, and OWASP ASI Top 10 vulnerabilities in agent code.
+
+[![Python 3.10+](https://img.shields.io/badge/Python-3.10+-3776AB?style=flat-square&logo=python&logoColor=white)](https://python.org)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green?style=flat-square)](LICENSE)
+[![CI](https://img.shields.io/badge/CI-GitHub%20Actions-2088FF?style=flat-square&logo=github-actions&logoColor=white)](https://github.com/dockfixlabs/agentguard/actions)
+[![OWASP ASI](https://img.shields.io/badge/OWASP-ASI%20Top%2010-orange?style=flat-square)](https://owasp.org/www-project-agentic-security-initiative/)
+
+---
+
+## Why AgentGuard?
+
+AI agents are being deployed at scale — in coding tools, customer support, trading bots, and autonomous systems. **Nobody is scanning their code for security vulnerabilities.**
+
+Existing tools (Bandit, Semgrep, CodeQL) scan for traditional vulnerabilities. AgentGuard scans for **agent-specific** attack vectors:
+
+- 📥 **Prompt Injection** — untrusted input reaching LLM prompts
+- 🔧 **Tool Abuse** — agents with unrestricted shell/exec access
+- 📤 **Data Exfiltration** — agents leaking data to external URLs
+- 🔑 **Credential Exposure** — hardcoded API keys and wallet seeds
+- ⚡ **Unsafe Eval** — `eval()`, `exec()`, `subprocess(shell=True)` with user input
+- 🧠 **Context Manipulation** — unbounded context window attacks
+- 🏰 **Trust Boundary Violations** — agents running as root, accessing host filesystem
+
+## Quick Start
+
+```bash
+pip install agentguard
+
+# Scan a directory
+agentguard .
+
+# JSON output for CI/CD
+agentguard src/ --format json
+
+# SARIF for GitHub Code Scanning
+agentguard . --format sarif > results.sarif
+
+# Only show HIGH and above
+agentguard . --min-severity HIGH
+```
+
+## CLI Usage
+
+```
+agentguard [OPTIONS] [TARGET]
+
+Arguments:
+  TARGET  Directory or file to scan (default: current directory)
+
+Options:
+  --format [text|json|sarif]  Output format (default: text)
+  --exit-code / --no-exit-code  Exit non-zero if findings found (default: on)
+  --min-severity [CRITICAL|HIGH|MEDIUM|LOW|INFO]  Minimum severity to report
+  --help  Show help
+```
+
+## OWASP ASI Top 10 Coverage
+
+| ID | Vulnerability | Status |
+|----|--------------|--------|
+| ASI01 | Prompt Injection | ✅ |
+| ASI02 | Tool Abuse / Unintended Tool Use | ✅ |
+| ASI03 | Data Exfiltration / Sensitive Data Leakage | ✅ |
+| ASI04 | Unauthorized Actions / Excessive Agency | ✅ |
+| ASI05 | Supply Chain / Untrusted Components | ✅ |
+| ASI06 | Insecure Output Handling | ✅ |
+| ASI07 | Credential / Secret Exposure | ✅ |
+| ASI08 | Context Window Manipulation | ✅ |
+| ASI09 | Agent Loop Exploitation | ✅ |
+| ASI10 | Trust Boundary Violation | ✅ |
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+name: Security Scan
+on: [push, pull_request]
+
+jobs:
+  agentguard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - run: pip install agentguard
+      - run: agentguard . --format sarif > results.sarif
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+```
+
+### Pre-commit Hook
+
+```yaml
+repos:
+  - repo: https://github.com/dockfixlabs/agentguard
+    rev: v0.1.0
+    hooks:
+      - id: agentguard
+        args: ["--min-severity", "HIGH"]
+```
+
+## Programmatic Usage
+
+```python
+from agentguard.scanner import scan_directory
+from agentguard.reporter import json_report
+
+result = scan_directory("src/")
+
+print(f"Found {len(result.findings)} issues")
+print(f"Critical: {result.critical_count}")
+print(f"High: {result.high_count}")
+
+for finding in result.findings:
+    print(f"  [{finding.severity}] {finding.rule_name} at {finding.file}:{finding.line}")
+```
+
+## Detection Rules
+
+### ASI01 — Prompt Injection
+Detects untrusted user input being concatenated into LLM prompts via f-strings, `.format()`, or string concatenation.
+
+### ASI02 — Tool Abuse
+Flags agents with access to `exec()`, `subprocess`, `os.system()`, shell tools, unrestricted tool registration, and missing rate limits.
+
+### ASI03 — Data Exfiltration
+Detects outbound HTTP requests to external URLs, webhook configurations, DNS exfiltration patterns, and secret+network correlation.
+
+### ASI06 — Unsafe Eval
+Flags `eval()`, `exec()`, `compile()` with user input, `pickle.load()`, `yaml.load()` without SafeLoader, `subprocess(shell=True)`.
+
+### ASI07 — Credential Exposure
+Detects hardcoded API keys (sk-, ghp_, AKIA), private keys, connection strings with passwords, and crypto wallet seeds.
+
+### ASI08 — Context Manipulation
+Flags missing token limits, unbounded context accumulation, and large files loaded directly into LLM context.
+
+### ASI10 — Trust Boundary Violation
+Detects agents running as root, host filesystem access, self-modifying code, and direct database access with user input.
+
+## MCP Server Mode
+
+Scan agent code directly from Claude Code, Cursor, or any MCP-compatible client:
+
+```json
+// ~/.claude/claude_code_config.json
+{
+  "mcpServers": {
+    "agentguard": {
+      "command": "python3",
+      "args": ["-m", "agentguard.mcp_server"]
+    }
+  }
+}
+```
+
+Then ask Claude: *"Scan my agent code for security vulnerabilities"*
+
+### MCP Tools
+- `scan_agent_code` — Scan a directory/file for vulnerabilities
+- `list_rules` — List all detection rules and OWASP mapping
+- `get_finding_details` — Get remediation guidance for a specific rule
+
+## Roadmap
+
+- [x] OWASP ASI Top 10 — all 10 categories covered
+- [x] MCP server mode — scan from Claude Code/Cursor
+- [x] SARIF output — GitHub Code Scanning integration
+- [ ] PyPI publication
+- [ ] Semantic analysis with LLM-assisted code review
+- [ ] Language support: Rust, Go, Java
+- [ ] VS Code extension
+- [ ] GitHub App for automated PR reviews
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md). Bug reports and feature requests welcome.
+
+## Security
+
+See [SECURITY.md](SECURITY.md). Report vulnerabilities privately — do not open public issues.
+
+## License
+
+MIT — see [LICENSE](LICENSE).
+
+---
+
+Built by [Dockfix Labs](https://github.com/dockfixlabs). Built for the AI agent era.

dfx_agentguard-0.1.0/README.md

@@ -0,0 +1,195 @@
+# 🛡️ AgentGuard
+
+> **Autonomous security scanner for AI agents.** Detects prompt injection, tool abuse, data exfiltration, and OWASP ASI Top 10 vulnerabilities in agent code.
+
+[![Python 3.10+](https://img.shields.io/badge/Python-3.10+-3776AB?style=flat-square&logo=python&logoColor=white)](https://python.org)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green?style=flat-square)](LICENSE)
+[![CI](https://img.shields.io/badge/CI-GitHub%20Actions-2088FF?style=flat-square&logo=github-actions&logoColor=white)](https://github.com/dockfixlabs/agentguard/actions)
+[![OWASP ASI](https://img.shields.io/badge/OWASP-ASI%20Top%2010-orange?style=flat-square)](https://owasp.org/www-project-agentic-security-initiative/)
+
+---
+
+## Why AgentGuard?
+
+AI agents are being deployed at scale — in coding tools, customer support, trading bots, and autonomous systems. **Nobody is scanning their code for security vulnerabilities.**
+
+Existing tools (Bandit, Semgrep, CodeQL) scan for traditional vulnerabilities. AgentGuard scans for **agent-specific** attack vectors:
+
+- 📥 **Prompt Injection** — untrusted input reaching LLM prompts
+- 🔧 **Tool Abuse** — agents with unrestricted shell/exec access
+- 📤 **Data Exfiltration** — agents leaking data to external URLs
+- 🔑 **Credential Exposure** — hardcoded API keys and wallet seeds
+- ⚡ **Unsafe Eval** — `eval()`, `exec()`, `subprocess(shell=True)` with user input
+- 🧠 **Context Manipulation** — unbounded context window attacks
+- 🏰 **Trust Boundary Violations** — agents running as root, accessing host filesystem
+
+## Quick Start
+
+```bash
+pip install agentguard
+
+# Scan a directory
+agentguard .
+
+# JSON output for CI/CD
+agentguard src/ --format json
+
+# SARIF for GitHub Code Scanning
+agentguard . --format sarif > results.sarif
+
+# Only show HIGH and above
+agentguard . --min-severity HIGH
+```
+
+## CLI Usage
+
+```
+agentguard [OPTIONS] [TARGET]
+
+Arguments:
+  TARGET  Directory or file to scan (default: current directory)
+
+Options:
+  --format [text|json|sarif]  Output format (default: text)
+  --exit-code / --no-exit-code  Exit non-zero if findings found (default: on)
+  --min-severity [CRITICAL|HIGH|MEDIUM|LOW|INFO]  Minimum severity to report
+  --help  Show help
+```
+
+## OWASP ASI Top 10 Coverage
+
+| ID | Vulnerability | Status |
+|----|--------------|--------|
+| ASI01 | Prompt Injection | ✅ |
+| ASI02 | Tool Abuse / Unintended Tool Use | ✅ |
+| ASI03 | Data Exfiltration / Sensitive Data Leakage | ✅ |
+| ASI04 | Unauthorized Actions / Excessive Agency | ✅ |
+| ASI05 | Supply Chain / Untrusted Components | ✅ |
+| ASI06 | Insecure Output Handling | ✅ |
+| ASI07 | Credential / Secret Exposure | ✅ |
+| ASI08 | Context Window Manipulation | ✅ |
+| ASI09 | Agent Loop Exploitation | ✅ |
+| ASI10 | Trust Boundary Violation | ✅ |
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+name: Security Scan
+on: [push, pull_request]
+
+jobs:
+  agentguard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - run: pip install agentguard
+      - run: agentguard . --format sarif > results.sarif
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+```
+
+### Pre-commit Hook
+
+```yaml
+repos:
+  - repo: https://github.com/dockfixlabs/agentguard
+    rev: v0.1.0
+    hooks:
+      - id: agentguard
+        args: ["--min-severity", "HIGH"]
+```
+
+## Programmatic Usage
+
+```python
+from agentguard.scanner import scan_directory
+from agentguard.reporter import json_report
+
+result = scan_directory("src/")
+
+print(f"Found {len(result.findings)} issues")
+print(f"Critical: {result.critical_count}")
+print(f"High: {result.high_count}")
+
+for finding in result.findings:
+    print(f"  [{finding.severity}] {finding.rule_name} at {finding.file}:{finding.line}")
+```
+
+## Detection Rules
+
+### ASI01 — Prompt Injection
+Detects untrusted user input being concatenated into LLM prompts via f-strings, `.format()`, or string concatenation.
+
+### ASI02 — Tool Abuse
+Flags agents with access to `exec()`, `subprocess`, `os.system()`, shell tools, unrestricted tool registration, and missing rate limits.
+
+### ASI03 — Data Exfiltration
+Detects outbound HTTP requests to external URLs, webhook configurations, DNS exfiltration patterns, and secret+network correlation.
+
+### ASI06 — Unsafe Eval
+Flags `eval()`, `exec()`, `compile()` with user input, `pickle.load()`, `yaml.load()` without SafeLoader, `subprocess(shell=True)`.
+
+### ASI07 — Credential Exposure
+Detects hardcoded API keys (sk-, ghp_, AKIA), private keys, connection strings with passwords, and crypto wallet seeds.
+
+### ASI08 — Context Manipulation
+Flags missing token limits, unbounded context accumulation, and large files loaded directly into LLM context.
+
+### ASI10 — Trust Boundary Violation
+Detects agents running as root, host filesystem access, self-modifying code, and direct database access with user input.
+
+## MCP Server Mode
+
+Scan agent code directly from Claude Code, Cursor, or any MCP-compatible client:
+
+```json
+// ~/.claude/claude_code_config.json
+{
+  "mcpServers": {
+    "agentguard": {
+      "command": "python3",
+      "args": ["-m", "agentguard.mcp_server"]
+    }
+  }
+}
+```
+
+Then ask Claude: *"Scan my agent code for security vulnerabilities"*
+
+### MCP Tools
+- `scan_agent_code` — Scan a directory/file for vulnerabilities
+- `list_rules` — List all detection rules and OWASP mapping
+- `get_finding_details` — Get remediation guidance for a specific rule
+
+## Roadmap
+
+- [x] OWASP ASI Top 10 — all 10 categories covered
+- [x] MCP server mode — scan from Claude Code/Cursor
+- [x] SARIF output — GitHub Code Scanning integration
+- [ ] PyPI publication
+- [ ] Semantic analysis with LLM-assisted code review
+- [ ] Language support: Rust, Go, Java
+- [ ] VS Code extension
+- [ ] GitHub App for automated PR reviews
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md). Bug reports and feature requests welcome.
+
+## Security
+
+See [SECURITY.md](SECURITY.md). Report vulnerabilities privately — do not open public issues.
+
+## License
+
+MIT — see [LICENSE](LICENSE).
+
+---
+
+Built by [Dockfix Labs](https://github.com/dockfixlabs). Built for the AI agent era.

dfx_agentguard-0.1.0/agentguard/__init__.py

@@ -0,0 +1,3 @@
+"""AgentGuard — Autonomous security scanner for AI agents."""
+
+__version__ = "0.1.0"

dfx_agentguard-0.1.0/agentguard/cli.py

@@ -0,0 +1,67 @@
+"""CLI entry point for AgentGuard."""
+
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+import click
+from rich.console import Console
+
+from agentguard.scanner import scan_directory
+from agentguard.reporter import print_report, json_report, sarif_report
+
+
+@click.command()
+@click.argument("target", default=".", type=click.Path(exists=True))
+@click.option(
+    "--format", "output_format",
+    type=click.Choice(["text", "json", "sarif"], case_sensitive=False),
+    default="text",
+    help="Output format (default: text)",
+)
+@click.option(
+    "--exit-code/--no-exit-code",
+    default=True,
+    help="Exit with non-zero code if findings found (default: True)",
+)
+@click.option(
+    "--min-severity",
+    type=click.Choice(["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"], case_sensitive=False),
+    default="INFO",
+    help="Minimum severity to report (default: INFO = all)",
+)
+def main(target: str, output_format: str, exit_code: bool, min_severity: str) -> None:
+    """AgentGuard — Scan AI agent code for security vulnerabilities.
+
+    TARGET: Directory or file to scan (default: current directory)
+
+    Examples:
+
+        agentguard .                    # Scan current directory
+        agentguard src/ --format json   # JSON output
+        agentguard . --format sarif     # SARIF for CI/CD
+        agentguard . --min-severity HIGH  # Only HIGH+ findings
+    """
+    console = Console()
+    result = scan_directory(target)
+
+    # Filter by severity
+    severity_order = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]
+    min_idx = severity_order.index(min_severity.upper())
+    allowed = severity_order[:min_idx + 1]
+    result.findings = [f for f in result.findings if f.severity.value in allowed]
+
+    if output_format.lower() == "json":
+        print(json_report(result))
+    elif output_format.lower() == "sarif":
+        print(sarif_report(result))
+    else:
+        print_report(result, console)
+
+    if exit_code and not result.clean:
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()