hermes-shield-scanner 0.7.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- hermes_shield_scanner-0.7.1/LICENSE +202 -0
- hermes_shield_scanner-0.7.1/PKG-INFO +417 -0
- hermes_shield_scanner-0.7.1/README.md +184 -0
- hermes_shield_scanner-0.7.1/pyproject.toml +57 -0
- hermes_shield_scanner-0.7.1/setup.cfg +4 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/__init__.py +3 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/_demo/app.py.txt +12 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/_demo/eval_tool.py.txt +14 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/_demo/tools.py.txt +8 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/ai_assist.py +266 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/ai_finder.py +105 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/ai_tier.py +213 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/ai_verify.py +46 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/ast_sinks.py +794 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/banner.py +115 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/baseline.py +32 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/brand_fonts.py +1606 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/call_graph.py +330 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/cap_normalise.py +106 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/config/__init__.py +2 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/config/entrypoints.json +32 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/config/guard_primitives.json +25 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/config_loader.py +87 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/cross_module.py +217 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/cs_sinks.py +110 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/dashboard_export.py +31 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/dep_scan.py +525 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/drift.py +67 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/entrypoint_proof.py +111 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/entrypoints.py +66 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/guard_attribution.py +266 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/guard_detector.py +34 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/guard_integrity.py +210 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/install_report.py +244 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/inter_taint.py +302 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/learned_sinks.json +38 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/learned_sinks.py +141 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/llm_eval_detector.py +125 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/models.py +172 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/module_index.py +163 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/patch_plan.py +96 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/patterns.py +96 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/prove.py +891 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/repo_map.py +109 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/repo_scanner.py +393 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/report_writer.py +19 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/scan_hermes.py +471 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/secret_exfil_detector.py +147 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/semgrep_runner.py +181 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/shield_cli.py +327 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/shield_report.py +637 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/stream.py +185 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/summary.py +217 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/surface_classifier.py +103 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/taint.py +281 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/ts_sinks.py +133 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield/ts_taint.py +258 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/PKG-INFO +417 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/SOURCES.txt +107 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/dependency_links.txt +1 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/entry_points.txt +3 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/requires.txt +8 -0
- hermes_shield_scanner-0.7.1/src/hermes_shield_scanner.egg-info/top_level.txt +1 -0
- hermes_shield_scanner-0.7.1/tests/test_ai_cache_path_rejects_symlink.py +30 -0
- hermes_shield_scanner-0.7.1/tests/test_ai_default_cache_not_under_target_root.py +21 -0
- hermes_shield_scanner-0.7.1/tests/test_ai_reachability.py +116 -0
- hermes_shield_scanner-0.7.1/tests/test_ai_tier_cache_only.py +87 -0
- hermes_shield_scanner-0.7.1/tests/test_ai_tier_skips_out_of_root_symlink_targets.py +22 -0
- hermes_shield_scanner-0.7.1/tests/test_cli_ergonomics.py +173 -0
- hermes_shield_scanner-0.7.1/tests/test_demo_licence_metadata.py +114 -0
- hermes_shield_scanner-0.7.1/tests/test_dep_scan.py +349 -0
- hermes_shield_scanner-0.7.1/tests/test_field_container_taint.py +71 -0
- hermes_shield_scanner-0.7.1/tests/test_fix_plan.py +120 -0
- hermes_shield_scanner-0.7.1/tests/test_fp_suppression.py +87 -0
- hermes_shield_scanner-0.7.1/tests/test_get_source_recall.py +43 -0
- hermes_shield_scanner-0.7.1/tests/test_guard_attribution.py +308 -0
- hermes_shield_scanner-0.7.1/tests/test_hs03_ai_redaction_trust_size.py +131 -0
- hermes_shield_scanner-0.7.1/tests/test_hs04_semgrep_pinning.py +105 -0
- hermes_shield_scanner-0.7.1/tests/test_inter_taint.py +77 -0
- hermes_shield_scanner-0.7.1/tests/test_launch_hardening.py +168 -0
- hermes_shield_scanner-0.7.1/tests/test_learned_structural.py +57 -0
- hermes_shield_scanner-0.7.1/tests/test_llm_eval_detector.py +32 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9a_review_drift.py +103 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9b_precision.py +144 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9b_review_adversarial.py +126 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9c_cross_module.py +85 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9c_review_adversarial.py +135 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9d_config_entrypoints.py +103 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9d_review_adversarial.py +100 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9e_ast_sinks.py +92 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9e_review_adversarial.py +90 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9f_entrypoint_map.py +93 -0
- hermes_shield_scanner-0.7.1/tests/test_p2_9g_earlyreturn_soundness.py +46 -0
- hermes_shield_scanner-0.7.1/tests/test_prove_lane.py +416 -0
- hermes_shield_scanner-0.7.1/tests/test_prove_platform_guard.py +67 -0
- hermes_shield_scanner-0.7.1/tests/test_s8_84_cli_command_entrypoints.py +124 -0
- hermes_shield_scanner-0.7.1/tests/test_s8_85_scan_corrections.py +108 -0
- hermes_shield_scanner-0.7.1/tests/test_s8_86_install_liability_rating.py +78 -0
- hermes_shield_scanner-0.7.1/tests/test_s8_87_out_dir.py +68 -0
- hermes_shield_scanner-0.7.1/tests/test_s8_88_shield_report_wired.py +64 -0
- hermes_shield_scanner-0.7.1/tests/test_s8_89_semgrep_comparator.py +82 -0
- hermes_shield_scanner-0.7.1/tests/test_scan_skips_symlinked_py_files.py +28 -0
- hermes_shield_scanner-0.7.1/tests/test_scanner_core.py +138 -0
- hermes_shield_scanner-0.7.1/tests/test_secret_exfil_detector.py +24 -0
- hermes_shield_scanner-0.7.1/tests/test_ssti_sink.py +22 -0
- hermes_shield_scanner-0.7.1/tests/test_stage1_5_guard_integrity.py +118 -0
- hermes_shield_scanner-0.7.1/tests/test_target_guard_config_not_trusted_by_default.py +54 -0
- hermes_shield_scanner-0.7.1/tests/test_ts_taint.py +76 -0
- hermes_shield_scanner-0.7.1/tests/test_verified_fires.py +47 -0
|
@@ -0,0 +1,202 @@
|
|
|
1
|
+
|
|
2
|
+
Apache License
|
|
3
|
+
Version 2.0, January 2004
|
|
4
|
+
http://www.apache.org/licenses/
|
|
5
|
+
|
|
6
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
|
7
|
+
|
|
8
|
+
1. Definitions.
|
|
9
|
+
|
|
10
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
|
11
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
|
12
|
+
|
|
13
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
|
14
|
+
the copyright owner that is granting the License.
|
|
15
|
+
|
|
16
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
|
17
|
+
other entities that control, are controlled by, or are under common
|
|
18
|
+
control with that entity. For the purposes of this definition,
|
|
19
|
+
"control" means (i) the power, direct or indirect, to cause the
|
|
20
|
+
direction or management of such entity, whether by contract or
|
|
21
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
|
22
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
|
23
|
+
|
|
24
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
|
25
|
+
exercising permissions granted by this License.
|
|
26
|
+
|
|
27
|
+
"Source" form shall mean the preferred form for making modifications,
|
|
28
|
+
including but not limited to software source code, documentation
|
|
29
|
+
source, and configuration files.
|
|
30
|
+
|
|
31
|
+
"Object" form shall mean any form resulting from mechanical
|
|
32
|
+
transformation or translation of a Source form, including but
|
|
33
|
+
not limited to compiled object code, generated documentation,
|
|
34
|
+
and conversions to other media types.
|
|
35
|
+
|
|
36
|
+
"Work" shall mean the work of authorship, whether in Source or
|
|
37
|
+
Object form, made available under the License, as indicated by a
|
|
38
|
+
copyright notice that is included in or attached to the work
|
|
39
|
+
(an example is provided in the Appendix below).
|
|
40
|
+
|
|
41
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
|
42
|
+
form, that is based on (or derived from) the Work and for which the
|
|
43
|
+
editorial revisions, annotations, elaborations, or other modifications
|
|
44
|
+
represent, as a whole, an original work of authorship. For the purposes
|
|
45
|
+
of this License, Derivative Works shall not include works that remain
|
|
46
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
|
47
|
+
the Work and Derivative Works thereof.
|
|
48
|
+
|
|
49
|
+
"Contribution" shall mean any work of authorship, including
|
|
50
|
+
the original version of the Work and any modifications or additions
|
|
51
|
+
to that Work or Derivative Works thereof, that is intentionally
|
|
52
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
|
53
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
|
54
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
|
55
|
+
means any form of electronic, verbal, or written communication sent
|
|
56
|
+
to the Licensor or its representatives, including but not limited to
|
|
57
|
+
communication on electronic mailing lists, source code control systems,
|
|
58
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
|
59
|
+
Licensor for the purpose of discussing and improving the Work, but
|
|
60
|
+
excluding communication that is conspicuously marked or otherwise
|
|
61
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
|
62
|
+
|
|
63
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
|
64
|
+
on behalf of whom a Contribution has been received by Licensor and
|
|
65
|
+
subsequently incorporated within the Work.
|
|
66
|
+
|
|
67
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
|
68
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
69
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
70
|
+
copyright license to reproduce, prepare Derivative Works of,
|
|
71
|
+
publicly display, publicly perform, sublicense, and distribute the
|
|
72
|
+
Work and such Derivative Works in Source or Object form.
|
|
73
|
+
|
|
74
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
|
75
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
76
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
77
|
+
(except as stated in this section) patent license to make, have made,
|
|
78
|
+
use, offer to sell, sell, import, and otherwise transfer the Work,
|
|
79
|
+
where such license applies only to those patent claims licensable
|
|
80
|
+
by such Contributor that are necessarily infringed by their
|
|
81
|
+
Contribution(s) alone or by combination of their Contribution(s)
|
|
82
|
+
with the Work to which such Contribution(s) was submitted. If You
|
|
83
|
+
institute patent litigation against any entity (including a
|
|
84
|
+
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
|
85
|
+
or a Contribution incorporated within the Work constitutes direct
|
|
86
|
+
or contributory patent infringement, then any patent licenses
|
|
87
|
+
granted to You under this License for that Work shall terminate
|
|
88
|
+
as of the date such litigation is filed.
|
|
89
|
+
|
|
90
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
|
91
|
+
Work or Derivative Works thereof in any medium, with or without
|
|
92
|
+
modifications, and in Source or Object form, provided that You
|
|
93
|
+
meet the following conditions:
|
|
94
|
+
|
|
95
|
+
(a) You must give any other recipients of the Work or
|
|
96
|
+
Derivative Works a copy of this License; and
|
|
97
|
+
|
|
98
|
+
(b) You must cause any modified files to carry prominent notices
|
|
99
|
+
stating that You changed the files; and
|
|
100
|
+
|
|
101
|
+
(c) You must retain, in the Source form of any Derivative Works
|
|
102
|
+
that You distribute, all copyright, patent, trademark, and
|
|
103
|
+
attribution notices from the Source form of the Work,
|
|
104
|
+
excluding those notices that do not pertain to any part of
|
|
105
|
+
the Derivative Works; and
|
|
106
|
+
|
|
107
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
|
108
|
+
distribution, then any Derivative Works that You distribute must
|
|
109
|
+
include a readable copy of the attribution notices contained
|
|
110
|
+
within such NOTICE file, excluding those notices that do not
|
|
111
|
+
pertain to any part of the Derivative Works, in at least one
|
|
112
|
+
of the following places: within a NOTICE text file distributed
|
|
113
|
+
as part of the Derivative Works; within the Source form or
|
|
114
|
+
documentation, if provided along with the Derivative Works; or,
|
|
115
|
+
within a display generated by the Derivative Works, if and
|
|
116
|
+
wherever such third-party notices normally appear. The contents
|
|
117
|
+
of the NOTICE file are for informational purposes only and
|
|
118
|
+
do not modify the License. You may add Your own attribution
|
|
119
|
+
notices within Derivative Works that You distribute, alongside
|
|
120
|
+
or as an addendum to the NOTICE text from the Work, provided
|
|
121
|
+
that such additional attribution notices cannot be construed
|
|
122
|
+
as modifying the License.
|
|
123
|
+
|
|
124
|
+
You may add Your own copyright statement to Your modifications and
|
|
125
|
+
may provide additional or different license terms and conditions
|
|
126
|
+
for use, reproduction, or distribution of Your modifications, or
|
|
127
|
+
for any such Derivative Works as a whole, provided Your use,
|
|
128
|
+
reproduction, and distribution of the Work otherwise complies with
|
|
129
|
+
the conditions stated in this License.
|
|
130
|
+
|
|
131
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
|
132
|
+
any Contribution intentionally submitted for inclusion in the Work
|
|
133
|
+
by You to the Licensor shall be under the terms and conditions of
|
|
134
|
+
this License, without any additional terms or conditions.
|
|
135
|
+
Notwithstanding the above, nothing herein shall supersede or modify
|
|
136
|
+
the terms of any separate license agreement you may have executed
|
|
137
|
+
with Licensor regarding such Contributions.
|
|
138
|
+
|
|
139
|
+
6. Trademarks. This License does not grant permission to use the trade
|
|
140
|
+
names, trademarks, service marks, or product names of the Licensor,
|
|
141
|
+
except as required for reasonable and customary use in describing the
|
|
142
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
|
143
|
+
|
|
144
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
|
145
|
+
agreed to in writing, Licensor provides the Work (and each
|
|
146
|
+
Contributor provides its Contributions) on an "AS IS" BASIS,
|
|
147
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
148
|
+
implied, including, without limitation, any warranties or conditions
|
|
149
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
|
150
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
|
151
|
+
appropriateness of using or redistributing the Work and assume any
|
|
152
|
+
risks associated with Your exercise of permissions under this License.
|
|
153
|
+
|
|
154
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
|
155
|
+
whether in tort (including negligence), contract, or otherwise,
|
|
156
|
+
unless required by applicable law (such as deliberate and grossly
|
|
157
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
|
158
|
+
liable to You for damages, including any direct, indirect, special,
|
|
159
|
+
incidental, or consequential damages of any character arising as a
|
|
160
|
+
result of this License or out of the use or inability to use the
|
|
161
|
+
Work (including but not limited to damages for loss of goodwill,
|
|
162
|
+
work stoppage, computer failure or malfunction, or any and all
|
|
163
|
+
other commercial damages or losses), even if such Contributor
|
|
164
|
+
has been advised of the possibility of such damages.
|
|
165
|
+
|
|
166
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
|
167
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
|
168
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
|
169
|
+
or other liability obligations and/or rights consistent with this
|
|
170
|
+
License. However, in accepting such obligations, You may act only
|
|
171
|
+
on Your own behalf and on Your sole responsibility, not on behalf
|
|
172
|
+
of any other Contributor, and only if You agree to indemnify,
|
|
173
|
+
defend, and hold each Contributor harmless for any liability
|
|
174
|
+
incurred by, or claims asserted against, such Contributor by reason
|
|
175
|
+
of your accepting any such warranty or additional liability.
|
|
176
|
+
|
|
177
|
+
END OF TERMS AND CONDITIONS
|
|
178
|
+
|
|
179
|
+
APPENDIX: How to apply the Apache License to your work.
|
|
180
|
+
|
|
181
|
+
To apply the Apache License to your work, attach the following
|
|
182
|
+
boilerplate notice, with the fields enclosed by brackets "[]"
|
|
183
|
+
replaced with your own identifying information. (Don't include
|
|
184
|
+
the brackets!) The text should be enclosed in the appropriate
|
|
185
|
+
comment syntax for the file format. We also recommend that a
|
|
186
|
+
file or class name and description of purpose be included on the
|
|
187
|
+
same "printed page" as the copyright notice for easier
|
|
188
|
+
identification within third-party archives.
|
|
189
|
+
|
|
190
|
+
Copyright 2026 Hermes Shield
|
|
191
|
+
|
|
192
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
|
193
|
+
you may not use this file except in compliance with the License.
|
|
194
|
+
You may obtain a copy of the License at
|
|
195
|
+
|
|
196
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
|
197
|
+
|
|
198
|
+
Unless required by applicable law or agreed to in writing, software
|
|
199
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
|
200
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
201
|
+
See the License for the specific language governing permissions and
|
|
202
|
+
limitations under the License.
|
|
@@ -0,0 +1,417 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: hermes-shield-scanner
|
|
3
|
+
Version: 0.7.1
|
|
4
|
+
Summary: Read-only static scanner for AI-agent codebases: finds dangerous action sinks, proves reachability, attributes guard coverage, and rates findings honestly (reachable-verified vs install-liability).
|
|
5
|
+
Author-email: Hermes Shield <hello@hermesshield.ai>
|
|
6
|
+
License:
|
|
7
|
+
Apache License
|
|
8
|
+
Version 2.0, January 2004
|
|
9
|
+
http://www.apache.org/licenses/
|
|
10
|
+
|
|
11
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
|
12
|
+
|
|
13
|
+
1. Definitions.
|
|
14
|
+
|
|
15
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
|
16
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
|
17
|
+
|
|
18
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
|
19
|
+
the copyright owner that is granting the License.
|
|
20
|
+
|
|
21
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
|
22
|
+
other entities that control, are controlled by, or are under common
|
|
23
|
+
control with that entity. For the purposes of this definition,
|
|
24
|
+
"control" means (i) the power, direct or indirect, to cause the
|
|
25
|
+
direction or management of such entity, whether by contract or
|
|
26
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
|
27
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
|
28
|
+
|
|
29
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
|
30
|
+
exercising permissions granted by this License.
|
|
31
|
+
|
|
32
|
+
"Source" form shall mean the preferred form for making modifications,
|
|
33
|
+
including but not limited to software source code, documentation
|
|
34
|
+
source, and configuration files.
|
|
35
|
+
|
|
36
|
+
"Object" form shall mean any form resulting from mechanical
|
|
37
|
+
transformation or translation of a Source form, including but
|
|
38
|
+
not limited to compiled object code, generated documentation,
|
|
39
|
+
and conversions to other media types.
|
|
40
|
+
|
|
41
|
+
"Work" shall mean the work of authorship, whether in Source or
|
|
42
|
+
Object form, made available under the License, as indicated by a
|
|
43
|
+
copyright notice that is included in or attached to the work
|
|
44
|
+
(an example is provided in the Appendix below).
|
|
45
|
+
|
|
46
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
|
47
|
+
form, that is based on (or derived from) the Work and for which the
|
|
48
|
+
editorial revisions, annotations, elaborations, or other modifications
|
|
49
|
+
represent, as a whole, an original work of authorship. For the purposes
|
|
50
|
+
of this License, Derivative Works shall not include works that remain
|
|
51
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
|
52
|
+
the Work and Derivative Works thereof.
|
|
53
|
+
|
|
54
|
+
"Contribution" shall mean any work of authorship, including
|
|
55
|
+
the original version of the Work and any modifications or additions
|
|
56
|
+
to that Work or Derivative Works thereof, that is intentionally
|
|
57
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
|
58
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
|
59
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
|
60
|
+
means any form of electronic, verbal, or written communication sent
|
|
61
|
+
to the Licensor or its representatives, including but not limited to
|
|
62
|
+
communication on electronic mailing lists, source code control systems,
|
|
63
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
|
64
|
+
Licensor for the purpose of discussing and improving the Work, but
|
|
65
|
+
excluding communication that is conspicuously marked or otherwise
|
|
66
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
|
67
|
+
|
|
68
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
|
69
|
+
on behalf of whom a Contribution has been received by Licensor and
|
|
70
|
+
subsequently incorporated within the Work.
|
|
71
|
+
|
|
72
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
|
73
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
74
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
75
|
+
copyright license to reproduce, prepare Derivative Works of,
|
|
76
|
+
publicly display, publicly perform, sublicense, and distribute the
|
|
77
|
+
Work and such Derivative Works in Source or Object form.
|
|
78
|
+
|
|
79
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
|
80
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
81
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
82
|
+
(except as stated in this section) patent license to make, have made,
|
|
83
|
+
use, offer to sell, sell, import, and otherwise transfer the Work,
|
|
84
|
+
where such license applies only to those patent claims licensable
|
|
85
|
+
by such Contributor that are necessarily infringed by their
|
|
86
|
+
Contribution(s) alone or by combination of their Contribution(s)
|
|
87
|
+
with the Work to which such Contribution(s) was submitted. If You
|
|
88
|
+
institute patent litigation against any entity (including a
|
|
89
|
+
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
|
90
|
+
or a Contribution incorporated within the Work constitutes direct
|
|
91
|
+
or contributory patent infringement, then any patent licenses
|
|
92
|
+
granted to You under this License for that Work shall terminate
|
|
93
|
+
as of the date such litigation is filed.
|
|
94
|
+
|
|
95
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
|
96
|
+
Work or Derivative Works thereof in any medium, with or without
|
|
97
|
+
modifications, and in Source or Object form, provided that You
|
|
98
|
+
meet the following conditions:
|
|
99
|
+
|
|
100
|
+
(a) You must give any other recipients of the Work or
|
|
101
|
+
Derivative Works a copy of this License; and
|
|
102
|
+
|
|
103
|
+
(b) You must cause any modified files to carry prominent notices
|
|
104
|
+
stating that You changed the files; and
|
|
105
|
+
|
|
106
|
+
(c) You must retain, in the Source form of any Derivative Works
|
|
107
|
+
that You distribute, all copyright, patent, trademark, and
|
|
108
|
+
attribution notices from the Source form of the Work,
|
|
109
|
+
excluding those notices that do not pertain to any part of
|
|
110
|
+
the Derivative Works; and
|
|
111
|
+
|
|
112
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
|
113
|
+
distribution, then any Derivative Works that You distribute must
|
|
114
|
+
include a readable copy of the attribution notices contained
|
|
115
|
+
within such NOTICE file, excluding those notices that do not
|
|
116
|
+
pertain to any part of the Derivative Works, in at least one
|
|
117
|
+
of the following places: within a NOTICE text file distributed
|
|
118
|
+
as part of the Derivative Works; within the Source form or
|
|
119
|
+
documentation, if provided along with the Derivative Works; or,
|
|
120
|
+
within a display generated by the Derivative Works, if and
|
|
121
|
+
wherever such third-party notices normally appear. The contents
|
|
122
|
+
of the NOTICE file are for informational purposes only and
|
|
123
|
+
do not modify the License. You may add Your own attribution
|
|
124
|
+
notices within Derivative Works that You distribute, alongside
|
|
125
|
+
or as an addendum to the NOTICE text from the Work, provided
|
|
126
|
+
that such additional attribution notices cannot be construed
|
|
127
|
+
as modifying the License.
|
|
128
|
+
|
|
129
|
+
You may add Your own copyright statement to Your modifications and
|
|
130
|
+
may provide additional or different license terms and conditions
|
|
131
|
+
for use, reproduction, or distribution of Your modifications, or
|
|
132
|
+
for any such Derivative Works as a whole, provided Your use,
|
|
133
|
+
reproduction, and distribution of the Work otherwise complies with
|
|
134
|
+
the conditions stated in this License.
|
|
135
|
+
|
|
136
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
|
137
|
+
any Contribution intentionally submitted for inclusion in the Work
|
|
138
|
+
by You to the Licensor shall be under the terms and conditions of
|
|
139
|
+
this License, without any additional terms or conditions.
|
|
140
|
+
Notwithstanding the above, nothing herein shall supersede or modify
|
|
141
|
+
the terms of any separate license agreement you may have executed
|
|
142
|
+
with Licensor regarding such Contributions.
|
|
143
|
+
|
|
144
|
+
6. Trademarks. This License does not grant permission to use the trade
|
|
145
|
+
names, trademarks, service marks, or product names of the Licensor,
|
|
146
|
+
except as required for reasonable and customary use in describing the
|
|
147
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
|
148
|
+
|
|
149
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
|
150
|
+
agreed to in writing, Licensor provides the Work (and each
|
|
151
|
+
Contributor provides its Contributions) on an "AS IS" BASIS,
|
|
152
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
153
|
+
implied, including, without limitation, any warranties or conditions
|
|
154
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
|
155
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
|
156
|
+
appropriateness of using or redistributing the Work and assume any
|
|
157
|
+
risks associated with Your exercise of permissions under this License.
|
|
158
|
+
|
|
159
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
|
160
|
+
whether in tort (including negligence), contract, or otherwise,
|
|
161
|
+
unless required by applicable law (such as deliberate and grossly
|
|
162
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
|
163
|
+
liable to You for damages, including any direct, indirect, special,
|
|
164
|
+
incidental, or consequential damages of any character arising as a
|
|
165
|
+
result of this License or out of the use or inability to use the
|
|
166
|
+
Work (including but not limited to damages for loss of goodwill,
|
|
167
|
+
work stoppage, computer failure or malfunction, or any and all
|
|
168
|
+
other commercial damages or losses), even if such Contributor
|
|
169
|
+
has been advised of the possibility of such damages.
|
|
170
|
+
|
|
171
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
|
172
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
|
173
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
|
174
|
+
or other liability obligations and/or rights consistent with this
|
|
175
|
+
License. However, in accepting such obligations, You may act only
|
|
176
|
+
on Your own behalf and on Your sole responsibility, not on behalf
|
|
177
|
+
of any other Contributor, and only if You agree to indemnify,
|
|
178
|
+
defend, and hold each Contributor harmless for any liability
|
|
179
|
+
incurred by, or claims asserted against, such Contributor by reason
|
|
180
|
+
of your accepting any such warranty or additional liability.
|
|
181
|
+
|
|
182
|
+
END OF TERMS AND CONDITIONS
|
|
183
|
+
|
|
184
|
+
APPENDIX: How to apply the Apache License to your work.
|
|
185
|
+
|
|
186
|
+
To apply the Apache License to your work, attach the following
|
|
187
|
+
boilerplate notice, with the fields enclosed by brackets "[]"
|
|
188
|
+
replaced with your own identifying information. (Don't include
|
|
189
|
+
the brackets!) The text should be enclosed in the appropriate
|
|
190
|
+
comment syntax for the file format. We also recommend that a
|
|
191
|
+
file or class name and description of purpose be included on the
|
|
192
|
+
same "printed page" as the copyright notice for easier
|
|
193
|
+
identification within third-party archives.
|
|
194
|
+
|
|
195
|
+
Copyright 2026 Hermes Shield
|
|
196
|
+
|
|
197
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
|
198
|
+
you may not use this file except in compliance with the License.
|
|
199
|
+
You may obtain a copy of the License at
|
|
200
|
+
|
|
201
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
|
202
|
+
|
|
203
|
+
Unless required by applicable law or agreed to in writing, software
|
|
204
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
|
205
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
206
|
+
See the License for the specific language governing permissions and
|
|
207
|
+
limitations under the License.
|
|
208
|
+
|
|
209
|
+
Project-URL: Homepage, https://hermesshield.ai
|
|
210
|
+
Project-URL: Repository, https://github.com/hermesshield/hermes-shield-scanner
|
|
211
|
+
Project-URL: Changelog, https://github.com/hermesshield/hermes-shield-scanner/blob/main/CHANGELOG.md
|
|
212
|
+
Keywords: security,static-analysis,ai-agents,llm,prompt-injection,excessive-agency
|
|
213
|
+
Classifier: Development Status :: 4 - Beta
|
|
214
|
+
Classifier: Intended Audience :: Developers
|
|
215
|
+
Classifier: License :: OSI Approved :: Apache Software License
|
|
216
|
+
Classifier: Operating System :: OS Independent
|
|
217
|
+
Classifier: Programming Language :: Python :: 3
|
|
218
|
+
Classifier: Programming Language :: Python :: 3.10
|
|
219
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
220
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
221
|
+
Classifier: Programming Language :: Python :: 3.13
|
|
222
|
+
Classifier: Topic :: Security
|
|
223
|
+
Requires-Python: >=3.10
|
|
224
|
+
Description-Content-Type: text/markdown
|
|
225
|
+
License-File: LICENSE
|
|
226
|
+
Provides-Extra: multilang
|
|
227
|
+
Requires-Dist: tree-sitter==0.26.0; extra == "multilang"
|
|
228
|
+
Requires-Dist: tree-sitter-typescript==0.23.2; extra == "multilang"
|
|
229
|
+
Requires-Dist: tree-sitter-c-sharp==0.23.5; extra == "multilang"
|
|
230
|
+
Provides-Extra: dev
|
|
231
|
+
Requires-Dist: pytest>=7; extra == "dev"
|
|
232
|
+
Dynamic: license-file
|
|
233
|
+
|
|
234
|
+
<div align="center">
|
|
235
|
+
|
|
236
|
+
<img src="https://raw.githubusercontent.com/hermesshield/hermes-shield-scanner/main/docs/assets/banner.png" alt="Hermes Shield — Protect every action your agent takes" width="100%" />
|
|
237
|
+
|
|
238
|
+
# Hermes Shield Scanner
|
|
239
|
+
|
|
240
|
+
**The actions firewall for AI agents — map and prove what a hijacked agent can actually do.**
|
|
241
|
+
|
|
242
|
+
[](https://github.com/hermesshield/hermes-shield-scanner/actions/workflows/ci.yml)
|
|
243
|
+
[](pyproject.toml)
|
|
244
|
+
[](LICENSE)
|
|
245
|
+
[](https://genai.owasp.org/)
|
|
246
|
+
[](#-quickstart)
|
|
247
|
+
|
|
248
|
+
[**hermesshield.ai**](https://hermesshield.ai) · [Free scan](https://hermesshield.ai/free-scan) · [Methodology](https://hermesshield.ai/methodology) · [@hermesshield](https://x.com/hermesshield)
|
|
249
|
+
|
|
250
|
+
**Catches a real CVSS 9.8 CVE at the documented line · 12 frameworks / 361k+ stars audited · independently security-assessed, twice**
|
|
251
|
+
|
|
252
|
+
</div>
|
|
253
|
+
|
|
254
|
+
---
|
|
255
|
+
|
|
256
|
+
> **Assume the model will fail. The dangerous action still must not execute.**
|
|
257
|
+
|
|
258
|
+
Every serious team now filters prompts. Almost nobody governs **actions**. But prompt filters stop *text* — a hijacked agent still *acts*: it runs shell commands, executes code, writes files, sends data out, calls tools. That is where the damage happens.
|
|
259
|
+
|
|
260
|
+
**Hermes Shield sits downstream of the injection.** The Scanner is step one: it maps every dangerous action your agent's code can take, traces each one back to a real entry point, and **proves** which are reachable by untrusted input with no guard in the way. Not a suspicious variable name. A traced path.
|
|
261
|
+
|
|
262
|
+
> **Every agent has a blast radius. See yours in one scan.**
|
|
263
|
+
|
|
264
|
+
## `▸ the_problem`
|
|
265
|
+
|
|
266
|
+
The risk in AI systems has moved. It's no longer "the model said something bad" — it's **"the model did something unauthorised"**. OWASP calls it **LLM06: Excessive Agency**. One injected instruction, and your helpful agent is executing someone else's intent with *your* credentials, *your* filesystem, *your* network.
|
|
267
|
+
|
|
268
|
+
| | Prompt firewall | **Hermes Shield** |
|
|
269
|
+
|---|---|---|
|
|
270
|
+
| **Asks** | "Is this prompt malicious?" | **"What can this agent actually DO?"** |
|
|
271
|
+
| **Layer** | Input text | **Action execution** |
|
|
272
|
+
| **When injection succeeds** | Already bypassed | **Still standing — governs the act itself** |
|
|
273
|
+
| **Evidence** | Heuristic score | **Traced path from entry point to sink** |
|
|
274
|
+
|
|
275
|
+
> Prompt filters stop text. Agents need action control.
|
|
276
|
+
|
|
277
|
+
And no — this is not "just static analysis". It is **deterministic static analysis + an optional AI-assisted recall tier + proved reachability**: entrypoint-grounded taint tracing over the whole-repo call graph, so a finding isn't a guess about what *might* be dangerous — it's a demonstrated route from *your* entry points to a live sink.
|
|
278
|
+
|
|
279
|
+
## `▸ see_it`
|
|
280
|
+
|
|
281
|
+
<div align="center">
|
|
282
|
+
|
|
283
|
+
<img src="https://raw.githubusercontent.com/hermesshield/hermes-shield-scanner/main/docs/assets/cli.png" alt="Hermes Shield Scanner running a live scan in the terminal" width="720" />
|
|
284
|
+
|
|
285
|
+
*The scan, live: sinks mapped, taint traced from real entry points, guards attributed — deterministic and fully local.*
|
|
286
|
+
|
|
287
|
+
<img src="https://raw.githubusercontent.com/hermesshield/hermes-shield-scanner/main/docs/assets/report.png" alt="The Hermes Shield customer report with its antivirus-style verdict banner" width="720" />
|
|
288
|
+
|
|
289
|
+
*The report: an antivirus-style verdict a non-technical reader gets in one glance, backed by evidence an auditor can verify line by line.*
|
|
290
|
+
|
|
291
|
+
</div>
|
|
292
|
+
|
|
293
|
+
## `▸ quickstart`
|
|
294
|
+
|
|
295
|
+
```bash
|
|
296
|
+
pip install hermes-shield-scanner
|
|
297
|
+
|
|
298
|
+
hermes-shield demo # a real red report in ~10 seconds
|
|
299
|
+
cd your-agent-repo
|
|
300
|
+
hermes-shield scan # scan your own agent
|
|
301
|
+
```
|
|
302
|
+
|
|
303
|
+
Your report lands at **`./shield-report/outputs/shield_customer_report.html`** — open it in a browser.
|
|
304
|
+
|
|
305
|
+
Zero-install, straight from the toolchain:
|
|
306
|
+
|
|
307
|
+
```bash
|
|
308
|
+
uvx hermes-shield-scanner scan .
|
|
309
|
+
```
|
|
310
|
+
|
|
311
|
+
**Requirements:** Python 3.10+. The core scanner is **stdlib-only** — no runtime dependencies, nothing phones home, and the scan is **read-only**: it never writes to your code and, by default, never executes it. Reports land in *your* directory; everything runs on your machine. *(The one opt-in exception is `--prove` — below — which fires a benign canary inside a network-denied sandbox to promote a candidate to PROVEN-LIVE. Consent-gated, off by default, Linux + bubblewrap.)*
|
|
312
|
+
|
|
313
|
+
**Languages:** Python gets the **full engine** — sinks, taint, guards, reachability. TypeScript/JavaScript and C# are **sink-mapping only** (blast radius, no reachability verdict) via `pip install "hermes-shield-scanner[multilang]"`; `--semgrep` adds ~30-language breadth.
|
|
314
|
+
|
|
315
|
+
More modes, one command each:
|
|
316
|
+
|
|
317
|
+
```bash
|
|
318
|
+
hermes-shield scan ./repo --semgrep # + semgrep comparator (multi-language breadth)
|
|
319
|
+
hermes-shield scan ./repo --ai # + AI-assist tier (novel-sink recall)
|
|
320
|
+
hermes-shield scan ./repo --all # core + semgrep + ai together
|
|
321
|
+
hermes-shield scan ./repo --deps # + scan the repo's own pinned dependencies
|
|
322
|
+
hermes-shield scan ./repo --prove # + sandboxed self-attack: PROVE a candidate sink is live (consent-gated)
|
|
323
|
+
hermes-shield diff ./repo # scan + compare against a saved baseline
|
|
324
|
+
```
|
|
325
|
+
|
|
326
|
+
`hermes-shield demo` scans a bundled, deliberately vulnerable toy agent (shipped inert, never executed) and produces the full report — including a guaranteed worst-case verdict — so you see exactly what a red result looks like before you point it at anything real. (`demo --prove` is the consent-gated exception: it runs the fixture inside the sandbox to show a real PROVEN-LIVE result.)
|
|
327
|
+
|
|
328
|
+
> **CI note — the exit code is `0` regardless of findings.** A RED report does not fail the process; the scan writes its verdict to the report and the JSON, it does not signal via the exit status. To gate a pipeline on findings, parse `shield-report/outputs/hermes_shield_report.json` (e.g. check the verdict / reachable-unguarded / proven-live counts). A dedicated `--fail-on` flag is a planned future enhancement, not available today.
|
|
329
|
+
|
|
330
|
+
## `▸ how_it_works` — Map → Trace → Prove
|
|
331
|
+
|
|
332
|
+
**1. Map.** A deterministic AST engine walks the whole repository and finds every dangerous action sink: shell execution, code execution, deserialisation, file writes, outbound network sends, LLM-chosen tool calls. Same input, same output, every run — an auditor can reproduce it.
|
|
333
|
+
|
|
334
|
+
**2. Trace.** It builds the whole-repo call graph and runs **entrypoint-grounded taint analysis**: does untrusted input — a web request, a document, a tool result, a model output — actually flow from a real entry point to that sink? Intra- and inter-procedural, across modules.
|
|
335
|
+
|
|
336
|
+
**3. Prove.** Every reachable sink is checked against the **guard quadrant** — reachable × guarded:
|
|
337
|
+
|
|
338
|
+
| | **Guarded** | **Unguarded** |
|
|
339
|
+
|---|---|---|
|
|
340
|
+
| **Reachable** | Rated, credit given for the guard | **`UNGUARDED_CRITICAL_LIVE_SINK`** — the worst verdict, reserved for this square alone |
|
|
341
|
+
| **Not reached** | Noted | Install-liability tier |
|
|
342
|
+
|
|
343
|
+
Only a sink that is **reachable AND unguarded** earns the critical verdict. A guard between entry point and sink is detected and credited — kill-switches, approval gates, untrusted-content fences, plus your own guard functions via a one-file `.hermes-shield.json` declaration (downgrade-only: a declared guard can lower a finding, its absence never hides one).
|
|
344
|
+
|
|
345
|
+
Findings are rated on the **OWASP LLM06** model — severity × likelihood, cross-referenced to **NIST 800-30** and **ISO 27005** — so the output slots straight into a real risk register.
|
|
346
|
+
|
|
347
|
+
**The optional tiers:**
|
|
348
|
+
|
|
349
|
+
- **`--ai`** — the recall booster. An LLM proposes *novel* sinks the static rules missed; every proposal is **AST-verified** before it's kept, and confirmed patterns become permanent static rules. **The scanner gets stricter over time.** AI findings live in a separate advisory tier — never counted in the deterministic headline. Uses your own local `claude` CLI; off by default.
|
|
350
|
+
- **`--semgrep`** — an isolated comparator tier (~30 languages) for breadth. Attributed separately, never merged into the core headline.
|
|
351
|
+
- **`--deps`** — the **install-inherited** scan. Fetches the repo's *own pinned* packages (wheels only — never installed, never executed) and scans them with the same engine. Catches the dangerous capability that lives in a dependency rather than your tree — what you inherit the moment you `pip install`. Off by default (it reaches the network).
|
|
352
|
+
|
|
353
|
+
## `▸ the_report`
|
|
354
|
+
|
|
355
|
+
The report is built to be read by two people at once: the founder who needs a verdict, and the engineer who needs the evidence.
|
|
356
|
+
|
|
357
|
+
**The verdict banner** — antivirus-style, one glance:
|
|
358
|
+
|
|
359
|
+
- 🔴 **Action needed** — a proven-live or reachable-unguarded finding exists. Fix first.
|
|
360
|
+
- 🟠 **Review before you ship** — install-liability present: inert here, live on install.
|
|
361
|
+
- 🔵 **No live threat proven** — clean run. Deliberately *never* worded "secure".
|
|
362
|
+
|
|
363
|
+
**The two tiers** — because "exploitable now" and "inherited on install" are different risks, and honest tooling refuses to blur them:
|
|
364
|
+
|
|
365
|
+
| Tier | Meaning |
|
|
366
|
+
|---|---|
|
|
367
|
+
| **Reachable-in-repo** | Live **now**, from your own entry points, unguarded. Fix first. |
|
|
368
|
+
| **Install-liability** | **Inert here, live on install.** A dangerous capability not reached from this repo's entry points — but the moment someone wires this code into an agent that feeds it untrusted input, they inherit it. You downloaded it; you inherited the risk. |
|
|
369
|
+
|
|
370
|
+
**PROVEN-LIVE** is the strictest tier of all: PoC-confirmed findings — either human-traced, or proved by the opt-in **`--prove`** lane, which fires a benign, unguessable canary at a candidate sink inside a network-denied sandbox (with a clean negative control) and only promotes it if the attack actually lands. It is the only tier that ever gets a severity badge, and promotion is one-way: a failed proof leaves a finding a *candidate*, never marks it safe. Raw scanner criticals are candidates — counted, never badged. If the proven-live set is empty, the report says so, plainly.
|
|
371
|
+
|
|
372
|
+
And the line we will never soften: **a clean result means "no path was proven" — never "secure".** Reachability analysis proves a sink *is* reachable; it cannot prove one *is not*. Most tools hide that asymmetry. We print it on the report, because a security tool that overstates its own certainty is part of the attack surface.
|
|
373
|
+
|
|
374
|
+
> **PROVE, DON'T GUESS.**
|
|
375
|
+
|
|
376
|
+
## `▸ prove_dont_guess` — proof it's real
|
|
377
|
+
|
|
378
|
+
- **It catches a real 9.8.** [CVE-2023-39662](https://nvd.nist.gov/vuln/detail/CVE-2023-39662) — the CVSS 9.8 remote-code-execution flaw in LlamaIndex's `PandasQueryEngine` — is flagged by the scanner **at the exact documented line, on the genuinely vulnerable release** (`llama-index` v0.7.13; patched upstream since). A detector proof against a third-party-documented CVE — not a benchmark we wrote for ourselves, and not a claim about current LlamaIndex.
|
|
379
|
+
- **12 open-source agent frameworks audited** — over **361,000 combined GitHub stars**, every repo pinned to a commit — mapping **8,509 action surfaces**: **474 proved reachable** from a real entry point by entrypoint-grounded taint tracing, and **520 install-liability capabilities** you'd inherit the moment you install (the two are distinct risks, counted separately). The per-framework counts and pinned commits are in **[BENCHMARKS.md](BENCHMARKS.md)**.
|
|
380
|
+
- **Independently security-assessed — twice.** A third-party firm assessed the scanner, then re-assessed the fixed build: the latest assessment confirmed **0 critical and 0 high** findings in the shipped deterministic core, and **every** finding it raised, at any severity, was remediated in the next release and locked in with the auditor's own regression tests. The tool that grades your attack surface has had its own graded — and published the loop.
|
|
381
|
+
- **Deterministic where it counts.** The core engine is reproducible byte-for-byte — an auditor can re-run the scan and get the same numbers. The honest caveats above aren't hedges; they're the reason the numbers can be trusted.
|
|
382
|
+
|
|
383
|
+
## `▸ the_ladder` — find it free · fix it · shield it
|
|
384
|
+
|
|
385
|
+
| | Product | What it does | Status |
|
|
386
|
+
|---|---|---|---|
|
|
387
|
+
| 🔍 | **Scanner** | **Discovery** — map, trace and prove your agent's action surface. This repo. | **Free · here now** |
|
|
388
|
+
| 🔧 | **Repairer** | Applies the fixes — diff-proposed, **human-approved, never auto-fix**, re-scanned to confirm. | **Paid · coming — [join early access](https://hermesshield.ai/register-interest)** |
|
|
389
|
+
| 🛡️ | **Shield** | Always-on runtime action firewall — **Kill Switch, Action Gates, Audit Trail** on every action the agent takes. | **Paid · private beta** |
|
|
390
|
+
| 🏛️ | **Enterprise** | Custom deployment, compliance mapping, dedicated support. | [Talk to us](mailto:hello@hermesshield.ai) |
|
|
391
|
+
|
|
392
|
+
The Scanner shows you the blast radius. The Repairer closes it. The Shield keeps it closed while the agent runs.
|
|
393
|
+
|
|
394
|
+
## `▸ contributing`
|
|
395
|
+
|
|
396
|
+
Found a bug or a sink we missed? **Open an issue** — a missed-detection report with a minimal repro is the most valuable thing you can send us. Vulnerabilities in the scanner itself go to [SECURITY.md](SECURITY.md), privately. And if a scan taught you something about your own agent, **star the repo** — it helps other builders find their blast radius too.
|
|
397
|
+
|
|
398
|
+
## `▸ links`
|
|
399
|
+
|
|
400
|
+
- **Website:** [hermesshield.ai](https://hermesshield.ai) · [Free scan](https://hermesshield.ai/free-scan) · [Methodology](https://hermesshield.ai/methodology) · [Scanner](https://hermesshield.ai/scanner)
|
|
401
|
+
- **X:** [@hermesshield](https://x.com/hermesshield) (company) · [@harleyfoote_](https://x.com/harleyfoote_) (founder) · [@fridayresearch_](https://x.com/fridayresearch_)
|
|
402
|
+
- **LinkedIn:** [Hermes Shield](https://www.linkedin.com/company/hermes-shield)
|
|
403
|
+
- **Email:** [hello@hermesshield.ai](mailto:hello@hermesshield.ai)
|
|
404
|
+
|
|
405
|
+
Deeper reading in this repo: [ARCHITECTURE.md](ARCHITECTURE.md) (full design + honest limitation list) · [FOR_AUDITORS.md](FOR_AUDITORS.md) · [CHANGELOG.md](CHANGELOG.md) · [SECURITY.md](SECURITY.md) (vulnerability disclosure).
|
|
406
|
+
|
|
407
|
+
---
|
|
408
|
+
|
|
409
|
+
<div align="center">
|
|
410
|
+
|
|
411
|
+
**Hermes Shield** · built where the agents run.
|
|
412
|
+
|
|
413
|
+
Licensed under [Apache-2.0](LICENSE) · Report a vulnerability via [SECURITY.md](SECURITY.md)
|
|
414
|
+
|
|
415
|
+
*Local. Read-only. Yours.*
|
|
416
|
+
|
|
417
|
+
</div>
|