v0.7.0 — Now with Docker, pre-commit, SARIF, and 22 detection rules

Autonomous Security
for the AI Agent Era

AgentGuard is an open-source static analysis tool purpose-built for AI agent code. It detects 22 classes of security vulnerabilities — including 6 novel attack vectors beyond the OWASP ASI Top 10 — with CWE and CVSS mappings. Scanned 9 major frameworks. 6,173 findings. 56 hand-crafted benchmark samples demonstrate comprehensive rule coverage.

Terminal — agentguard scan ./langchain
$ pip install dfx-agentguard
$ agentguard ./langchain --format json | head -20

{
"findings": 452,
"files": 1784,
"rules": 22,
"severity": {
"critical": 47,
"high": 89,
"medium": 201,
"low": 115
},
"top_findings": [
"ASI07: Hardcoded OpenAI API key in config.py:42",
"ASI02: os.system() on user-controlled input in tools.py:156",
"ASI-MEMORY-POISON: Untrusted data to Pinecone upsert in memory.py:89",
...
$
9
Frameworks Scanned
LangChain, LlamaIndex, AutoGen, CAMEL, CrewAI, Qwen-Agent, Semantic Kernel, Haystack, Dify, OpenAI Agents SDK
11,036
Files Analyzed
Python, JavaScript, TypeScript, YAML, TOML
6,173
Vulnerabilities Found
47 critical, 89 high across all frameworks
56
Benchmark Samples
Hand-crafted samples covering all 22 rules

22 Rules. Mapped to CWE. Scored with CVSS.

Every rule is traceable to a real-world vulnerability class. No black boxes. No magic. Read the full specification.

OWASP ASI Top 10

ASI01
Prompt Injection
Untrusted user input concatenated directly into LLM prompts via f-strings, format(), and string concatenation.
CWE-77CVSS 8.1
ASI02
Unrestricted Tool Execution
Agent code executes os.system(), subprocess.run(), exec(), or eval() on untrusted or agent-generated input.
CWE-94CVSS 9.8
ASI03
Information Disclosure via Logging
API keys, bearer tokens, and secrets written to log output — visible to any observer of agent execution.
CWE-532CVSS 7.5
ASI04
Agent Goal Manipulation
Dynamic prompt templates allow external input to override agent objectives, instructions, and constraints.
CWE-912CVSS 8.8
ASI05
Supply Chain Tool Poisoning
Untrusted tool registration from external sources — agents import capabilities from unverified origins.
CWE-427CVSS 8.6
ASI06
Cross-Agent Interference
Race conditions in shared mutable state between concurrent agents — state corruption via unsynchronized access.
CWE-362CVSS 7.0
ASI07
Credential Exposure
Hardcoded API keys, tokens, and passwords in source code, config files, and test fixtures.
CWE-798CVSS 9.8
ASI08
Excessive Agency
Agent granted system-level permissions (sudo, filesystem, network) beyond declared scope.
CWE-250CVSS 8.4
ASI09
Insecure Output Handling
Agent tool outputs (files, network responses) consumed without validation or sanitization.
CWE-79CVSS 6.1
ASI10
Unbounded Consumption
Agent operations without rate limits, timeouts, or resource caps — DoS by infinite execution.
CWE-400CVSS 7.5

Novel Rules — Beyond OWASP ASI

Six attack vectors we discovered while auditing real agent codebases. These do not appear in any existing standard or SAST tool.

ASI-MEMORY-POISON
Agent Memory Poisoning
Adversarial content injected into vector databases (Chroma, Pinecone, FAISS, Weaviate) and agent memory stores. 26 distinct sink patterns detected. RAG pipeline contamination via upsert/insert operations on untrusted data.
CWE-502CVSS 8.2
ASI-TOOL-TRUST
Blind Tool Output Trust
Agent consumes tool output without verification, enabling chained exploitation. A compromised tool can inject malicious payloads that the agent passes to downstream operations. Detects missing validation between tool returns and subsequent agent actions.
CWE-345CVSS 8.6
ASI-CHAIN-AMPLIFY
Chain Amplification
Destructive operations (os.remove, subprocess.run, shutil.rmtree) inside unbounded while/for loops. A single prompt injection can trigger infinite destructive execution. 22 confirmed instances in our benchmark.
CWE-834CVSS 7.5
ASI-AGENT-COLLUSION
Multi-Agent Collusion
Coordinated behavior between agents using shared memory, message queues, or filesystem as covert channel. Detects cross-agent state sharing patterns that bypass individual agent safety constraints.
CWE-265CVSS 6.8
ASI-PROMPT-TEMPLATE
Prompt Template Injection
Injection via Jinja2, f-string, and string.Template in agent prompt construction. Detects template rendering on attacker-controlled input before it reaches the LLM.
CWE-74CVSS 8.8
ASI-STEGANO-INJECT
Steganographic Command Injection
Encoded command injection via base64, hex, ROT13, and other obfuscation in agent tool parameters. Detects decode-execute chains that bypass simple string-based filters.
CWE-506CVSS 9.0
Active Vulnerability Disclosure
CWE-1188 (CVSS 10.0) discovered in LangChain ShellToolMiddleware during routine scanning. The default ExecutionPolicy.HOST grants unrestricted host command execution with zero sandboxing. Code path: shell_tool.py:503-534. Reported via GitHub Private Vulnerability Reporting. Full technical writeup in the Audit Report.

Framework Scan Results

Every scan is reproducible. Run agentguard . on any of these frameworks and verify the results yourself.

FrameworkTypeFilesFindingsCriticalHigh
LangChainAgent Framework1,7844521247
LlamaIndexData Framework2,9511,003831
AutoGenMulti-Agent5492291138
CAMELMulti-Agent899746952
CrewAIRole-Based84391528
Qwen-AgentAssistant239441242
Semantic KernelAgent SDK561282
HaystackLLM Pipeline1,540209
DifyLLM Platform1,8861,725
OpenAI Agents SDKAgent SDK543695
Total11,0366,17347238

Full benchmark: 56 hand-crafted samples covering all 22 detection rules.

OWASP ASI Compliant
CWE Mapped
CVSS Scored
MIT Licensed
107 Tests

Two Products. One Mission.

CORE PRODUCT

AgentGuard

22 detection rules. Pre-commit hook. GitHub Action. Docker image. SARIF output for GitHub Code Scanning. Interprocedural taint analysis across Python, JavaScript, and TypeScript.

GitHub PyPI
COMPANION TOOL

MCP Scanner

12 security checks for MCP server configurations. Docker privileged mode, root user, network binding, shell injection, argument injection. SARIF output.

GitHub PyPI

Three Ways to Run AgentGuard

Pre-commit Hook
pip install dfx-agentguard
agentguard install --pre-commit

Blocks insecure agent code at commit time. Works with any Git repository.

Docker
docker run --rm \
  -v $(pwd):/workspace \
  ghcr.io/dockfixlabs/agentguard \
  .

Zero-install. Works in any CI/CD pipeline. ghcr.io published on every release.

GitHub Action
- uses: dockfixlabs/agentguard@v1
  with:
    path: .
    format: sarif

Native GitHub Code Scanning integration. SARIF uploads automatically.