kumar1shailesh/AI-Agent-Security-Scanner
AI Agent Security Scanner

Configurable, API-based security scanner that audits AI agent configurations (MCP servers, Claude Code subagents, agent source code, permission files, and dependency manifests) for the kinds of risks that become catastrophic the moment a prompt injection lands.

Ships with:

  • A scanning engine with six pluggable scanners (MCP, agent-def, code, secrets, deps, permissions) and YAML-driven rule config.
  • A FastAPI server with API-key auth, JSON / SARIF / Markdown reports, and /scan/path, /scan/content, /scan/upload endpoints.
  • A Typer CLI (agent-scan) with a table renderer and CI-friendly --fail-on exit codes.
  • A Claude Code subagent plugin under plugins/claude-agent/ that hits the scanner API on demand.
  • A GitHub Copilot extension manifest + webhook adapter under plugins/copilot/.

What it finds

| Scanner | Example rules |
| --- | --- |
| mcp | Shell-proxy MCP servers, Bash(*) grants, dangerous hooks, hardcoded env secrets |
| agent_def | tools: * wildcard, missing frontmatter, prompt-injection bait phrases |
| code | eval/exec, subprocess(shell=True), pickle.loads, path-traversal f-string open() |
| secrets | OpenAI / Anthropic / AWS / GitHub / Slack / Google / LangSmith keys, JWTs, private-key blocks |
| deps | Risky dependencies in requirements.txt, pyproject.toml, package.json |
| permissions | Wildcard tool grants in .claude/settings*.json, missing deny lists |

Custom regex rules can be added under custom_patterns: in rules.yaml without touching code.

Quickstart

```bash
git clone https://github.com/kumar1shailesh/AI-Agent-Security-Scanner.git
cd AI-Agent-Security-Scanner
python -m venv .venv
.\.venv\Scripts\Activate.ps1   # PowerShell; on macOS/Linux: source .venv/bin/activate
pip install -e .

# CLI
agent-scan scan tests/fixtures
agent-scan scan . --output sarif --out-file report.sarif --fail-on critical

# API
copy .env.example .env   # set SCANNER_API_KEY (macOS/Linux: cp .env.example .env)
agent-scan-serve
```

API

All POST endpoints require an X-Api-Key: <SCANNER_API_KEY> header unless DISABLE_AUTH=true (local dev only). Keep in mind that /scan/path reads whatever directory on the server's own filesystem the caller names, so anyone holding the API key effectively has read access to that host: bind the server to localhost or a trusted network, and never run it with DISABLE_AUTH=true where untrusted clients can reach it.

POST /scan/path

```json
{
  "path": "C:/repos/my-agent",
  "scanners": ["mcp", "secrets"]
}
```

Returns a ScanResult JSON (summary + findings).

POST /scan/content

Scan inline content — useful for editor integrations:

```json
{
  "content": "OPENAI_KEY = \"sk-abc123...\"",
  "filename": "demo.py",
  "scanners": ["secrets", "code"]
}
```

POST /scan/upload

multipart/form-data with a single file field. Returns the same ScanResult.

POST /scan/path.sarif and POST /scan/path.md

Same body as /scan/path but return SARIF (drop into GitHub code scanning) or Markdown directly.
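A minimal dependency-free client for the two endpoints that take content rather than a server-side path, as an added example that is not part of this project's code. It assumes the server started by agent-scan-serve listens on http://127.0.0.1:8000 (the real port is in the project's .env.example) and that the upload endpoint's single form field is named "file"; both are assumptions. The multipart body is built by hand because urllib has no helper for it, and the filename is validated before it is embedded in a header:

```python
import json
import os
import secrets
import urllib.request

# Assumptions for this example: the server started by `agent-scan-serve` listens on
# http://127.0.0.1:8000 (check the project's .env.example for the real port) and the
# upload endpoint's single form field is named "file".
BASE_URL = os.environ.get("SCANNER_URL", "http://127.0.0.1:8000")
API_KEY = os.environ.get("SCANNER_API_KEY", "")


def content_request(content, filename, scanners=None, base_url=BASE_URL, api_key=API_KEY):
    """Build the POST /scan/content request: JSON body plus the X-Api-Key header."""
    body = {"content": content, "filename": filename}
    if scanners:
        body["scanners"] = list(scanners)
    return urllib.request.Request(
        f"{base_url}/scan/content",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
        method="POST",
    )


def encode_multipart(field, filename, data, boundary=""):
    """Hand-roll a single-file multipart/form-data body (urllib has no helper for this).

    The filename lands inside a header, so reject characters that could break out of it.
    """
    if any(c in filename for c in '"\r\n'):
        raise ValueError("filename must not contain quotes or line breaks")
    boundary = boundary or secrets.token_hex(16)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def upload_request(filename, data, base_url=BASE_URL, api_key=API_KEY):
    """Build the POST /scan/upload request for one file (field name "file" is assumed)."""
    body, content_type = encode_multipart("file", filename, data)
    return urllib.request.Request(
        f"{base_url}/scan/upload",
        data=body,
        headers={"Content-Type": content_type, "X-Api-Key": api_key},
        method="POST",
    )


def send(request, timeout=30):
    """Submit a request and parse the ScanResult JSON.

    Non-2xx responses (for example a missing or wrong API key) raise urllib.error.HTTPError.
    """
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed inline sample: the same hardcoded-key snippet as the /scan/content body above.
    req = content_request('OPENAI_KEY = "sk-abc123..."', "demo.py", ["secrets", "code"])
    print(json.dumps(send(req), indent=2))
```

Run it with SCANNER_API_KEY exported and the server up; the request builders are separated from send() so an editor integration can log or sign the exact bytes it is about to transmit.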

Configurable rules

rules.yaml is loaded once per server start (restart the server after editing it):

```yaml
disabled: [MCP002]                 # skip specific rule
severity_overrides:
  PERM002: medium                  # bump severity
scanners:
  code:
    enabled: true
    extensions: [".py"]
  secrets:
    enabled: true
custom_patterns:
  - id: CUSTOM003
    title: Internal API key
    severity: high
    pattern: "ACME-[A-Z0-9]{24}"
    description: Matches internal ACME API keys.
    fix_guidance: Rotate the key and move to env var.
```
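To make the semantics of disabled, severity_overrides and custom_patterns concrete, here is an added example (not the project's own engine) that applies the rules.yaml above to a constructed settings file. The YAML is mirrored as a Python dict so the block runs without PyYAML, and the two built-in rules MCP002 and PERM002 are hypothetical stand-ins: the IDs match the config, but their titles and regexes are invented here.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Python mirror of the rules.yaml shown above (what yaml.safe_load would return),
# embedded so the example runs without PyYAML.
RULES = {
    "disabled": ["MCP002"],
    "severity_overrides": {"PERM002": "medium"},
    "custom_patterns": [
        {
            "id": "CUSTOM003",
            "title": "Internal API key",
            "severity": "high",
            "pattern": r"ACME-[A-Z0-9]{24}",
            "description": "Matches internal ACME API keys.",
            "fix_guidance": "Rotate the key and move to env var.",
        }
    ],
}

# Hypothetical stand-ins for two of the scanner's built-in rules. The IDs match the ones
# referenced in rules.yaml; the titles and patterns are invented for this example.
BUILTIN_PATTERNS = [
    {"id": "MCP002", "title": "Hardcoded secret in MCP env block", "severity": "high",
     "pattern": r'"[A-Z_]*(?:API_KEY|TOKEN|SECRET)"\s*:\s*"[^"]+"'},
    {"id": "PERM002", "title": "Wildcard Bash grant", "severity": "low",
     "pattern": r"Bash\(\*\)"},
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    title: str
    severity: str
    line: int
    match: str


def compile_rules(rules: dict, builtin: list[dict]) -> list[dict]:
    """Merge built-in and custom patterns, drop disabled IDs, apply severity overrides."""
    disabled = set(rules.get("disabled", []))
    overrides = rules.get("severity_overrides", {})
    active = []
    for rule in builtin + rules.get("custom_patterns", []):
        if rule["id"] in disabled:
            continue
        active.append({
            **rule,
            "severity": overrides.get(rule["id"], rule["severity"]),
            "regex": re.compile(rule["pattern"]),
        })
    return active


def scan_text(text: str, active: list[dict]) -> list[Finding]:
    """Run every active regex over each line and emit one Finding per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in active:
            for m in rule["regex"].finditer(line):
                findings.append(Finding(rule["id"], rule["title"], rule["severity"], lineno, m.group(0)))
    return findings


# Constructed sample: a settings file with an env secret, an ACME key and a Bash(*) grant.
SAMPLE = """{
  "mcpServers": {
    "shell": {"command": "bash", "env": {"API_KEY": "ACME-ABCDEFGHIJKLMNOPQRSTUVWX"}}
  },
  "permissions": {"allow": ["Bash(*)"]}
}"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, compile_rules(RULES, BUILTIN_PATTERNS)):
        print(f"{f.rule_id} [{f.severity}] line {f.line}: {f.match}")
```

With the config as written, the env secret on line 3 is silently skipped because MCP002 is disabled, the ACME key on the same line is reported by CUSTOM003, and the Bash(*) grant is reported at medium rather than its built-in low. Disabling a rule is a blanket suppression, so prefer a severity override or a narrower custom pattern when only one false positive is in the way.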

Plugins

| Plugin | Where | What it does |
| --- | --- | --- |
| Claude Code agent | plugins/claude-agent/ | Subagent definition that calls this scanner's API |
| GitHub Copilot ext | plugins/copilot/ | Extension manifest + SSE webhook adapter for /scan |

See each plugin folder's README for install steps.

CI integration

```yaml
# .github/workflows/agent-scan.yml (steps only)
- run: pip install ai-agent-security-scanner
- run: agent-scan scan . --output sarif --out-file agent-scan.sarif --fail-on high
- uses: github/codeql-action/upload-sarif@v3
  if: always()   # the scan step exits non-zero on findings; still upload the report
  with:
    sarif_file: agent-scan.sarif
```

Two things the fragment leaves implicit: the job needs `permissions: security-events: write` for upload-sarif to succeed, and without `if: always()` a failing scan step skips the upload, so the findings that broke the build never reach the code scanning tab.

Exit codes: 0 = clean, 1 = only medium/low findings, 2 = critical/high findings. --fail-on sets which severities trigger the failing code; note that CI treats any non-zero exit as a failed step.
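The gating and report logic the CI snippet relies on, as an added example rather than the project's own implementation: it generalises the documented exit codes to an arbitrary --fail-on threshold and converts a ScanResult into the minimal SARIF 2.1.0 shape that upload-sarif accepts. The ScanResult field names (rule_id, title, severity, file, line, message) and the rule IDs in the sample are assumptions; the page only says the result carries a summary and findings.

```python
import json
import sys

# Severity order used for the --fail-on threshold. The order is an assumption consistent
# with the documented exit codes (critical/high fail the build, medium/low only warn).
SEVERITIES = ("low", "medium", "high", "critical")
# SARIF result levels that GitHub code scanning understands.
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

# Constructed sample in the shape this example assumes for a ScanResult. The field names
# and rule IDs are invented for illustration; the page does not publish the schema.
SAMPLE_RESULT = {
    "summary": {"files_scanned": 3, "total": 3},
    "findings": [
        {"rule_id": "MCP001", "title": "Shell-proxy MCP server", "severity": "critical",
         "file": ".mcp.json", "line": 4, "message": "MCP server command is a shell interpreter"},
        {"rule_id": "SEC003", "title": "Anthropic API key", "severity": "high",
         "file": "agent.py", "line": 12, "message": "Hardcoded Anthropic API key"},
        {"rule_id": "PERM002", "title": "Missing deny list", "severity": "low",
         "file": ".claude/settings.json", "line": 1, "message": "No deny list configured"},
    ],
}


def exit_code(findings, fail_on="high"):
    """Generalise the documented exit codes to any --fail-on threshold.

    0 = no findings, 1 = findings only below the threshold, 2 = at least one at or above it.
    """
    threshold = SEVERITIES.index(fail_on)
    ranks = [SEVERITIES.index(f["severity"]) for f in findings]
    if not ranks:
        return 0
    return 2 if max(ranks) >= threshold else 1


def to_sarif(result, tool_name="agent-scan"):
    """Convert a ScanResult into a minimal SARIF 2.1.0 log accepted by upload-sarif."""
    rules = {}
    results = []
    for f in result["findings"]:
        # Each distinct rule is declared once under tool.driver.rules and referenced by ruleId.
        rules.setdefault(f["rule_id"], {"id": f["rule_id"], "shortDescription": {"text": f["title"]}})
        results.append({
            "ruleId": f["rule_id"],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]},  # SARIF lines are 1-based
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    # Mirrors `agent-scan scan . --output sarif --out-file agent-scan.sarif --fail-on high`.
    fail_on = sys.argv[1] if len(sys.argv) > 1 else "high"
    with open("agent-scan.sarif", "w") as fh:
        json.dump(to_sarif(SAMPLE_RESULT), fh, indent=2)
    sys.exit(exit_code(SAMPLE_RESULT["findings"], fail_on))
```

GitHub derives alert severity from the SARIF level, so the SARIF_LEVEL mapping decides how a finding is triaged in the code scanning tab independently of whether the exit code broke the build.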

Tests

```bash
pip install -e ".[dev]"
pytest
```

Test fixtures under tests/fixtures/ contain intentionally vulnerable MCP/agent/code samples. Each scanner has unit tests that exercise its rules end-to-end.

License

MIT
