The official agent library for agentgg — AI-powered SAST agents for code security review.
Each agent is a self-contained markdown file with YAML frontmatter (metadata) and a markdown body (the LLM prompt). Agents are downloaded automatically by agentgg on first scan and updated with `agentgg agents update`.

```
agentgg-agents/
├── demo-agents/          # Small curated set — one agent per mode (file / walker / hunt) for a quick first scan via `-t demo-agents/`
└── base/                 # Full vulnerability library, organized by category — runs automatically when no -t flag is given
    ├── injection/        # SQL, NoSQL, command, XSS, path traversal, mass assignment
    ├── auth/             # Authentication, authorization, JWT, OAuth, session, IDOR
    ├── exposure/         # Secrets, env vars, error leaks, debug endpoints
    ├── misconfiguration/ # CORS, caching, cookies, feature-flag security
    ├── logic/            # Race conditions, async bugs, event handler mismatches
    ├── infrastructure/   # Docker, Kubernetes, Terraform, GitHub Actions
    ├── cloud/            # AWS Lambda, GCP, Azure, IAM
    ├── cryptography/     # Insecure algorithms, unsafe deserialization
    ├── mobile/           # Android, iOS
    └── ai/               # LLM/agent security, MCP, prompt injection
```

agentgg downloads and manages agents automatically. No manual setup needed.

Default scan — runs the full `base/` vulnerability library:

```bash
agentgg scan ./src
```

Run the quick `demo-agents/` set (one agent per mode — file / walker / hunt — for a fast first scan):

```bash
agentgg scan ./src -t demo-agents/
```

Run a specific category:

```bash
agentgg scan ./src -t base/injection/
agentgg scan ./src -t base/auth/
```

Run multiple categories:

```bash
agentgg scan ./src -t base/injection/ -t base/auth/
```

Run a single agent by slug:

```bash
agentgg scan ./src -t sql-injection
```

Update to the latest agents:

```bash
agentgg agents update
```

Each agent is a `.md` file:

```markdown
---
slug: sql-injection
name: SQL Injection
description: SQL queries built by concatenating untrusted input instead of using parameterized queries.
version: 0.1.0
author: your-github-handle
mode: file
noiseTier: normal
filePatterns:
- "**/*.{ts,js,py,rb,go,rs,php,java,cs}"
references:
- CWE-89
- OWASP-A03:2021
---
You are reviewing source code for SQL injection...
```

| Field | Description |
|---|---|
| `slug` | Unique identifier, kebab-case. Used with `-t`. Must match the filename (`<slug>.md`). |
| `name` | Human-readable name. |
| `description` | One-line summary shown in `agentgg agents list`. |
| `version` | Semver string. |
| `author` | Your GitHub username, Twitter handle, or alias. Your name ships with the agent. Use `agentgg` for official agents. Optionally add a full profile in `contributors.json`. |
| `mode` | `file` (one LLM call per matching file), `walker` (agentic batches), or `hunt` (whole-repo exploration). |
| `noiseTier` | `precise`, `normal`, or `noisy` — how many false positives to expect. |
| `filePatterns` | Glob patterns for files this agent should scan. |
| `references` | Optional. CWE, CVE, or OWASP identifiers — helps users triage findings and report to their security team. |

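
The schema rules above can be checked before opening a pull request. The following Python is an added example, not agentgg's own linter: it assumes every field except `references` is required, uses a simplified semver pattern, and parses only the flat frontmatter subset shown above. `parse_frontmatter`, `validate_agent` and `SAMPLE` are names introduced here.

```python
import re
# Allowed values come from the schema table above.
ENUMS = {"mode": {"file", "walker", "hunt"}, "noiseTier": {"precise", "normal", "noisy"}}
# Assumption: every field except the optional `references` is required.
REQUIRED = "slug name description version author mode noiseTier filePatterns".split()
# Constructed sample, modelled on the sql-injection agent shown above.
SAMPLE = ("---\nslug: sql-injection\nname: SQL Injection\n"
          "description: Concatenated SQL.\nversion: 0.1.0\nauthor: agentgg\n"
          "mode: file\nnoiseTier: normal\nfilePatterns:\n"
          '  - "**/*.{ts,js,py}"\nreferences:\n  - CWE-89\n---\nPrompt body...\n')

def parse_frontmatter(text):
    """Parse the flat YAML subset used above: `key: value` scalars and `- item` lists."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        raise ValueError("missing opening --- line")
    meta, key = {}, None
    for line in lines[1:]:
        if line.strip() == "---":
            return meta  # closing delimiter: the prompt body that follows is ignored
        item = re.match(r"\s*-\s+(.+)$", line)
        pair = re.match(r"(\w+):\s*(.*)$", line)
        if item and isinstance(meta.get(key), list):
            meta[key].append(item.group(1).strip().strip("\"'"))
        elif pair:
            key, value = pair.group(1), pair.group(2).strip().strip("\"'")
            meta[key] = value if value else []  # empty value starts a list
        elif line.strip():
            raise ValueError(f"unparseable line: {line!r}")
    raise ValueError("missing closing --- line")

def validate_agent(filename, text):
    """Return schema violations (empty list = pass); raises ValueError if unparseable."""
    meta = parse_frontmatter(text)
    errors = [f"missing field: {f}" for f in REQUIRED if not meta.get(f)]
    slug = str(meta.get("slug", ""))
    if not re.fullmatch(r"[a-z0-9]+(-[a-z0-9]+)*", slug):
        errors.append(f"slug is not kebab-case: {slug!r}")
    if filename != f"{slug}.md":
        errors.append(f"filename {filename!r} does not match slug {slug!r}")
    if not re.fullmatch(r"\d+\.\d+\.\d+([-+][\w.+-]+)?", str(meta.get("version"))):
        errors.append("version is not a semver string")
    for field, allowed in ENUMS.items():
        if str(meta.get(field)) not in allowed:
            errors.append(f"{field} must be one of {sorted(allowed)}")
    if not isinstance(meta.get("filePatterns"), list):
        errors.append("filePatterns must be a list of glob patterns")
    return errors
```
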
See CONTRIBUTING.md for the full guide. In short:
- Fork this repo
- Add a new `.md` agent in the appropriate category folder (slug rules in the schema above)
- Test it locally: `agentgg scan ./test-fixture -t ./your-agent.md`
- Lint the whole tree: `agentgg agents lint .`
- Open a pull request

New agents should have:
- A focused, single-responsibility prompt
- Clear true-positive and false-positive criteria in the prompt body
- Tight `filePatterns` to avoid scanning irrelevant files
- A CWE / CVE / OWASP reference when one fits (optional)

- agentgg — the CLI that runs these agents
