Deep security analysis framework for autonomous AI agent implementations
AiSec is an open-source, multi-agent security analysis framework designed to perform deep security audits of autonomous AI agent implementations like OpenClaw, custom LLM agents, and other agentic AI systems.
Unlike traditional container scanners (Trivy, Clair) that focus on CVEs in OS packages, AiSec analyzes AI-specific attack vectors: prompt injection, excessive agency, data exfiltration, privacy compliance, adversarial robustness, synthetic content risks, and multi-agent cascade failures.
- 35 Specialized Agents - Security agents work in parallel, each focused on a specific attack domain
- Docker-Based Sandboxing - Target AI agents run in isolated Docker environments with full network and filesystem instrumentation
- 8 Compliance Frameworks - GDPR, CCPA, Habeas Data, EU AI Act, ISO 42001, NIST AI 600-1, NIST AI RMF, Argentina AI Bill
- 250+ Risk Detectors - Covering prompt injection, taint analysis, RAG security, MCP hardening, tool chain exploits, memory poisoning, and more
- Auto-Remediation Engine - Generates structured fix suggestions with code patches, commands, and framework-specific guidance
- Policy-as-Code - YAML-based security policies for CI/CD gating (strict/moderate/permissive)
- 31 Correlation Rules - Cross-agent compound risk detection (e.g., "MCP no auth + unrestricted tools = agent takeover", "Falco + open port = active exploitation")
- AI-CVSS Scoring - Extended CVSS scoring with AI-specific risk dimensions (autonomy impact, cascade potential, persistence risk)
- 4 Report Formats - JSON, HTML, PDF, and SARIF for IDE/CI integration (GitHub Code Scanning, VS Code)
- Web UI Dashboard - Interactive web dashboard at `/dashboard/` with scan management, trend charts, and findings explorer
- Cloud Deployment - Kubernetes manifests, Helm chart, Docker Compose for AWS/GCP/Azure production deployment
- Cloud Storage - Upload reports to S3, GCS, or Azure Blob Storage (`--cloud-storage` flag)
- Falco Runtime Monitoring - eBPF-based syscall monitoring via Falco sidecar with 9 AI-specific detection rules
- Prometheus Metrics - `/api/metrics/` endpoint with counters, gauges, and histograms for scans, findings, agents, and API requests
- Structured Logging - structlog-based JSON logging with request ID tracing (`AISEC_LOG_FORMAT=json`)
- Scan Scheduler - Cron-based recurring scans via APScheduler (`--schedule "0 2 * * *"`)
- Scan Persistence - Scan reports and webhooks survive API restarts via SQLite-backed persistence
- Scan Queue - Thread pool with configurable concurrency limits (`AISEC_MAX_CONCURRENT_SCANS`) and backpressure (HTTP 429)
- Security Headers - CSP, X-Frame-Options, HSTS, X-Content-Type-Options on all API responses
- SSRF Protection - Webhook URL validation blocks private/internal IP addresses
- Plugin Hooks - `pre_scan`, `on_finding`, `post_scan`, `modify_report` hooks with error isolation
- REST API - `aisec serve` with Django REST Framework for programmatic access
- GitHub Action - Marketplace action with SARIF upload for automated security scanning in CI/CD
- Scan History - SQLite-backed trending and baseline comparison for tracking security posture over time
- Plugin System - Extensible architecture for custom analysis agents and compliance frameworks
- Multilingual - Reports available in English and Spanish
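
The SSRF Protection item above says webhook URLs are validated so they cannot point at private or internal addresses. The following is an added example, written for this page and not AiSec's own implementation, of how such a validator is normally built: a scheme allow-list, a direct check for literal IPs (including IPv4-mapped IPv6 such as `::ffff:127.0.0.1`), and, for hostnames, resolving the name and checking every returned address rather than only the first. The `offline_resolver` table and the sample URLs are constructed so the example runs without network access. One caveat a validator alone cannot close is DNS rebinding, where a name resolves to a public address at validation time and to an internal one when the webhook actually fires; the usual mitigations are to connect to the address that was validated rather than re-resolving, and to disable redirects on the outbound HTTP client.

```python
"""Webhook target validation against SSRF (illustrative, not AiSec's code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
INTERNAL_SUFFIXES = (".localhost", ".internal", ".local")


def _to_ip(text):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:127.0.0.1)."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def _is_public(ip):
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # which covers cloud metadata endpoints), CGNAT, ULA and reserved ranges.
    # Multicast is not covered by is_global, so it is excluded explicitly.
    return ip.is_global and not ip.is_multicast


def validate_webhook_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason). `resolver` has getaddrinfo's signature so the
    check can be exercised offline with a fake lookup table."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    # Literal IP: no DNS involved, check the address directly
    try:
        ip = _to_ip(host)
    except ValueError:
        ip = None
    if ip is not None:
        return (True, "ok") if _is_public(ip) else (False, f"{ip} is not a public address")
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return False, f"internal hostname {host!r}"
    # Hostname: every resolved address must be public, not just the first one
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return False, f"DNS resolution failed: {exc}"
    for _family, _type, _proto, _canon, sockaddr in infos:
        addr = _to_ip(sockaddr[0])
        if not _is_public(addr):
            return False, f"{host} resolves to non-public {addr}"
    return True, "ok"


# Constructed lookup table standing in for DNS so the example runs offline
_FAKE_DNS = {"hooks.example.com": "93.184.216.34", "intranet.example.com": "10.0.0.5"}


def offline_resolver(host, port, proto=0):
    """getaddrinfo-shaped resolver backed by the constructed table above."""
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (_FAKE_DNS[host], port))]


if __name__ == "__main__":
    for u in ("https://hooks.example.com/aisec",
              "https://intranet.example.com/x",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd"):
        print(u, validate_webhook_url(u, resolver=offline_resolver))
```

In production the resolver argument is left at its default; the injectable resolver exists only so the rejection paths can be unit-tested without touching the network.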
```text
+---------v---------+
|     AiSec CLI     |
|   scan | serve    |
+---------+---------+
          |
+---------v---------+
|    Orchestrator   |
|    Agent (DAG)    |
+---------+---------+
          |
┌─────────────────── Layer 1: Core Security ────────────────────┐
│ Network  DataFlow  Privacy  Prompt  Supply  Permission        │
│ Output  Crypto  SBOM  Garak  Guard  ModelScan                 │
│ Adversarial  Cascade  SyntheticContent                        │
└───────────────────────────────────────────────────────────────┘
          |
┌──────────────── Layer 2: Code & Infra Analysis ───────────────┐
│ StaticAnalysis  DependencyAudit  APISecurity  IaCSecurity     │
│ RuntimeBehavior                                               │
└───────────────────────────────────────────────────────────────┘
          |
┌──────────── Layer 3: Deep Code & Privacy (v1.4) ──────────────┐
│ TaintAnalysis  Serialization  GitHistorySecrets               │
│ DeepDependency  ResourceExhaustion  InterService              │
│ DataLineage  EmbeddingLeakage                                 │
└───────────────────────────────────────────────────────────────┘
          |
┌──────── Layer 4: Agentic Runtime & Remediation (v1.5) ────────┐
│ RAGSecurity  MCPSecurity  ToolChain  AgentMemory              │
│ FineTuning  CICDPipeline                                      │
│ [Auto-Remediation Engine]  [Policy-as-Code Engine]            │
└───────────────────────────────────────────────────────────────┘
          |
┌──────── Layer 5: Cloud & Runtime Monitoring (v1.7) ───────────┐
│ FalcoRuntime (eBPF sidecar)  CloudStorage (S3/GCS/Azure)      │
│ [K8s Manifests]  [Helm Chart]  [Docker Compose]               │
└───────────────────────────────────────────────────────────────┘
          |
┌──────── Layer 6: Observability & Scheduling (v1.8) ───────────┐
│ Prometheus Metrics (/api/metrics/)  Structlog JSON Logging    │
│ APScheduler Cron Scans  Request ID Tracing                    │
└───────────────────────────────────────────────────────────────┘
          |
+---------v---------+
|   Docker Sandbox  |
| +---------------+ |
| |  Target Agent | |
| |    + Falco    | |
| +---------------+ |
+---------+---------+
          |
+---------v---------+
|   Report Builder  |
|JSON|HTML|PDF|SARIF|
+-------------------+
```
| Agent | Focus Area | OWASP Mapping |
|---|---|---|
| NetworkAgent | Open ports, WebSocket security, TLS config, DNS exfiltration | LLM09, ASI07, ASI08 |
| DataFlowAgent | PII detection (Presidio), encryption at rest/transit, data retention | LLM02, ASI06 |
| PrivacyAgent | GDPR, CCPA, Habeas Data compliance assessment | LLM02 |
| PromptSecurityAgent | Direct/indirect prompt injection, tool hijacking, jailbreaks | LLM01, LLM07, ASI01 |
| SupplyChainAgent | Docker layer CVEs, dependency vulnerabilities, SBOM | LLM03, ASI04, ASI05 |
| PermissionAgent | Excessive agency, privilege escalation, tool access scope | LLM06, ASI02, ASI03 |
| OutputAgent | Output sanitization, information leakage, XSS vectors | LLM05, ASI09 |
| CryptoAuditAgent | TLS/SSL config, cipher suites, key management, quantum readiness | LLM02, LLM09 |
| SBOMAgent | Software Bill of Materials, license compliance, dependency depth | LLM03, ASI04 |
| GarakAgent | LLM vulnerability scanning (50+ probes), jailbreak, data leakage | LLM01, LLM04, LLM09 |
| GuardrailAgent | Safety guardrail presence (NeMo, Guardrails AI, LLM Guard), bypass testing | LLM05, ASI01 |
| ModelScanAgent | Malicious model files (Pickle, H5), backdoor triggers, provenance | LLM03, LLM04, ASI04 |
| AdversarialAgent | Evasion attacks, encoding bypass, multi-turn manipulation, fuzzing | LLM01, ASI01 |
| CascadeAgent | Multi-agent dependency graphs, cascade failure, inter-agent auth, trust boundaries | ASI07, ASI08 |
| SyntheticContentAgent | Deepfake detection, voice cloning, C2PA provenance, watermarking | LLM09, ASI09 |
| StaticAnalysisAgent | Semgrep + Bandit integration, AI-specific code patterns, dangerous constructs | LLM01, LLM07 |
| DependencyAuditAgent | pip-audit CVEs, typosquatting detection, malicious package flagging | LLM03, ASI04 |
| APISecurityAgent | Auth bypass, rate limiting, CORS, info disclosure, GraphQL introspection | LLM09, ASI07 |
| IaCSecurityAgent | Dockerfiles, K8s manifests, Helm charts, Checkov integration | ASI04, ASI05 |
| RuntimeBehaviorAgent | Process monitoring, filesystem changes, network activity, anomaly detection | ASI07, ASI08 |
| TaintAnalysisAgent | AST-based source-to-sink tracking, LLM output to eval/exec/SQL flows | LLM01, LLM07, ASI01 |
| SerializationAgent | Pickle, YAML, XML (XXE), jsonpickle, protobuf, msgpack deserialization | LLM03, ASI04 |
| GitHistorySecretsAgent | Git history secret scanning, gitleaks integration, historical vs current leaks | LLM02, ASI06 |
| DeepDependencyAgent | Transitive deps, license compliance, abandoned packages, dependency confusion | LLM03, ASI04, ASI05 |
| ResourceExhaustionAgent | ReDoS, zip bombs, unbounded loops, missing timeouts, memory bombs | LLM10, ASI08 |
| InterServiceAgent | Webhook HMAC, mTLS, message queue auth, gRPC reflection, callback validation | ASI07, ASI08 |
| DataLineageAgent | PII-to-LLM tracking, consent verification, right-to-erasure, GDPR/CCPA mapping | LLM02, ASI06 |
| EmbeddingLeakageAgent | Vector DB auth, namespace isolation, memorization risks, embedding inversion | LLM02, LLM04, ASI06 |
| RAGSecurityAgent | RAG pipeline: document injection, retrieval poisoning, context stuffing, grounding | LLM01, LLM08, ASI06 |
| MCPSecurityAgent | MCP server: auth, tool schemas, transport, approval flows, path traversal | ASI01, ASI02, LLM06 |
| ToolChainSecurityAgent | Tool use: sandbox, file/network/DB restrictions, output injection, chaining | LLM06, ASI02, ASI05 |
| AgentMemorySecurityAgent | Memory: encryption, access control, poisoning, unbounded growth, PII | ASI06, LLM02, LLM01 |
| FineTuningSecurityAgent | Training: data validation, PII scrubbing, provenance, RLHF, registry | LLM03, LLM04 |
| CICDPipelineSecurityAgent | CI/CD: secrets, model signing, pip safety, Docker privilege, branch protection | LLM05, ASI04 |
| FalcoRuntimeAgent | Falco eBPF sidecar: model tampering, crypto mining, container escape, DNS exfiltration | LLM06, ASI10 |
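
The TaintAnalysisAgent row above describes AST-based source-to-sink tracking of LLM output into `eval`/`exec`/SQL. As an added example, written for this page and not the project's own agent, here is a minimal intraprocedural tracker over Python's `ast` module. The source methods (`invoke`, `generate`, ...), sink calls and sanitizers are assumed, configurable sets; taint propagates through assignment, string concatenation, f-strings and method calls on a tainted value, and a sanitizer call or a clean reassignment clears it. `SAMPLE` is a constructed target snippet. The tracker is deliberately limited: it does not follow taint across function boundaries, through containers, or along branches, which is exactly the work a real agent has to do.

```python
"""Intraprocedural source-to-sink taint tracking over Python ASTs
(illustrative, not the project's TaintAnalysisAgent)."""
import ast

# Assumed names: methods whose return value is LLM output, calls treated as
# sinks, and calls whose result is considered neutralised for these sinks.
SOURCE_METHODS = {"invoke", "generate", "predict", "complete"}
SINKS = {"eval", "exec", "os.system", "subprocess.run", "cursor.execute"}
SANITIZERS = {"int", "float", "shlex.quote", "ast.literal_eval"}


def dotted(node):
    """'os.system' for a Name/Attribute chain, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = {}   # variable name -> line of the source call that tainted it
        self.flows = []     # (source_line, sink, sink_line)

    def origin(self, node):
        """Line of the LLM call whose output reaches this expression, or None."""
        if isinstance(node, ast.Call):
            callee = dotted(node.func) or ""
            if callee in SANITIZERS:
                return None
            if callee.rsplit(".", 1)[-1] in SOURCE_METHODS:
                return node.lineno
            # Any other call propagates taint from its arguments or receiver:
            # "{}".format(reply), reply.strip(), str(reply), ...
            parts = [*node.args, *(kw.value for kw in node.keywords), node.func]
            return next((o for o in map(self.origin, parts) if o), None)
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        # BinOp, JoinedStr (f-strings), Subscript, Tuple, ...: any tainted child
        return next((o for o in map(self.origin, ast.iter_child_nodes(node)) if o), None)

    def _assign(self, targets, value):
        o = self.origin(value)
        for t in targets:
            if isinstance(t, ast.Name):
                if o:
                    self.tainted[t.id] = o
                else:
                    self.tainted.pop(t.id, None)  # clean reassignment clears taint

    def visit_Assign(self, node):
        self._assign(node.targets, node.value)
        self.generic_visit(node)

    def visit_AnnAssign(self, node):
        if node.value is not None:
            self._assign([node.target], node.value)
        self.generic_visit(node)

    def visit_AugAssign(self, node):
        # s += reply taints s; s += "x" keeps whatever s already had
        o = self.origin(node.value)
        if o and isinstance(node.target, ast.Name):
            self.tainted[node.target.id] = o
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = dotted(node.func)
        if callee in SINKS:
            for arg in node.args:
                o = self.origin(arg)
                if o:
                    self.flows.append((o, callee, node.lineno))
                    break
        self.generic_visit(node)


def find_flows(source):
    """Return [(source_line, sink, sink_line), ...] for a module's source text."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.flows


# Constructed target snippet: an agent that wires model output into sinks
SAMPLE = '''
import os, shlex, subprocess
reply = llm.invoke(prompt)
exec("result = " + reply)
cmd = f"ls {reply}"
os.system(cmd)
quoted = shlex.quote(reply)
subprocess.run("echo " + quoted, shell=True)
limit = int(reply)
cursor.execute("SELECT * FROM t LIMIT " + str(limit))
cursor.execute("SELECT * FROM t WHERE name = '" + reply + "'")
'''

if __name__ == "__main__":
    for src_line, sink, sink_line in find_flows(SAMPLE):
        print(f"LLM output from line {src_line} reaches {sink} at line {sink_line}")
```

On `SAMPLE` the tracker reports three flows (`exec`, `os.system` and the string-built `cursor.execute`) and stays quiet on the `shlex.quote` and `int` paths; a string-concatenated SQL sink is reported even though a parameterised query with the same value would not be.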
- Python 3.11+
- Docker Engine running
- (Optional) Trivy for enhanced CVE scanning
```bash
# Install from PyPI
pip install aisec

# Install with all optional dependencies
pip install "aisec[all]"

# Install with deep dependency analysis (pipdeptree, pip-licenses)
pip install "aisec[deptree]"

# Install with cloud storage support (S3, GCS, Azure)
pip install "aisec[cloud]"

# Install with Prometheus metrics
pip install "aisec[metrics]"

# Install with scan scheduler
pip install "aisec[scheduler]"

# Install with REST API server
pip install "aisec[api]"

# Or install from source
git clone https://github.com/fboiero/AiSec.git
cd AiSec
pip install -e ".[dev]"
```

```bash
# Run a full security scan against an AI agent Docker image
aisec scan run ghcr.io/openclaw/openclaw:latest

# Scan with specific agents only
aisec scan run myagent:latest --agents network,prompt_security,permission

# Generate reports in multiple formats (including SARIF for IDE integration)
aisec scan run myagent:latest --format json,html,pdf,sarif

# Generate report in Spanish
aisec scan run myagent:latest --lang es

# Run with TUI dashboard
aisec scan run myagent:latest --dashboard

# Scan with auto-remediation suggestions
aisec scan run myagent:latest --remediation

# Scan with policy-based CI/CD gating
aisec scan run myagent:latest --policy strict --gate
```

```bash
# Use built-in policies: strict, moderate, permissive
aisec scan run myagent:latest --policy strict --gate
# Exit code: 0=pass, 1=fail, 2=warn

# Use custom policy file
aisec scan run myagent:latest --policy-file ./my-policy.yaml --gate
```

Example policy (`.aisec-policy.yaml`):
```yaml
name: production-deployment
gate:
  block_on:
    - severity: critical
      count: ">0"
    - severity: high
      count: ">5"
  warn_on:
    - severity: medium
      count: ">10"
  required_agents:
    - rag_security
    - mcp_security
    - tool_chain
  thresholds:
    max_critical: 0
    max_high: 5
```
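
The policy file is declarative; what a CI job actually depends on is the gate logic that turns it into the documented exit codes (0 pass, 1 fail, 2 warn). The following is an added example, written for this page and not AiSec's own policy engine, of that evaluation: it parses the `count: ">5"` comparisons, applies `block_on`, `thresholds` and `warn_on` to findings grouped by severity, and treats a required agent that did not run as a failure (an assumed semantic; the page does not say how missing coverage is scored). `POLICY` is the YAML above as the dict a YAML loader would produce, and `SAMPLE_FINDINGS` and `SAMPLE_AGENTS` are constructed.

```python
"""Evaluating a gate policy against scan findings (illustrative, not AiSec's engine)."""
import operator
import re
from collections import Counter

EXIT_PASS, EXIT_FAIL, EXIT_WARN = 0, 1, 2  # exit codes documented for --gate

# The policy file above, as a dict (what a YAML loader would produce)
POLICY = {
    "name": "production-deployment",
    "gate": {
        "block_on": [{"severity": "critical", "count": ">0"},
                     {"severity": "high", "count": ">5"}],
        "warn_on": [{"severity": "medium", "count": ">10"}],
        "required_agents": ["rag_security", "mcp_security", "tool_chain"],
        "thresholds": {"max_critical": 0, "max_high": 5},
    },
}

_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        ">": operator.gt, "<": operator.lt}
_COUNT_EXPR = re.compile(r"^\s*(>=|<=|==|>|<)\s*(\d+)\s*$")


def count_matches(count, expr):
    """Evaluate a `count: ">5"` style expression against an observed count."""
    m = _COUNT_EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported count expression {expr!r}")
    return _OPS[m.group(1)](count, int(m.group(2)))


def evaluate_gate(findings, agents_run, policy=POLICY):
    """Return (exit_code, reasons) for findings shaped like {"severity": ..., "agent": ...}."""
    gate = policy["gate"]
    by_severity = Counter(f["severity"].lower() for f in findings)
    blocking, warnings = [], []

    # Assumed semantics: a required agent that never ran is a blocking failure,
    # because missing coverage must not look like a clean result
    missing = sorted(set(gate.get("required_agents", [])) - set(agents_run))
    if missing:
        blocking.append("required agents did not run: " + ", ".join(missing))

    for rule in gate.get("block_on", []):
        n = by_severity[rule["severity"].lower()]
        if count_matches(n, rule["count"]):
            blocking.append(f"{n} {rule['severity']} findings (block_on {rule['count']})")

    # thresholds are evaluated independently, so overlapping rules each give a reason
    for key, limit in gate.get("thresholds", {}).items():
        sev = key.removeprefix("max_")
        if by_severity[sev] > limit:
            blocking.append(f"{by_severity[sev]} {sev} findings exceed {key}={limit}")

    for rule in gate.get("warn_on", []):
        n = by_severity[rule["severity"].lower()]
        if count_matches(n, rule["count"]):
            warnings.append(f"{n} {rule['severity']} findings (warn_on {rule['count']})")

    if blocking:
        return EXIT_FAIL, blocking
    if warnings:
        return EXIT_WARN, warnings
    return EXIT_PASS, []


# Constructed sample scan result: 3 high, 11 medium, all required agents ran
SAMPLE_FINDINGS = ([{"severity": "high", "agent": "mcp_security"}] * 3
                   + [{"severity": "medium", "agent": "rag_security"}] * 11)
SAMPLE_AGENTS = ["rag_security", "mcp_security", "tool_chain", "network"]

if __name__ == "__main__":
    import sys
    code, reasons = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_AGENTS)
    print(code, reasons)
    sys.exit(code)
```

Run as a script it exits with the gate code, which is the contract a pipeline step wants: the sample result is a warn (exit 2) because 11 medium findings cross `warn_on` while nothing blocks; add one critical finding, or drop a required agent from `SAMPLE_AGENTS`, and it becomes exit 1.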
```bash
# Start the server with dashboard (default)
aisec serve --port 8000

# Open http://localhost:8000/dashboard/ in your browser
# Features: scan management, trend charts, findings explorer, policy viewer

# Disable dashboard (API only)
aisec serve --no-dashboard
```

```bash
# Install cloud dependencies
pip install "aisec[cloud]"

# Upload reports to S3
AISEC_CLOUD_STORAGE_BACKEND=s3 AISEC_CLOUD_STORAGE_BUCKET=my-reports \
  aisec scan run myagent:latest --cloud-storage

# Upload to Google Cloud Storage
AISEC_CLOUD_STORAGE_BACKEND=gcs AISEC_CLOUD_STORAGE_BUCKET=my-reports \
  aisec scan run myagent:latest --cloud-storage
```

```bash
# Kubernetes (raw manifests)
kubectl apply -n aisec -f deploy/kubernetes/

# Helm
helm install aisec deploy/helm/aisec/ -n aisec --create-namespace

# Docker Compose
docker compose -f deploy/docker-compose.prod.yml up -d
```

See `deploy/README.md` for the full deployment guide.

```bash
# Enable Falco eBPF sidecar during scans
AISEC_FALCO_ENABLED=true aisec scan run myagent:latest

# Falco detects: model tampering, crypto mining, container escape,
# DNS exfiltration, reverse shells, and more
```

```bash
# Install metrics dependency
pip install "aisec[metrics]"

# Start the API server; metrics are exposed at /api/metrics/
aisec serve --port 8000

# Scrape metrics (Prometheus text format)
curl http://localhost:8000/api/metrics/

# Available metrics:
# aisec_scans_total{status}                          - total scans started/completed/failed
# aisec_scans_active                                 - currently running scans
# aisec_scan_duration_seconds                        - scan duration histogram
# aisec_findings_total{severity}                     - findings by severity
# aisec_agent_duration_seconds{agent}                - per-agent execution time
# aisec_api_requests_total{method,endpoint,status}   - API request counter
# aisec_api_request_duration_seconds                 - API request latency histogram
```

```bash
# Enable JSON log output
AISEC_LOG_FORMAT=json aisec serve

# Or use the boolean flag
AISEC_LOG_JSON=true aisec serve

# Default: human-readable console output (structlog ConsoleRenderer)
# JSON output includes: timestamp, log level, logger name, event, request_id
```

```bash
# Install scheduler dependency
pip install "aisec[scheduler]"

# Start API server with a recurring scan (daily at 2am)
aisec serve --schedule "0 2 * * *" --schedule-image myapp:latest

# Cron aliases: @hourly, @daily, @weekly, @monthly
aisec serve --schedule @daily --schedule-image myapp:latest
aisec serve --schedule @hourly --schedule-image myapp:latest

# Manage schedules via API
curl -X POST http://localhost:8000/api/schedules/ \
  -H "Content-Type: application/json" \
  -d '{"image": "myapp:latest", "cron": "0 2 * * *"}'
curl http://localhost:8000/api/schedules/
curl -X DELETE http://localhost:8000/api/schedules/<schedule-id>/
```

```bash
# Start the API server (Django REST Framework)
aisec serve --port 8000

# Submit a scan via API
curl -X POST http://localhost:8000/api/scan/ \
  -H "Content-Type: application/json" \
  -d '{"image": "myagent:latest"}'

# Check scan status
curl http://localhost:8000/api/scan/<scan-id>/

# List all scans
curl http://localhost:8000/api/scans/

# Health check
curl http://localhost:8000/api/health/
```

```yaml
# .github/workflows/aisec.yml
name: AI Agent Security Scan
on: [push, pull_request]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build agent image
        run: docker build -t myagent:latest .
      - name: Run AiSec scan
        uses: fboiero/AiSec@v1
        with:
          image: myagent:latest
          formats: json,sarif
          fail-on: high
```

```bash
aisec config init
```

This creates `aisec.yaml`:
```yaml
target:
  image: ""
  name: ""
  type: "generic"
scan:
  timeout: 3600
  agents:
    - all
report:
  format: ["json", "html", "sarif"]
  language: "en"
  output_dir: "./aisec-reports"
compliance:
  frameworks:
    - gdpr
    - ccpa
    - habeas_data
    - eu_ai_act
    - iso_42001
    - nist_ai_600_1
    - argentina_ai
cloud:
  storage_backend: ""  # s3, gcs, or azure
  storage_bucket: ""
  storage_prefix: "aisec-reports/"
falco:
  enabled: false
  image: "falcosecurity/falco-no-driver:latest"
```

- OWASP LLM Top 10 - Full coverage of all 10 categories, from prompt injection (LLM01) through unbounded consumption (LLM10).
- OWASP Agentic Top 10 - Assessment against agent-specific risks: goal hijacking, tool misuse, identity abuse, supply chain, code execution, memory poisoning, inter-agent communication, cascading failures, trust exploitation, and rogue agents.
- NIST AI RMF - Mapping to the GOVERN, MAP, MEASURE, and MANAGE functions with subcategory-level assessment.
- NIST AI 600-1 - 200+ action items across 12 GenAI-specific risk categories: confabulation, data privacy, information integrity, CBRN information, human-AI interaction, and more.
- EU AI Act - 22 checks covering risk classification (Art. 6), prohibited practices (Art. 5), high-risk requirements (Art. 8-15), GPAI model obligations (Art. 53-55), transparency (Art. 50), fundamental rights impact assessment (Art. 27), and post-market monitoring (Art. 72).
- ISO/IEC 42001 - 28 checks against the AI Management System standard: context, leadership, planning, support, operation, performance evaluation, improvement, and Annex A controls.
- Argentina AI Bill - 15 checks covering Ley 25.326 AI extensions, Bill 3003-D-2024 (AI Regulation Bill), AAIP guidance, and provincial protocols (Buenos Aires, Santa Fe).
- GDPR (EU) - Articles 5-9, 12-22, 25, 32-35
- CCPA (California) - Right to know, delete, opt-out
- Habeas Data (Argentina, Ley 25.326) - Articles 2-8, 11-12, 14, 16, 26-27
| Format | Use Case | Features |
|---|---|---|
| JSON | Programmatic access, CI/CD | Full finding details, machine-readable |
| HTML | Human review | Dark theme, interactive cards, risk radar |
| PDF | Executive reporting | Print-ready, WeasyPrint rendering |
| SARIF | IDE integration | GitHub Code Scanning, VS Code, Azure DevOps |
Create custom analysis agents:

```python
from aisec.agents.base import BaseAgent
from aisec.plugins.interface import AiSecPlugin


class MyCustomAgent(BaseAgent):
    name = "my_custom_check"
    description = "Custom security check"

    async def analyze(self):
        # Inspect the sandboxed target and record findings
        self.add_finding(...)


class MyPlugin(AiSecPlugin):
    name = "my-plugin"
    version = "1.0.0"

    def register_agents(self, registry):
        registry.register(MyCustomAgent)
```

Register in `pyproject.toml`:

```toml
[project.entry-points."aisec.plugins"]
my-plugin = "my_plugin:MyPlugin"
```

```bash
git clone https://github.com/fboiero/AiSec.git
cd AiSec
pip install -e ".[dev,all]"

# Run tests
pytest

# Run linter
ruff check src/ tests/

# Run type checker
mypy src/aisec/
```

- Core agent framework and orchestrator
- Docker sandbox with network/filesystem instrumentation
- 35 specialized security analysis agents
- OWASP LLM Top 10 + Agentic Top 10 mapping
- NIST AI RMF + NIST AI 600-1 assessment
- 8 compliance frameworks (GDPR, CCPA, Habeas Data, EU AI Act, ISO 42001, NIST AI 600-1, NIST AI RMF, Argentina AI)
- AI-CVSS risk scoring with 250+ risk detectors
- JSON, HTML, PDF, SARIF report generation
- Interactive TUI dashboard (Rich Live)
- REST API server (Django REST Framework)
- GitHub Action for CI/CD integration
- Multi-agent cascade analysis
- Synthetic content / deepfake detection
- Scan history and trending (SQLite)
- Static analysis (Semgrep + Bandit), dependency audit, API security, IaC scanning
- AST-based taint analysis, serialization attack surface, git history secrets
- Deep dependency analysis, resource exhaustion detection, inter-service security
- Data lineage privacy tracking, embedding leakage detection
- RAG pipeline security, MCP server hardening, tool chain analysis
- Agent memory security, fine-tuning pipeline security, CI/CD pipeline security
- Auto-remediation engine with code patches and framework guidance
- Policy-as-code engine with CI/CD gating (strict/moderate/permissive)
- 31 cross-agent correlation rules
- Cloud deployment (AWS, GCP, Azure) — K8s manifests, Helm chart, Docker Compose, cloud storage (S3/GCS/Azure)
- Real-time runtime monitoring (Falco eBPF sidecar with 9 AI-specific rules)
- Web UI dashboard (Chart.js, Alpine.js, HTMX)
- Prometheus observability (`/api/metrics/` endpoint, counters, gauges, histograms)
- Structured JSON logging (structlog, request ID tracing)
- Scheduled scans (APScheduler cron, API + CLI support)
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
If you discover a security vulnerability, please see SECURITY.md for responsible disclosure instructions.
AiSec is licensed under the Apache License 2.0.
- OWASP GenAI Security Project for the LLM and Agentic Top 10 frameworks
- NIST AI Risk Management Framework for AI governance standards
- EU AI Act for comprehensive AI regulation
- ISO/IEC 42001 for AI management system standards
- Trivy for container vulnerability scanning inspiration
- The open-source AI security research community
Made with security in mind by Federico Boiero
