v0.1.0 - Initial Release

@HeadyZhang released this 04 Feb 00:22

Agent Audit v0.1.0 - Initial Release

🛡️ Security scanner for AI agents and MCP configurations based on OWASP Agentic Top 10


✨ Features

  • 🔍 Python AST Scanning - Detects dangerous patterns like shell=True, eval(), exec(), and tainted input flows
  • ⚙️ MCP Configuration Scanning - Validates MCP server configurations for security issues
  • 🔐 Secret Detection - Finds hardcoded credentials (AWS keys, OpenAI/Anthropic API tokens, GitHub tokens, private keys)
  • 🌐 Runtime MCP Inspection - Probes MCP servers without executing tools ("Agent Nmap")
  • 📊 Multiple Output Formats - Terminal (rich), JSON, SARIF (GitHub Code Scanning), Markdown
  • 🎯 Baseline Scanning - Track new findings incrementally, ignore known issues
  • 🔧 Configurable - Customize via .agent-audit.yaml configuration file

🎯 Detected Issues

Rule ID    Title                                     Severity
AGENT-001  Command Injection via Unsanitized Input   🔴 Critical
AGENT-002  Excessive Agent Permissions               🟡 Medium
AGENT-003  Potential Data Exfiltration Chain         🟠 High
AGENT-004  Hardcoded Credentials                     🔴 Critical
AGENT-005  Unverified MCP Server                     🟠 High
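As an added illustration of the kind of AST check behind AGENT-001 and the Python AST scanning feature (example code written for this page, not the project's own implementation), a minimal walker that flags shell=True, eval() and exec() calls and records whether the argument is a literal or comes from elsewhere; the scanned snippet is constructed.

```python
import ast

# Constructed sample of agent code for the walker to inspect (not from the project):
# one risky call per pattern plus a safe subprocess call for contrast.
SAMPLE = '''
import subprocess
def run_tool(user_arg):
    subprocess.run("ls " + user_arg, shell=True)   # shell=True, non-literal command
    subprocess.run(["ls", "-l"], shell=False)      # literal argv, no shell
    result = eval(user_arg)                        # eval on caller-controlled input
    exec("print(1)")                               # exec with a constant string
    return result
'''

def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'subprocess.run' or 'eval'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def _is_literal(node: ast.Call) -> bool:
    """True when the first positional argument is a compile-time constant."""
    return bool(node.args) and isinstance(node.args[0], ast.Constant)

def find_dangerous_calls(source: str) -> list:
    """Return (line, reason) for every shell=True, eval() or exec() call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                # A non-literal command under shell=True is where unsanitized input becomes injection.
                reason = f"{name} with shell=True"
                if not _is_literal(node):
                    reason += " and non-literal command"
                findings.append((node.lineno, reason))
        if name in ("eval", "exec"):
            kind = "constant" if _is_literal(node) else "non-literal"
            findings.append((node.lineno, f"{name}() on {kind} argument"))
    return findings

if __name__ == "__main__":
    for line, reason in find_dangerous_calls(SAMPLE):
        print(f"line {line}: {reason}")
```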

📦 Installation

pip install agent-audit

🚀 Quick Start

Basic Scan

  • Scan the current directory
    agent-audit scan .

  • Scan a specific path
    agent-audit scan ./my-agent

  • Scan with JSON output
    agent-audit scan . --format json

  • Scan with SARIF output (for GitHub Code Scanning)
    agent-audit scan . --format sarif --output results.sarif

MCP Server Inspection

  • Inspect a stdio MCP server
    agent-audit inspect stdio -- npx -y @modelcontextprotocol/server-filesystem /tmp

  • Inspect with JSON output
    agent-audit inspect stdio --format json -- python my_mcp_server.

CI/CD Integration

  • Fail on high-severity findings
    agent-audit scan . --fail-on high

  • Only report critical issues
    agent-audit scan . --severity critical

🔗 GitHub Action

  • Add to your workflow:
    name: Security Scan
    on: [push, pull_request]
    jobs:
      agent-audit:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - name: Run Agent Audit
            uses: HeadyZhang/agent-audit@v1
            with:
              path: '.'
              fail-on: 'high'
              upload-sarif: 'true'

📋 Requirements

  • Python 3.9+

📄 License

  • MIT License