agentguard
Enables automated security scanning of agent code within GitHub Actions workflows, detecting vulnerabilities on push or pull request events.
Adds a pre-commit hook to automatically scan agent code for security vulnerabilities before committing changes.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@agentguardscan my agent code for vulnerabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
AgentGuard
Autonomous security scanner for AI agents. Detects prompt injection, tool abuse, data exfiltration, and OWASP ASI Top 10 vulnerabilities in agent code.
Why AgentGuard?
AI agents are being deployed at scale -- in coding tools, customer support, trading bots, and autonomous systems. Nobody is scanning their code for security vulnerabilities.
Existing tools (Bandit, Semgrep, CodeQL) scan for traditional vulnerabilities. AgentGuard scans for agent-specific attack vectors that traditional SAST tools miss.
Comparison
Feature | AgentGuard | Semgrep | CodeQL | Bandit |
Prompt Injection (ASI01) | Yes + AST taint | No | No | No |
Tool Abuse (ASI02) | Yes | No | No | Partial |
Data Exfiltration (ASI03) | Yes | No | No | No |
Excessive Agency (ASI04) | Yes | No | No | No |
Supply Chain (ASI05) | Yes | No | No | No |
Insecure Output (ASI06) | Yes | No | No | No |
Credential Exposure (ASI07) | Yes | Partial | Partial | Yes |
Context Manipulation (ASI08) | Yes | No | No | No |
Agent Loop Exploitation (ASI09) | Yes | No | No | No |
Trust Boundary (ASI10) | Yes | No | No | No |
AST Taint Tracking | Yes | No | No | No |
OWASP ASI Top 10 Coverage | 10/10 | 1/10 | 1/10 | 2/10 |
MCP Server Mode | Yes | No | No | No |
SARIF Output | Yes | Yes | Yes | No |
Pre-commit Hook | Yes | Yes | No | No |
GitHub Action | Yes | Yes | Yes | No |
Comparison based on author's assessment of default rule sets (v0.8.1 vs Semgrep OSS v1.x, CodeQL default queries, Bandit v1.7). "Partial" indicates some coverage via general-purpose rules but no agent-specific detection.
Related MCP server: vibecheck
Live Demo
See AgentGuard in action on the demo repo. The CI runs AgentGuard on every push, and findings appear in GitHub Code Scanning.
Precision & Validation
AgentGuard's precision has been independently measured:
Metric | Value |
Precision (independent sample) | 88% (44 TP / 6 FP) |
Sample size | 50 CONFIRMED findings |
Frameworks covered | 7 (CAMEL, Qwen-Agent, LangChain, CrewAI, AutoGen, LlamaIndex, Dify) |
Validation method | Manual source code inspection at each reported line |
FP filter effectiveness | 32 systematic FP patterns eliminated (from 36% to 88%) |
License | LGPL v3 — free for individuals and OSS, paid for enterprise |
All 6 remaining FPs fixed in v0.8.1 (single pattern: def _update_prompts).
Methodology: 50 findings were randomly sampled from 951 CONFIRMED results, completely disjoint from the development/fix sample. Each finding was verified by reading the actual source code at the reported line with surrounding context.
Roadmap
See ROADMAP.md for the full 2026–2027 roadmap. Current phase: Phase 1 — Prove Technical Value (complete). Next: Phase 2 — Build Audience.
Sovereign Security Audit 2026
AgentGuard was deployed against 7 major AI agent frameworks:
Framework | Files | Findings | CONFIRMED | Risk Score |
Dify | 2,030 | 1,687 | 216 | 12,570 |
LlamaIndex | 2,951 | 1,080 | 294 | 6,341 |
CrewAI | 1,042 | 1,317 | 99 | 6,392 |
LangChain | 1,831 | 436 | 132 | 2,653 |
AutoGen | 553 | 696 | 98 | 2,696 |
CAMEL | 355 | 147 | 62 | 946 |
Qwen-Agent | 238 | 242 | 50 | 1,325 |
TOTAL | 9,000 | 5,605 | 951 | 32,923 |
Full report: AUDIT_REPORT_2026.md
AgentGuard is the first and only static analysis tool with dedicated OWASP ASI Top 10 rules. Traditional SAST tools (Semgrep, CodeQL, Bandit) lack agent-specific detection rules -- they were designed for traditional vulnerabilities, not AI agent attack vectors.
Security Specification: specification.md — the formal standard for AI agent code security.
Quick Start
pip install dfx-agentguard
# Scan a directory
agentguard .
# JSON output for CI/CD
agentguard src/ --format json
# SARIF for GitHub Code Scanning
agentguard . --format sarif > results.sarif
# Only show HIGH and above
agentguard . --min-severity HIGH
# Include test files in scan
agentguard . --include-testsCLI Usage
agentguard [OPTIONS] [TARGET]
Arguments:
TARGET Directory or file to scan (default: current directory)
Options:
--format [text|json|sarif] Output format (default: text)
--exit-code / --no-exit-code Exit non-zero if findings found (default: on)
--min-severity [CRITICAL|HIGH|MEDIUM|LOW|INFO] Minimum severity to report
--include-tests Include test files in scan (default: skip)
--no-fp-filter Disable false positive filtering
--no-classify Disable finding classification
--auto-report PATH Generate auto Markdown audit report
--ci CI/CD concise output mode
--help Show helpOWASP ASI Top 10 Coverage
ID | Vulnerability | Status | Detection Method |
ASI01 | Prompt Injection | Detected | f-string, .format(), messages array, context stuffing, tool description poisoning |
ASI02 | Tool Abuse / Unintended Tool Use | Detected | os.system, subprocess, shell tools, unrestricted registration |
ASI03 | Data Exfiltration | Detected | External URLs, variable URL correlation, fetch/axios, subprocess curl, DNS exfil |
ASI04 | Unauthorized Actions / Excessive Agency | Detected | Auto-execute, no confirmation, autonomous actions |
ASI05 | Supply Chain / Untrusted Components | Detected | Dynamic import, unpinned deps, untrusted pip install |
ASI06 | Insecure Output Handling | Detected | LLM output in HTML/JSX/DOM, innerHTML, document.write, markdown.render |
ASI07 | Credential / Secret Exposure | Detected | API keys (sk-, ghp_, AKIA, AIza, xox), private keys, passwords, connection strings |
ASI08 | Context Window Manipulation | Detected | Unbounded context, token stuffing, missing limits |
ASI09 | Agent Loop Exploitation | Detected | Recursive calls without depth limit, while True, no max iterations |
ASI10 | Trust Boundary Violation | Detected | Root access, host filesystem mounts, no sandbox, self-modification |
CI/CD Integration
Docker — Run Anywhere
docker run --rm -v $(pwd):/workspace ghcr.io/dockfixlabs/agentguard .Works in any CI/CD pipeline. No Python needed.
GitHub Action
name: Security Scan
on: [push, pull_request]
jobs:
agentguard:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- run: pip install dfx-agentguard
- run: agentguard . --format sarif > results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarifDrop-in GitHub Action
- uses: dockfixlabs/agentguard@v0.8.1
with:
path: src/
format: sarifPre-commit Hook
repos:
- repo: https://github.com/dockfixlabs/agentguard
rev: v0.8.1
hooks:
- id: agentguard
args: ["--min-severity", "HIGH"]Programmatic Usage
from agentguard.scanner import scan_directory
result = scan_directory("src/")
print(f"Found {len(result.findings)} issues")
print(f"Critical: {result.critical_count}")
print(f"High: {result.high_count}")
for finding in result.findings:
print(f" [{finding.severity}] {finding.rule_name} at {finding.file}:{finding.line}")MCP Server Mode
Scan agent code directly from Claude Code, Cursor, or any MCP-compatible client:
{
"mcpServers": {
"agentguard": {
"command": "python3",
"args": ["-m", "agentguard.mcp_server"]
}
}
}Then ask Claude: "Scan my agent code for security vulnerabilities"
Benchmark Results
Tested against 28 vulnerable code samples + 8 real-world attack patterns:
Category Total Detected Coverage
ASI01 6 6 Covered
ASI02 5 5 Covered
ASI03 4 4 Covered
ASI07 6 6 Covered
ASI10 5 5 Covered
clean 2 0 Verified clean
TOTAL 28 26 —The complete benchmark suite contains 56 hand-crafted samples covering all detection rules.
Project Ecosystem
Repository | Description |
Core scanner + CLI + MCP server | |
MCP server configuration scanner | |
GitHub App for automated PR reviews | |
VS Code extension | |
Benchmark suite (56 samples) |
Roadmap
OWASP ASI Top 10 -- all 10 categories covered
MCP server mode -- scan from Claude Code/Cursor
SARIF output -- GitHub Code Scanning integration
PyPI publication -- dfx-agentguard
VS Code extension
GitHub App for PR reviews
Benchmark suite (28 samples, covering all detection rules)
Pre-commit hook (.pre-commit-hooks.yaml)
GitHub Action (action.yml)
Dockerfile for agentguard-app
PyPI Trusted Publishing (OIDC)
AST-based taint tracking (v0.5.0) -- traces source-to-sink data flow
Language support: Rust, Go, Java
Web dashboard (SaaS)
REST API (Scan-as-a-Service)
See the full ROADMAP.md.
Contributing
See CONTRIBUTING.md. Bug reports and feature requests welcome.
Security
See SECURITY.md. Report vulnerabilities privately -- do not open public issues.
License
LGPL v3 -- see LICENSE. AI agent SAST is a new category. The LGPL ensures the core remains open while protecting against cloud vendor appropriation (learned from Bandit's Apache 2.0 → $0 revenue path).
Built by Dockfix Labs. Built for the AI agent era.
AgentGuard Ecosystem
AgentGuard is the core security scanner. Companion tools:
Tool | Purpose | Install |
AI agent code security scanner |
| |
MCP server security audit |
| |
GitHub App for PR reviews | Install from Marketplace | |
VS Code inline diagnostics | Install from VS Code | |
Detection benchmark suite |
| |
Live demo with Code Scanning |
|
22 detection rules | 139 tests | 28 benchmark samples | OWASP ASI Top 10 | 88% precision GitHub Action: dockfixlabs/agentguard@v1
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/dockfixlabs/agentguard'
If you have feedback or need assistance with the MCP directory API, please join our Discord server