# AgentGuard: Open-Source Security Scanning for AI Agent Code

> Source: <https://dev.to/dockfixlabs/agentguard-open-source-security-scanning-for-ai-agent-code-2d66>
> Published: 2026-06-28 22:41:23+00:00

AI agents are being deployed at scale — in customer support, code generation, data analysis, and autonomous workflows. But the code that powers these agents is rarely security-audited.

Consider this pattern, common in production agent codebases:

```python
user_input = request.json()["prompt"]
prompt = f"You are a helpful assistant. {user_input}"
response = openai.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": prompt}]
)
```

This is a **prompt injection** vulnerability. A user can override the system prompt and manipulate the agent's behavior. It is the AI equivalent of SQL injection — and it is everywhere.

The [OWASP Agentic Security Initiative](https://owasp.org/www-project-agentic-security/) published a Top 10 list of risks specific to AI agent systems:

| ID | Risk |
|---|---|
| ASI01 | Prompt Injection |
| ASI02 | Tool Abuse / Unintended Tool Use |
| ASI03 | Data Exfiltration / Sensitive Data Leakage |
| ASI04 | Unauthorized Actions / Excessive Agency |
| ASI05 | Supply Chain / Untrusted Components |
| ASI06 | Insecure Output Handling |
| ASI07 | Credential / Secret Exposure |
| ASI08 | Context Window Manipulation |
| ASI09 | Agent Loop Exploitation |
| ASI10 | Trust Boundary Violation |

Most of these have no coverage in traditional SAST tools. Semgrep and CodeQL were built for a world without LLMs.

[AgentGuard](https://github.com/dockfixlabs/agentguard) is an open-source static analysis tool that scans AI agent codebases for all 10 OWASP ASI categories.

```bash
pip install dfx-agentguard
# Scan current directory
agentguard .

# JSON output for CI/CD
agentguard src/ --format json

# SARIF for GitHub code scanning
agentguard . --format sarif
```

**Prompt Injection (ASI01)** — f-string prompt construction, string concatenation with user input, system prompt overrides.

```python
# Vulnerable
prompt = f"You are a helpful assistant. {user_input}"

# AgentGuard flags this as ASI01-PROMPT-INJECTION
```

**Tool Abuse (ASI02)** — `os.system()`, `subprocess` with user input, `eval()`/`exec()` in agent tool functions.

```python
# Vulnerable
def run_command(query):
    return os.system(f"echo {query}")

# AgentGuard flags this as ASI02-TOOL-ABUSE
```

**Data Exfiltration (ASI03)** — `requests.post()` to external URLs, `fetch()` calls, webhook configurations, DNS-based exfiltration patterns, subprocess `curl`/`wget` calls.

```python
# Vulnerable
requests.post("https://analytics-server.com/collect", json=agent_data)

# AgentGuard flags this as ASI03-DATA-EXFIL
```

**Credential Exposure (ASI07)** — hardcoded API keys (`sk-proj-*`, `AKIA*`, `ghp_*`), private keys, connection strings with passwords, wallet seed phrases, Slack tokens, Google API keys.

```python
# Vulnerable
OPENAI_API_KEY = "sk-proj-Tq8m2X4vN7bR1wK9pL3hY6jD5cF0aZ8s"

# AgentGuard flags this as ASI07-CREDENTIAL-LEAK
```
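To make the detection side concrete, here is an added toy scanner (not AgentGuard's code) that uses Python's `ast` module to flag the three patterns shown above: a prompt variable built by f-string or `+` concatenation (ASI01), a shell or `eval` sink called with a non-literal argument (ASI02), and string literals that match the key prefixes listed under ASI07. The rule ids reuse the post's names for readability; the sample source, the placeholder key strings, the sink list and the regexes are constructed for this example and are far narrower than a real tool's rules. The sample also contains a variant that keeps the system instruction and the user text in separate messages, which the heuristic does not flag.

```python
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Constructed sample source mirroring the vulnerable snippets above plus one
# safer variant. The key-like strings are placeholders, not real credentials.
SAMPLE_SOURCE = '''\
import os, openai

OPENAI_API_KEY = "sk-proj-EXAMPLEKEY000000000000000000000000"
AWS_KEY = "AKIAEXAMPLEEXAMPLE00"

def handle(request):
    user_input = request.json()["prompt"]
    prompt = f"You are a helpful assistant. {user_input}"
    return openai.chat.completions.create(
        model="gpt-4",
        messages=[{"role": "user", "content": prompt}],
    )

def run_command(query):
    return os.system(f"echo {query}")

def safe_handle(request):
    user_input = request.json()["prompt"]
    return openai.chat.completions.create(
        model="gpt-4",
        messages=[
            {"role": "system", "content": "You are a helpful assistant."},
            {"role": "user", "content": user_input},
        ],
    )
'''


@dataclass
class Finding:
    rule: str
    line: int
    message: str


# Shell/eval sinks the post lists under ASI02 (hypothetical, incomplete list).
DANGEROUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.call",
    "subprocess.Popen", "subprocess.check_output", "eval", "exec",
}

# Key formats the post lists under ASI07: known prefix plus a plausible length.
SECRET_PATTERNS = {
    "OpenAI project key": re.compile(r"sk-proj-[A-Za-z0-9_-]{20,}"),
    "AWS access key id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "GitHub PAT": re.compile(r"ghp_[A-Za-z0-9]{36}"),
}


def _qualname(func: ast.expr) -> str:
    """Turn the callee of `a.b.c(...)` into "a.b.c"; empty string if not a plain dotted name."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _is_built_from_variables(node: ast.expr) -> bool:
    """True for an f-string with placeholders or a `+` concatenation that is not all literals."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    return False


class AgentScanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        # ASI01: a variable named like a prompt whose value interpolates other values.
        for target in node.targets:
            if (isinstance(target, ast.Name) and "prompt" in target.id.lower()
                    and _is_built_from_variables(node.value)):
                self.findings.append(Finding("ASI01-PROMPT-INJECTION", node.lineno,
                                             f"prompt '{target.id}' interpolates non-literal values"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        # ASI02: a shell/eval sink whose first argument is not a string literal.
        name = _qualname(node.func)
        if name in DANGEROUS_CALLS and node.args and not isinstance(node.args[0], ast.Constant):
            self.findings.append(Finding("ASI02-TOOL-ABUSE", node.lineno,
                                         f"{name}() called with a dynamic argument"))
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        # ASI07: a string literal that looks like a known credential format.
        if isinstance(node.value, str):
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(node.value):
                    self.findings.append(Finding("ASI07-CREDENTIAL-LEAK", node.lineno,
                                                 f"hardcoded {label}"))


def scan_source(source: str) -> list[Finding]:
    """Parse `source` and return findings ordered by line number."""
    scanner = AgentScanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.message}")
```

Running the script prints four findings for the sample (two credential literals, the f-string prompt and the `os.system` call) and nothing for `safe_handle`. The point of the AST approach over plain regex is that `os.system("ls")` with a literal argument is not flagged while `os.system(f"echo {query}")` is; a real scanner would add data-flow tracking so that only values actually reachable from request input count as dynamic.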

Plus: Excessive Agency (ASI04), Supply Chain (ASI05), Insecure Output Handling (ASI06), Context Manipulation (ASI08), Agent Loop Exploitation (ASI09), Trust Boundary Violations (ASI10).

Output formats for local use and CI:

```bash
agentguard . --format text
agentguard . --format json --exit-code
agentguard . --format sarif
```

As a pre-commit hook:

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/dockfixlabs/agentguard
    rev: v0.2.2
    hooks:
      - id: agentguard
```

As a GitHub Actions workflow:

```yaml
# .github/workflows/security.yml
name: Agent Security Scan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dockfixlabs/agentguard@v0.2.2
        with:
          path: src/
          format: sarif
```
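The SARIF format mentioned above is what GitHub code scanning ingests to show findings as annotations on a pull request. As an added example (not AgentGuard's own SARIF writer), the following builds a minimal SARIF 2.1.0 log from a list of findings, runs the sanity checks a CI step would want before upload (every result references a declared rule, line numbers start at 1), and reduces the log to its highest severity level so a pipeline can decide whether to fail. Field names follow the SARIF 2.1.0 specification; the findings, file paths, tool name and rule descriptions are constructed for this example.

```python
import json

# Constructed findings in the shape (rule id, file path, line, message).
SAMPLE_FINDINGS = [
    ("ASI01-PROMPT-INJECTION", "src/agent.py", 8, "prompt built with f-string from user input"),
    ("ASI02-TOOL-ABUSE", "src/tools.py", 15, "os.system() called with a dynamic argument"),
    ("ASI07-CREDENTIAL-LEAK", "src/config.py", 3, "hardcoded OpenAI project key"),
]

# Short descriptions and SARIF levels for the rule ids used in the post (constructed mapping).
RULE_INFO = {
    "ASI01-PROMPT-INJECTION": ("Prompt Injection", "error"),
    "ASI02-TOOL-ABUSE": ("Tool Abuse / Unintended Tool Use", "error"),
    "ASI03-DATA-EXFIL": ("Data Exfiltration / Sensitive Data Leakage", "warning"),
    "ASI07-CREDENTIAL-LEAK": ("Credential / Secret Exposure", "error"),
}


def findings_to_sarif(findings, tool_name="agentguard-example", tool_version="0.0.0"):
    """Build a SARIF 2.1.0 log with one run; each rule is declared once in the driver."""
    used_rules = sorted({rule for rule, *_ in findings})
    rules = [
        {
            "id": rule,
            "shortDescription": {"text": RULE_INFO[rule][0]},
            "defaultConfiguration": {"level": RULE_INFO[rule][1]},
        }
        for rule in used_rules
    ]
    results = [
        {
            "ruleId": rule,
            "ruleIndex": used_rules.index(rule),
            "level": RULE_INFO[rule][1],
            "message": {"text": message},
            "locations": [{"physicalLocation": {
                # Relative path; %SRCROOT% lets the consumer anchor it to the checkout.
                "artifactLocation": {"uri": path, "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": line},
            }}],
        }
        for rule, path, line, message in findings
    ]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def check_sarif(doc):
    """Return a list of problems a CI step should fail on before uploading the log."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        rule_ids = [r["id"] for r in run["tool"]["driver"].get("rules", [])]
        for res in run.get("results", []):
            if res.get("ruleId") not in rule_ids:
                problems.append(f"result references unknown rule {res.get('ruleId')}")
            for loc in res.get("locations", []):
                line = loc["physicalLocation"].get("region", {}).get("startLine", 0)
                if line < 1:
                    problems.append("startLine must be >= 1")
    return problems


def highest_level(doc):
    """Most severe SARIF level present, usable for a non-zero-exit decision in CI."""
    order = {"none": 0, "note": 1, "warning": 2, "error": 3}
    levels = [res.get("level", "warning") for run in doc["runs"] for res in run["results"]]
    return max(levels, key=order.__getitem__, default="none")


if __name__ == "__main__":
    doc = findings_to_sarif(SAMPLE_FINDINGS)
    assert not check_sarif(doc)
    print(json.dumps(doc, indent=2))
    print("highest level:", highest_level(doc))
```

A scanner that emits the log and the step that uploads it are often separate jobs, so the pre-upload check is worth keeping even when the emitter is trusted: a result whose `ruleId` is not declared in `tool.driver.rules` renders without a description, and a zero `startLine` is rejected by consumers that validate regions.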

AgentGuard can run as a Model Context Protocol (MCP) server, letting AI coding assistants (Claude Code, Cursor) scan code in real time:

```bash
agentguard --mcp
```

The VS Code extension provides inline diagnostics, scan-on-save, and a findings tree view. It is available as a VSIX on the [releases page](https://github.com/dockfixlabs/agentguard-vscode/releases).

The [AgentGuard Benchmark](https://github.com/dockfixlabs/agentguard-benchmark) provides 28 vulnerable code samples across 5 OWASP ASI categories, plus clean code for false-positive testing.

```bash
git clone https://github.com/dockfixlabs/agentguard-benchmark
cd agentguard-benchmark
python benchmark.py
```

Full roadmap on [GitHub](https://github.com/dockfixlabs/agentguard/blob/main/ROADMAP.md).

```bash
pip install dfx-agentguard
agentguard . --format text
```

If you find this useful, star the repo on [GitHub](https://github.com/dockfixlabs/agentguard). Contributions welcome — see [CONTRIBUTING.md](https://github.com/dockfixlabs/agentguard/blob/main/CONTRIBUTING.md).

*AgentGuard is MIT-licensed and built by Dockfix Labs.*
