cd /news/ai-safety/safeai-open-source-static-ai-risk-an… · home topics ai-safety article
[ARTICLE · art-64891] src=github.com ↗ pub= topic=ai-safety verified=true sentiment=↑ positive

SafeAI – Open-Source Static AI Risk Analyzer for AI Agents

SafeAI, an open-source static analysis tool for AI agent source code, was released to detect security risks, capability exposure, and governance gaps before deployment. The tool scans code offline, integrates into CI/CD pipelines, and identifies issues like prompt injection and tool misuse across eight AI frameworks. It aims to fill a gap left by traditional application security tools for AI systems.

read6 min views1 publishedJul 18, 2026
SafeAI – Open-Source Static AI Risk Analyzer for AI Agents
Image: source

SafeAI is a static analysis tool that scans AI application source code for security risks, capability exposure, and governance gaps. It runs entirely offline, never executes agents or calls LLMs, and integrates into CI/CD pipelines.

🌐

[safeai-analyzer.ikaruscareer.com]— project landing page

Traditional application security tools (SAST, SCA, IaC scanning) are not designed for AI agent systems. AI applications introduce new risk surfaces:

Prompt injection— untrusted input flows into model prompts** Agent tool misuse**— agents with filesystem, shell, or database access** Capability sprawl**— frameworks expose capabilities without visibility** MCP exposure**— Model Context Protocol endpoints and tools** Governance gaps**— missing authentication, permissions, audit trails

SafeAI fills this gap by analyzing frameworks, agents, tools, capabilities, and MCP integrations at rest—before deployment.

SafeAI analyzes AI applications without executing them, helping developers discover capabilities, identify potential risks, and improve governance early in the software lifecycle.

Designed to be lightweight, explainable, and community-driven, SafeAI aims to become an open foundation for AI capability and risk analysis.

SafeAI sits before runtime guardrails and red-teaming tools in the security lifecycle. It scans agent source code at commit time — detecting framework-specific capabilities, MCP misconfigurations, and prompt injection patterns — before you ever deploy an agent to staging. It does not replace runtime tools (Microsoft AGT), evaluation frameworks (LangSmith, DeepEval), or red-teaming scanners (Promptfoo, Garak). It complements them: find the risk in code first, then validate at runtime.

Feature Description
Framework Detection
Detects and parses 8 AI agent frameworks
Capability Discovery
Identifies filesystem, shell, network, database, and other capabilities
AI Risk Analysis
Categorizes findings into 7 risk categories with weighted trust scoring
Prompt Risk Analysis
Detects injection patterns, delimiter issues, system leak, role override
Tool Analysis
Identifies agent-bound tools and their risk profiles
Memory Analysis
Detects memory/checkpointer usage in agent workflows
MCP Analysis
Discovers MCP servers, clients, tools, resources, and validates configuration
Data Leakage Detection
Flags hardcoded secrets, tokens, and API keys
CI/CD Integration
SARIF output, exit codes, GitHub Actions workflow included
Multi-Format Reports
Terminal summary, JSON, SARIF 2.1.0, HTML
Cross-File Analysis
Import graph, symbol resolution, and project graph
Confidence-Arbitrated Parsing
Multiple parsers per file, merged with provenance
Source Code
    │
    ▼
Framework Detection — identifies AI frameworks via imports, configs, deps
    │
    ▼
Static Analysis — AST parsing, capability patterns, dependency scanning
    │
    ▼
Capability Mapping — maps framework objects to normalized risk categories
    │
    ▼
Risk Rules — applies rule engine with configurable severity and weights
    │
    ▼
Trust Score — deterministic category-weighted scoring from 0–100
    │
    ▼
Reports — terminal, JSON, SARIF, HTML
Framework Detection Discovery Capability Analysis Risk Analysis Status
LangGraph Partial Partial Partial Early Preview
CrewAI Partial Partial Partial Early Preview
LangChain Partial Partial Partial Early Preview
Semantic Kernel Partial Partial Partial Early Preview
OpenAI Agents SDK Partial Partial Partial Early Preview
Microsoft Agent Framework Partial Partial Partial Early Preview
Azure AI Foundry Minimal Minimal Minimal Early Preview
Bedrock Agent Minimal Minimal Minimal Early Preview

LangGraph— detectsStateGraph

,add_edge

,bind_tools

, nodes, modelsCrewAI— detectsAgent

,Task

, tools, modelsLangChain— detectsAgentExecutor

,Chain

,Tool

,PromptTemplate

, modelsSemantic Kernel— detectsKernel.invoke

, plugins, functions, skills, memoryOpenAI Agents SDK— detectsAgent

, tools, handoffs, MCP referencesMicrosoft Agent Framework— detectsAgentClient

, tools, workflows, Azure modelsAzure AI Foundry— detects YAML configurations with Azure resources** Bedrock Agent**— detects JSON configurations with Bedrock resources

SafeAI fingerprints capabilities at the framework object level and via fallback regex patterns. Each capability includes evidence, confidence score, resolved definition, and provenance.

Capability Category Risk Impact
Shell Execution Shell Command injection, host compromise
Filesystem Access Filesystem Data exfiltration, file tampering
Browser Automation Browser UI-based attacks, credential theft
Planning / Orchestration Planner Autonomous decision chain risk
Agent Delegation Delegation Unchecked sub-agent authority
Memory / Checkpoint Memory Data retention across sessions
RAG / Retrieval RAG Document exfiltration, prompt injection via documents
GitHub Integration GitHub Repository access, secret leakage
Slack Integration Slack Channel monitoring, message injection
Email Integration Phishing, data exfiltration
Database Access Databases SQL injection, data breach
Cloud Services Cloud Cloud resource abuse, cost escalation
External APIs External APIs Third-party data exfiltration
MCP Services MCP Exposed endpoints, unauthorized tool access
Human Approval Human Approval Approval bypass risk
Multi-Agent Multi-Agent Delegation-based privilege escalation

Note:Some capabilities (Browser, GitHub, Slack, Email, RAG, Human Approval) are detected primarily through MCP configuration analysis. Framework adapter detection for these capabilities is planned.

  • Python 3.11 or 3.12
  • PyYAML (for YAML configuration parsing)
git clone https://github.com/ikaruscareer/SafeAI.git
cd SafeAI
pip install -e .
pip install -e ".[dev]"
python -m safeai scan <directory> [options]
Option Default Description
directory
required Path to scan
--sarif
report.sarif
SARIF output path (empty string to skip)
--json
JSON output path
--html
HTML report output path
--rules
built-in Custom rules directory
--fail-on
critical
Exit code threshold: critical , high , medium
--verbose
Enable verbose output
Code Condition
0 No findings at or above threshold
1 Finding at or above threshold detected
SafeAI Scan Summary
Files: 12
Frameworks: langgraph, crewai
MCP assets: 2
Overall AI Risk Score: 73
critical: 1
high: 3
medium: 5
Findings:
[critical] app.py:10 - Untrusted input interpolated into prompt
[high] app.py:22 - Capability detected: shell_execution
[high] mcp.json:1 - MCP configuration does not define authentication
{
  "Framework": "LangGraph",
  "Capabilities": ["Planner", "Memory", "Filesystem", "MCP"],
  "Risk Score": 73,
  "Findings": 9,
  "Critical": 1,
  "High": 3
}

A workflow is included at .github/workflows/ci.yml

. To use in your project:

jobs:
  safeai-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install SafeAI
        run: |
          pip install -e .
      - name: Run scan
        run: |
          python -m safeai scan . --sarif results.sarif --html report.html
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
safeai-scan:
  image: python:3.12
  script:
    - pip install -e .
    - safeai scan . --sarif results.sarif --html report.html
  artifacts:
    paths:
      - results.sarif
      - report.html
- task: PythonScript@0
  inputs:
    scriptSource: 'inline'
    script: |
      import subprocess
      subprocess.run(["pip", "install", "-e", "."])
      subprocess.run(["safeai", "scan", ".", "--sarif", "$(Build.ArtifactStagingDirectory)/results.sarif"])

SafeAI outputs SARIF 2.1.0 format, compatible with GitHub Advanced Security, Azure DevOps, and other SARIF-compliant tools.

See ROADMAP.md for the detailed roadmap covering all 5 phases:

Phase 1— Static AI Risk Scanner (OSS) —in active developmentPhase 1.5— AI Component Security** Phase 2**— AI Security Testing (optional future)** Phase 3**— Test Packs** Phase 4**— Enterprise (Commercial)** Phase 5**— Community Intelligence

SafeAI is released under the Apache 2.0 License.

── more in #ai-safety 4 stories · sorted by recency
── more on @safeai 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/safeai-open-source-s…] indexed:0 read:6min 2026-07-18 ·