SafeAI is a static analysis tool that scans AI application source code for security risks, capability exposure, and governance gaps. It runs entirely offline, never executes agents or calls LLMs, and integrates into CI/CD pipelines.
🌐
[safeai-analyzer.ikaruscareer.com]— project landing page
Traditional application security tools (SAST, SCA, IaC scanning) are not designed for AI agent systems. AI applications introduce new risk surfaces:
Prompt injection— untrusted input flows into model prompts** Agent tool misuse**— agents with filesystem, shell, or database access** Capability sprawl**— frameworks expose capabilities without visibility** MCP exposure**— Model Context Protocol endpoints and tools** Governance gaps**— missing authentication, permissions, audit trails
SafeAI fills this gap by analyzing frameworks, agents, tools, capabilities, and MCP integrations at rest—before deployment.
SafeAI analyzes AI applications without executing them, helping developers discover capabilities, identify potential risks, and improve governance early in the software lifecycle.
Designed to be lightweight, explainable, and community-driven, SafeAI aims to become an open foundation for AI capability and risk analysis.
SafeAI sits before runtime guardrails and red-teaming tools in the security lifecycle. It scans agent source code at commit time — detecting framework-specific capabilities, MCP misconfigurations, and prompt injection patterns — before you ever deploy an agent to staging. It does not replace runtime tools (Microsoft AGT), evaluation frameworks (LangSmith, DeepEval), or red-teaming scanners (Promptfoo, Garak). It complements them: find the risk in code first, then validate at runtime.
| Feature | Description |
|---|---|
| Framework Detection | |
| Detects and parses 8 AI agent frameworks | |
| Capability Discovery | |
| Identifies filesystem, shell, network, database, and other capabilities | |
| AI Risk Analysis | |
| Categorizes findings into 7 risk categories with weighted trust scoring | |
| Prompt Risk Analysis | |
| Detects injection patterns, delimiter issues, system leak, role override | |
| Tool Analysis | |
| Identifies agent-bound tools and their risk profiles | |
| Memory Analysis | |
| Detects memory/checkpointer usage in agent workflows | |
| MCP Analysis | |
| Discovers MCP servers, clients, tools, resources, and validates configuration | |
| Data Leakage Detection | |
| Flags hardcoded secrets, tokens, and API keys | |
| CI/CD Integration | |
| SARIF output, exit codes, GitHub Actions workflow included | |
| Multi-Format Reports | |
| Terminal summary, JSON, SARIF 2.1.0, HTML | |
| Cross-File Analysis | |
| Import graph, symbol resolution, and project graph | |
| Confidence-Arbitrated Parsing | |
| Multiple parsers per file, merged with provenance |
Source Code
│
▼
Framework Detection — identifies AI frameworks via imports, configs, deps
│
▼
Static Analysis — AST parsing, capability patterns, dependency scanning
│
▼
Capability Mapping — maps framework objects to normalized risk categories
│
▼
Risk Rules — applies rule engine with configurable severity and weights
│
▼
Trust Score — deterministic category-weighted scoring from 0–100
│
▼
Reports — terminal, JSON, SARIF, HTML
| Framework | Detection | Discovery | Capability Analysis | Risk Analysis | Status |
|---|---|---|---|---|---|
| LangGraph | ✔ | Partial | Partial | Partial | Early Preview |
| CrewAI | ✔ | Partial | Partial | Partial | Early Preview |
| LangChain | ✔ | Partial | Partial | Partial | Early Preview |
| Semantic Kernel | ✔ | Partial | Partial | Partial | Early Preview |
| OpenAI Agents SDK | ✔ | Partial | Partial | Partial | Early Preview |
| Microsoft Agent Framework | ✔ | Partial | Partial | Partial | Early Preview |
| Azure AI Foundry | ✔ | Minimal | Minimal | Minimal | Early Preview |
| Bedrock Agent | ✔ | Minimal | Minimal | Minimal | Early Preview |
LangGraph— detectsStateGraph
,add_edge
,bind_tools
, nodes, modelsCrewAI— detectsAgent
,Task
, tools, modelsLangChain— detectsAgentExecutor
,Chain
,Tool
,PromptTemplate
, modelsSemantic Kernel— detectsKernel.invoke
, plugins, functions, skills, memoryOpenAI Agents SDK— detectsAgent
, tools, handoffs, MCP referencesMicrosoft Agent Framework— detectsAgentClient
, tools, workflows, Azure modelsAzure AI Foundry— detects YAML configurations with Azure resources** Bedrock Agent**— detects JSON configurations with Bedrock resources
SafeAI fingerprints capabilities at the framework object level and via fallback regex patterns. Each capability includes evidence, confidence score, resolved definition, and provenance.
| Capability | Category | Risk Impact |
|---|---|---|
| Shell Execution | Shell | Command injection, host compromise |
| Filesystem Access | Filesystem | Data exfiltration, file tampering |
| Browser Automation | Browser | UI-based attacks, credential theft |
| Planning / Orchestration | Planner | Autonomous decision chain risk |
| Agent Delegation | Delegation | Unchecked sub-agent authority |
| Memory / Checkpoint | Memory | Data retention across sessions |
| RAG / Retrieval | RAG | Document exfiltration, prompt injection via documents |
| GitHub Integration | GitHub | Repository access, secret leakage |
| Slack Integration | Slack | Channel monitoring, message injection |
| Email Integration | Phishing, data exfiltration | |
| Database Access | Databases | SQL injection, data breach |
| Cloud Services | Cloud | Cloud resource abuse, cost escalation |
| External APIs | External APIs | Third-party data exfiltration |
| MCP Services | MCP | Exposed endpoints, unauthorized tool access |
| Human Approval | Human Approval | Approval bypass risk |
| Multi-Agent | Multi-Agent | Delegation-based privilege escalation |
Note:Some capabilities (Browser, GitHub, Slack, Email, RAG, Human Approval) are detected primarily through MCP configuration analysis. Framework adapter detection for these capabilities is planned.
- Python 3.11 or 3.12
- PyYAML (for YAML configuration parsing)
git clone https://github.com/ikaruscareer/SafeAI.git
cd SafeAI
pip install -e .
pip install -e ".[dev]"
python -m safeai scan <directory> [options]
| Option | Default | Description |
|---|---|---|
directory |
||
| required | Path to scan | |
--sarif |
||
report.sarif |
||
| SARIF output path (empty string to skip) | ||
--json |
||
| — | JSON output path | |
--html |
||
| — | HTML report output path | |
--rules |
||
| built-in | Custom rules directory | |
--fail-on |
||
critical |
||
Exit code threshold: critical , high , medium |
||
--verbose |
||
| — | Enable verbose output |
| Code | Condition |
|---|---|
| 0 | No findings at or above threshold |
| 1 | Finding at or above threshold detected |
SafeAI Scan Summary
Files: 12
Frameworks: langgraph, crewai
MCP assets: 2
Overall AI Risk Score: 73
critical: 1
high: 3
medium: 5
Findings:
[critical] app.py:10 - Untrusted input interpolated into prompt
[high] app.py:22 - Capability detected: shell_execution
[high] mcp.json:1 - MCP configuration does not define authentication
{
"Framework": "LangGraph",
"Capabilities": ["Planner", "Memory", "Filesystem", "MCP"],
"Risk Score": 73,
"Findings": 9,
"Critical": 1,
"High": 3
}
A workflow is included at .github/workflows/ci.yml
. To use in your project:
jobs:
safeai-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install SafeAI
run: |
pip install -e .
- name: Run scan
run: |
python -m safeai scan . --sarif results.sarif --html report.html
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
safeai-scan:
image: python:3.12
script:
- pip install -e .
- safeai scan . --sarif results.sarif --html report.html
artifacts:
paths:
- results.sarif
- report.html
- task: PythonScript@0
inputs:
scriptSource: 'inline'
script: |
import subprocess
subprocess.run(["pip", "install", "-e", "."])
subprocess.run(["safeai", "scan", ".", "--sarif", "$(Build.ArtifactStagingDirectory)/results.sarif"])
SafeAI outputs SARIF 2.1.0 format, compatible with GitHub Advanced Security, Azure DevOps, and other SARIF-compliant tools.
See ROADMAP.md for the detailed roadmap covering all 5 phases:
Phase 1— Static AI Risk Scanner (OSS) —in active developmentPhase 1.5— AI Component Security** Phase 2**— AI Security Testing (optional future)** Phase 3**— Test Packs** Phase 4**— Enterprise (Commercial)** Phase 5**— Community Intelligence
SafeAI is released under the Apache 2.0 License.