{"slug": "safeai-open-source-static-ai-risk-analyzer-for-ai-agents", "title": "SafeAI – Open-Source Static AI Risk Analyzer for AI Agents", "summary": "SafeAI, an open-source static analysis tool for AI agent source code, was released to detect security risks, capability exposure, and governance gaps before deployment. The tool scans code offline, integrates into CI/CD pipelines, and identifies issues like prompt injection and tool misuse across eight AI frameworks. It aims to fill a gap left by traditional application security tools for AI systems.", "body_md": "**SafeAI** is a static analysis tool that scans AI application source code for security risks, capability exposure, and governance gaps. It runs entirely offline, never executes agents or calls LLMs, and integrates into CI/CD pipelines.\n\n🌐\n\n[safeai-analyzer.ikaruscareer.com]— project landing page\n\nTraditional application security tools (SAST, SCA, IaC scanning) are not designed for AI agent systems. AI applications introduce new risk surfaces:\n\n**Prompt injection**— untrusted input flows into model prompts** Agent tool misuse**— agents with filesystem, shell, or database access** Capability sprawl**— frameworks expose capabilities without visibility** MCP exposure**— Model Context Protocol endpoints and tools** Governance gaps**— missing authentication, permissions, audit trails\n\nSafeAI fills this gap by analyzing frameworks, agents, tools, capabilities, and MCP integrations at rest—before deployment.\n\nSafeAI analyzes AI applications without executing them, helping developers discover capabilities, identify potential risks, and improve governance early in the software lifecycle.\n\nDesigned to be lightweight, explainable, and community-driven, SafeAI aims to become an open foundation for AI capability and risk analysis.\n\nSafeAI sits before runtime guardrails and red-teaming tools in the security lifecycle. It scans agent source code at commit time — detecting framework-specific capabilities, MCP misconfigurations, and prompt injection patterns — before you ever deploy an agent to staging. It does not replace runtime tools (Microsoft AGT), evaluation frameworks (LangSmith, DeepEval), or red-teaming scanners (Promptfoo, Garak). It complements them: find the risk in code first, then validate at runtime.\n\n| Feature | Description |\n|---|---|\nFramework Detection |\nDetects and parses 8 AI agent frameworks |\nCapability Discovery |\nIdentifies filesystem, shell, network, database, and other capabilities |\nAI Risk Analysis |\nCategorizes findings into 7 risk categories with weighted trust scoring |\nPrompt Risk Analysis |\nDetects injection patterns, delimiter issues, system leak, role override |\nTool Analysis |\nIdentifies agent-bound tools and their risk profiles |\nMemory Analysis |\nDetects memory/checkpointer usage in agent workflows |\nMCP Analysis |\nDiscovers MCP servers, clients, tools, resources, and validates configuration |\nData Leakage Detection |\nFlags hardcoded secrets, tokens, and API keys |\nCI/CD Integration |\nSARIF output, exit codes, GitHub Actions workflow included |\nMulti-Format Reports |\nTerminal summary, JSON, SARIF 2.1.0, HTML |\nCross-File Analysis |\nImport graph, symbol resolution, and project graph |\nConfidence-Arbitrated Parsing |\nMultiple parsers per file, merged with provenance |\n\n```\nSource Code\n    │\n    ▼\nFramework Detection — identifies AI frameworks via imports, configs, deps\n    │\n    ▼\nStatic Analysis — AST parsing, capability patterns, dependency scanning\n    │\n    ▼\nCapability Mapping — maps framework objects to normalized risk categories\n    │\n    ▼\nRisk Rules — applies rule engine with configurable severity and weights\n    │\n    ▼\nTrust Score — deterministic category-weighted scoring from 0–100\n    │\n    ▼\nReports — terminal, JSON, SARIF, HTML\n```\n\n| Framework | Detection | Discovery | Capability Analysis | Risk Analysis | Status |\n|---|---|---|---|---|---|\n| LangGraph | ✔ | Partial | Partial | Partial | Early Preview |\n| CrewAI | ✔ | Partial | Partial | Partial | Early Preview |\n| LangChain | ✔ | Partial | Partial | Partial | Early Preview |\n| Semantic Kernel | ✔ | Partial | Partial | Partial | Early Preview |\n| OpenAI Agents SDK | ✔ | Partial | Partial | Partial | Early Preview |\n| Microsoft Agent Framework | ✔ | Partial | Partial | Partial | Early Preview |\n| Azure AI Foundry | ✔ | Minimal | Minimal | Minimal | Early Preview |\n| Bedrock Agent | ✔ | Minimal | Minimal | Minimal | Early Preview |\n\n**LangGraph**— detects`StateGraph`\n\n,`add_edge`\n\n,`bind_tools`\n\n, nodes, models**CrewAI**— detects`Agent`\n\n,`Task`\n\n, tools, models**LangChain**— detects`AgentExecutor`\n\n,`Chain`\n\n,`Tool`\n\n,`PromptTemplate`\n\n, models**Semantic Kernel**— detects`Kernel.invoke`\n\n, plugins, functions, skills, memory**OpenAI Agents SDK**— detects`Agent`\n\n, tools, handoffs, MCP references**Microsoft Agent Framework**— detects`AgentClient`\n\n, tools, workflows, Azure models**Azure AI Foundry**— detects YAML configurations with Azure resources** Bedrock Agent**— detects JSON configurations with Bedrock resources\n\nSafeAI fingerprints capabilities at the framework object level and via fallback regex patterns. Each capability includes evidence, confidence score, resolved definition, and provenance.\n\n| Capability | Category | Risk Impact |\n|---|---|---|\n| Shell Execution | Shell | Command injection, host compromise |\n| Filesystem Access | Filesystem | Data exfiltration, file tampering |\n| Browser Automation | Browser | UI-based attacks, credential theft |\n| Planning / Orchestration | Planner | Autonomous decision chain risk |\n| Agent Delegation | Delegation | Unchecked sub-agent authority |\n| Memory / Checkpoint | Memory | Data retention across sessions |\n| RAG / Retrieval | RAG | Document exfiltration, prompt injection via documents |\n| GitHub Integration | GitHub | Repository access, secret leakage |\n| Slack Integration | Slack | Channel monitoring, message injection |\n| Email Integration | Phishing, data exfiltration | |\n| Database Access | Databases | SQL injection, data breach |\n| Cloud Services | Cloud | Cloud resource abuse, cost escalation |\n| External APIs | External APIs | Third-party data exfiltration |\n| MCP Services | MCP | Exposed endpoints, unauthorized tool access |\n| Human Approval | Human Approval | Approval bypass risk |\n| Multi-Agent | Multi-Agent | Delegation-based privilege escalation |\n\nNote:Some capabilities (Browser, GitHub, Slack, Email, RAG, Human Approval) are detected primarily through MCP configuration analysis. Framework adapter detection for these capabilities is planned.\n\n- Python 3.11 or 3.12\n- PyYAML (for YAML configuration parsing)\n\n```\ngit clone https://github.com/ikaruscareer/SafeAI.git\ncd SafeAI\npip install -e .\npip install -e \".[dev]\"\npython -m safeai scan <directory> [options]\n```\n\n| Option | Default | Description |\n|---|---|---|\n`directory` |\nrequired | Path to scan |\n`--sarif` |\n`report.sarif` |\nSARIF output path (empty string to skip) |\n`--json` |\n— | JSON output path |\n`--html` |\n— | HTML report output path |\n`--rules` |\nbuilt-in | Custom rules directory |\n`--fail-on` |\n`critical` |\nExit code threshold: `critical` , `high` , `medium` |\n`--verbose` |\n— | Enable verbose output |\n\n| Code | Condition |\n|---|---|\n| 0 | No findings at or above threshold |\n| 1 | Finding at or above threshold detected |\n\n```\nSafeAI Scan Summary\nFiles: 12\nFrameworks: langgraph, crewai\nMCP assets: 2\nOverall AI Risk Score: 73\ncritical: 1\nhigh: 3\nmedium: 5\nFindings:\n[critical] app.py:10 - Untrusted input interpolated into prompt\n[high] app.py:22 - Capability detected: shell_execution\n[high] mcp.json:1 - MCP configuration does not define authentication\n{\n  \"Framework\": \"LangGraph\",\n  \"Capabilities\": [\"Planner\", \"Memory\", \"Filesystem\", \"MCP\"],\n  \"Risk Score\": 73,\n  \"Findings\": 9,\n  \"Critical\": 1,\n  \"High\": 3\n}\n```\n\nA workflow is included at `.github/workflows/ci.yml`\n\n. To use in your project:\n\n```\njobs:\n  safeai-scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: actions/setup-python@v5\n        with:\n          python-version: '3.12'\n      - name: Install SafeAI\n        run: |\n          pip install -e .\n      - name: Run scan\n        run: |\n          python -m safeai scan . --sarif results.sarif --html report.html\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: results.sarif\nsafeai-scan:\n  image: python:3.12\n  script:\n    - pip install -e .\n    - safeai scan . --sarif results.sarif --html report.html\n  artifacts:\n    paths:\n      - results.sarif\n      - report.html\n- task: PythonScript@0\n  inputs:\n    scriptSource: 'inline'\n    script: |\n      import subprocess\n      subprocess.run([\"pip\", \"install\", \"-e\", \".\"])\n      subprocess.run([\"safeai\", \"scan\", \".\", \"--sarif\", \"$(Build.ArtifactStagingDirectory)/results.sarif\"])\n```\n\nSafeAI outputs SARIF 2.1.0 format, compatible with GitHub Advanced Security, Azure DevOps, and other SARIF-compliant tools.\n\nSee [ROADMAP.md](/ikaruscareer/SafeAI/blob/main/ROADMAP.md) for the detailed roadmap covering all 5 phases:\n\n**Phase 1**— Static AI Risk Scanner (OSS) —*in active development***Phase 1.5**— AI Component Security** Phase 2**— AI Security Testing (optional future)** Phase 3**— Test Packs** Phase 4**— Enterprise (Commercial)** Phase 5**— Community Intelligence\n\nSafeAI is released under the Apache 2.0 License.", "url": "https://wpnews.pro/news/safeai-open-source-static-ai-risk-analyzer-for-ai-agents", "canonical_source": "https://github.com/ikaruscareer/SafeAI", "published_at": "2026-07-18 22:24:40+00:00", "updated_at": "2026-07-18 22:51:14.735782+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-agents", "ai-infrastructure", "developer-tools"], "entities": ["SafeAI", "LangGraph", "CrewAI", "LangChain", "Semantic Kernel", "OpenAI Agents SDK", "Microsoft Agent Framework", "Azure AI Foundry"], "alternates": {"html": "https://wpnews.pro/news/safeai-open-source-static-ai-risk-analyzer-for-ai-agents", "markdown": "https://wpnews.pro/news/safeai-open-source-static-ai-risk-analyzer-for-ai-agents.md", "text": "https://wpnews.pro/news/safeai-open-source-static-ai-risk-analyzer-for-ai-agents.txt", "jsonld": "https://wpnews.pro/news/safeai-open-source-static-ai-risk-analyzer-for-ai-agents.jsonld"}}