SafeAI – Open-Source Static AI Risk Analyzer for AI Agents SafeAI, an open-source static analysis tool for AI agent source code, was released to detect security risks, capability exposure, and governance gaps before deployment. The tool scans code offline, integrates into CI/CD pipelines, and identifies issues like prompt injection and tool misuse across eight AI frameworks. It aims to fill a gap left by traditional application security tools for AI systems. SafeAI is a static analysis tool that scans AI application source code for security risks, capability exposure, and governance gaps. It runs entirely offline, never executes agents or calls LLMs, and integrates into CI/CD pipelines. 🌐 safeai-analyzer.ikaruscareer.com β€” project landing page Traditional application security tools SAST, SCA, IaC scanning are not designed for AI agent systems. AI applications introduce new risk surfaces: Prompt injection β€” untrusted input flows into model prompts Agent tool misuse β€” agents with filesystem, shell, or database access Capability sprawl β€” frameworks expose capabilities without visibility MCP exposure β€” Model Context Protocol endpoints and tools Governance gaps β€” missing authentication, permissions, audit trails SafeAI fills this gap by analyzing frameworks, agents, tools, capabilities, and MCP integrations at restβ€”before deployment. SafeAI analyzes AI applications without executing them, helping developers discover capabilities, identify potential risks, and improve governance early in the software lifecycle. Designed to be lightweight, explainable, and community-driven, SafeAI aims to become an open foundation for AI capability and risk analysis. SafeAI sits before runtime guardrails and red-teaming tools in the security lifecycle. It scans agent source code at commit time β€” detecting framework-specific capabilities, MCP misconfigurations, and prompt injection patterns β€” before you ever deploy an agent to staging. It does not replace runtime tools Microsoft AGT , evaluation frameworks LangSmith, DeepEval , or red-teaming scanners Promptfoo, Garak . It complements them: find the risk in code first, then validate at runtime. | Feature | Description | |---|---| Framework Detection | Detects and parses 8 AI agent frameworks | Capability Discovery | Identifies filesystem, shell, network, database, and other capabilities | AI Risk Analysis | Categorizes findings into 7 risk categories with weighted trust scoring | Prompt Risk Analysis | Detects injection patterns, delimiter issues, system leak, role override | Tool Analysis | Identifies agent-bound tools and their risk profiles | Memory Analysis | Detects memory/checkpointer usage in agent workflows | MCP Analysis | Discovers MCP servers, clients, tools, resources, and validates configuration | Data Leakage Detection | Flags hardcoded secrets, tokens, and API keys | CI/CD Integration | SARIF output, exit codes, GitHub Actions workflow included | Multi-Format Reports | Terminal summary, JSON, SARIF 2.1.0, HTML | Cross-File Analysis | Import graph, symbol resolution, and project graph | Confidence-Arbitrated Parsing | Multiple parsers per file, merged with provenance | Source Code β”‚ β–Ό Framework Detection β€” identifies AI frameworks via imports, configs, deps β”‚ β–Ό Static Analysis β€” AST parsing, capability patterns, dependency scanning β”‚ β–Ό Capability Mapping β€” maps framework objects to normalized risk categories β”‚ β–Ό Risk Rules β€” applies rule engine with configurable severity and weights β”‚ β–Ό Trust Score β€” deterministic category-weighted scoring from 0–100 β”‚ β–Ό Reports β€” terminal, JSON, SARIF, HTML | Framework | Detection | Discovery | Capability Analysis | Risk Analysis | Status | |---|---|---|---|---|---| | LangGraph | βœ” | Partial | Partial | Partial | Early Preview | | CrewAI | βœ” | Partial | Partial | Partial | Early Preview | | LangChain | βœ” | Partial | Partial | Partial | Early Preview | | Semantic Kernel | βœ” | Partial | Partial | Partial | Early Preview | | OpenAI Agents SDK | βœ” | Partial | Partial | Partial | Early Preview | | Microsoft Agent Framework | βœ” | Partial | Partial | Partial | Early Preview | | Azure AI Foundry | βœ” | Minimal | Minimal | Minimal | Early Preview | | Bedrock Agent | βœ” | Minimal | Minimal | Minimal | Early Preview | LangGraph β€” detects StateGraph , add edge , bind tools , nodes, models CrewAI β€” detects Agent , Task , tools, models LangChain β€” detects AgentExecutor , Chain , Tool , PromptTemplate , models Semantic Kernel β€” detects Kernel.invoke , plugins, functions, skills, memory OpenAI Agents SDK β€” detects Agent , tools, handoffs, MCP references Microsoft Agent Framework β€” detects AgentClient , tools, workflows, Azure models Azure AI Foundry β€” detects YAML configurations with Azure resources Bedrock Agent β€” detects JSON configurations with Bedrock resources SafeAI fingerprints capabilities at the framework object level and via fallback regex patterns. Each capability includes evidence, confidence score, resolved definition, and provenance. | Capability | Category | Risk Impact | |---|---|---| | Shell Execution | Shell | Command injection, host compromise | | Filesystem Access | Filesystem | Data exfiltration, file tampering | | Browser Automation | Browser | UI-based attacks, credential theft | | Planning / Orchestration | Planner | Autonomous decision chain risk | | Agent Delegation | Delegation | Unchecked sub-agent authority | | Memory / Checkpoint | Memory | Data retention across sessions | | RAG / Retrieval | RAG | Document exfiltration, prompt injection via documents | | GitHub Integration | GitHub | Repository access, secret leakage | | Slack Integration | Slack | Channel monitoring, message injection | | Email Integration | Phishing, data exfiltration | | | Database Access | Databases | SQL injection, data breach | | Cloud Services | Cloud | Cloud resource abuse, cost escalation | | External APIs | External APIs | Third-party data exfiltration | | MCP Services | MCP | Exposed endpoints, unauthorized tool access | | Human Approval | Human Approval | Approval bypass risk | | Multi-Agent | Multi-Agent | Delegation-based privilege escalation | Note:Some capabilities Browser, GitHub, Slack, Email, RAG, Human Approval are detected primarily through MCP configuration analysis. Framework adapter detection for these capabilities is planned. - Python 3.11 or 3.12 - PyYAML for YAML configuration parsing git clone https://github.com/ikaruscareer/SafeAI.git cd SafeAI pip install -e . pip install -e ". dev " python -m safeai scan