empowered-humanity/agent-security-action
Agent Security GitHub Action

Scan your AI agent code for security vulnerabilities on every pull request. Powered by @empowered-humanity/agent-security.

190+ detection patterns covering:

  • OWASP Agentic Security Issues (ASI) Top 10
  • Prompt injection and instruction override
  • MCP protocol vulnerabilities (44 patterns from SlowMist checklist)
  • Credential exposure and hardcoded secrets
  • Cross-agent privilege escalation (CAPE)
  • Remote code execution via argument injection
  • CWE-mapped findings for GitHub Security tab

Quick Start

Add to .github/workflows/agent-security.yml:

```yaml
name: Agent Security Scan
on:
  pull_request:
  push:
    branches: [main]

# Required so the action can upload SARIF results to Code Scanning.
permissions:
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: empowered-humanity/agent-security-action@v1
        with:
          path: '.'
          severity: 'medium'
          fail-on: 'high'
```

Inputs

| Input | Description | Default |
|---|---|---|
| `path` | Path to scan (relative to repo root) | `.` |
| `severity` | Minimum severity to report (`critical`, `high`, `medium`, `low`) | `medium` |
| `format` | Output format (`console`, `json`, `sarif`) | `sarif` |
| `fail-on` | Fail the workflow if there are findings at or above this severity | `high` |
| `upload-sarif` | Upload SARIF results to GitHub Code Scanning | `true` |
| `version` | Scanner version to use | `latest` |

Outputs

| Output | Description |
|---|---|
| `findings-count` | Total number of security findings |
| `risk-level` | Overall risk assessment (`passed` or `failed`) |
| `sarif-file` | Path to the SARIF output file |
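The `severity` and `fail-on` inputs and the `findings-count` / `risk-level` outputs describe a simple gating rule over the scanner's SARIF. The script below is an added example (not part of this action or the scanner) that applies that rule to a constructed SARIF document; it assumes the scanner stores its `critical`/`high`/`medium`/`low` rating in each result's `properties.severity`, which the page does not document.

```python
import json

# Severity ranks shared by the action's `severity` and `fail-on` inputs.
SEVERITIES = ["low", "medium", "high", "critical"]

# Constructed sample SARIF (not real scanner output): three findings tagged
# with CWE IDs in the style shown in the Security tab. Rule IDs are made up.
SAMPLE_SARIF = json.loads("""{
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "agent-security"}}, "results": [
    {"ruleId": "prompt-injection/instruction-override", "level": "error",
     "properties": {"severity": "high", "tags": ["CWE-74"]}},
    {"ruleId": "credentials/hardcoded-secret", "level": "warning",
     "properties": {"severity": "medium", "tags": ["CWE-798"]}},
    {"ruleId": "mcp/example-rule", "level": "note",
     "properties": {"severity": "low", "tags": ["CWE-346"]}}
  ]}]
}""")


def severity_of(result):
    """Severity of one SARIF result on the action's four-level scale."""
    # Assumption: the scanner records its rating in properties.severity;
    # fall back to the standard SARIF `level` when that property is absent.
    sev = str(result.get("properties", {}).get("severity", "")).lower()
    if sev in SEVERITIES:
        return sev
    return {"error": "high", "warning": "medium", "note": "low"}.get(
        result.get("level"), "low")


def gate(sarif, severity="medium", fail_on="high"):
    """Return (findings-count, risk-level) as the action's outputs define them."""
    min_rank = SEVERITIES.index(severity)
    fail_rank = SEVERITIES.index(fail_on)
    results = [r for run in sarif.get("runs", []) for r in run.get("results", [])]
    reported = [r for r in results if SEVERITIES.index(severity_of(r)) >= min_rank]
    # fail-on is evaluated over the reported findings (assumption about the action).
    failed = any(SEVERITIES.index(severity_of(r)) >= fail_rank for r in reported)
    return (len(reported), "failed" if failed else "passed")


if __name__ == "__main__":
    print(gate(SAMPLE_SARIF, severity="medium", fail_on="high"))
```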

GitHub Security Tab Integration

When `upload-sarif` is `true` (the default), findings appear directly in the Security tab of your repository with:

  • CWE ID links to MITRE definitions
  • OWASP ASI category tags
  • Severity-based filtering
  • Inline code annotations on pull requests

Examples

Scan only critical issues

```yaml
- uses: empowered-humanity/agent-security-action@v1
  with:
    severity: 'critical'
    fail-on: 'critical'
```

Scan specific directory

```yaml
- uses: empowered-humanity/agent-security-action@v1
  with:
    path: 'src/agents'
```

JSON output without SARIF upload

```yaml
- uses: empowered-humanity/agent-security-action@v1
  with:
    format: 'json'
    upload-sarif: 'false'
```

Use scan results in subsequent steps

```yaml
- uses: empowered-humanity/agent-security-action@v1
  id: security
  with:
    fail-on: 'critical'

- name: Comment on PR
  # context.issue.number only exists on pull_request events, so guard on the
  # event as well as on the findings count (outputs are strings; GitHub
  # coerces them to numbers for the comparison).
  if: github.event_name == 'pull_request' && steps.security.outputs.findings-count > 0
  uses: actions/github-script@v7
  with:
    script: |
      await github.rest.issues.createComment({
        issue_number: context.issue.number,
        owner: context.repo.owner,
        repo: context.repo.repo,
        body: `Agent Security found ${{ steps.security.outputs.findings-count }} issue(s).`
      })
```

What It Detects

| Category | Patterns | CWE Coverage |
|---|---|---|
| Prompt Injection | 25+ | CWE-74, CWE-94 |
| Credential Exposure | 15+ | CWE-798, CWE-522 |
| MCP Security | 44 | CWE-346, CWE-918 |
| OWASP ASI01-ASI10 | 34 | CWE-74 through CWE-506 |
| Argument Injection / RCE | 15+ | CWE-88, CWE-78 |
| Cross-Agent Escalation | 10+ | CWE-269 |
| Defense Evasion | 10+ | CWE-693 |

License

MIT - Empowered Humanity, Inc.

About

GitHub Action to scan for AI agent security vulnerabilities — 190+ detection patterns for OWASP ASI Top 10, prompt injection, MCP security, and credential exposure
