AI News HubLIVE
In-site rewrite5 min read

SafeAI – Open-Source Static AI Risk Analyzer for AI Agents

SafeAI is a static analysis tool that scans AI application source code for security risks, capability exposure, and governance gaps. It runs entirely offline, never executes agents or calls LLMs, and integrates into CI/CD pipelines. It detects 8 AI frameworks, identifies capabilities like shell execution, filesystem access, and generates reports in SARIF, JSON, HTML formats.

SourceHacker News AIAuthor: ikaruscareer

Notifications You must be signed in to change notification settings

Fork 0

Star 0

BranchesTags

Open more actions menu

Folders and files

NameName

Last commit message

Last commit date

Latest commit

History

3 Commits

3 Commits

PLUGIN_TEMPLATE

PLUGIN_TEMPLATE

examples

examples

safeai

safeai

scripts

scripts

tests

tests

.gitignore

.gitignore

ARCHITECTURE.md

ARCHITECTURE.md

ARCHITECTURE_FOR_CONTRIBUTORS.md

ARCHITECTURE_FOR_CONTRIBUTORS.md

CAPABILITIES.md

CAPABILITIES.md

CHANGELOG.md

CHANGELOG.md

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

COMMUNITY_PROJECTS.md

COMMUNITY_PROJECTS.md

CONTRIBUTING.md

CONTRIBUTING.md

CONTRIBUTOR_ROADMAP.md

CONTRIBUTOR_ROADMAP.md

FRAMEWORK_SUPPORT.md

FRAMEWORK_SUPPORT.md

GITHUB_RELEASE.md

GITHUB_RELEASE.md

GOOD_FIRST_ISSUES.md

GOOD_FIRST_ISSUES.md

HOW_TO_ADD_ANALYZER.md

HOW_TO_ADD_ANALYZER.md

HOW_TO_ADD_CAPABILITY.md

HOW_TO_ADD_CAPABILITY.md

HOW_TO_ADD_FRAMEWORK.md

HOW_TO_ADD_FRAMEWORK.md

HOW_TO_ADD_RULE.md

HOW_TO_ADD_RULE.md

LABELS_GUIDE.md

LABELS_GUIDE.md

LICENSE

LICENSE

MCP_SECURITY.md

MCP_SECURITY.md

README.md

README.md

RELEASE_NOTES.md

RELEASE_NOTES.md

RISK_MODEL.md

RISK_MODEL.md

ROADMAP.md

ROADMAP.md

RULES_REFERENCE.md

RULES_REFERENCE.md

SECURITY.md

SECURITY.md

SECURITY_MODEL.md

SECURITY_MODEL.md

TESTING_CORPUS_GUIDE.md

TESTING_CORPUS_GUIDE.md

USER_GUIDE.md

USER_GUIDE.md

pyproject.toml

pyproject.toml

requirements-dev.lock

requirements-dev.lock

requirements.lock

requirements.lock

Repository files navigation

SafeAI is a static analysis tool that scans AI application source code for security risks, capability exposure, and governance gaps. It runs entirely offline, never executes agents or calls LLMs, and integrates into CI/CD pipelines.

🌐 safeai-analyzer.ikaruscareer.com — project landing page

Why SafeAI?

Traditional application security tools (SAST, SCA, IaC scanning) are not designed for AI agent systems. AI applications introduce new risk surfaces:

Prompt injection — untrusted input flows into model prompts

Agent tool misuse — agents with filesystem, shell, or database access

Capability sprawl — frameworks expose capabilities without visibility

MCP exposure — Model Context Protocol endpoints and tools

Governance gaps — missing authentication, permissions, audit trails

SafeAI fills this gap by analyzing frameworks, agents, tools, capabilities, and MCP integrations at rest—before deployment.

SafeAI analyzes AI applications without executing them, helping developers discover capabilities, identify potential risks, and improve governance early in the software lifecycle.

Designed to be lightweight, explainable, and community-driven, SafeAI aims to become an open foundation for AI capability and risk analysis.

SafeAI sits before runtime guardrails and red-teaming tools in the security lifecycle. It scans agent source code at commit time — detecting framework-specific capabilities, MCP misconfigurations, and prompt injection patterns — before you ever deploy an agent to staging. It does not replace runtime tools (Microsoft AGT), evaluation frameworks (LangSmith, DeepEval), or red-teaming scanners (Promptfoo, Garak). It complements them: find the risk in code first, then validate at runtime.

Key Features

Feature Description

Framework Detection Detects and parses 8 AI agent frameworks

Capability Discovery Identifies filesystem, shell, network, database, and other capabilities

AI Risk Analysis Categorizes findings into 7 risk categories with weighted trust scoring

Prompt Risk Analysis Detects injection patterns, delimiter issues, system leak, role override

Tool Analysis Identifies agent-bound tools and their risk profiles

Memory Analysis Detects memory/checkpointer usage in agent workflows

MCP Analysis Discovers MCP servers, clients, tools, resources, and validates configuration

Data Leakage Detection Flags hardcoded secrets, tokens, and API keys

CI/CD Integration SARIF output, exit codes, GitHub Actions workflow included

Multi-Format Reports Terminal summary, JSON, SARIF 2.1.0, HTML

Cross-File Analysis Import graph, symbol resolution, and project graph

Confidence-Arbitrated Parsing Multiple parsers per file, merged with provenance

How It Works

Source Code │ ▼ Framework Detection — identifies AI frameworks via imports, configs, deps │ ▼ Static Analysis — AST parsing, capability patterns, dependency scanning │ ▼ Capability Mapping — maps framework objects to normalized risk categories │ ▼ Risk Rules — applies rule engine with configurable severity and weights │ ▼ Trust Score — deterministic category-weighted scoring from 0–100 │ ▼ Reports — terminal, JSON, SARIF, HTML

Supported Frameworks

Framework Detection Discovery Capability Analysis Risk Analysis Status

LangGraph ✔ Partial Partial Partial Early Preview

CrewAI ✔ Partial Partial Partial Early Preview

LangChain ✔ Partial Partial Partial Early Preview

Semantic Kernel ✔ Partial Partial Partial Early Preview

OpenAI Agents SDK ✔ Partial Partial Partial Early Preview

Microsoft Agent Framework ✔ Partial Partial Partial Early Preview

Azure AI Foundry ✔ Minimal Minimal Minimal Early Preview

Bedrock Agent ✔ Minimal Minimal Minimal Early Preview

Framework Support Details

LangGraph — detects StateGraph, add_edge, bind_tools, nodes, models

CrewAI — detects Agent, Task, tools, models

LangChain — detects AgentExecutor, Chain, Tool, PromptTemplate, models

Semantic Kernel — detects Kernel.invoke, plugins, functions, skills, memory

OpenAI Agents SDK — detects Agent, tools, handoffs, MCP references

Microsoft Agent Framework — detects AgentClient, tools, workflows, Azure models

Azure AI Foundry — detects YAML configurations with Azure resources

Bedrock Agent — detects JSON configurations with Bedrock resources

Supported Capabilities

SafeAI fingerprints capabilities at the framework object level and via fallback regex patterns. Each capability includes evidence, confidence score, resolved definition, and provenance.

Capability Category Risk Impact

Shell Execution Shell Command injection, host compromise

Filesystem Access Filesystem Data exfiltration, file tampering

Browser Automation Browser UI-based attacks, credential theft

Planning / Orchestration Planner Autonomous decision chain risk

Agent Delegation Delegation Unchecked sub-agent authority

Memory / Checkpoint Memory Data retention across sessions

RAG / Retrieval RAG Document exfiltration, prompt injection via documents

GitHub Integration GitHub Repository access, secret leakage

Slack Integration Slack Channel monitoring, message injection

Email Integration Email Phishing, data exfiltration

Database Access Databases SQL injection, data breach

Cloud Services Cloud Cloud resource abuse, cost escalation

External APIs External APIs Third-party data exfiltration

MCP Services MCP Exposed endpoints, unauthorized tool access

Human Approval Human Approval Approval bypass risk

Multi-Agent Multi-Agent Delegation-based privilege escalation

Note: Some capabilities (Browser, GitHub, Slack, Email, RAG, Human Approval) are detected primarily through MCP configuration analysis. Framework adapter detection for these capabilities is planned.

Installation

Requirements

Python 3.11 or 3.12

PyYAML (for YAML configuration parsing)

Install from source

git clone https://github.com/ikaruscareer/SafeAI.git cd SafeAI pip install -e .

Install development dependencies

pip install -e ".[dev]"

CLI Usage

python -m safeai scan [options]

Options

Option Default Description

directory required Path to scan

--sarif report.sarif SARIF output path (empty string to skip)

--json — JSON output path

--html — HTML report output path

--rules built-in Custom rules directory

--fail-on critical Exit code threshold: critical, high, medium

--verbose — Enable verbose output

Exit Codes

Code Condition

0 No findings at or above threshold

1 Finding at or above threshold detected

Example Output

Terminal

SafeAI Scan Summary Files: 12 Frameworks: langgraph, crewai MCP assets: 2 Overall AI Risk Score: 73 critical: 1 high: 3 medium: 5 Findings: [critical] app.py:10 - Untrusted input interpolated into prompt [high] app.py:22 - Capability detected: shell_execution [high] mcp.json:1 - MCP configuration does not define authentication

Example: LangGraph agent with MCP

{ "Framework": "LangGraph", "Capabilities": ["Planner", "Memory", "Filesystem", "MCP"], "Risk Score": 73, "Findings": 9, "Critical": 1, "High": 3 }

CI/CD Integration

GitHub Actions

A workflow is included at .github/workflows/ci.yml. To use in your project:

jobs: safeai-scan: runs-on: ubuntu-latest steps:

  • uses: actions/checkout@v4
  • uses: actions/setup-python@v5

with: python-version: '3.12'

  • name: Install SafeAI

run: | pip install -e .

  • name: Run scan

run: | python -m safeai scan . --sarif results.sarif --html report.html

  • name: Upload SARIF

uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif

GitLab CI

safeai-scan: image: python:3.12 script:

  • pip install -e .
  • safeai scan . --sarif results.sarif --html report.html

artifacts: paths:

  • results.sarif
  • report.html

Azure DevOps

  • task: PythonScript@0

inputs: scriptSource: 'inline' script: | import subprocess subprocess.run(["pip", "install", "-e", "."]) subprocess.run(["safeai", "scan", ".", "--sarif", "$(Build.ArtifactStagingDirectory)/results.sarif"])

SARIF Integration

SafeAI outputs SARIF 2.1.0 format, compatible with GitHub Advanced Security, Azure DevOps, and other SARIF-compliant tools.

Roadmap

See ROADMAP.md for the detailed roadmap covering all 5 phases:

Phase 1 — Static AI Risk Scanner (OSS) — in active development

Phase 1.5 — AI Component Security

Phase 2 — AI Security Testing (optional future)

Phase 3 — Test Packs

Phase 4 — Enterprise (Commercial)

Phase 5 — Community Intelligence

License

SafeAI is released under the Apache 2.0 License.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy

Uh oh!

There was an error while loading. Please reload this page.

Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks

Report repository

Releases

No releases published

Packages 0

Uh oh!

There was an error while loading. Please reload this page.

Contributors

Uh oh!

There was an error while loading. Please reload this page.

Languages

Python 100.0%