SafeAI – Open-Source Static AI Risk Analyzer for AI Agents
SafeAI is a static analysis tool that scans AI application source code for security risks, capability exposure, and governance gaps. It runs entirely offline, never executes agents or calls LLMs, and integrates into CI/CD pipelines. It detects 8 AI frameworks, identifies capabilities like shell execution, filesystem access, and generates reports in SARIF, JSON, HTML formats.
Notifications You must be signed in to change notification settings
Fork 0
Star 0
BranchesTags
Open more actions menu
Folders and files
NameName
Last commit message
Last commit date
Latest commit
History
3 Commits
3 Commits
PLUGIN_TEMPLATE
PLUGIN_TEMPLATE
examples
examples
safeai
safeai
scripts
scripts
tests
tests
.gitignore
.gitignore
ARCHITECTURE.md
ARCHITECTURE.md
ARCHITECTURE_FOR_CONTRIBUTORS.md
ARCHITECTURE_FOR_CONTRIBUTORS.md
CAPABILITIES.md
CAPABILITIES.md
CHANGELOG.md
CHANGELOG.md
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
COMMUNITY_PROJECTS.md
COMMUNITY_PROJECTS.md
CONTRIBUTING.md
CONTRIBUTING.md
CONTRIBUTOR_ROADMAP.md
CONTRIBUTOR_ROADMAP.md
FRAMEWORK_SUPPORT.md
FRAMEWORK_SUPPORT.md
GITHUB_RELEASE.md
GITHUB_RELEASE.md
GOOD_FIRST_ISSUES.md
GOOD_FIRST_ISSUES.md
HOW_TO_ADD_ANALYZER.md
HOW_TO_ADD_ANALYZER.md
HOW_TO_ADD_CAPABILITY.md
HOW_TO_ADD_CAPABILITY.md
HOW_TO_ADD_FRAMEWORK.md
HOW_TO_ADD_FRAMEWORK.md
HOW_TO_ADD_RULE.md
HOW_TO_ADD_RULE.md
LABELS_GUIDE.md
LABELS_GUIDE.md
LICENSE
LICENSE
MCP_SECURITY.md
MCP_SECURITY.md
README.md
README.md
RELEASE_NOTES.md
RELEASE_NOTES.md
RISK_MODEL.md
RISK_MODEL.md
ROADMAP.md
ROADMAP.md
RULES_REFERENCE.md
RULES_REFERENCE.md
SECURITY.md
SECURITY.md
SECURITY_MODEL.md
SECURITY_MODEL.md
TESTING_CORPUS_GUIDE.md
TESTING_CORPUS_GUIDE.md
USER_GUIDE.md
USER_GUIDE.md
pyproject.toml
pyproject.toml
requirements-dev.lock
requirements-dev.lock
requirements.lock
requirements.lock
Repository files navigation
SafeAI is a static analysis tool that scans AI application source code for security risks, capability exposure, and governance gaps. It runs entirely offline, never executes agents or calls LLMs, and integrates into CI/CD pipelines.
🌐 safeai-analyzer.ikaruscareer.com — project landing page
Why SafeAI?
Traditional application security tools (SAST, SCA, IaC scanning) are not designed for AI agent systems. AI applications introduce new risk surfaces:
Prompt injection — untrusted input flows into model prompts
Agent tool misuse — agents with filesystem, shell, or database access
Capability sprawl — frameworks expose capabilities without visibility
MCP exposure — Model Context Protocol endpoints and tools
Governance gaps — missing authentication, permissions, audit trails
SafeAI fills this gap by analyzing frameworks, agents, tools, capabilities, and MCP integrations at rest—before deployment.
SafeAI analyzes AI applications without executing them, helping developers discover capabilities, identify potential risks, and improve governance early in the software lifecycle.
Designed to be lightweight, explainable, and community-driven, SafeAI aims to become an open foundation for AI capability and risk analysis.
SafeAI sits before runtime guardrails and red-teaming tools in the security lifecycle. It scans agent source code at commit time — detecting framework-specific capabilities, MCP misconfigurations, and prompt injection patterns — before you ever deploy an agent to staging. It does not replace runtime tools (Microsoft AGT), evaluation frameworks (LangSmith, DeepEval), or red-teaming scanners (Promptfoo, Garak). It complements them: find the risk in code first, then validate at runtime.
Key Features
Feature Description
Framework Detection Detects and parses 8 AI agent frameworks
Capability Discovery Identifies filesystem, shell, network, database, and other capabilities
AI Risk Analysis Categorizes findings into 7 risk categories with weighted trust scoring
Prompt Risk Analysis Detects injection patterns, delimiter issues, system leak, role override
Tool Analysis Identifies agent-bound tools and their risk profiles
Memory Analysis Detects memory/checkpointer usage in agent workflows
MCP Analysis Discovers MCP servers, clients, tools, resources, and validates configuration
Data Leakage Detection Flags hardcoded secrets, tokens, and API keys
CI/CD Integration SARIF output, exit codes, GitHub Actions workflow included
Multi-Format Reports Terminal summary, JSON, SARIF 2.1.0, HTML
Cross-File Analysis Import graph, symbol resolution, and project graph
Confidence-Arbitrated Parsing Multiple parsers per file, merged with provenance
How It Works
Source Code │ ▼ Framework Detection — identifies AI frameworks via imports, configs, deps │ ▼ Static Analysis — AST parsing, capability patterns, dependency scanning │ ▼ Capability Mapping — maps framework objects to normalized risk categories │ ▼ Risk Rules — applies rule engine with configurable severity and weights │ ▼ Trust Score — deterministic category-weighted scoring from 0–100 │ ▼ Reports — terminal, JSON, SARIF, HTML
Supported Frameworks
Framework Detection Discovery Capability Analysis Risk Analysis Status
LangGraph ✔ Partial Partial Partial Early Preview
CrewAI ✔ Partial Partial Partial Early Preview
LangChain ✔ Partial Partial Partial Early Preview
Semantic Kernel ✔ Partial Partial Partial Early Preview
OpenAI Agents SDK ✔ Partial Partial Partial Early Preview
Microsoft Agent Framework ✔ Partial Partial Partial Early Preview
Azure AI Foundry ✔ Minimal Minimal Minimal Early Preview
Bedrock Agent ✔ Minimal Minimal Minimal Early Preview
Framework Support Details
LangGraph — detects StateGraph, add_edge, bind_tools, nodes, models
CrewAI — detects Agent, Task, tools, models
LangChain — detects AgentExecutor, Chain, Tool, PromptTemplate, models
Semantic Kernel — detects Kernel.invoke, plugins, functions, skills, memory
OpenAI Agents SDK — detects Agent, tools, handoffs, MCP references
Microsoft Agent Framework — detects AgentClient, tools, workflows, Azure models
Azure AI Foundry — detects YAML configurations with Azure resources
Bedrock Agent — detects JSON configurations with Bedrock resources
Supported Capabilities
SafeAI fingerprints capabilities at the framework object level and via fallback regex patterns. Each capability includes evidence, confidence score, resolved definition, and provenance.
Capability Category Risk Impact
Shell Execution Shell Command injection, host compromise
Filesystem Access Filesystem Data exfiltration, file tampering
Browser Automation Browser UI-based attacks, credential theft
Planning / Orchestration Planner Autonomous decision chain risk
Agent Delegation Delegation Unchecked sub-agent authority
Memory / Checkpoint Memory Data retention across sessions
RAG / Retrieval RAG Document exfiltration, prompt injection via documents
GitHub Integration GitHub Repository access, secret leakage
Slack Integration Slack Channel monitoring, message injection
Email Integration Email Phishing, data exfiltration
Database Access Databases SQL injection, data breach
Cloud Services Cloud Cloud resource abuse, cost escalation
External APIs External APIs Third-party data exfiltration
MCP Services MCP Exposed endpoints, unauthorized tool access
Human Approval Human Approval Approval bypass risk
Multi-Agent Multi-Agent Delegation-based privilege escalation
Note: Some capabilities (Browser, GitHub, Slack, Email, RAG, Human Approval) are detected primarily through MCP configuration analysis. Framework adapter detection for these capabilities is planned.
Installation
Requirements
Python 3.11 or 3.12
PyYAML (for YAML configuration parsing)
Install from source
git clone https://github.com/ikaruscareer/SafeAI.git cd SafeAI pip install -e .
Install development dependencies
pip install -e ".[dev]"
CLI Usage
python -m safeai scan [options]
Options
Option Default Description
directory required Path to scan
--sarif report.sarif SARIF output path (empty string to skip)
--json — JSON output path
--html — HTML report output path
--rules built-in Custom rules directory
--fail-on critical Exit code threshold: critical, high, medium
--verbose — Enable verbose output
Exit Codes
Code Condition
0 No findings at or above threshold
1 Finding at or above threshold detected
Example Output
Terminal
SafeAI Scan Summary Files: 12 Frameworks: langgraph, crewai MCP assets: 2 Overall AI Risk Score: 73 critical: 1 high: 3 medium: 5 Findings: [critical] app.py:10 - Untrusted input interpolated into prompt [high] app.py:22 - Capability detected: shell_execution [high] mcp.json:1 - MCP configuration does not define authentication
Example: LangGraph agent with MCP
{ "Framework": "LangGraph", "Capabilities": ["Planner", "Memory", "Filesystem", "MCP"], "Risk Score": 73, "Findings": 9, "Critical": 1, "High": 3 }
CI/CD Integration
GitHub Actions
A workflow is included at .github/workflows/ci.yml. To use in your project:
jobs: safeai-scan: runs-on: ubuntu-latest steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with: python-version: '3.12'
- name: Install SafeAI
run: | pip install -e .
- name: Run scan
run: | python -m safeai scan . --sarif results.sarif --html report.html
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif
GitLab CI
safeai-scan: image: python:3.12 script:
- pip install -e .
- safeai scan . --sarif results.sarif --html report.html
artifacts: paths:
- results.sarif
- report.html
Azure DevOps
- task: PythonScript@0
inputs: scriptSource: 'inline' script: | import subprocess subprocess.run(["pip", "install", "-e", "."]) subprocess.run(["safeai", "scan", ".", "--sarif", "$(Build.ArtifactStagingDirectory)/results.sarif"])
SARIF Integration
SafeAI outputs SARIF 2.1.0 format, compatible with GitHub Advanced Security, Azure DevOps, and other SARIF-compliant tools.
Roadmap
See ROADMAP.md for the detailed roadmap covering all 5 phases:
Phase 1 — Static AI Risk Scanner (OSS) — in active development
Phase 1.5 — AI Component Security
Phase 2 — AI Security Testing (optional future)
Phase 3 — Test Packs
Phase 4 — Enterprise (Commercial)
Phase 5 — Community Intelligence
License
SafeAI is released under the Apache 2.0 License.
About
No description, website, or topics provided.
Resources
Readme
License
Apache-2.0 license
Code of conduct
Code of conduct
Contributing
Contributing
Security policy
Security policy
Uh oh!
There was an error while loading. Please reload this page.
Activity
Stars
0 stars
Watchers
0 watching
Forks
0 forks
Report repository
Releases
No releases published
Packages 0
Uh oh!
There was an error while loading. Please reload this page.
Contributors
Uh oh!
There was an error while loading. Please reload this page.
Languages
Python 100.0%