agent-shield 0.8.7

Security scanner for AI agent extensions — offline-first, multi-framework, SARIF output
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275

name: Action E2E Test

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

env:
  CARGO_TERM_COLOR: always

jobs:
  # Test the GitHub Action against real fixtures
  action-e2e:
    name: Action E2E (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest]

    permissions:
      security-events: write  # Required for SARIF upload

    steps:
      - uses: actions/checkout@v6

      # Build from source (action normally downloads release binary)
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Build AgentShield
        run: cargo build --release

      # Put binary on PATH so the action's scan step finds it
      - name: Install binary
        run: |
          mkdir -p ${{ runner.temp }}/agentshield
          cp target/release/agentshield ${{ runner.temp }}/agentshield/
          echo "${{ runner.temp }}/agentshield" >> $GITHUB_PATH

      # --- Test 1: Clean server should PASS ---
      - name: "Test 1: Scan safe_calculator (expect pass)"
        id: scan-safe
        shell: bash
        run: |
          set +e
          agentshield scan tests/fixtures/mcp_servers/safe_calculator --format sarif --output ${{ runner.temp }}/safe.sarif --fail-on high
          EXIT_CODE=$?
          set -e
          echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT
          if [ "$EXIT_CODE" -ne 0 ]; then
            echo "::error::safe_calculator should produce exit code 0, got $EXIT_CODE"
            exit 1
          fi
          echo "PASS: safe_calculator scanned clean (exit 0)"

      - name: "Test 1: Verify SARIF output"
        run: |
          SARIF="${{ runner.temp }}/safe.sarif"
          if [ ! -f "$SARIF" ]; then
            echo "::error::SARIF file not created"
            exit 1
          fi
          # Validate JSON structure and no high/critical findings
          python3 -c "
          import json, sys
          with open('$SARIF') as f:
              data = json.load(f)
          assert 'runs' in data, 'Missing runs key'
          results = data['runs'][0].get('results', [])
          # May have low/medium supply chain findings, but no high/critical
          high_crit = [r for r in results if r.get('level') in ('error',)]
          assert len(high_crit) == 0, f'Expected 0 high/critical, got {len(high_crit)}'
          print(f'PASS: SARIF valid, {len(results)} results (0 high/critical)')
          "

      # --- Test 2: Vulnerable server should FAIL ---
      - name: "Test 2: Scan vuln_cmd_inject (expect fail)"
        id: scan-vuln
        shell: bash
        run: |
          set +e
          agentshield scan tests/fixtures/mcp_servers/vuln_cmd_inject --format sarif --output ${{ runner.temp }}/vuln.sarif --fail-on high
          EXIT_CODE=$?
          set -e
          echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT
          if [ "$EXIT_CODE" -ne 1 ]; then
            echo "::error::vuln_cmd_inject should produce exit code 1 (findings), got $EXIT_CODE"
            exit 1
          fi
          echo "PASS: vuln_cmd_inject correctly detected (exit 1)"

      - name: "Test 2: Verify findings in SARIF"
        run: |
          python3 -c "
          import json, sys
          with open('${{ runner.temp }}/vuln.sarif') as f:
              data = json.load(f)
          results = data['runs'][0].get('results', [])
          assert len(results) > 0, 'Expected findings but got 0'
          # Check for SHIELD-001 (command injection)
          rule_ids = [r['ruleId'] for r in results]
          assert 'SHIELD-001' in rule_ids, f'Expected SHIELD-001, got {rule_ids}'
          print(f'PASS: {len(results)} findings, includes SHIELD-001')
          "

      # --- Test 3: SSRF detection ---
      - name: "Test 3: Scan vuln_ssrf (expect fail)"
        shell: bash
        run: |
          set +e
          agentshield scan tests/fixtures/mcp_servers/vuln_ssrf --format json --output ${{ runner.temp }}/ssrf.json --fail-on high
          EXIT_CODE=$?
          set -e
          if [ "$EXIT_CODE" -ne 1 ]; then
            echo "::error::vuln_ssrf should produce exit code 1, got $EXIT_CODE"
            exit 1
          fi
          python3 -c "
          import json
          with open('${{ runner.temp }}/ssrf.json') as f:
              data = json.load(f)
          findings = data.get('findings', [])
          rule_ids = [f['rule_id'] for f in findings]
          assert 'SHIELD-003' in rule_ids, f'Expected SHIELD-003, got {rule_ids}'
          print(f'PASS: {len(findings)} findings, includes SHIELD-003')
          "

      # --- Test 4: Credential exfiltration detection ---
      - name: "Test 4: Scan vuln_cred_exfil (expect fail)"
        shell: bash
        run: |
          set +e
          agentshield scan tests/fixtures/mcp_servers/vuln_cred_exfil --format json --output ${{ runner.temp }}/cred.json --fail-on high
          EXIT_CODE=$?
          set -e
          if [ "$EXIT_CODE" -ne 1 ]; then
            echo "::error::vuln_cred_exfil should produce exit code 1, got $EXIT_CODE"
            exit 1
          fi
          python3 -c "
          import json
          with open('${{ runner.temp }}/cred.json') as f:
              data = json.load(f)
          findings = data.get('findings', [])
          rule_ids = [f['rule_id'] for f in findings]
          assert 'SHIELD-002' in rule_ids, f'Expected SHIELD-002, got {rule_ids}'
          print(f'PASS: {len(findings)} findings, includes SHIELD-002')
          "

      # --- Test 5: Console output format ---
      - name: "Test 5: Console output format"
        shell: bash
        run: |
          OUTPUT=$(agentshield scan tests/fixtures/mcp_servers/safe_calculator --format console 2>&1)
          if echo "$OUTPUT" | grep -q "findings\|No issues"; then
            echo "PASS: Console output contains expected text"
          else
            echo "::warning::Console output may not contain expected text"
          fi

      # --- Test 6: HTML output format ---
      - name: "Test 6: HTML output format"
        shell: bash
        run: |
          agentshield scan tests/fixtures/mcp_servers/vuln_cmd_inject --format html --output ${{ runner.temp }}/report.html || true
          if [ -f "${{ runner.temp }}/report.html" ]; then
            SIZE=$(wc -c < "${{ runner.temp }}/report.html" | tr -d ' ')
            if [ "$SIZE" -gt 100 ]; then
              echo "PASS: HTML report generated ($SIZE bytes)"
            else
              echo "::error::HTML report too small ($SIZE bytes)"
              exit 1
            fi
          else
            echo "::error::HTML report not created"
            exit 1
          fi

      # --- Test 7: list-rules command ---
      - name: "Test 7: list-rules shows all 18 detectors"
        shell: bash
        run: |
          COUNT=$(agentshield list-rules 2>&1 | grep -c "SHIELD-0")
          if [ "$COUNT" -ge 18 ]; then
            echo "PASS: list-rules shows $COUNT detectors (>= 18)"
          else
            echo "::error::Expected >= 18 detectors, got $COUNT"
            exit 1
          fi

      - name: "Test 8a: Unfiltered subdirectory scan sees ancestor metadata"
        shell: bash
        run: |
          set +e
          agentshield scan tests/fixtures/action_subdir_filters/src/mcp --format json --output ${{ runner.temp }}/subdir-unfiltered.json --fail-on low
          UNFILTERED_EXIT=$?
          set -e

          if [ "$UNFILTERED_EXIT" -ne 1 ]; then
            echo "::error::unfiltered subdirectory scan should fail on ancestor package.json findings, got $UNFILTERED_EXIT"
            exit 1
          fi

          python3 -c "
          from pathlib import Path

          unfiltered = Path('${{ runner.temp }}/subdir-unfiltered.json').read_text()
          assert 'package.json' in unfiltered, 'unfiltered scan should read ancestor package metadata'
          assert 'event-stream' in unfiltered, 'unfiltered scan should report dependency metadata'
          print('PASS: unfiltered subdirectory scan read ancestor dependency metadata')
          "

      - name: "Test 8b: Composite action honors root config path filters"
        id: subdir-filtered-action
        uses: ./
        with:
          binary-path: ${{ runner.temp }}/agentshield/agentshield
          path: tests/fixtures/action_subdir_filters/src/mcp
          config: tests/fixtures/action_subdir_filters/.agentshield.toml
          format: sarif
          fail-on: low
          upload-sarif: false

      - name: "Test 8c: Verify composite action filtered SARIF"
        shell: bash
        run: |
          if [ "${{ steps.subdir-filtered-action.outputs.exit-code }}" != "0" ]; then
            echo "::error::filtered composite action scan should pass, got ${{ steps.subdir-filtered-action.outputs.exit-code }}"
            exit 1
          fi
          if [ "${{ steps.subdir-filtered-action.outputs.finding-count }}" != "0" ]; then
            echo "::error::filtered composite action scan should have zero findings, got ${{ steps.subdir-filtered-action.outputs.finding-count }}"
            exit 1
          fi

          python3 -c "
          import json
          from pathlib import Path

          sarif = Path('${{ steps.subdir-filtered-action.outputs.sarif-file }}').read_text()
          assert 'package.json' not in sarif, 'filtered SARIF must not mention excluded package.json'
          assert 'event-stream' not in sarif, 'filtered SARIF must not mention excluded dependency'

          data = json.loads(sarif)
          results = data.get('runs', [{}])[0].get('results', [])
          assert results == [], f'expected no filtered SARIF results, got {results}'
          print('PASS: composite action used root config and suppressed excluded metadata findings')
          "

      # --- Upload SARIF for real Code Scanning integration ---
      - name: Upload SARIF to Code Scanning
        if: always() && matrix.os == 'ubuntu-latest'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ runner.temp }}/vuln.sarif
          category: agentshield-e2e
        continue-on-error: true

      - name: Summary
        if: always()
        run: |
          echo "## AgentShield Action E2E Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Test | Description | Status |" >> $GITHUB_STEP_SUMMARY
          echo "|------|-------------|--------|" >> $GITHUB_STEP_SUMMARY
          echo "| 1 | Safe server → exit 0 | Passed |" >> $GITHUB_STEP_SUMMARY
          echo "| 2 | Vuln server → exit 1 + SHIELD-001 | Passed |" >> $GITHUB_STEP_SUMMARY
          echo "| 3 | SSRF detection → SHIELD-003 | Passed |" >> $GITHUB_STEP_SUMMARY
          echo "| 4 | Cred exfil → SHIELD-002 | Passed |" >> $GITHUB_STEP_SUMMARY
          echo "| 5 | Console output format | Passed |" >> $GITHUB_STEP_SUMMARY
          echo "| 6 | HTML output format | Passed |" >> $GITHUB_STEP_SUMMARY
          echo "| 7 | list-rules (18 detectors) | Passed |" >> $GITHUB_STEP_SUMMARY
          echo "| 8 | Subdirectory path filters | Passed |" >> $GITHUB_STEP_SUMMARY
          echo "| 9 | SARIF upload to Code Scanning | Attempted |" >> $GITHUB_STEP_SUMMARY