Skip to main content

oxidized_agentic_audit/
lib.rs

1//! # oxidized-agentic-audit
2//!
3//! Security auditing framework for AI agent skills.
4//!
5//! `oxidized-agentic-audit` scans skill directories for security vulnerabilities including
6//! prompt injection, dangerous bash patterns, exposed secrets, unsafe package
7//! installations, and more. It runs multiple scanners in parallel and produces
8//! reports in human-readable, JSON, or [SARIF] formats.
9//!
10//! ## Quick start
11//!
12//! ```rust,no_run
13//! use std::path::Path;
14//! use oxidized_agentic_audit::{scan::{self, ScanMode}, config::Config, output};
15//!
16//! let config = Config::load(None).expect("failed to load config");
17//! let report = scan::run_scan(Path::new("./my-skill"), &config, ScanMode::Skill);
18//!
19//! if report.passed {
20//!     println!("Scan passed!");
21//! } else {
22//!     let text = output::format_report(&report, &output::OutputFormat::Pretty);
23//!     print!("{text}");
24//! }
25//! ```
26//!
27//! ## Architecture
28//!
29//! The crate is organized around a pipeline:
30//!
31//! 1. **[`config`]** — load and validate configuration from TOML files.
32//! 2. **[`scanners`]** — pluggable [`scanners::Scanner`] trait with built-in
33//!    implementations (prompt, bash patterns, secrets, shellcheck, semgrep, …).
34//! 3. **[`scan`]** — orchestrate scanners in parallel and collect results.
35//! 4. **[`finding`]** — core data types ([`finding::Finding`], [`finding::ScanReport`]).
36//! 5. **[`output`]** — format reports as pretty text, JSON, or SARIF.
37//!
38//! ## Scanners
39//!
40//! | Scanner | External tool | Description |
41//! |---------|--------------|-------------|
42//! | `prompt` | — | Prompt injection pattern detection |
43//! | `bash_patterns` | — | Dangerous bash anti-patterns (Categories A–H) |
44//! | `typescript_patterns` | — | Dangerous TypeScript/JavaScript patterns (Categories A–H) |
45//! | `package_install` | — | Unsafe package installation patterns |
46//! | `frontmatter` | — | SKILL.md frontmatter validation |
47//! | `shellcheck` | [shellcheck] | Shell script linting |
48//! | `secrets` | [gitleaks] | Secret and credential scanning |
49//! | `semgrep` | [semgrep] | Static analysis |
50//!
51//! [SARIF]: https://sarifweb.azurewebsites.net/
52//! [shellcheck]: https://www.shellcheck.net/
53//! [gitleaks]: https://github.com/gitleaks/gitleaks
54//! [semgrep]: https://semgrep.dev/
55
56pub mod config;
57pub mod finding;
58pub mod output;
59pub mod scan;
60pub mod scanners;