The open source security engine for AI agent and supply-chain trust.
Aguara checks the trust layer: the things modern projects and agents are about to obey, before execution. Packages, lockfiles, install scripts, MCP configs, CI workflows, and the agent configuration a cloned repo ships. Locally, deterministically, as one signed Go binary. No SaaS account, no telemetry, no LLM calls.
$ brew install garagon/tap/aguara
One run over a freshly cloned repo, before installing anything. Every rule ID resolves with aguara explain <ID>.
What it checks
Three commands map to the three moments where trust is granted: check before install, scan before delegation, audit before CI execution.
| Surface | Evidence read | Command |
|---|---|---|
| Packages & lockfiles | pnpm-lock.yaml · package-lock.json · yarn.lock (classic + Berry) · bun.lock · go.sum · Cargo.lock · composer.lock · Gemfile.lock · Maven · NuGet - plus installed trees (node_modules, site-packages) | aguara check . |
| Agent host config | .claude/settings.json shipped by a repo: hooks, env, permissions, credential helpers | aguara scan . |
| Instruction files | .cursorrules · .windsurfrules · .clinerules · AGENTS.md · copilot-instructions.md as high-trust prompt surfaces | aguara scan . |
| Skills & tools | Agent skills, prompts, tool descriptions: injection, poisoning, exfiltration | aguara scan <path> |
| MCP configs | 17 clients auto-discovered: Claude Desktop, Cursor, VS Code, Cline, Windsurf, Zed… | aguara scan --auto |
| Package-manager policy | pnpm-workspace.yaml settings weakened below pnpm v11 defaults | aguara scan . |
| Install scripts | npm lifecycle hooks; install-time JavaScript, Python & Rust behavior | aguara scan . |
| CI workflows | GitHub Actions trust chains: pwn requests, cache poisoning, OIDC surface, persisted credentials | aguara scan .github/workflows |
| Everything, one verdict | check + scan composed · SARIF, JSON, Markdown, terminal · deterministic exit codes | aguara audit . --ci |
Detections
250 cataloged detections: 193 YAML pattern rules and 57 emitted by 12 analyzers (pattern, NLP, ci-trust, pkgmeta, jsrisk, pyrisk, rsbuild, npm-policy, pnpm-policy, agent-policy, toxic-flow, rug-pull). Rules are versioned with the binary, so a pinned version gives reproducible CI results. A sample:
Browse all rules on GitHub, or run aguara explain <ID> for the threat model, examples & remediation of any rule.
Coverage by ecosystem
Threat intel is matched offline against around 228,000 known-malicious packages: 26,268 exact-version records plus 202,526 all-versions advisory entries from OSV.dev and OpenSSF Malicious Packages, with a hand-curated emergency list on top. Advisories that mark every version of a package malicious match at any installed version; npm advisories with real version bounds are evaluated by semver range. aguara update fetches signed refreshes; a refresh returning zero records is refused.
| Ecosystem | Evidence | Coverage |
|---|---|---|
| npm · pnpm · Yarn · Bun | node_modules, .pnpm store, all 5 lockfiles; npm: aliases resolve to the real package | strong · pre-install |
| PyPI | site-packages, .pth files, pip/uv caches | strong + persistence |
| RubyGems | Gemfile.lock | strong |
| NuGet | packages.lock.json · *.csproj · *.fsproj · *.vbproj | strong · exact-version |
| Go | go.sum · go.mod | parser ready |
| crates.io | Cargo.lock | parser ready |
| Packagist | composer.lock | parser ready |
| Maven · Gradle | pom.xml · gradle.lockfile · dependency-locks | parser ready |
Aguara is not a full SCA and does not try to be one. It focuses on known-malicious packages and the agent-layer surfaces SCA platforms do not cover, and complements one. Range-aware CVE matching is the next layer.
Install
Homebrew
$ brew install garagon/tap/aguara
Script · checksum-verified
$ curl -fsSL \
https://raw.githubusercontent.com/garagon/aguara/main/install.sh \
| VERSION=v0.27.0 sh
Docker · multi-arch, non-root
$ docker run --rm -v "$PWD:/repo:ro" \
ghcr.io/garagon/aguara:0.24.0 check /repo
GitHub Action · pin both refs
- uses: garagon/[email protected] with: path: . fail-on: high version: v0.27.0
Verify the release
Release archives are Cosign-signed (keyless) with an SPDX SBOM per archive. The Docker image is signed at digest and carries SBOM + SLSA provenance attestations. Base images are digest-pinned; the container runs as a non-root user.
Archive
$ cosign verify-blob \ --bundle checksums.txt.bundle checksums.txt $ sha256sum --check --ignore-missing checksums.txt
Image
$ cosign verify ghcr.io/garagon/aguara:0.24.0 \
--certificate-identity-regexp \
'https://github.com/garagon/aguara' \
--certificate-oidc-issuer \
https://token.actions.githubusercontent.com
For agents · MCP
mcp-aguara exposes the same engine as an MCP server: an agent can request a local check before trusting a third-party tool, a pasted config, a repo’s Claude Code settings, or an instruction file. In-process library calls; no shell-out, no network. Tools: scan_content, check_mcp_config, list_rules, explain_rule, discover_mcp.
Install the server
$ curl -sSL \
https://raw.githubusercontent.com/garagon/mcp-aguara/main/install.sh | sh
Wire it into Claude Code
$ claude mcp add aguara -- aguara-mcp
FAQ
What is Aguara?
An open source security engine for the trust layer around AI agents and software supply chains. One signed Go binary that checks packages, lockfiles, install scripts, MCP configs, CI workflows and agent configuration locally - no SaaS account, no telemetry, no LLM calls.
Can Aguara check a project before installing dependencies?
Yes. aguara check . reads resolved lockfiles directly - pnpm-lock.yaml, package-lock.json, yarn.lock (classic and Berry), bun.lock, go.sum, Cargo.lock, composer.lock, Gemfile.lock, Maven and NuGet files - so a freshly cloned repo can be vetted before any install script runs.
Does Aguara upload code or dependency data?
No. Everything runs locally against a threat-intel snapshot embedded in the binary. Network access is opt-in, through aguara update or --fresh, and only fetches signed advisory data - it never sends yours.
How are releases signed?
Binaries are signed with Cosign (keyless) and ship an SPDX SBOM per archive. The multi-arch Docker image is signed at digest with SBOM and SLSA provenance attestations and runs as a non-root user.
Is Aguara a full SCA scanner?
No, and it does not try to be. Aguara focuses on known-malicious packages, high-confidence advisories, and the agent-layer trust surfaces SCA platforms do not cover. It complements an SCA, and stays fast, local and deterministic.