aguara v0.27.0

The open source security engine for AI agent and supply-chain trust.

Aguara checks the trust layer: the things modern projects and agents are about to obey, before execution. Packages, lockfiles, install scripts, MCP configs, CI workflows, and the agent configuration a cloned repo ships. Locally, deterministically, as one signed Go binary. No SaaS account, no telemetry, no LLM calls.

$ brew install garagon/tap/aguara
Other install methods ↓

250 detections· 12 analyzers· 8 ecosystems· Apache-2.0· changelog

~/cloned-repo
$ aguara audit . --ci
reading pnpm-lock.yaml, bun.lock, go.sum · scanning .claude/, .cursorrules, .github/workflows/
CRITICALpnpm-lock.yamlknown-compromised-package · @antv/[email protected] CRITICAL.claude/settings.jsonAGENTCFG_HOOK_FETCH_EXEC_001 · hook pipes curl | sh HIGHpnpm-workspace.yamlPNPM_DANGEROUS_BUILDS_001 · dangerouslyAllowAllBuilds HIGH.github/workflows/ci.ymlGHA_PWN_REQUEST_001 · pull_request_target + head ref
2 critical · 2 high · 162 files · 0.5s · exit 1security.sarif

One run over a freshly cloned repo, before installing anything. Every rule ID resolves with aguara explain <ID>.

01

What it checks

Three commands map to the three moments where trust is granted: check before install, scan before delegation, audit before CI execution.

SurfaceEvidence readCommand
Packages & lockfilespnpm-lock.yaml · package-lock.json · yarn.lock (classic + Berry) · bun.lock · go.sum · Cargo.lock · composer.lock · Gemfile.lock · Maven · NuGet - plus installed trees (node_modules, site-packages)aguara check .
Agent host config.claude/settings.json shipped by a repo: hooks, env, permissions, credential helpersaguara scan .
Instruction files.cursorrules · .windsurfrules · .clinerules · AGENTS.md · copilot-instructions.md as high-trust prompt surfacesaguara scan .
Skills & toolsAgent skills, prompts, tool descriptions: injection, poisoning, exfiltrationaguara scan <path>
MCP configs17 clients auto-discovered: Claude Desktop, Cursor, VS Code, Cline, Windsurf, Zed…aguara scan --auto
Package-manager policypnpm-workspace.yaml settings weakened below pnpm v11 defaultsaguara scan .
Install scriptsnpm lifecycle hooks; install-time JavaScript, Python & Rust behavioraguara scan .
CI workflowsGitHub Actions trust chains: pwn requests, cache poisoning, OIDC surface, persisted credentialsaguara scan .github/workflows
Everything, one verdictcheck + scan composed · SARIF, JSON, Markdown, terminal · deterministic exit codesaguara audit . --ci
02

Detections

250 cataloged detections: 193 YAML pattern rules and 57 emitted by 12 analyzers (pattern, NLP, ci-trust, pkgmeta, jsrisk, pyrisk, rsbuild, npm-policy, pnpm-policy, agent-policy, toxic-flow, rug-pull). Rules are versioned with the binary, so a pinned version gives reproducible CI results. A sample:

CRITAGENTCFG_HOOK_FETCH_EXEC_001hook fetches & executes remote code
CRITJS_WIPER_TRIPWIRE_001destructive wipe of credential stores
CRITPY_IMPORTTIME_REMOTE_JS_001setup.py fetches JS, runs node -e
CRITRS_BUILD_WALLET_EXFIL_001build.rs reads wallet, sends it out
CRITPROMPT_INJECTION_001instruction override in agent content
HIGHAGENTCFG_BYPASS_PERMS_001bypassPermissions as project default
HIGHPNPM_DANGEROUS_BUILDS_001all deps may run install scripts
HIGHJS_GITHUB_C2_001GitHub used as a command channel
HIGHGHA_PWN_REQUEST_001pull_request_target pwn chain
MEDNLP_HIDDEN_INSTRUCTIONaction verbs hidden in HTML comments

Browse all rules on GitHub, or run aguara explain <ID> for the threat model, examples & remediation of any rule.

03

Coverage by ecosystem

Threat intel is matched offline against around 228,000 known-malicious packages: 26,268 exact-version records plus 202,526 all-versions advisory entries from OSV.dev and OpenSSF Malicious Packages, with a hand-curated emergency list on top. Advisories that mark every version of a package malicious match at any installed version; npm advisories with real version bounds are evaluated by semver range. aguara update fetches signed refreshes; a refresh returning zero records is refused.

EcosystemEvidenceCoverage
npm · pnpm · Yarn · Bunnode_modules, .pnpm store, all 5 lockfiles; npm: aliases resolve to the real packagestrong · pre-install
PyPIsite-packages, .pth files, pip/uv cachesstrong + persistence
RubyGemsGemfile.lockstrong
NuGetpackages.lock.json · *.csproj · *.fsproj · *.vbprojstrong · exact-version
Gogo.sum · go.modparser ready
crates.ioCargo.lockparser ready
Packagistcomposer.lockparser ready
Maven · Gradlepom.xml · gradle.lockfile · dependency-locksparser ready

Aguara is not a full SCA and does not try to be one. It focuses on known-malicious packages and the agent-layer surfaces SCA platforms do not cover, and complements one. Range-aware CVE matching is the next layer.

04

Install

Homebrew

$ brew install garagon/tap/aguara

Script · checksum-verified

$ curl -fsSL \
    https://raw.githubusercontent.com/garagon/aguara/main/install.sh \
    | VERSION=v0.27.0 sh

Docker · multi-arch, non-root

$ docker run --rm -v "$PWD:/repo:ro" \
    ghcr.io/garagon/aguara:0.24.0 check /repo

GitHub Action · pin both refs

- uses: garagon/[email protected]
  with:
    path: .
    fail-on: high
    version: v0.27.0
05

Verify the release

Release archives are Cosign-signed (keyless) with an SPDX SBOM per archive. The Docker image is signed at digest and carries SBOM + SLSA provenance attestations. Base images are digest-pinned; the container runs as a non-root user.

Archive

$ cosign verify-blob \
    --bundle checksums.txt.bundle checksums.txt
$ sha256sum --check --ignore-missing checksums.txt

Image

$ cosign verify ghcr.io/garagon/aguara:0.24.0 \
    --certificate-identity-regexp \
      'https://github.com/garagon/aguara' \
    --certificate-oidc-issuer \
      https://token.actions.githubusercontent.com
06

For agents · MCP

mcp-aguara exposes the same engine as an MCP server: an agent can request a local check before trusting a third-party tool, a pasted config, a repo’s Claude Code settings, or an instruction file. In-process library calls; no shell-out, no network. Tools: scan_content, check_mcp_config, list_rules, explain_rule, discover_mcp.

Install the server

$ curl -sSL \
    https://raw.githubusercontent.com/garagon/mcp-aguara/main/install.sh | sh

Wire it into Claude Code

$ claude mcp add aguara -- aguara-mcp
07

FAQ

What is Aguara?

An open source security engine for the trust layer around AI agents and software supply chains. One signed Go binary that checks packages, lockfiles, install scripts, MCP configs, CI workflows and agent configuration locally - no SaaS account, no telemetry, no LLM calls.

Can Aguara check a project before installing dependencies?

Yes. aguara check . reads resolved lockfiles directly - pnpm-lock.yaml, package-lock.json, yarn.lock (classic and Berry), bun.lock, go.sum, Cargo.lock, composer.lock, Gemfile.lock, Maven and NuGet files - so a freshly cloned repo can be vetted before any install script runs.

Does Aguara upload code or dependency data?

No. Everything runs locally against a threat-intel snapshot embedded in the binary. Network access is opt-in, through aguara update or --fresh, and only fetches signed advisory data - it never sends yours.

How are releases signed?

Binaries are signed with Cosign (keyless) and ship an SPDX SBOM per archive. The multi-arch Docker image is signed at digest with SBOM and SLSA provenance attestations and runs as a non-root user.

Is Aguara a full SCA scanner?

No, and it does not try to be. Aguara focuses on known-malicious packages, high-confidence advisories, and the agent-layer trust surfaces SCA platforms do not cover. It complements an SCA, and stays fast, local and deterministic.

Check what your next clone is about to trust.

One signed binary. Local, deterministic, offline by default. Your code never leaves the machine.

$ brew install garagon/tap/aguara && aguara audit .

Star it on GitHub · Read the v0.27.0 release post