Feature · Pre-deployment scanning
Runtime guardrails catch what reaches production. The pre-deploy scanner catches what shouldn't reach production in the first place — secrets in source, unsafe tool config, missing policy coverage, prompt-injection corpus regression. Runs as a CI gate, emits SARIF, fails the build.
# .github/workflows/aegis-predeploy.yml
name: AEGIS pre-deploy scan
on: [pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: aegis-dev/predeploy-scan-action@v1
with:
fail-on: HIGH # HIGH / MEDIUM / LOW / never
require-coverage: AAT-T1,AAT-T4,AAT-T5,AAT-T10
policy-bundle: .aegis/policies.json
output: sarif
Or via CLI in any CI: agentguard predeploy --fail-on HIGH --sarif results.sarif.
GitHub Code Scanning auto-renders SARIF as inline PR
annotations.
Production-grade signature library: sk-,
sk-ant-, hf_, AIza,
r8_, gsk_, co-,
together_, plus cloud + DB + PEM + JWT.
Entropy gate + is_test heuristic
eliminates the noise that gitleaks-style tools give you.
Severity: CRITICAL · Auto-fails any non-test secret.
Shell tools that pass shell=True without
argument sanitisation. Database tools whose connection
string includes write access where read-only would do.
HTTP tools without URL allowlist. Function-call specs
missing required arg validation.
Severity: HIGH or MEDIUM depending on tool category.
Cross-references the scanner's tool inventory against the repo's policy bundle. If a tool is registered but no policy gates it, that's a coverage gap. If a workflow edge is a sensitive-relay path with no DSL rule, that's a coverage gap.
Severity: configurable (default MEDIUM).
Every PR runs the 26-pattern prompt-injection corpus against the deployed policy bundle. If a previously-caught variant goes uncaught (regression), the build fails. Same idea as unit-test regression but for adversarial inputs.
Severity: HIGH on regression. PI corpus details.
Drop a YAML file in .aegis/rules/ with your
org's named patterns — internal endpoint shapes,
compliance-mandated allowlists, framework-specific
anti-patterns. Treated identically to built-in checks
in SARIF output.
See /features/customize.
Declare which AEGIS Agent Threat tactics + techniques your agent's policy + detector posture must cover. Build fails if any required technique has no enforcement path. Maps directly to procurement / compliance checklists.
10 tactics × 4 techniques each. Full ontology.
📋 AEGIS pre-deploy scan — 7 findings, 2 BLOCKING
✗ CRITICAL src/copilot.py:42 Anthropic API key in source
Match: 'sk-ant-API03-...' Rule: ai-credential.anthropic
✗ HIGH src/tools/billing.py:8 Shell call without arg validation
Match: 'subprocess.run(cmd, shell=True)' Rule: unsafe-tool.shell
⚠ MEDIUM src/agents/crew.py:55 No policy for tool 'send_invoice'
Workflow edge 'orchestrator → send_invoice' is sensitive-relay path
Rule: policy-coverage-gap
⚠ MEDIUM PI corpus regression — variant pi-tool-2 not blocked anymore
Was blocked in commit abc1234, no longer covered after policy diff
Rule: pi-corpus-regression
ℹ LOW AAT-T7003 (workflow topology probe) has no detector coverage
Optional — only required if you ship to PCI / regulated industries
Rule: ontology-coverage
[fail] Job exited with 1 because of 2 BLOCKING findings.GitHub Code Scanning, Bitbucket, GitLab, Azure DevOps — every modern code-host reads SARIF and surfaces findings as inline PR annotations. Same flow as CodeQL / Semgrep / Snyk.
For custom CI, dashboards, security review pipelines. Schema documented in /docs/api. Includes per-finding remediation hints + a verified counterfactual where applicable.
scan_history table stores every scan with
its findings + SARIF blob. Cockpit lists scans by repo,
shows diffs between scans, lets operators triage. Audit
evidence for SOC 2 / ISO 27001 lands in
/api/v1/compliance/bundle/soc2.
Same scanner the desktop bundle ships with. Self-host, or
drop the GitHub Action into .github/workflows/.