Skip to content

Custom scanner plugin for AI-agent threats (prompt injection / MCP / skill manifests) #372

Description

@eeee2345

ASH ships scanners for code and IaC (bandit, semgrep, checkov, grype, cdk-nag, syft, etc.), but there is no detector today for adversarial content in AI-agent assets — prompt injection, tool poisoning, and MCP/skill manipulation that live in skill manifests, MCP tool descriptions, and agent prompt files rather than in source logic. As repos add agents and MCP servers, those files are a scan surface ASH doesn't cover yet.

This fits the existing plugin model cleanly, as an external custom scanner — no core changes:

  • a class subclassing ScannerPluginBase[T] decorated with @ash_scanner_plugin (from automated_security_helper.plugins.decorators)
  • implementing scan(self, target, target_type, ...), returning a SarifReport (or ScanResultsContainer) like the built-in scanners
  • tool_type = ScannerToolType.CUSTOM, discovered via ash_plugin_modules in .ash/.ash.yaml

The detection engine would be pyatr (https://pypi.org/project/pyatr/) — the Python reference engine for Agent Threat Rules, an open MIT ruleset of deterministic regex patterns for agent attacks. It runs in-process (import pyatr, no subprocess), and each rule carries MITRE ATT&CK + ATLAS mappings, which map naturally to SARIF rule metadata and taxonomies. So findings would surface in the existing aggregated SARIF report with technique IDs attached.

Before writing anything, I wanted to check direction:

  1. Is an agent/skill/MCP threat scanner in scope for ASH, or out of scope by design?
  2. Would you prefer it as a standalone external plugin package (referenced from docs), or contributed into the repo as a bundled community plugin module like ash_ferret_plugins / ash_trivy_plugins?

Happy to follow whichever path you point to. Standard examples/ash_plugins_example shape, with tests.

Disclosure: I maintain ATR.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions