ASH ships scanners for code and IaC (bandit, semgrep, checkov, grype, cdk-nag, syft, etc.), but there is no detector today for adversarial content in AI-agent assets — prompt injection, tool poisoning, and MCP/skill manipulation that live in skill manifests, MCP tool descriptions, and agent prompt files rather than in source logic. As repos add agents and MCP servers, those files are a scan surface ASH doesn't cover yet.
This fits the existing plugin model cleanly, as an external custom scanner — no core changes:
- a class subclassing
ScannerPluginBase[T] decorated with @ash_scanner_plugin (from automated_security_helper.plugins.decorators)
- implementing
scan(self, target, target_type, ...), returning a SarifReport (or ScanResultsContainer) like the built-in scanners
tool_type = ScannerToolType.CUSTOM, discovered via ash_plugin_modules in .ash/.ash.yaml
The detection engine would be pyatr (https://pypi.org/project/pyatr/) — the Python reference engine for Agent Threat Rules, an open MIT ruleset of deterministic regex patterns for agent attacks. It runs in-process (import pyatr, no subprocess), and each rule carries MITRE ATT&CK + ATLAS mappings, which map naturally to SARIF rule metadata and taxonomies. So findings would surface in the existing aggregated SARIF report with technique IDs attached.
Before writing anything, I wanted to check direction:
- Is an agent/skill/MCP threat scanner in scope for ASH, or out of scope by design?
- Would you prefer it as a standalone external plugin package (referenced from docs), or contributed into the repo as a bundled community plugin module like
ash_ferret_plugins / ash_trivy_plugins?
Happy to follow whichever path you point to. Standard examples/ash_plugins_example shape, with tests.
Disclosure: I maintain ATR.
ASH ships scanners for code and IaC (bandit, semgrep, checkov, grype, cdk-nag, syft, etc.), but there is no detector today for adversarial content in AI-agent assets — prompt injection, tool poisoning, and MCP/skill manipulation that live in skill manifests, MCP tool descriptions, and agent prompt files rather than in source logic. As repos add agents and MCP servers, those files are a scan surface ASH doesn't cover yet.
This fits the existing plugin model cleanly, as an external custom scanner — no core changes:
ScannerPluginBase[T]decorated with@ash_scanner_plugin(fromautomated_security_helper.plugins.decorators)scan(self, target, target_type, ...), returning aSarifReport(orScanResultsContainer) like the built-in scannerstool_type = ScannerToolType.CUSTOM, discovered viaash_plugin_modulesin.ash/.ash.yamlThe detection engine would be
pyatr(https://pypi.org/project/pyatr/) — the Python reference engine for Agent Threat Rules, an open MIT ruleset of deterministic regex patterns for agent attacks. It runs in-process (import pyatr, no subprocess), and each rule carries MITRE ATT&CK + ATLAS mappings, which map naturally to SARIF rule metadata and taxonomies. So findings would surface in the existing aggregated SARIF report with technique IDs attached.Before writing anything, I wanted to check direction:
ash_ferret_plugins/ash_trivy_plugins?Happy to follow whichever path you point to. Standard
examples/ash_plugins_exampleshape, with tests.Disclosure: I maintain ATR.