Guard v0.8
Major release: AgentSeal Guard now supports project policies, delta scanning, live registry enrichment, custom rules, and CI/CD integration.
New Features
- agentseal guard init — Generate .agentseal.yaml project policy from your scanned environment. Define allowed agents, MCP servers, and custom rules.
- Delta scanning — Detect rug-pulls and config changes since your last scan. SQLite-backed baselines with 90-day retention.
- Registry enrichment — Live trust scores from the MCP Security Registry (6,600+ servers scanned). Shows inline with each MCP server in the guard report.
- Custom YAML rules — Write org-specific policies and validate them with agentseal guard test.
- GitHub Action — Run guard in CI with SARIF upload for the GitHub Security tab.
- Output formats — Terminal (default), JSON, SARIF, HTML via --output flag.
- --from-json — Re-render a saved JSON report without re-scanning.
- --fail-on — CI gate: exit non-zero if findings exceed threshold (danger/warning/safe).
Security Hardening
- TR39 confusables detection (80+ homoglyph characters)
- 2-pass deobfuscation (catches double-encoded payloads)
- HTML entity decoding
- 12 canonical seed hashes in blocklist
- 5 new supply chain runner checks (bunx, deno, docker, pip, go)
- 3 new markdown image exfiltration detection patterns
- URL included in MCP server fingerprint (catches endpoint swaps)
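Why the URL belongs in the fingerprint, combined with the baseline comparison that delta scanning describes. This is an added example, not AgentSeal's code: the config field names (command, args, env, url), the hashing scheme and the sample servers are assumptions made for illustration.

```python
import hashlib
import json


def fingerprint(server: dict, include_url: bool = True) -> str:
    """SHA-256 over the fields that decide what a server entry runs or contacts."""
    fields = {
        "command": server.get("command"),
        "args": server.get("args", []),
        "env_keys": sorted(server.get("env", {})),  # key names only, no secrets
    }
    if include_url:
        fields["url"] = server.get("url")
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def make_baseline(servers: dict, include_url: bool = True) -> dict:
    """Map server name -> fingerprint, as stored after a scan."""
    return {name: fingerprint(cfg, include_url) for name, cfg in servers.items()}


def delta(baseline: dict, current: dict, include_url: bool = True) -> dict:
    """Classify each server as added, removed, changed or unchanged."""
    report = {name: "removed" for name in baseline.keys() - current.keys()}
    for name, cfg in current.items():
        if name not in baseline:
            report[name] = "added"
        elif baseline[name] != fingerprint(cfg, include_url):
            report[name] = "changed"
        else:
            report[name] = "unchanged"
    return report


# Constructed sample configs: between scans only the remote endpoint of "docs" moves.
SCAN_1 = {
    "docs": {"url": "https://mcp.example.com/sse"},
    "files": {"command": "npx", "args": ["-y", "example-files-server"]},
}
SCAN_2 = {
    "docs": {"url": "https://mcp.example.net/sse"},
    "files": {"command": "npx", "args": ["-y", "example-files-server"]},
}

if __name__ == "__main__":
    for with_url in (False, True):
        print(with_url, delta(make_baseline(SCAN_1, with_url), SCAN_2, with_url))
```

With the URL left out of the hash, the moved endpoint reports as unchanged; with it included, the same server name pointing at a new host is flagged.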
Stats
- Python: 1,123 tests passing
- JavaScript: 942 tests passing
- 225 total probes (143 injection + 82 extraction)
Install
pip install agentseal==0.8.0
agentseal guard
npm install agentseal@0.6.0
npx agentseal guard