Zing Forum

Agentic Workflow Guard: Detecting Dangerous Workflows Before AI Agents Gain Write Access

A static security scanning tool for AI automation workflows that can detect risks such as prompt injection paths, over-authorized tools, unsafe GitHub Actions configurations, and MCP permission leaks in CI processes.

Tags: AI security, workflow scanning, CI/CD security, GitHub Actions, MCP, prompt injection, static analysis, SARIF, automation security, agent security

Published 2026-05-28 15:46 | Recent activity 2026-05-28 16:19 | Estimated read 6 min

Section 01

Agentic Workflow Guard: Static Security Scanning for AI-Driven Workflows

A static security scanning tool for AI automation workflows, designed to detect risks like prompt injection paths, over-authorized tools, unsafe GitHub Actions configurations, and MCP permission leaks before AI agents get write access. It integrates into CI/CD processes, uses static analysis (similar to Semgrep) to identify issues without executing code, and supports multiple output formats including SARIF for GitHub Code Scanning.


Section 02

Project Background & Motivation

With the spread of AI automation tools, teams use AI agents for sensitive operations (code review, auto-fix, deployment) but face a recurring risk: untrusted inputs (issue comments, PR descriptions) can carry prompt injection that manipulates the AI agent into performing malicious actions. Agentic Workflow Guard addresses this by statically scanning the code repository before workflows run, integrating into CI/CD so that risks are intercepted before merge (unlike runtime tools, which need the code to execute).


Section 03

Core Features & Scanning Capabilities

Supports scanning multiple AI workflow types:

  1. CI/CD platforms (GitHub Actions, GitLab CI, Jenkins, etc.)—detects AI agents executing external inputs or accessing sensitive credentials.
  2. Low-code/automation platforms (n8n, Dify, Flowise)—identifies dangerous data flows (untrusted input → AI decision → side-effect operations).
  3. MCP tool configs—flags over-broad permissions (e.g., full filesystem access, unrestricted Shell execution).
  4. Browser automation tools (Playwright, Puppeteer)—detects AI-driven sensitive steps (click, submit, upload).

Section 04

Technical Implementation & Command System

Built with Node.js, it provides the following command-line tools:

  • init: Sets up config files/CI workflows (advisory/balanced/strict modes).
  • doctor: Validates config correctness (GitHub Actions settings, rule locks).
  • scan: Core function, outputs markdown/JSON/SARIF (SARIF for GitHub Code Scanning; supports --baseline to focus on new risks).
  • fix: Offers dry-run/patch/apply modes to fix issues (e.g., reduce permissions, add dry-run tags).
  • Rule management: Built-in rule packages (core/community) with declarative rules; the explain command shows the details of a reported risk.

Section 05

Security Model & Risk Scenarios

The security model focuses on identifying "untrusted input → AI decision → write-side effect" paths. Key risks addressed:

  1. Prompt injection: Untrusted data (Issue content, PR comments) entering AI prompts.
  2. Model output execution: AI-generated content flowing to Shell/code execution or HTTP requests.
  3. Over-authorization: AI agents having excessive permissions (full repo write, wide filesystem access).
  4. Credential leaks: Sensitive info (tokens, keys) misused in CI/CD configs (e.g., passed to AI agents, logged).
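As an added illustration of the path this section describes (example code, not the project's own), a single static rule that flags a GitHub Actions workflow in which an untrusted event field is interpolated into a step while the job holds a write-capable token, emitting a SARIF-shaped result. It assumes line-based regex matching of the raw YAML rather than a YAML parser; the rule ids and both sample workflows are constructed.

```javascript
// Added example, not Agentic Workflow Guard's own code: one static rule of the
// kind the page describes, looking for "untrusted input -> agent step -> write
// side-effect" in a GitHub Actions workflow. Assumption: line-based regex
// scanning of the raw YAML instead of a real YAML parser; rule ids are made up.

// Expression contexts an outside contributor controls.
const UNTRUSTED = /github\.event\.(issue|comment|pull_request)\.(body|title)|github\.head_ref/;
// Token scopes that let a manipulated agent change repository state.
const WRITE_SCOPE = /^\s*(contents|pull-requests|issues|packages|id-token):\s*write\s*$/;

function scanWorkflow(yamlText, uri = 'workflow.yml') {
  const lines = yamlText.split('\n');
  const hasWrite = lines.some((l) => WRITE_SCOPE.test(l));
  const results = [];
  lines.forEach((line, idx) => {
    // A hit is `${{ ... }}` interpolation of an untrusted context into a step.
    if (!/\$\{\{/.test(line) || !UNTRUSTED.test(line)) return;
    results.push({
      ruleId: hasWrite ? 'agentic-write-path' : 'untrusted-input-in-step',
      level: hasWrite ? 'error' : 'warning',
      message: { text: `untrusted input reaches a step; token can write: ${hasWrite}` },
      locations: [{ physicalLocation: { artifactLocation: { uri },
                                        region: { startLine: idx + 1 } } }],
    });
  });
  // Minimal SARIF 2.1.0 envelope, the shape GitHub Code Scanning ingests.
  return { version: '2.1.0', runs: [{ tool: { driver: { name: 'example-rule' } }, results }] };
}

// Constructed sample: an issue-comment bot that feeds the comment straight into
// an agent while holding a write token (the risky shape the page describes).
const RISKY = `name: ai-triage
on: issue_comment
permissions:
  contents: write
  pull-requests: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: ai-agent --task "\${{ github.event.comment.body }}"
`;
// Same bot with a read-only token and the text passed through env rather than
// shell interpolation; the prompt-injection path remains, so it stays a warning.
const HARDENED = RISKY
  .replace('contents: write\n  pull-requests: write', 'contents: read')
  .replace('"${{ github.event.comment.body }}"',
    () => '"$COMMENT"\n        env:\n          COMMENT: ${{ github.event.comment.body }}');
console.log(JSON.stringify(scanWorkflow(RISKY).runs[0].results, null, 2));
```

The read-only variant is still reported because the comment text still reaches the agent; only the write side-effect has been removed.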

Section 06

Ecosystem Integration & Applicable Scenarios

Integrations:

  • Skillpacks: Exports configs for AI agents (Claude Skills, Copilot instructions, etc.) to audit workflows.
  • MCP support: AI agents can query rules/benchmarks via MCP interface.
  • GitHub Actions: Integrates with Code Scanning (results appear in the PR security tab).

Use cases: AI-driven code review, automated operations and maintenance platforms, multi-tenant SaaS products, and compliance (SOC2, ISO27001) audits.

Section 07

Summary & Outlook

Agentic Workflow Guard fills a gap in AI automation security—traditional tools can't identify AI-specific risks. It uses static analysis to avoid runtime overhead, providing comprehensive scanning. As AI agents become more prevalent, such tools will grow in importance. Its open-source nature allows community extensions (custom rules, new platform coverage).