
PurpleGate: CI/CD Security Gateway for Agentic AI Applications

PurpleGate, an open-source project by Kardoxa Labs, integrates red team penetration testing and blue team defense scanning into a single GitHub Action, specifically detecting emerging security risks in agentic AI applications such as prompt injection, secret leakage, and MCP vulnerabilities.

Tags: agentic AI security, CI/CD security, prompt injection, LLM security, MCP vulnerabilities, purple team, OWASP LLM Top 10
Published 2026-04-25 06:14 | Recent activity 2026-04-25 06:18 | Estimated read 7 min

Section 01

PurpleGate: CI/CD Security Gateway for Agentic AI Applications - Core Overview

PurpleGate, an open-source project by Kardoxa Labs, is a CI/CD security gateway for agentic AI applications that integrates red team penetration testing and blue team defense scanning into a single GitHub Action. It specifically detects emerging security risks in agentic AI applications such as prompt injection, secret leakage, and MCP vulnerabilities, and adopts the Purple Team concept to achieve offensive-defensive collaboration, continuously verifying security in the software delivery process.


Section 02

Background: Security Challenges in the Agentic AI Era

As large language models (LLMs) evolve from simple chatbots to agents that can call tools, access databases, and execute code, the application attack surface has undergone fundamental changes. Traditional static application security testing (SAST) cannot detect prompt injection, traditional secret scanning tools struggle to find system prompt leaks, and emerging Model Context Protocol (MCP) servers introduce entirely new supply chain risks. Against this backdrop, PurpleGate was born.


Section 03

Core Functions: Integrated Red & Blue Team Detection Modules

PurpleGate integrates nine categories of security detection probes:

Red Team Detection Modules: prompt injection detection (an isolated Claude instance driven by the promptfoo framework), system prompt leakage detection, cross-user data leakage probes, secret leakage detection (integrating Gitleaks and TruffleHog), dependency vulnerability scanning (OSV-Scanner, with a focus on MCP SDK vulnerabilities such as CVE-2025-6514), IaC scanning (Checkov, detecting missing Supabase RLS), workflow injection detection (zizmor), and HTTP security header checks.

Blue Team Defense Assessment: detects runtime protection mechanisms (e.g., LLM Guard, Guardrails AI) and rate limiter configurations. If a vulnerability is covered by such a protection, its severity rating is lowered; detected protections are only ever used to lower a rating, never to raise one.


Section 04

Industry Standards Mapping & Severity Access Control Policy

Each detection finding is mapped to the OWASP LLM Top 10 2025, the OWASP Agentic AI Top 10 2026, and MITRE ATLAS v5.4.0, with the mapping carried as the ruleId in the SARIF output. For example, prompt injection corresponds to LLM01 and system prompt leakage to LLM02.

Severity is divided into four levels. Critical (e.g., verified active credentials, public tables missing RLS) and High (e.g., unprotected routes, high CVE scores) block CI builds by default; Medium and Low only generate reports. Users can customize the gateway policy via the fail-on parameter. Suppressing a finding requires a reason, a confirmer, and an expiration time of at most 365 days.
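The gate policy described in this section, worked through as an added Python example (this is not PurpleGate's own code): a finding covered by a blue-team-detected control is downgraded, Critical and High trip the gate unless a valid suppression exists, the threshold is adjustable the way the fail-on parameter is, and a suppression must carry a reason, a confirmer and an expiry no more than 365 days out. The one-step size of the downgrade, the probe names, and any ruleId beyond the LLM01/LLM02 pair the page states are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Severity ladder. Critical and High block the build by default, as the page states.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
RANK_SEVERITY = {rank: name for name, rank in SEVERITY_RANK.items()}

# Probe name -> ruleId as it would appear in the SARIF output. The page gives only
# LLM01 and LLM02; other probes fall back to their own name (assumption).
RULE_IDS = {
    "prompt_injection": "LLM01",
    "system_prompt_leakage": "LLM02",
}

MAX_SUPPRESSION_DAYS = 365  # page: suppression expiry must be <= 365 days


@dataclass
class Finding:
    probe: str
    severity: str            # "low" | "medium" | "high" | "critical"
    protected: bool = False  # blue-team probe found a covering control (e.g. LLM Guard)


@dataclass
class Suppression:
    probe: str
    reason: str
    confirmer: str
    expires: str             # ISO date, e.g. "2026-10-01"


def effective_severity(finding: Finding) -> str:
    """Lower the rating one step when a runtime protection covers the finding.
    The one-step size is an assumption; what the page fixes is the direction:
    protections only ever lower a rating, never raise it."""
    rank = SEVERITY_RANK[finding.severity.lower()]
    if finding.protected and rank > 0:
        rank -= 1
    return RANK_SEVERITY[rank]


def suppression_is_valid(s: Suppression, today: str) -> bool:
    """Reject suppressions lacking a reason or confirmer, already expired,
    or expiring more than MAX_SUPPRESSION_DAYS after today."""
    if not s.reason.strip() or not s.confirmer.strip():
        return False
    remaining = (date.fromisoformat(s.expires) - date.fromisoformat(today)).days
    return 0 <= remaining <= MAX_SUPPRESSION_DAYS


def evaluate_gate(findings, suppressions, fail_on="high", today=None):
    """Apply the gateway policy.

    Returns (block_build, rows); each row carries the SARIF-style ruleId and
    level plus whether the finding was suppressed and whether it trips the gate."""
    today = today or date.today().isoformat()
    threshold = SEVERITY_RANK[fail_on.lower()]
    valid = {s.probe for s in suppressions if suppression_is_valid(s, today)}
    rows, block_build = [], False
    for f in findings:
        level = effective_severity(f)
        suppressed = f.probe in valid
        trips = not suppressed and SEVERITY_RANK[level] >= threshold
        block_build = block_build or trips
        rows.append({
            "ruleId": RULE_IDS.get(f.probe, f.probe),
            "level": level,
            "suppressed": suppressed,
            "blocks": trips,
        })
    return block_build, rows


if __name__ == "__main__":
    # Constructed sample findings and suppressions, not real scan output.
    today = "2026-04-25"
    findings = [
        Finding("prompt_injection", "high", protected=True),  # LLM Guard in front of it
        Finding("system_prompt_leakage", "high"),
        Finding("supabase_missing_rls", "critical"),
    ]
    suppressions = [
        Suppression("supabase_missing_rls", "table holds only public fixtures",
                    "security-lead", "2026-10-01"),
        Suppression("system_prompt_leakage", "", "dev", "2026-06-01"),  # no reason: invalid
    ]
    block, rows = evaluate_gate(findings, suppressions, fail_on="high", today=today)
    for row in rows:
        print(row)
    print("block build:", block)
```

With the sample input the protected prompt-injection finding drops to Medium and no longer blocks, the RLS finding is silenced by a well-formed suppression, and the unsuppressed High system-prompt-leakage finding still fails the build; raising fail-on to critical lets the same run pass, which is exactly the policy knob the page describes.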


Section 05

Supply Chain Security: Rigorous Trust Measures for PurpleGate

The Alpha version ships as a Docker container Action that is built from source on every run. Consumers pin the version via uses: sameermohan-git/purplegate@<sha>; binary tools inside the image are verified by SHA256, and third-party Actions are referenced by commit hash rather than by tag.

v1.0 plan: Pre-built images will be published to GHCR with cosign keyless signatures, supporting verification via gh attestation verify; implement SLSA L3 build provenance, attach SBOM, and conduct continuous evaluation via OSSF Scorecard.


Section 06

Deployment & Usage: Easy Integration into CI/CD Workflows

Deployment is simple: add a step to the workflow and configure the LLM API key, the target URL, and the configuration file path. The configuration file is YAML and supports enabling or disabling individual scanners, custom rules, and severity overrides.
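An added example (not the project's own code or documentation) that ties the pinning rule of Section 05 to the workflow step of Section 06: a constructed workflow embeds a PurpleGate step whose action reference is pinned to a commit SHA, and a small checker flags every uses: reference that is still on a mutable tag or branch, the kind of pre-merge check a consumer can run over their own workflows. The input names (llm-api-key, target-url, config, fail-on), the target URL, the config path and the 40-hex value are placeholders and assumptions; the page only says the step takes an API key, a target URL, a config file path and a fail-on parameter. The checkout action is left on a tag on purpose so the checker has something to reject.

```python
import re

# Constructed sample workflow for illustration; not from the project. Input names and
# values are assumptions, and the 40-hex string is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: purplegate
on: [pull_request]
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: PurpleGate scan
        uses: sameermohan-git/purplegate@0123456789abcdef0123456789abcdef01234567
        with:
          llm-api-key: ${{ secrets.LLM_API_KEY }}
          target-url: https://staging.example.test
          config: .purplegate.yml
          fail-on: high
"""

# Matches step-level and job-level `uses:` lines without needing a YAML parser.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str):
    """Return (ok, reason) for one `uses:` reference.

    Only a full 40-hex commit SHA counts as pinned: tags and branches are mutable
    and can be repointed at different code after the workflow was reviewed."""
    if ref.startswith("./"):
        return True, "local action, versioned with the repository itself"
    if "@" not in ref:
        return False, "no version reference at all"
    action, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return True, "pinned to a full commit SHA"
    return False, f"{action} pinned to mutable ref '{version}'"


def check_action_pins(workflow_text: str):
    """Scan a workflow and return one (ref, ok, reason) tuple per `uses:` line."""
    results = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            ok, reason = classify_ref(ref)
            results.append((ref, ok, reason))
    return results


def unpinned_refs(workflow_text: str):
    """Just the references that would fail a pin-by-SHA policy."""
    return [ref for ref, ok, _ in check_action_pins(workflow_text) if not ok]


if __name__ == "__main__":
    for ref, ok, reason in check_action_pins(SAMPLE_WORKFLOW):
        print("OK  " if ok else "FAIL", ref, "-", reason)
```

Run against the sample, the PurpleGate step passes and actions/checkout@v4 is reported, which is the same distinction the Alpha release draws for its own third-party Actions (commit hashes, not tags). The regex deliberately does not understand YAML structure; for workflows that build uses: values from expressions or anchors, a real YAML parser is the safer tool.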

Project roadmap v1.0: Complete suite with 37 test cases, promptfoo integration, full Checkov integration, and consumer-specific SARIF suppression functionality.


Section 07

Project Significance: Domain-Specific Security for Agentic AI

PurpleGate illustrates the direction in which security tools are evolving: from general-purpose to domain-specific. Traditional tools do not understand the risk model of LLM applications, and PurpleGate fills this gap with dedicated probes.

For agentic AI teams: It provides a CI/CD continuous security verification solution, helping to find issues before merging and evaluate defense effectiveness. As agentic AI becomes popular, the Purple Team methodology may become an important part of industry best practices.