
Local security engine for AI agents
and software supply chains

Your project trusts more than the code you wrote. Aguara checks the rest locally, before install or delegation: package versions, lockfiles, installed dependency trees, CI workflows, MCP configs, skills, AI agent tools.

Local by default · No SaaS account · No LLM calls

~/api-gateway — aguara
$ aguara check .

Resolving pnpm-lock.yaml · go.sum · Gemfile.lock
Inspecting node_modules · .venv/site-packages

CRITICAL pnpm-lock.yaml
known-compromised-package: @antv/g2@5.6.8
ecosystem: npm · SOCKET-2026-05-19-mini-shai-hulud-antv

HIGH .mcp.json:12
mcp-config-unpinned-npx
fix: pin version → npx -y @org/server@1.4.2

─────────────────────────────────────
Audit complete · 142 files · 0.41s
1 critical · 1 high
$
219 cataloged detections (193 YAML + 26 analyzers)
8 ecosystems: npm/pnpm, PyPI, Go, Rust, PHP, Ruby, Java, and .NET
17 clients: MCP configs auto-detected across the ecosystem
0 upload: code, prompts, configs never leave your machine
Powered by OSV.dev, OpenSSF Malicious Packages, and incident-specific local advisories

Three steps. One signed binary.
No SaaS in the loop.

Aguara resolves the local evidence your project is about to trust, matches supported package references and agent surfaces against embedded detections, and emits a deterministic verdict your CI can gate on.

01 RESOLVE

Read lockfiles & installed trees

Aguara discovers every supported lockfile and installed package tree under the path. pnpm-lock.yaml works before install. node_modules and site-packages work after.

$ aguara check .
  ▸ pnpm-lock.yaml
  ▸ go.sum
  ▸ node_modules/

02 MATCH

Compare against embedded intel

Supported package references are normalized and matched against embedded OSV.dev and OpenSSF malicious-package intelligence where exact-version coverage is available. No network call required.

$ aguara status
  snapshot: 2026-05-18
  records: 47,318
  source: OSV + OpenSSF

03 REPORT

Emit a deterministic verdict

SARIF for GitHub Code Scanning. JSON for tooling. Markdown for PR summaries. Terminal for humans. --fail-on high gates CI.

$ aguara audit . --ci
  Audit complete · exit 1
  → security.sarif
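The resolve, match and report steps above, and the lockfile-based detection of compromised packages described further down, as an added Go example that is not Aguara's own code. It extracts name@version keys from a constructed pnpm-lock.yaml excerpt with a simplified regex (the real lockfile parser does more than this), looks them up in a constructed advisory map that stands in for the embedded OSV/OpenSSF snapshot (the @antv/g2 entry mirrors the sample finding shown on this page), and turns the result into a --fail-on style exit code. The function names ResolvePnpmLock, MatchRefs and ExitCode and the advisory map are assumptions, not Aguara's API.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Constructed pnpm-lock.yaml excerpt (lockfile v9 layout). The @antv/g2 entry
// mirrors the sample finding on this page; the other packages are filler.
const sampleLock = `lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      '@antv/g2':
        specifier: ^5.6.8
        version: 5.6.8

packages:

  '@antv/g2@5.6.8':
    resolution: {integrity: sha512-CONSTRUCTED}

  left-pad@1.3.0:
    resolution: {integrity: sha512-CONSTRUCTED}

  lodash@4.17.21:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  '@antv/g2@5.6.8':
    dependencies:
      lodash: 4.17.21
`

// Advisory is one exact-version malicious-package record. The map below is a
// constructed stand-in for the embedded OSV/OpenSSF snapshot, not a real feed.
type Advisory struct {
	ID       string
	Severity string
}

var advisories = map[string]Advisory{
	"npm:@antv/g2@5.6.8": {ID: "SOCKET-2026-05-19-mini-shai-hulud-antv", Severity: "CRITICAL"},
}

// Finding is the deterministic output unit: severity, file, rule, evidence.
type Finding struct {
	Severity  string
	File      string
	Rule      string
	Package   string
	Ecosystem string
	Advisory  string
}

// pnpmKey matches top-level package keys in the packages:/snapshots: sections,
// quoted or not, with an optional v6-style leading slash; a peer-dependency
// suffix such as "(react@18.2.0)" is excluded by stopping at "(".
var pnpmKey = regexp.MustCompile(`^  '?/?(@?[^@'\s(:]+)@([^'\s(:]+)`)

// ResolvePnpmLock extracts unique name@version references from a lockfile body
// before anything is installed; the result is sorted so output is stable.
func ResolvePnpmLock(body string) []string {
	seen := map[string]bool{}
	var refs []string
	for _, line := range strings.Split(body, "\n") {
		m := pnpmKey.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ref := m[1] + "@" + m[2]
		if !seen[ref] {
			seen[ref] = true
			refs = append(refs, ref)
		}
	}
	sort.Strings(refs)
	return refs
}

// MatchRefs does an exact-version lookup against the embedded advisories,
// keyed by ecosystem so an npm name never matches a PyPI record.
func MatchRefs(ecosystem, file string, refs []string) []Finding {
	var out []Finding
	for _, ref := range refs {
		if adv, ok := advisories[ecosystem+":"+ref]; ok {
			out = append(out, Finding{
				Severity: adv.Severity, File: file, Rule: "known-compromised-package",
				Package: ref, Ecosystem: ecosystem, Advisory: adv.ID,
			})
		}
	}
	return out
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// ExitCode implements a --fail-on threshold: 1 if any finding is at or above it.
func ExitCode(findings []Finding, failOn string) int {
	threshold := severityRank[strings.ToUpper(failOn)]
	for _, f := range findings {
		if severityRank[f.Severity] >= threshold {
			return 1
		}
	}
	return 0
}

func main() {
	refs := ResolvePnpmLock(sampleLock)
	findings := MatchRefs("npm", "pnpm-lock.yaml", refs)
	for _, f := range findings {
		fmt.Printf("%s %s\n%s: %s\necosystem: %s · %s\n", f.Severity, f.File, f.Rule, f.Package, f.Ecosystem, f.Advisory)
	}
	fmt.Printf("%d refs · %d findings\n", len(refs), len(findings))
	os.Exit(ExitCode(findings, "high"))
}
```

Deduplicating across the packages: and snapshots: sections matters because v9 lockfiles list the same key in both; sorting the refs and iterating them in order is what keeps the verdict byte-for-byte reproducible between runs.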

Four trust points
worth checking before they bite.

Each pillar maps to one of Aguara's analyzer families. Findings include severity, file location, the matched evidence, and remediation guidance.

Compromised packages

Known malicious versions across npm/pnpm, PyPI, RubyGems, NuGet, Go, crates.io, Packagist, and Maven. Detects them from lockfiles before install where supported, and from installed package trees after install.

CRITICAL pnpm-lock.yaml known-compromised-package: @antv/g2@5.6.8 ecosystem: npm · SOCKET-2026-05-19-mini-shai-hulud-antv

Prompt injection & tool poisoning

Instruction overrides, hidden instructions, authority claims, role switching, and poisoning of tool descriptions and MCP schema fields.

CRITICAL .claude/skills/deploy/SKILL.md:47 prompt-injection-role-switch "Ignore all previous instructions and..."

MCP config risk

Unpinned npx/uvx, shell metacharacters in args, hardcoded secrets, host networking, Docker privileges, capability escalation.

HIGH .mcp.json:12 mcp-config-unpinned-npx fix: pin → npx -y @org/server@1.4.2
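The MCP config risks listed above, as an added Go example that is not Aguara's or mcp-aguara's code. It parses a constructed .mcp.json and flags an unpinned npx/uvx package (mcp-config-unpinned-npx is the rule id shown on this page; the uvx variant and the mcp-config-shell-metachar and mcp-config-hardcoded-secret ids are hypothetical names chosen for this example), shell metacharacters in args, and literal credentials in env. CheckMCPConfig, packageSpec and pinned are assumed helper names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed .mcp.json with one unpinned server, one pinned server, and one
// local server whose args and env carry the other two risks. Not a real config.
const sampleMCP = `{
  "mcpServers": {
    "docs":   {"command": "npx", "args": ["-y", "@org/server"]},
    "pinned": {"command": "npx", "args": ["-y", "@org/server@1.4.2"]},
    "local":  {"command": "node",
               "args": ["server.js", "--out", "log.txt && echo done"],
               "env":  {"API_TOKEN": "tok-constructed-placeholder"}}
  }
}`

type Server struct {
	Command string            `json:"command"`
	Args    []string          `json:"args"`
	Env     map[string]string `json:"env"`
}

type MCPConfig struct {
	MCPServers map[string]Server `json:"mcpServers"`
}

type Finding struct {
	Severity string
	Server   string
	Rule     string
	Detail   string
}

var (
	// Characters that let an argument reach a shell parser rather than the program.
	metachar = regexp.MustCompile("[;&|`$<>]")
	// Env keys that usually hold credentials; values should be ${VAR} references.
	secretKey = regexp.MustCompile(`(?i)token|secret|password|api_?key`)
)

// packageSpec returns the first positional argument, i.e. the package that
// npx/uvx would fetch, skipping flags such as -y or --quiet.
func packageSpec(args []string) string {
	for _, a := range args {
		if !strings.HasPrefix(a, "-") {
			return a
		}
	}
	return ""
}

// pinned reports whether a spec carries an explicit version: "@org/server@1.4.2"
// and "pkg==1.2.0" are pinned, "@org/server" is not. The leading "@" of a scope
// is not a version separator, so only an "@" after position 0 counts.
func pinned(spec string) bool {
	return strings.LastIndex(spec, "@") > 0 || strings.Contains(spec, "==")
}

// CheckMCPConfig parses a client config and emits findings in server-name order
// so the output is deterministic across runs.
func CheckMCPConfig(raw []byte) ([]Finding, error) {
	var cfg MCPConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	names := make([]string, 0, len(cfg.MCPServers))
	for n := range cfg.MCPServers {
		names = append(names, n)
	}
	sort.Strings(names)

	var out []Finding
	for _, name := range names {
		s := cfg.MCPServers[name]
		if s.Command == "npx" || s.Command == "uvx" {
			if spec := packageSpec(s.Args); spec != "" && !pinned(spec) {
				hint := "npx -y " + spec + "@<version>"
				if s.Command == "uvx" {
					hint = "uvx " + spec + "==<version>"
				}
				out = append(out, Finding{"HIGH", name, "mcp-config-unpinned-" + s.Command,
					"fix: pin version → " + hint})
			}
		}
		for i, a := range s.Args {
			if metachar.MatchString(a) {
				// hypothetical rule name, not one of Aguara's catalogued ids
				out = append(out, Finding{"MEDIUM", name, "mcp-config-shell-metachar",
					fmt.Sprintf("args[%d] contains shell metacharacters: %q", i, a)})
			}
		}
		keys := make([]string, 0, len(s.Env))
		for k := range s.Env {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		for _, k := range keys {
			if secretKey.MatchString(k) && !strings.HasPrefix(s.Env[k], "${") {
				// hypothetical rule name, not one of Aguara's catalogued ids
				out = append(out, Finding{"HIGH", name, "mcp-config-hardcoded-secret",
					fmt.Sprintf("env %s is a literal; reference it as ${%s} instead", k, k)})
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := CheckMCPConfig([]byte(sampleMCP))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s\n  %s\n", f.Severity, f.Server, f.Rule, f.Detail)
	}
}
```

The pinned check deliberately ignores the scope's leading "@": a naive strings.Contains(spec, "@") would report every scoped package as pinned and miss exactly the case the sample finding shows.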

CI workflow trust chains

pull_request_target chains, cache poisoning across fork boundaries, OIDC token harvest, mutable action refs, persisted-credentials checkouts on PR head refs.

MEDIUM .github/workflows/ci.yml:31 ci-trust-mutable-ref action uses @main, pin to a SHA
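The mutable-ref check behind the sample finding above (ci-trust-mutable-ref), as an added Go example that is not Aguara's analyzer. It scans every uses: line of a constructed workflow, treats only a full 40-hex commit SHA as immutable, and, going one step beyond the page's @main example, also flags docker:// images that lack an @sha256: digest. CheckWorkflowRefs and refKind are assumed names; the 40-hex value in the sample is a placeholder, not a real commit.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed workflow excerpt for the example. The 40-hex value is a
// placeholder with the shape of a commit SHA, not a real actions/setup-node commit.
const sampleWorkflow = `name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
        with:
          node-version: 20
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
      - uses: some-org/deploy-action@main
`

// Finding mirrors the fields shown in this page's sample output.
type Finding struct {
	Severity string
	File     string
	Line     int
	Rule     string
	Detail   string
}

var (
	usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^\s"'#]+)`)
	fullSHA  = regexp.MustCompile(`^[0-9a-f]{40}$`)
	tagLike  = regexp.MustCompile(`^v?\d`)
)

// refKind classifies the part after the last "@": a full commit SHA is immutable,
// a semver-looking tag can be moved by the action owner, anything else is a branch.
func refKind(ref string) string {
	switch {
	case fullSHA.MatchString(ref):
		return "sha"
	case tagLike.MatchString(ref):
		return "tag"
	default:
		return "branch"
	}
}

// CheckWorkflowRefs scans every "uses:" line and reports references that can
// change after review. Local actions (./...) are skipped; docker:// images
// count as pinned only with an @sha256: digest.
func CheckWorkflowRefs(file, body string) []Finding {
	var out []Finding
	for i, line := range strings.Split(body, "\n") {
		m := usesLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		uses, lineNo := m[1], i+1
		if strings.HasPrefix(uses, "./") {
			continue // local action, versioned with the repo itself
		}
		if strings.HasPrefix(uses, "docker://") {
			if !strings.Contains(uses, "@sha256:") {
				out = append(out, Finding{"MEDIUM", file, lineNo, "ci-trust-mutable-ref",
					fmt.Sprintf("image %s is not digest-pinned", uses)})
			}
			continue
		}
		at := strings.LastIndex(uses, "@")
		if at < 0 {
			out = append(out, Finding{"MEDIUM", file, lineNo, "ci-trust-mutable-ref",
				fmt.Sprintf("action %s has no @ref", uses)})
			continue
		}
		action, ref := uses[:at], uses[at+1:]
		if kind := refKind(ref); kind != "sha" {
			out = append(out, Finding{"MEDIUM", file, lineNo, "ci-trust-mutable-ref",
				fmt.Sprintf("action %s uses @%s (%s), pin to a SHA", action, ref, kind)})
		}
	}
	return out
}

func main() {
	for _, f := range CheckWorkflowRefs(".github/workflows/ci.yml", sampleWorkflow) {
		fmt.Printf("%s %s:%d %s %s\n", f.Severity, f.File, f.Line, f.Rule, f.Detail)
	}
}
```

Tags are reported alongside branches on purpose: a tag like v4 is a mutable pointer the action owner can move, so only a full commit SHA, optionally with the tag in a trailing comment for readability, is a real pin.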

Install in under 30 seconds.
Pin both refs in CI.

Pick the path that matches how you ship security tooling. Every release is signed with Cosign keyless and ships an SPDX SBOM.

$ brew install garagon/tap/aguara
$ aguara check .

Simplest local install on macOS or Linux. Auto-updates via brew upgrade.

$ docker run --rm \
    -v "$PWD:/repo:ro" \
    ghcr.io/garagon/aguara:0.18.2 \
    check /repo

Multi-arch (linux/amd64 + linux/arm64), non-root UID 10001, digest-pinned base, image signed with cosign + SBOM + SLSA provenance.

$ curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh \
    | VERSION=v0.18.2 sh
$ aguara check .

Override location for CI / containers with INSTALL_DIR=/usr/local/bin. install.sh verifies SHA256 against the release's checksums.txt.

# .github/workflows/security.yml
- uses: garagon/aguara@v0.18.2
  with:
    path: .
    severity: medium
    fail-on: high
    format: sarif
    version: v0.18.2

Pin both the action ref and the version: input. The action ref pins the workflow wrapper. version: pins the Aguara binary.

$ go install github.com/garagon/aguara/cmd/aguara@v0.18.2
$ aguara version

For developers building from source. Requires Go 1.25+. Source builds report dev metadata; for signed releases use Homebrew, Docker, or the install script.

Eight ecosystems.
One question: am I exposed?

Aguara checks local package evidence: lockfiles before install where supported, and installed dependency trees after install. Strong exact-version malicious-package coverage is available for npm/pnpm, PyPI, RubyGems, and NuGet. Other ecosystems are parser-ready with coverage expanding as range-aware matching lands.

Surface          | Inputs                                                   | Current coverage
npm (incl. pnpm) | node_modules, pnpm .pnpm store, pnpm-lock.yaml            | Strong malicious-package coverage. pnpm-lock.yaml works before install.
PyPI             | site-packages, .pth, pip/uv caches                        | Strong malicious-package + persistence coverage
RubyGems         | Gemfile.lock                                              | Strong malicious-package coverage
NuGet            | packages.lock.json, *.csproj, *.fsproj, *.vbproj          | Strong exact-version malicious-package coverage
Go               | go.sum, go.mod                                            | Parser ready; limited exact-version embedded matches today
crates.io        | Cargo.lock (public registry only)                         | Parser ready; range-aware OSV matching deferred
Packagist        | composer.lock                                             | Parser ready; range-aware OSV matching deferred
Maven / Gradle   | pom.xml, gradle.lockfile, gradle/dependency-locks/*       | Parser ready; range-aware OSV matching deferred

Aguara is not a full SCA.
It complements one.

Aguara stays focused on known compromised packages and high-confidence trust-point failures for AI-agent and supply-chain workflows. General CVE / range matching is a different problem.

Use Aguara when

  • You want a deterministic check that runs locally and in CI without uploading source, prompts, or dependency data.
  • You need to gate before an install-time script or an AI agent trusts third-party content.
  • You ship pnpm / Go / Rust / Ruby / .NET projects and want pre-install lockfile checks against known compromised versions.
  • You want a single signed binary you can verify with Cosign, with SBOM and SLSA provenance.

Reach for a full SCA platform when

  • You need range-aware vulnerability matching across every CVE in every ecosystem.
  • You want a hosted dashboard with cross-repo aggregation and SLA-driven triage workflows.
  • You need policy enforcement at the registry layer or license-compliance reporting.
  • You want managed remediation PRs across hundreds of repos.

Give your agent
a local security scanner.

mcp-aguara exposes the same Aguara scanner as an MCP server, so a compatible agent can request a local check before it trusts a third-party tool, a pasted config, or skill content. No network, no LLM, fast local scans.

step 1 · agent: the AI agent issues tool_call: scan_content with arg ./untrusted-skill.md (over MCP)
step 2 · server: mcp-aguara imports aguara as a Go library and runs the scan in-process; no shell-out
step 3 · verdict: Finding HIGH prompt-injection at line 47 · do not trust

Or run it as a CLI without an agent

aguara scan --auto

Discovers and scans every MCP config on this machine across 17 supported clients in one pass.

aguara scan .claude/skills --ci

Scan skill files for prompt injection, hidden instructions, and command execution.

go install github.com/garagon/mcp-aguara@latest

Install the MCP server, then claude mcp add aguara -- mcp-aguara wires it into the agent.

17 MCP clients auto-detected: Claude Desktop · Cursor · VS Code · Cline · Windsurf · OpenClaw · OpenCode · Zed · Amp · Gemini CLI · Copilot CLI · Amazon Q · Claude Code · Roo Code · Kilo Code · BoltAI · JetBrains

View mcp-aguara on GitHub →

One workflow.
Deterministic exit code.

SARIF lands directly in GitHub Code Scanning. JSON for custom tooling. Markdown for PR summaries. Terminal for humans. Pin both the action ref and the binary version.

GitHub Action

# .github/workflows/security.yml
name: Aguara
on:
  pull_request:
  push:
    branches: [main]

jobs:
  aguara:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: garagon/aguara@v0.18.2
        with:
          path: .
          severity: medium
          fail-on: high
          format: sarif
          version: v0.18.2

Inputs: path, severity, fail-on, format (sarif default), upload-sarif, version. SARIF upload requires security-events: write and is free for public repositories.

Verifiable from binary
to bill of materials.

A security scanner that you cannot verify is just code you trust on faith. Every Aguara release ships with three things you can check.

Cosign keyless signature

Every release archive and Docker image is signed at the digest with Cosign. Verify the signer is the release GitHub Actions workflow at the tagged ref.

SPDX SBOM per archive

Every release ships a complete SPDX 2.3 software bill of materials. Container images carry the SBOM as a BuildKit attestation on the OCI index.

SLSA build provenance

Container images include SLSA build provenance attestations so you can verify which workflow, which commit, and which runner produced the bits you ran.

Verify a release archive

$ VERSION=v0.18.2
$ ARCHIVE=aguara_${VERSION#v}_linux_amd64.tar.gz

$ curl -fsSLO https://github.com/garagon/aguara/releases/download/${VERSION}/${ARCHIVE}
$ curl -fsSLO https://github.com/garagon/aguara/releases/download/${VERSION}/checksums.txt
$ curl -fsSLO https://github.com/garagon/aguara/releases/download/${VERSION}/checksums.txt.bundle

$ cosign verify-blob \
    --bundle checksums.txt.bundle \
    --certificate-identity "https://github.com/garagon/aguara/.github/workflows/release.yml@refs/tags/${VERSION}" \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
    checksums.txt

$ sha256sum --check --ignore-missing checksums.txt

For the container image: cosign verify ghcr.io/garagon/aguara:0.18.2 with the matching --certificate-identity for docker.yml.

219 detections, versioned with the binary.

193 YAML pattern rules plus 26 analyzer-emitted detections for cases that need structure or correlation. CI results stay reproducible when the binary version is pinned.

Rule categories: supply-chain · prompt-injection · credential-leak · exfiltration · mcp-config · github-actions-trust · command-execution · unicode-evasion · toxic-flow
Browse rules on GitHub →

One binary between you and a malicious package.

Apache-2.0. Signed releases. Pin it in CI.