Command args can leak through logs, process lists, shell history, and agent transcripts.
AI agent security / MCP / local automation
Find the secrets normal scanners miss in agent-era repos.
agent-secret-guard is a 5-minute safety check for AI coding agent, MCP, and local automation repositories. It catches risky config before it becomes a public GitHub mistake.
npx agent-secret-guard scan . --fail-on high
Scan AGENTS.md, CLAUDE.md, Cursor rules, Codex config, and local automation notes.
Catch broad workflow permissions and unsafe release automation before they ship.
Flag cookie stores, credential paths, and broad filesystem roots that agents should not see.
Why it exists
AI coding agents moved secrets into new places.
Traditional secret scanners are still essential. Keep using GitHub Secret Scanning, gitleaks, TruffleHog, detect-secrets, and secretlint. This tool focuses on the layer those tools may not prioritize: agent instructions, MCP configs, local automation notes, browser profiles, credential stores, and workflow permissions.
It is local-first: files are scanned locally, reports are printed locally, and no remote service receives your findings.
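To make the MCP config risks named above concrete (secrets passed as command args, broad filesystem roots), here is an added example; it is not agent-secret-guard's own code or rule set. It assumes the common `mcpServers` JSON layout, and the function name, rule names, severities, package names and sample config are constructed for illustration.

```javascript
// Added illustration; not agent-secret-guard's code or rule set.
// Assumes the common `mcpServers` layout: { name: { command, args, env } }.
const SECRET_FLAG = /^--?(?:api[-_]?key|token|secret|password)(?:=(.+))?$/i;
const BROAD_ROOTS = new Set(["/", "~", "$HOME", "/home", "/Users", "C:\\"]);

function checkMcpConfig(config) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers ?? {})) {
    const args = (server.args ?? []).map(String);
    args.forEach((arg, i) => {
      const m = SECRET_FLAG.exec(arg);
      if (m) {
        // Value is either inline (--token=abc) or the next argument (--token abc).
        const value = m[1] ?? args[i + 1] ?? "";
        // A ${VAR} reference keeps the literal out of the repo, but once
        // expanded the value still sits in argv, so it is flagged at medium.
        const isReference = /^\$\{?\w+\}?$/.test(value);
        if (value) {
          findings.push({ server: name, rule: "secret-in-args",
                          severity: isReference ? "medium" : "high" });
        }
      }
      // Strip trailing slashes so "/home/" is treated like "/home".
      if (BROAD_ROOTS.has(arg.replace(/(.)\/+$/, "$1"))) {
        findings.push({ server: name, rule: "broad-filesystem-root", severity: "medium" });
      }
    });
  }
  return findings;
}

// Constructed sample config; server and package names are hypothetical.
const sampleConfig = {
  mcpServers: {
    issues: { command: "npx", args: ["-y", "example-issues-mcp", "--token", "EXAMPLE_TOKEN_VALUE"] },
    files: { command: "npx", args: ["-y", "example-files-mcp", "/"] },
    safe: { command: "npx", args: ["-y", "example-issues-mcp"], env: { ISSUES_TOKEN: "${ISSUES_TOKEN}" } },
  },
};

for (const f of checkMcpConfig(sampleConfig)) {
  console.log(`${f.severity.toUpperCase()} ${f.server}: ${f.rule}`);
}
```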
GitHub Actions
Add it to pull requests.
The dedicated wrapper is live on GitHub Marketplace, so teams can add the scanner without writing custom CI shell steps.
name: Agent Secret Guard
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: aolingge/agent-secret-guard-action@v0.1.4
        with:
          path: .
          fail-on: high
Before you publish