CipherNest
Open Source AI Application Security Platform

Most security tools were built before AI agents existed.
CipherNest was built for the world where your code ships with an LLM attached to a database.
Why CipherNest?
Most security tools stop at source code.
CipherNest secures the entire AI application stack from a single security engine:

| Layer | Coverage |
|-------|----------|
| Application Code | ✓ |
| AI Prompts | ✓ |
| AI Agents | ✓ |
| MCP Servers | ✓ |
| Secrets & Credentials | ✓ |
| Dependencies & Supply Chain | ✓ |
| GitHub Actions & CI/CD | ✓ |
| Docker & Containers | ✓ |
| Kubernetes | ✓ |
| Infrastructure as Code | ✓ |
| Runtime MCP Tool Calls | ✓ |
| Attack Chains & Threat Paths | ✓ |
Screenshots: Security Dashboard · Attack Graph · NPM Shield · Agent Permission Map
Comparison

| Feature | CipherNest | Semgrep | Snyk | SonarQube |
|---------|------------|---------|------|-----------|
| Code Security | ✓ | ✓ | ✓ | ✓ |
| LLM Security | ✓ | ✗ | Partial | ✗ |
| MCP Security | ✓ | ✗ | ✗ | ✗ |
| Agent Security | ✓ | ✗ | ✗ | ✗ |
| Prompt Injection | ✓ | ✗ | ✗ | ✗ |
| Attack Graphs | ✓ | Partial | Partial | ✗ |
| Runtime MCP Gateway | ✓ | ✗ | ✗ | ✗ |
| Security Benchmark | ✓ | ✗ | ✗ | ✗ |
Quick start

```bash
npx ciphernest scan .
ciphernest benchmark .
```

Add CipherNest to any AI agent through MCP:

```json
{
  "mcpServers": {
    "ciphernest": {
      "command": "npx",
      "args": ["-y", "@ciphernest/mcp-server"]
    }
  }
}
```
What CipherNest covers

| Layer | What it scans |
|-------|---------------|
| Code | OWASP Top 10 — SQLi, XSS, eval, path traversal, XXE, SSRF, RCE |
| LLM / AI | OWASP LLM Top 10 — prompt injection, excessive agency, insecure output, training poisoning |
| Secrets | 21 provider patterns — OpenAI, AWS, GitHub, Stripe, Anthropic, GCP, Twilio, SendGrid |
| Dependencies | CVE lookup via OSV.dev for npm and pip |
| MCP configs | Dangerous tool permissions, wildcard grants, missing auth in Claude/Cursor/Cline configs |
| AI Agents | LangChain, CrewAI, AutoGen, OpenAI Agents — tool over-permissioning, missing human-in-the-loop |
| Supply chain | Typosquat detection, install script analysis, lockfile integrity, dependency confusion |
| CI/CD | GitHub Actions and GitLab CI — script injection, unpinned actions, secret leaks |
| Docker | Dockerfile hardening — root user, secrets in layers, privileged mode |
| IaC | Terraform, CloudFormation, Kubernetes — public S3, open security groups, unencrypted storage |
Run anywhere
CipherNest is a monorepo. All scanner logic lives once in @ciphernest/core. Every client is a thin wrapper.
CLI

```bash
npx ciphernest scan .
```

```text
╔═══════════════════════════════╗
║ CipherNest Security Scanner   ║
╚═══════════════════════════════╝

── CODE ──────────────────────────────
[CRITICAL] CODE001 Dangerous eval()
           src/api.ts:42
           Fix: Replace eval() with JSON.parse() or safer alternatives

── SECRET ────────────────────────────
[CRITICAL] SEC001 OpenAI API Key
           config.ts:7 sk-proj-ab***REDACTED***

── LLM ───────────────────────────────
[HIGH    ] LLM001 Direct Prompt Injection Risk
           src/chat.ts:18

12 finding(s)  6 critical  6 high  0 medium
Security Grade: C (score: 65/100)
✅ PASS — no findings at or above high severity
```

Options:

```bash
ciphernest scan .                          # table output (default)
ciphernest scan . --format json            # JSON output
ciphernest scan . --format sarif           # SARIF for GitHub Code Scanning
ciphernest scan . --severity high          # only high and above
ciphernest scan . --fail-on critical       # exit 1 only on critical
ciphernest scan . --no-llm --no-agent      # skip specific scanners
```
GitHub Action

```yaml
- name: CipherNest Security Scan
  uses: ciphernest/scan-action@v1
- name: Upload SARIF to Code Scanning
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: ciphernest-results.sarif
```
On every pull request, CipherNest posts:
- Inline annotations in the diff (red for critical/high, yellow for medium)
- A PR comment with the security grade and scanner breakdown
- A SARIF file for GitHub Code Scanning integration
## 🟠 CipherNest Security Scan
Security Grade: B (82/100)
| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 2 |
| 🟡 Medium | 5 |
### Top Findings
| Rule | Severity | Name | Location |
|----------|----------|---------------------------|-----------------|
| `LLM001` | 🟠 high | Direct Prompt Injection | `chat.ts:18` |
| `CICD002`| 🟠 high | Unpinned GitHub Action | `ci.yml:14` |
Action inputs:

```yaml
- uses: ciphernest/scan-action@v1
  with:
    path: "."
    severity: "low"
    fail-on: "high"
    post-pr-comment: "true"
    sarif-output: "ciphernest-results.sarif"
```
MCP Server
Add CipherNest to any AI agent — Claude Desktop, Cursor, Windsurf, LangGraph, Mastra, OpenAI Agents:

```json
{
  "mcpServers": {
    "ciphernest": {
      "command": "npx",
      "args": ["-y", "@ciphernest/mcp-server"]
    }
  }
}
```
Available tools:

| Tool | Description |
|------|-------------|
| scan_repository | Full scan of a local directory — all scanners, returns grade + findings |
| scan_code | Scan a code snippet for OWASP Top 10 vulnerabilities |
| scan_llm_code | Scan LLM/agent code for OWASP LLM Top 10 risks |
| scan_secrets | Detect hardcoded secrets and credentials |
| scan_mcp_config | Audit an MCP server config for dangerous permissions |
| scan_agent_code | Audit agent tool registrations for excessive permissions |
| scan_cicd | Scan CI/CD pipeline files for supply chain risks |
| get_security_score | Compute score and grade from a finding list |
VS Code Extension
Install from the marketplace or:

```bash
code --install-extension ciphernest-0.7.0.vsix
```

Findings appear inline as diagnostics. Open the CipherNest sidebar for the tree view, score, and attack graph.
Architecture
Every product surface uses the same scanner, rules, scoring, policy, and attack-graph engine.

```text
packages/
├── core/            @ciphernest/core — single source of truth for all scan logic
│   └── src/
│       ├── engine.ts       SecurityEngine orchestrator
│       ├── types.ts        Finding, SecurityScore, Severity, ScanInput
│       ├── rules/          codeRules, llmRules, secretRules, agentRules
│       ├── scanners/       All scanners (vscode-agnostic)
│       ├── scoring/        scoreEngine — A–F grade
│       ├── policy/         policyEngine — .ciphernest.json
│       ├── attackGraph/    graphBuilder — Mermaid diagrams
│       └── npmShield/      supply chain scanner
│
├── cli/             ciphernest — npm binary
├── github-action/   ciphernest/scan-action — SARIF + PR comments
└── mcp-server/      @ciphernest/mcp-server — MCP tools for AI agents
src/                 VS Code extension — thin adapters over @ciphernest/core
```
Policy as code
Configure with .ciphernest.json at the project root (the trailing comma after the last key has been removed so the file parses as valid JSON):

```json
{
  "version": 1,
  "severityThreshold": "low",
  "enabledScanners": ["code", "llm", "secret", "dependency", "mcp", "agent"],
  "disabledRules": ["CODE014"],
  "severityOverrides": { "SEC010": "high" },
  "excludePatterns": ["**/node_modules/**", "**/*.test.ts"],
  "ciFailThreshold": "high",
  "ciMaxFindings": 0,
  "complianceFrameworks": ["gdpr", "hipaa", "pci", "dpdp"],
  "approvedLLMProviders": ["openai", "anthropic"],
  "autoScanOnOpen": true
}
```

Generate a scaffold with the command `CipherNest: Create .ciphernest.json Policy`.
Scoring

| Grade | Score | Meaning |
|-------|-------|---------|
| A | 90–100 | Production-ready |
| B | 75–89 | Minor issues |
| C | 60–74 | Review before shipping |
| D | 40–59 | Significant risk |
| F | 0–39 | Block deployment |
Deductions: Critical = 25 pts · High = 10 pts · Medium = 4 pts · Low = 1 pt. Per-scanner cap prevents one noisy scanner from zeroing the overall score.
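Worked scoring example, added here and not the project's own scoreEngine: it applies the documented deductions and grade bands and shows the per-scanner cap keeping one noisy scanner from sinking the whole score. The cap value (30) is an assumption, since the README does not state it.

```typescript
// Added example, not CipherNest's scoreEngine: the documented deduction table and
// A-F bands, with a per-scanner cap. The cap value is an assumption.
type Severity = "critical" | "high" | "medium" | "low";
type Grade = "A" | "B" | "C" | "D" | "F";

interface Finding {
  ruleId: string;   // e.g. "LLM001"
  scanner: string;  // e.g. "code", "llm", "secret"
  severity: Severity;
}

interface SecurityScore {
  score: number;
  grade: Grade;
  deductions: Record<string, number>; // per scanner, after the cap is applied
}

// Deductions as documented: Critical 25, High 10, Medium 4, Low 1
const DEDUCTION: Record<Severity, number> = { critical: 25, high: 10, medium: 4, low: 1 };

// Grade bands as documented
function gradeFor(score: number): Grade {
  if (score >= 90) return "A";
  if (score >= 75) return "B";
  if (score >= 60) return "C";
  if (score >= 40) return "D";
  return "F";
}

// perScannerCap = 30 is an assumed value; pass Infinity to see the uncapped score
function computeScore(findings: Finding[], perScannerCap: number = 30): SecurityScore {
  const deductions: Record<string, number> = {};
  for (const f of findings) {
    deductions[f.scanner] = (deductions[f.scanner] ?? 0) + DEDUCTION[f.severity];
  }
  let total = 0;
  for (const scanner of Object.keys(deductions)) {
    deductions[scanner] = Math.min(deductions[scanner], perScannerCap);
    total += deductions[scanner];
  }
  const score = Math.max(0, 100 - total);
  return { score, grade: gradeFor(score), deductions };
}

// Constructed sample: one real LLM finding plus a noisy secret scanner (12 mediums)
const SAMPLE_FINDINGS: Finding[] = [{ ruleId: "LLM001", scanner: "llm", severity: "high" }];
for (let i = 1; i <= 12; i++) {
  SAMPLE_FINDINGS.push({ ruleId: `SEC0${i}`, scanner: "secret", severity: "medium" });
}

console.log(computeScore(SAMPLE_FINDINGS).score);           // 60, grade C
console.log(computeScore(SAMPLE_FINDINGS, Infinity).score); // 42, grade D
```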
Benchmark results
Run the AI application security benchmark:

```bash
ciphernest benchmark .
```

| Benchmark | Detected |
|-----------|----------|
| OWASP Top 10 | 94/100 |
| OWASP LLM Top 10 | 46/50 |
| MCP Security | 27/30 |
| Supply Chain | 39/45 |

```text
Prompt Injection Score   91  ████████████████████░  A
Agent Security Score     88  ████████████████████░  B+
MCP Security Score       93  █████████████████████  A
Supply Chain Score       84  ████████████████████░  B
Infrastructure Score     81  ███████████████████░░  B-
Overall Security Score   87  Grade: B+
```
Rule reference
Code rules (CODE001–020)

| ID | Name | Severity |
|----|------|----------|
| CODE001 | eval() — arbitrary code execution | Critical |
| CODE002 | exec() with dynamic input — OS command injection | Critical |
| CODE003 | String concatenation in SQL — SQL injection | Critical |
| CODE004 | innerHTML with dynamic content — XSS | High |
| CODE005 | Unsafe object merge — prototype pollution | High |
| CODE006 | Unvalidated file path — path traversal | High |
| CODE007 | Math.random() — not cryptographically secure | Medium |
| CODE008 | Hardcoded password | Critical |
| CODE009 | TLS verification disabled | High |
| CODE010 | MD5/SHA1 — broken hash algorithm | Medium |
| CODE011 | Unsafe XML parsing — XXE | High |
| CODE015 | Wildcard CORS | High |
| CODE016–020 | SSRF, CSRF, race condition, ReDoS, open redirect | Medium–High |
LLM / AI rules (LLM001–018)

| ID | Name | OWASP LLM | Severity |
|----|------|-----------|----------|
| LLM001 | Prompt injection — unsanitized user input | LLM01 | Critical |
| LLM002 | Insecure output handling — raw response to client | LLM02 | High |
| LLM004 | Raw LLM output rendered as HTML | LLM02 | High |
| LLM005 | PII/key in prompt | LLM06 | High |
| LLM007 | Agent with unrestricted file write | LLM08 | Critical |
| LLM008 | Agent with database write/delete | LLM08 | Critical |
| LLM011 | LangChain agent without tool restrictions | LLM08 | High |
| LLM014 | AutoGen agent missing human approval | LLM08 | High |
| LLM018 | Shadow AI — unapproved LLM provider | LLM09 | Medium |
Secret patterns (SEC001–021)
OpenAI · Anthropic · AWS · Google · GitHub · Stripe · Slack · Twilio · SendGrid · Mailgun · Cloudflare · HuggingFace · Pinecone · Weaviate · MongoDB Atlas · Generic high-entropy secret
CI/CD rules (CICD001–010+)

| ID | Name | Severity |
|----|------|----------|
| CICD001 | pull_request_target with code checkout | Critical |
| CICD002 | Unpinned action (@main, @latest) | Critical |
| CICD003 | Script injection via github.event context | High |
| CICD004 | Secret exposed in run: command | High |
| CICD005 | permissions: write-all | Critical |
Docker and IaC rules
Docker: FROM :latest · Running as root · Secret in ENV/ARG · --privileged flag · Missing HEALTHCHECK
IaC: S3 public ACL · Security group 0.0.0.0/0 · RDS publicly accessible · No encryption at rest · IAM * wildcard · K8s privileged pod
GitHub App
Not an Action — an App. Inline PR comments per finding, like CodeQL and SonarQube:

```text
LLM001 — Prompt Injection Risk
User input passed to LLM without sanitization on line 42.
Attacker can override system instructions and gain tool access.

Suggested fix:
sanitizeInput(userMessage) before passing to chain.invoke()
```
Runtime MCP Gateway
Move from scan-before-deploy to monitor-while-running. A proxy layer that intercepts MCP tool calls before they execute:

```text
Agent
  ↓
CipherNest Gateway
  ↓  (inspects: tool name, parameters, calling context)
Tool
```

Blocks: delete operations, exfiltration patterns, privilege escalation, prompt injection in tool output.
Security Reasoning Engine
Move from rules → findings to rules → findings → explanation:

```text
Current: LLM001 detected at chat.ts:42

Future:  Prompt injection at chat.ts:42.
         Attacker controlling user_input can override the system prompt,
         gain access to the file_write tool registered at agents.ts:17,
         and exfiltrate /etc/passwd via the HTTP callback in tools.ts:91.
         Business impact: complete agent compromise, data breach.
```
Marketplace rules (packages/rules)
Rules extracted into a standalone package so the community can contribute and enterprises can buy packs:

```bash
npm install @ciphernest/rules-enterprise
npm install @ciphernest/rules-hipaa
npm install @ciphernest/rules-pci
```
Security
Triage and suppression
Suppress a false positive with a tracked reason using the command `CipherNest: Suppress Finding`.
All suppressions are stored in .ciphernest-suppressions.json and visible in the triage report. The audit log captures every suppression with timestamp and author.
License
MIT © Vairamuthu