
AI security gateway and static analysis
AI-first cloud security. EEG catches AI-specific risks in agent code and at runtime — before and after you ship.
Source: github.com/promptagainstthemachine/EEG · PyPI: eeg-security
| Surface | How |
|---|---|
| Static (SAST) | eeg --headless / eeg scan — catalog profiles over your repo |
| Dynamic (gateway) | eeg --gateway-wrap URL — local EEG runtime in front of an AI app |
| Console | eeg --serve — full OSS web app (Django) |
| CI | GitHub Action + CLI exit codes / SARIF |
| Distribute | Publish eeg-security to PyPI |
Need the commercial platform? See EEG for Enterprise.
Installation
pip install eeg-security
This installs the full package: CLI (scan / gateway-wrap), rules, and the OSS dashboard (eeg --serve).
Cloud extras (optional):
pip install eeg-security[aws]
pip install eeg-security[azure]
pip install eeg-security[gcp]
pip install eeg-security[all]
From source:
git clone https://github.com/promptagainstthemachine/EEG.git
cd EEG
pip install -e ".[dev]"
Quick start
# Static catalog scan (default profile: code)
eeg --headless .
eeg --headless ./my-agent --profile full --format sarif -o eeg-results.sarif
eeg scan ./my-agent --profile agent --fail-on high
# List profiles
eeg profiles
# Dynamic runtime gateway
eeg --gateway-wrap https://myaiapp.example --port 8787
# OSS web UI
eeg --serve --host 127.0.0.1 --port 8000
Module form (useful in CI):
python -m eeg --headless . --profile code --format sarif -o eeg-results.sarif
python -m eeg scan . --profile code --fail-on high
CLI modes
Static — --headless / scan
Runs scan profiles from eeg/rules/catalog.yaml against a directory.
| Option | Values | Default |
|---|---|---|
target |
path | . |
--profile |
code agent full model dep |
code |
--format |
json sarif |
json |
--output / -o |
file | stdout |
--fail-on |
none low medium high critical any |
high |
--cloud |
aws azure gcp any |
unset |
--include-model |
flag | off |
--pretty / --verbose |
flags | off |
Profiles
| Profile | Focus |
|---|---|
code |
Code security, forensics, gateway OSS surface |
agent |
Agent / MCP / memory / gateway surfaces |
full |
Broad static pack (+ cloud static when --cloud set) |
model |
Model artifacts |
dep |
Dependency / CVE-oriented scan |
Dynamic — --gateway-wrap
Puts EEG’s runtime gateway in front of an upstream AI HTTP endpoint (OpenAI-style chat completions where possible).
eeg --gateway-wrap https://api.example.com --port 8787
Console — --serve
eeg --serve --host 127.0.0.1 --port 8000
Runtime data defaults to ~/.eeg for PyPI installs (override with EEG_HOME).
Exit codes (CI)
| Code | Meaning |
|---|---|
0 |
Below --fail-on threshold |
1 |
Findings at or above --fail-on |
2 |
Usage / path / execution error |
GitHub Action
name: AI Security Scan
on: [push, pull_request]
jobs:
eeg:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- run: pip install eeg-security
- name: EEG scan
run: python -m eeg scan . --profile code --format sarif --output eeg-results.sarif --fail-on high
What it scans
- Agent & prompt risks — injection, unsafe agency, secrets in prompts/config
- MCP / A2A / gateway surfaces
- Code & forensics rule packs
- Dependencies (
dep/full) - Cloud static — AWS / Azure / GCP when
--cloudis set onfull - Runtime (gateway-wrap) — policy, blocking, attribution
License
MIT — see the repository LICENSE file.
