Breakintelligence
← Open source tools
EEG OSS

Documentation

EEG OSS — Extensive Exposure Guard

AI security gateway & static analysis

AI security gateway and static analysis

AI-first cloud security. EEG catches AI-specific risks in agent code and at runtime — before and after you ship.

Source: github.com/promptagainstthemachine/EEG · PyPI: eeg-security

Surface How
Static (SAST) eeg --headless / eeg scan — catalog profiles over your repo
Dynamic (gateway) eeg --gateway-wrap URL — local EEG runtime in front of an AI app
Console eeg --serve — full OSS web app (Django)
CI GitHub Action + CLI exit codes / SARIF
Distribute Publish eeg-security to PyPI

Need the commercial platform? See EEG for Enterprise.


Installation

pip install eeg-security

This installs the full package: CLI (scan / gateway-wrap), rules, and the OSS dashboard (eeg --serve).

Cloud extras (optional):

pip install eeg-security[aws]
pip install eeg-security[azure]
pip install eeg-security[gcp]
pip install eeg-security[all]

From source:

git clone https://github.com/promptagainstthemachine/EEG.git
cd EEG
pip install -e ".[dev]"

Quick start

# Static catalog scan (default profile: code)
eeg --headless .
eeg --headless ./my-agent --profile full --format sarif -o eeg-results.sarif
eeg scan ./my-agent --profile agent --fail-on high

# List profiles
eeg profiles

# Dynamic runtime gateway
eeg --gateway-wrap https://myaiapp.example --port 8787

# OSS web UI
eeg --serve --host 127.0.0.1 --port 8000

Module form (useful in CI):

python -m eeg --headless . --profile code --format sarif -o eeg-results.sarif
python -m eeg scan . --profile code --fail-on high

CLI modes

Static — --headless / scan

Runs scan profiles from eeg/rules/catalog.yaml against a directory.

Option Values Default
target path .
--profile code agent full model dep code
--format json sarif json
--output / -o file stdout
--fail-on none low medium high critical any high
--cloud aws azure gcp any unset
--include-model flag off
--pretty / --verbose flags off

Profiles

Profile Focus
code Code security, forensics, gateway OSS surface
agent Agent / MCP / memory / gateway surfaces
full Broad static pack (+ cloud static when --cloud set)
model Model artifacts
dep Dependency / CVE-oriented scan

Dynamic — --gateway-wrap

Puts EEG’s runtime gateway in front of an upstream AI HTTP endpoint (OpenAI-style chat completions where possible).

eeg --gateway-wrap https://api.example.com --port 8787

Console — --serve

eeg --serve --host 127.0.0.1 --port 8000

Runtime data defaults to ~/.eeg for PyPI installs (override with EEG_HOME).


Exit codes (CI)

Code Meaning
0 Below --fail-on threshold
1 Findings at or above --fail-on
2 Usage / path / execution error

GitHub Action

name: AI Security Scan
on: [push, pull_request]

jobs:
  eeg:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install eeg-security
      - name: EEG scan
        run: python -m eeg scan . --profile code --format sarif --output eeg-results.sarif --fail-on high

What it scans

  • Agent & prompt risks — injection, unsafe agency, secrets in prompts/config
  • MCP / A2A / gateway surfaces
  • Code & forensics rule packs
  • Dependencies (dep / full)
  • Cloud static — AWS / Azure / GCP when --cloud is set on full
  • Runtime (gateway-wrap) — policy, blocking, attribution

License

MIT — see the repository LICENSE file.