Security posture scanner for AI coding agents.
tripwire inventories the AI tools and Model Context Protocol (MCP) servers configured on a machine, flags plaintext credentials and risky configuration, captures secrets exposed to running agents, tracks drift against an approved baseline, and exports findings as SARIF or Sigma.
It is a single static binary with no dependencies, and runs on Linux, macOS, and Windows.
Developers wire AI agents (Claude Code, Claude Desktop, Cursor, Codex, Windsurf, Continue, VS Code) to MCP servers that read source, secrets, and internal systems. The credentials and permissions these agents receive routinely end up hardcoded in plaintext config files, scoped far too broadly, or injected into a running process where no config scanner can see them. Most teams have no free way to inventory or audit any of it. tripwire is that audit.
Install with `go install`:

```sh
go install github.com/smakarim/tripwire@latest
```

Or download a prebuilt binary from the releases page, or build from source:

```sh
git clone https://github.com/smakarim/tripwire.git
cd tripwire
go build -o tripwire .
```

Run it:

```sh
tripwire                      # scan configs and running agents
tripwire --format json        # machine and SIEM friendly output
tripwire --fail-on critical   # CI gate: non-zero exit on findings
```

tripwire scans two sources:

- Config files: declared MCP servers across all supported tools.
- Runtime: running AI agents and the MCP child processes they spawned, by reading their live environment (Linux `/proc`, macOS `ps`). This catches secrets injected at launch that never appear in any config file. Disable with `--no-runtime`.
| Severity | Rule | Meaning |
|---|---|---|
| critical | PLAINTEXT_SECRET | A recognized API key or token hardcoded in an MCP env or argument (AWS, GitHub, Anthropic, OpenAI, Slack, Google, Stripe, JWT) |
| high | LIKELY_PLAINTEXT_SECRET | An env var named like a secret holding a hardcoded value |
| high | GENERIC_ENTROPY_SECRET | A high-entropy, opaque value that looks like a token (paths, sentences, and URLs filtered out) |
| high | AUTO_APPROVE_RISK | Agent or server runs tools without confirmation (autoApprove, alwaysAllow, --dangerously-skip-permissions, --yolo) |
| high | BROAD_FILESYSTEM_ACCESS | An MCP server scoped to /, $HOME, or similar |
| medium | REMOTE_CODE_EXECUTION | Server launches via npx, uvx, or pipx, which download and run code at launch |
| medium | UNPINNED_PACKAGE | Remote runner package with no version pin or @latest, so a malicious update runs automatically |
| medium | DRIFT_NEW_SERVER | An MCP server not present in the approved baseline |
| info | DRIFT_REMOVED_SERVER | An approved server no longer present |
| info | SECRET_REFERENCE_OK | Credential passed by reference (${VAR}), which is the recommended pattern |
| info | REMOTE_MCP_ENDPOINT | Server connects to a remote URL |

Secrets are never printed. Evidence shows only `[redacted, N chars]`, and JSON output redacts all environment values.
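The runtime scan reads an agent process's environment from /proc and applies the rules above to each variable. The following is an added example, not tripwire's own code, of that pipeline in Go: it parses a `/proc/<pid>/environ` image, classifies variables into PLAINTEXT_SECRET, LIKELY_PLAINTEXT_SECRET, GENERIC_ENTROPY_SECRET and SECRET_REFERENCE_OK, and reduces every piece of evidence to `[redacted, N chars]`. The two token patterns, the name heuristic, the entropy threshold of 3.5 bits per byte, and the sample environment are this example's assumptions, not tripwire's real rule set.

```go
package main

import (
	"fmt"
	"math"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Finding is one result: severity, rule, the variable concerned, and redacted evidence.
type Finding struct{ Severity, Rule, Key, Evidence string }

var (
	// Two well-known credential formats; tripwire's real pattern set is wider.
	knownTokenPatterns = []*regexp.Regexp{
		regexp.MustCompile(`^AKIA[0-9A-Z]{16}$`),    // AWS access key id
		regexp.MustCompile(`^ghp_[A-Za-z0-9]{36}$`), // GitHub personal access token
	}
	// Assumed name heuristic, and the ${VAR} / $VAR reference form that is safe.
	secretNamePattern = regexp.MustCompile(`(?i)secret|token|passw|api_?key|credential`)
	referencePattern  = regexp.MustCompile(`^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$`)
)

// parseEnviron splits the NUL-separated KEY=VALUE records of /proc/<pid>/environ.
func parseEnviron(raw []byte) map[string]string {
	env := make(map[string]string)
	for _, rec := range strings.Split(string(raw), "\x00") {
		if k, v, ok := strings.Cut(rec, "="); ok && k != "" {
			env[k] = v
		}
	}
	return env
}

// redact reports only the length, matching the README's evidence format.
func redact(v string) string { return fmt.Sprintf("[redacted, %d chars]", len(v)) }

// shannonEntropy returns bits per byte; random tokens score well above prose or paths.
func shannonEntropy(s string) float64 {
	counts := map[byte]int{}
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	var h float64
	for _, c := range counts {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// classify applies the rules from most to least specific; nil means benign.
func classify(key, value string) *Finding {
	for _, p := range knownTokenPatterns {
		if p.MatchString(value) {
			return &Finding{"critical", "PLAINTEXT_SECRET", key, redact(value)}
		}
	}
	if referencePattern.MatchString(value) {
		return &Finding{"info", "SECRET_REFERENCE_OK", key, value} // a reference is safe to show
	}
	if value != "" && secretNamePattern.MatchString(key) {
		return &Finding{"high", "LIKELY_PLAINTEXT_SECRET", key, redact(value)}
	}
	// Entropy test only for opaque values: paths, URLs and sentences contain '/' or spaces.
	if len(value) >= 20 && !strings.ContainsAny(value, " /\\") && shannonEntropy(value) > 3.5 {
		return &Finding{"high", "GENERIC_ENTROPY_SECRET", key, redact(value)}
	}
	return nil
}

// scanEnviron classifies every variable, sorted by key so output is stable.
func scanEnviron(env map[string]string) []Finding {
	var out []Finding
	for k, v := range env {
		if f := classify(k, v); f != nil {
			out = append(out, *f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

// sampleEnviron is a constructed /proc/<pid>/environ image; the AWS key is AWS's documented example key.
const sampleEnviron = "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00DB_PASSWORD=hunter2\x00" +
	"GITHUB_TOKEN=${GITHUB_TOKEN}\x00HOME=/home/dev\x00LANG=en_US.UTF-8\x00" +
	"PATH=/usr/bin:/bin\x00SESSION_ID=q8Zr2vLx9TkP4mWn1bYs7HdJ3eFg\x00"

func main() {
	// On Linux, read a live environment as a runtime scan would; elsewhere use the sample.
	raw, err := os.ReadFile("/proc/self/environ")
	if err != nil {
		raw = []byte(sampleEnviron)
	}
	for _, f := range scanEnviron(parseEnviron(raw)) {
		fmt.Printf("%-8s %-24s %s = %s\n", f.Severity, f.Rule, f.Key, f.Evidence)
	}
}
```

On Linux `main` reads the scanner's own environment, which is the same read a runtime scan performs against an agent's child processes (reading another process's environ requires the same user or root, which is why the runtime source is optional); on macOS, where /proc does not exist, it falls back to the constructed sample.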
Output formats:

```sh
tripwire --format text    # default, human readable
tripwire --format json    # JSON (--json is an alias)
tripwire --format sarif   # SARIF 2.1.0 for GitHub Code Scanning
tripwire --format sigma   # Sigma detection rules (YAML, stdout)
```

The exit code is non-zero when a finding at or above `--fail-on` exists (default `high`), so tripwire drops directly into CI or a pre-commit hook.
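As an added example (not tripwire's own code), this Go program shows how a list of findings turns into the two outputs a CI gate needs: a minimal SARIF 2.1.0 log in the shape GitHub Code Scanning ingests, and an exit status driven by the `--fail-on` threshold with `high` as the default. The `Finding` type, the severity-to-SARIF-level mapping, and the sample findings with their file paths are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Finding is one scan result. Example type, not tripwire's own.
type Finding struct {
	Severity string `json:"severity"`
	Rule     string `json:"rule"`
	Message  string `json:"message"`
	File     string `json:"file"`
}

// severityRank orders the README's severities so --fail-on can be compared.
var severityRank = map[string]int{"info": 0, "medium": 1, "high": 2, "critical": 3}

// exitCode is 1 when any finding is at or above the --fail-on threshold
// (default high, as in the README), else 0. An unknown threshold falls back to high.
func exitCode(findings []Finding, failOn string) int {
	threshold, ok := severityRank[failOn]
	if !ok {
		threshold = severityRank["high"]
	}
	for _, f := range findings {
		if severityRank[f.Severity] >= threshold {
			return 1
		}
	}
	return 0
}

// sarifLevel maps severities onto SARIF's result.level values (error, warning,
// note); the mapping is this example's choice.
func sarifLevel(sev string) string {
	switch sev {
	case "critical", "high":
		return "error"
	case "medium":
		return "warning"
	}
	return "note"
}

// sarifReport renders a minimal SARIF 2.1.0 log: one run, one result per finding,
// each tied to the config file it came from so Code Scanning can annotate it.
func sarifReport(findings []Finding) ([]byte, error) {
	results := make([]map[string]any, 0, len(findings))
	for _, f := range findings {
		results = append(results, map[string]any{
			"ruleId":  f.Rule,
			"level":   sarifLevel(f.Severity),
			"message": map[string]any{"text": f.Message},
			"locations": []map[string]any{{
				"physicalLocation": map[string]any{
					"artifactLocation": map[string]any{"uri": f.File},
				},
			}},
		})
	}
	doc := map[string]any{
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"version": "2.1.0",
		"runs": []map[string]any{{
			"tool":    map[string]any{"driver": map[string]any{"name": "tripwire"}},
			"results": results,
		}},
	}
	return json.MarshalIndent(doc, "", "  ")
}

// sampleFindings are constructed; the file paths are illustrative, repo-relative URIs.
var sampleFindings = []Finding{
	{Severity: "critical", Rule: "PLAINTEXT_SECRET", Message: "hardcoded AWS access key in env of server \"aws\"", File: ".claude.json"},
	{Severity: "medium", Rule: "UNPINNED_PACKAGE", Message: "npx package for server \"github\" has no version pin", File: ".cursor/mcp.json"},
	{Severity: "info", Rule: "SECRET_REFERENCE_OK", Message: "GITHUB_TOKEN passed by reference", File: ".cursor/mcp.json"},
}

func main() {
	failOn := "high"
	if len(os.Args) > 1 {
		failOn = os.Args[1] // e.g. `go run . critical`
	}
	out, err := sarifReport(sampleFindings)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Println(string(out))
	os.Exit(exitCode(sampleFindings, failOn))
}
```

Keeping the threshold comparison in a separate function from the rendering is what lets the same findings feed both a human-readable report and a pass/fail gate without re-scanning.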
Record the servers you have reviewed, then flag anything that appears later.

```sh
tripwire --write-baseline tripwire-baseline.json   # approve current state
tripwire --baseline tripwire-baseline.json         # report drift on later scans
```

`--format sigma` emits a pack of Sigma detection rules for AI-agent threats. When combined with `--baseline`, it also emits a rule tailored to your approved set that alerts when an MCP server outside the baseline launches.
```sh
tripwire --format sigma --baseline tripwire-baseline.json > rules.yml
```

The workflow in `.github/workflows/ci.yml` runs formatting, vet, tests, and build on every push and pull request. A useful pre-merge gate:

```sh
tripwire --no-runtime --fail-on high
```

`bash scripts/build-release.sh <version>` cross-compiles binaries for Linux, macOS, and Windows on amd64 and arm64 into `dist/`, with checksums. Pushing a `v*` tag builds and publishes a GitHub release via `.github/workflows/release.yml`.
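The baseline and Sigma features described earlier (approve the current server set, report DRIFT_NEW_SERVER and DRIFT_REMOVED_SERVER on later scans, and emit a Sigma rule tailored to the approved set) are shown together in this added Go example, which is not tripwire's code. It assumes a JSON baseline of `Server` records keyed by tool, name and launch line, a Sigma rule built on the standard `process_creation` log source with a `filter_approved` allowlist, and two constructed inventories in which a package lost its version pin and a new server appeared; tripwire's actual baseline format and generated rules may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Server identifies a configured MCP server: the tool that declares it, its
// name, and its launch command. Example shape, not tripwire's baseline format.
type Server struct {
	Tool    string   `json:"tool"`
	Name    string   `json:"name"`
	Command string   `json:"command"`
	Args    []string `json:"args"`
}

type Finding struct{ Severity, Rule, Message string }

// launchLine is the full command line the server starts with.
func (s Server) launchLine() string {
	return strings.TrimSpace(s.Command + " " + strings.Join(s.Args, " "))
}

// identity keys a server by tool, name and launch line, so a server whose
// package lost its version pin no longer matches its approved entry.
func (s Server) identity() string { return s.Tool + ":" + s.Name + ":" + s.launchLine() }

// readBaseline parses the JSON written by an earlier approval run.
func readBaseline(data []byte) ([]Server, error) {
	var servers []Server
	err := json.Unmarshal(data, &servers)
	return servers, err
}

// diffBaseline emits DRIFT_NEW_SERVER for current servers absent from the
// baseline and DRIFT_REMOVED_SERVER for approved servers no longer present.
func diffBaseline(baseline, current []Server) []Finding {
	approved := map[string]Server{}
	for _, s := range baseline {
		approved[s.identity()] = s
	}
	seen := map[string]bool{}
	var out []Finding
	for _, s := range current {
		seen[s.identity()] = true
		if _, ok := approved[s.identity()]; !ok {
			out = append(out, Finding{"medium", "DRIFT_NEW_SERVER",
				fmt.Sprintf("%s: server %q (%s) is not in the approved baseline", s.Tool, s.Name, s.launchLine())})
		}
	}
	for id, s := range approved {
		if !seen[id] {
			out = append(out, Finding{"info", "DRIFT_REMOVED_SERVER",
				fmt.Sprintf("%s: approved server %q (%s) is no longer present", s.Tool, s.Name, s.launchLine())})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Message < out[j].Message })
	return out
}

// sigmaAllowlistRule renders one Sigma rule: any npx/uvx/pipx process whose
// command line is not an approved launch line fires. The selection fields are
// this example's choice.
func sigmaAllowlistRule(baseline []Server) string {
	lines := make([]string, 0, len(baseline))
	for _, s := range baseline {
		lines = append(lines, s.launchLine())
	}
	sort.Strings(lines)
	var b strings.Builder
	b.WriteString("title: MCP server launched outside approved baseline\nstatus: experimental\n")
	b.WriteString("logsource:\n  category: process_creation\n  product: linux\n")
	b.WriteString("detection:\n  selection:\n    Image|endswith:\n      - '/npx'\n      - '/uvx'\n      - '/pipx'\n")
	b.WriteString("  filter_approved:\n    CommandLine|contains:\n")
	for _, l := range lines {
		fmt.Fprintf(&b, "      - '%s'\n", strings.ReplaceAll(l, "'", "''"))
	}
	b.WriteString("  condition: selection and not filter_approved\nlevel: medium\n")
	return b.String()
}

// Constructed sample inventories: between the two scans the github server lost
// its version pin and a postgres server appeared.
var approvedServers = []Server{
	{Tool: "claude-code", Name: "filesystem", Command: "npx", Args: []string{"-y", "@modelcontextprotocol/server-filesystem@1.0.0", "/home/dev/project"}},
	{Tool: "cursor", Name: "github", Command: "npx", Args: []string{"-y", "@modelcontextprotocol/server-github@1.0.0"}},
}
var currentServers = []Server{
	approvedServers[0],
	{Tool: "cursor", Name: "github", Command: "npx", Args: []string{"-y", "@modelcontextprotocol/server-github"}},
	{Tool: "claude-code", Name: "postgres", Command: "uvx", Args: []string{"mcp-server-postgres"}},
}

func main() {
	data, _ := json.MarshalIndent(approvedServers, "", "  ") // what --write-baseline would store
	baseline, _ := readBaseline(data)
	for _, f := range diffBaseline(baseline, currentServers) {
		fmt.Printf("%-6s %-20s %s\n", f.Severity, f.Rule, f.Message)
	}
	fmt.Print(sigmaAllowlistRule(baseline))
}
```

Because the identity includes the launch line, the unpinned github server shows up as one new server plus one removed server rather than silently matching its pinned predecessor, which is the case a drift check most needs to catch.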
- OCSF event streaming for SIEM ingestion.
- A kernel-level watch daemon (eBPF on Linux, Endpoint Security on macOS) that traces which agent read which file and where the content was sent.
Contributions are welcome. Please read CONTRIBUTING.md and open a pull request from a fork. All pull requests require review and approval before merge.
To report a vulnerability, see SECURITY.md. Please do not open a public issue for security reports.
Licensed under the Apache License 2.0. See LICENSE.