drako
provenance:github:angelnicolasc/drako
AI agent security platform. Scan before you deploy. Block in runtime. No Azure required.
<h1 align="center">Drako 🐉</h1>
<p align="center">
<strong>Scan before you ship. Govern after you deploy.</strong>
</p>
<p align="center">
Scans your codebase, scores your governance posture, flags what's reachable,<br>
connects findings to known advisories. Free, offline, no account required.<br>
Full runtime enforcement when you're ready.
</p>
<p align="center">
<a href="https://pypi.org/project/drako/">
<img src="https://img.shields.io/pypi/v/drako?style=flat-square&color=3776AB&logo=pypi&logoColor=white" alt="PyPI">
</a>
<a href="https://www.python.org/downloads/">
<img src="https://img.shields.io/badge/python-3.10+-3776AB.svg?style=flat-square&logo=python&logoColor=yellow" alt="Python 3.10+">
</a>
<a href="https://github.com/angelnicolasc/drako/actions">
<img src="https://img.shields.io/badge/tests-1489%20passing-2ea44f.svg?style=flat-square&logo=github-actions&logoColor=white" alt="Tests">
</a>
<img src="https://img.shields.io/badge/rules-97-6366F1.svg?style=flat-square" alt="Rules">
<a href="LICENSE">
<img src="https://img.shields.io/badge/license-BUSL--1.1-6366F1.svg?style=flat-square&logo=opensourceinitiative&logoColor=white" alt="License: BUSL-1.1">
</a>
<img src="https://img.shields.io/badge/policy%20eval-%3C2ms-6366F1.svg?style=flat-square" alt="Performance">
</p>
```bash
pip install drako && drako scan .
```
---
## Scan
```
┌─ Drako Scan ─────────────────────────────────────────────┐
│ my-project │ crewai 0.86.0 │ 0.4s │
└──────────────────────────────────────────────────────────┘
Agent BOM: 3 agents │ 12 tools │ 2 models │ 4 prompts
GOVERNANCE: 42/100 [D] ▰▰▰▰▰▰▰▰▱▱▱▱▱▱▱▱▱▱▱▱ 42%
DETERMINISM: 34/100 [F] ▰▰▰▰▰▰▰▱▱▱▱▱▱▱▱▱▱▱▱▱ 34%
Better than 28% of scanned projects
CRITICAL 3 │ HIGH 5 │ MEDIUM 4 │ LOW 2
SEC-001 API key hardcoded in source (src/main.py)
⚠ REACHABLE — used by agent 'researcher'
Related: DRAKO-ABSS-2026-003
Impact: Attacker inherits all agent permissions
Ref: CWE-798, OWASP LLM06
SEC-005 Arbitrary code execution in tool (tools/runner.py)
○ UNREACHABLE — no agent references this tool
DET-001 LLM temperature not set (agents/writer.py)
Impact: Non-deterministic outputs between runs
```
Two scores, two audiences. **Governance** speaks to security teams: are your agents safe? **Determinism** speaks to engineers: will they behave the same way twice?
**Reachability** separates real risks from theoretical ones — a dangerous tool that no agent actually uses is dimmed, not screamed at you.
```bash
drako scan . # Full scan, both scores
drako scan --details # Code snippets + fix suggestions
drako scan --benchmark # Compare against 100 scanned projects
drako scan --baseline # Acknowledge existing issues, only show new ones
drako scan --format sarif # GitHub Code Scanning
drako scan --fail-on critical # CI gate
drako scan --share # Generate shareable score card
drako fix --dry-run # Preview auto-fixes
drako scan --diff HEAD~1 # Only scan changed files
drako history # View policy snapshot history
drako diff v2 v3 # Compare policy versions
drako rollback v2 # Restore previous policy
```
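The reachability idea described above can be sketched with Python's `ast` module. This is an added illustration, not Drako's implementation: the sample source, the `DANGEROUS_CALLS` sink list and the name-based matching of `Agent(..., tools=[...])` are all assumptions.

```python
import ast
# Constructed CrewAI-style sample; it is parsed only, never imported or executed.
SAMPLE = '''
from crewai import Agent
def web_search(q):
    return "results for " + q
def code_runner(src):
    exec(src)
def report_runner(expr):
    return eval(expr)
researcher = Agent(role="researcher", tools=[web_search, report_runner])
writer = Agent(role="writer", tools=[web_search])
'''
DANGEROUS_CALLS = {"exec", "eval"}  # assumed sink list for this illustration

def dangerous_functions(tree):
    """Map function name -> sorted dangerous builtins called in its body."""
    found = {}
    for fn in ast.walk(tree):
        if isinstance(fn, ast.FunctionDef):
            sinks = {c.func.id for c in ast.walk(fn) if isinstance(c, ast.Call)
                     and isinstance(c.func, ast.Name) and c.func.id in DANGEROUS_CALLS}
            if sinks:
                found[fn.name] = sorted(sinks)
    return found

def tools_by_agent(tree):
    """Map agent role -> tool names listed in Agent(..., tools=[...])."""
    agents = {}
    for call in ast.walk(tree):
        if not (isinstance(call, ast.Call) and getattr(call.func, "id", None) == "Agent"):
            continue
        kw = {k.arg: k.value for k in call.keywords}
        role = kw["role"].value if isinstance(kw.get("role"), ast.Constant) else "<unknown>"
        tools = kw.get("tools")
        elts = tools.elts if isinstance(tools, ast.List) else []
        agents[role] = [e.id for e in elts if isinstance(e, ast.Name)]
    return agents

def classify(source):
    """Return {function: (status, [agent roles that list it as a tool])}."""
    tree = ast.parse(source)
    agents = tools_by_agent(tree)
    result = {}
    for fn in dangerous_functions(tree):
        users = sorted(role for role, tools in agents.items() if fn in tools)
        result[fn] = ("REACHABLE" if users else "UNREACHABLE", users)
    return result
print(classify(SAMPLE))
```

Static name matching like this misses tools registered dynamically or through aliases, so an UNREACHABLE result lowers priority but does not prove the code is dead.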
---
## Agent BOM
Standalone inventory. No runtime, no network, pure AST.
```bash
drako bom .
```
```
Agents 3 researcher, writer, reviewer
Tools 12 web_search, file_reader, code_runner, ...
Models 2 gpt-4o, claude-sonnet-4-20250514
MCP 1 server (filesystem)
Prompts 4 system prompts (content hashed, not exposed)
Perms filesystem, network, code_execution
Framework crewai 0.86.0
Vendors OpenAI (model), Anthropic (model)
```
Output formats: `--format text` (default) · `json` · `markdown`
---
## Rules
97 deterministic rules across 16 categories. No LLM in the evaluation loop. Same code, same result, every time. [Full rule reference →](docs/rules/index.md)
| Category | Rules | What it catches |
|----------|-------|-----------------|
| **Security** | SEC-001 → SEC-011 | Hardcoded keys, prompt injection, code execution, filesystem/network access |
| **Governance** | GOV-001 → GOV-011 | No audit logging, no HITL, self-modifying prompts, no fallback |
| **Compliance** | COM-001 → COM-005 | EU AI Act Art. 9, 11, 12, 14 gaps |
| **Determinism** | DET-001 → DET-007 | Temperature not set, no timeout, no retry, no iteration limit, no seed |
| **Vendor Concentration** | VCR-001 → VCR-003 | Same vendor across model + framework + cloud + governance layers |
| **Framework-Specific** | FW-001 → FW-010 | CrewAI delegation risks, AutoGen code exec defaults, LangGraph state issues |
| **Operational Boundaries** | ODD-001 → ODD-004 | No boundary definition, unrestricted tools, no spend cap |
| **Magnitude** | MAG-001 → MAG-003 | No spend cap, no rate limit, unclassified data access |
| **Identity** | ID-001 → ID-003 | Static credentials, shared credentials, no identity |
| **Multi-Agent** | MULTI-001 → MULTI-004 | No topology, circular deps, no conflict protection |
| **Hooks** | HOOK-001 → HOOK-003 | No pre-action validation, no session-end gate |
| **Versioning** | CV-001 → CV-002 | No policy versioning, no audit policy reference |
| **FinOps** | FIN-001 → FIN-003 | No cost tracking, single model for all tasks, no cache |
| **Resilience** | RES-001 → RES-002 | No fallback for critical ops, no state preservation |
| **A2A** | A2A-001 → A2A-003 | No A2A auth, unvalidated inter-agent input |
| **Best Practices** | BP-001 → BP-005 | Outdated framework, no tests, too many tools |
**Vendor Concentration** rules detect when your model, framework, and governance stack come from the same vendor — flagging audit independence risk that vendor-affiliated tools have no incentive to report.
**Framework-Specific** rules detect known governance gaps in the frameworks you use, including default configurations that ship insecure.
Scoring: start at 100, deduct per finding with caps per category. Grades: **A** (90-100) · **B** (75-89) · **C** (60-74) · **D** (40-59) · **F** (0-39)
> **TypeScript/JavaScript:** 17 additional rules (SEC, GOV, COM, DET, ODD) apply when scanning TS/JS projects.
> Install: `pip install drako[typescript]`
---
## Advisories
Drako ships with 25 security advisories in the **DRAKO-ABSS** format (Agent Behavioral Security Standard) — covering OWASP Top 10 for LLMs, MITRE ATLAS techniques, and real CVEs from CrewAI, LangChain, and AutoGen.
Advisories appear inline in scan findings:
```
SEC-007 Prompt injection vulnerability (agents/researcher.py)
Related: DRAKO-ABSS-2026-001 — System Prompt Extraction
Ref: OWASP LLM01:2025, MITRE AML.T0051
```
Each advisory includes: affected configurations, IOC pattern hashes for runtime matching, taint paths, and remediation mapped to Drako rules.
📄 [Browse advisories →](src/drako/data/advisories/) · [ABSS format spec →](docs/abss-format.md)
---
## Baseline
Existing projects get 40+ findings on first scan. The baseline lets teams acknowledge known issues and focus only on **new** ones.
```bash
drako scan . --baseline # save current state
drako scan . # only NEW findings from now on
drako baseline show # what's baselined
drako baseline reset # start fresh
```
- Score always reflects **all** findings — real posture, not a filtered view
- CI pass/fail is based on **new findings only**
- SARIF marks baselined findings as `"baselineState": "unchanged"`
- Baseline file commits to your repo — shared across the team
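A CI step that consumes the SARIF output can apply the same "new findings only" rule by reading `baselineState`. The script below is an added example, not part of Drako: the SARIF fragment is constructed from the README's sample findings, and the mapping of Drako severities to SARIF `level` values is an assumption.

```python
import json
# Constructed SARIF 2.1.0 fragment; rule IDs and messages reuse the README's sample
# findings, and the severity-to-level mapping is assumed, not Drako's documented output.
SARIF = json.loads('''{
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "drako"}}, "results": [
    {"ruleId": "SEC-001", "level": "error", "baselineState": "unchanged",
     "message": {"text": "API key hardcoded in source"}},
    {"ruleId": "SEC-005", "level": "error", "baselineState": "new",
     "message": {"text": "Arbitrary code execution in tool"}},
    {"ruleId": "DET-001", "level": "warning", "baselineState": "new",
     "message": {"text": "LLM temperature not set"}},
    {"ruleId": "SEC-007", "level": "warning",
     "message": {"text": "Prompt injection vulnerability"}}
  ]}]
}''')

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF result levels

def split_by_baseline(sarif):
    """Return (new, baselined) result lists across all runs."""
    new, baselined = [], []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            # A missing baselineState counts as new, so a report produced
            # without a baseline cannot pass the gate by omission.
            state = res.get("baselineState", "new")
            if state == "absent":  # was in the baseline, no longer detected
                continue
            (baselined if state == "unchanged" else new).append(res)
    return new, baselined

def gate(sarif, fail_on="error"):
    """Return (exit_code, blocking_rule_ids) for new findings at or above fail_on."""
    new, _ = split_by_baseline(sarif)
    threshold = LEVEL_RANK[fail_on]
    # SARIF defines "warning" as the default level when the property is absent.
    blocking = sorted(r["ruleId"] for r in new
                      if LEVEL_RANK.get(r.get("level", "warning"), 2) >= threshold)
    return (1 if blocking else 0), blocking

new_results, baselined_results = split_by_baseline(SARIF)
print(f"{len(new_results)} new, {len(baselined_results)} baselined, gate={gate(SARIF)}")
```

The baselined hardcoded key (SEC-001) does not block the build here, which is why the score still counting all findings matters: the gate alone would hide it.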
---
## Observability Dashboard
Drako ships with a **built-in observability dashboard** at [getdrako.com/dashboard](https://getdrako.com/dashboard).
No external tooling required.
<!-- TODO: Replace with actual
[truncated…]
PUBLIC HISTORY
First discovered: Mar 26, 2026
IDENTITY
inferred
Identity inferred from code signals. No PROVENANCE.yml found.
METADATA
platform: github
first seen: Mar 18, 2026
last updated: Mar 25, 2026
last crawled: 16 days ago
version: —
