
drako

provenance:github:angelnicolasc/drako
WHAT THIS AGENT DOES

Drako is a tool designed to assess the safety and predictability of AI agents. It scans your codebase to identify potential security vulnerabilities and governance issues, providing a score for both. Drako highlights risks that are actually reachable by agents, separating critical concerns from theoretical ones. The tool offers full runtime enforcement capabilities when needed and operates offline without requiring an account. It provides a clear overview of your agent's components, including agents, tools, models, and prompts. Drako is valuable for developers and security teams looking to proactively manage the risks associated with AI agent deployments. It helps ensure agents are both secure and behave consistently.

PROBLEM IT SOLVES

Drako solves the problem of understanding and mitigating the risks associated with AI agents, which can be complex and difficult to assess manually. Instead of relying on guesswork or simpler tools, Drako provides a comprehensive and automated way to identify vulnerabilities and ensure agent behavior is predictable.


TECH & STACK
python · ai-agents · security · governance · code-scanning · rag · cli · openai
README
<h1 align="center">Drako 🐉</h1>
<p align="center">
  <strong>Scan before you ship. Govern after you deploy.</strong>
</p>
<p align="center">
  Scans your codebase, scores your governance posture, flags what's reachable,<br>
  connects findings to known advisories. Free, offline, no account required.<br>
  Full runtime enforcement when you're ready.
</p>
<p align="center">
  <a href="https://pypi.org/project/drako/">
    <img src="https://img.shields.io/pypi/v/drako?style=flat-square&color=3776AB&logo=pypi&logoColor=white" alt="PyPI">
  </a>
  <a href="https://www.python.org/downloads/">
    <img src="https://img.shields.io/badge/python-3.10+-3776AB.svg?style=flat-square&logo=python&logoColor=yellow" alt="Python 3.10+">
  </a>
  <a href="https://github.com/angelnicolasc/drako/actions">
    <img src="https://img.shields.io/badge/tests-1489%20passing-2ea44f.svg?style=flat-square&logo=github-actions&logoColor=white" alt="Tests">
  </a>
  <img src="https://img.shields.io/badge/rules-97-6366F1.svg?style=flat-square" alt="Rules">
  <a href="LICENSE">
    <img src="https://img.shields.io/badge/license-BUSL--1.1-6366F1.svg?style=flat-square&logo=opensourceinitiative&logoColor=white" alt="License: BUSL-1.1">
  </a>
  <img src="https://img.shields.io/badge/policy%20eval-%3C2ms-6366F1.svg?style=flat-square" alt="Performance">
</p>

```bash
pip install drako && drako scan .
```

---

## Scan

```
┌─ Drako Scan ─────────────────────────────────────────────┐
│ my-project  │  crewai 0.86.0  │  0.4s                    │
└──────────────────────────────────────────────────────────┘

  Agent BOM: 3 agents │ 12 tools │ 2 models │ 4 prompts

  GOVERNANCE:  42/100 [D] ▰▰▰▰▰▰▰▰▱▱▱▱▱▱▱▱▱▱▱▱  42%
  DETERMINISM: 34/100 [F] ▰▰▰▰▰▰▰▱▱▱▱▱▱▱▱▱▱▱▱▱  34%

  Better than 28% of scanned projects

  CRITICAL  3  │  HIGH  5  │  MEDIUM  4  │  LOW  2

  SEC-001  API key hardcoded in source           (src/main.py)
           ⚠ REACHABLE — used by agent 'researcher'
           Related: DRAKO-ABSS-2026-003
           Impact: Attacker inherits all agent permissions
           Ref: CWE-798, OWASP LLM06

  SEC-005  Arbitrary code execution in tool      (tools/runner.py)
           ○ UNREACHABLE — no agent references this tool

  DET-001  LLM temperature not set               (agents/writer.py)
           Impact: Non-deterministic outputs between runs
```

Two scores, two audiences. **Governance** speaks to security teams: are your agents safe? **Determinism** speaks to engineers: will they behave the same way twice?

**Reachability** separates real risks from theoretical ones — a dangerous tool that no agent actually uses is dimmed, not screamed at you.
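The reachability idea can be illustrated with Python's `ast` module. This is an added example, not Drako's own code: it assumes CrewAI-style `Agent(role=..., tools=[...])` declarations, treats `eval`, `exec` and `os.system` as the dangerous calls, and runs on a constructed sample source.

```python
import ast

# Constructed sample source (not from a real repository).
SAMPLE = '''
from crewai import Agent

def web_search(q):
    return "results for " + q

def code_runner(src):
    return eval(src)

def shell_tool(cmd):
    return os.system(cmd)

researcher = Agent(role="researcher", tools=[web_search, code_runner])
writer = Agent(role="writer", tools=[web_search])
'''

SINKS = {"eval", "exec", "os.system"}  # assumed set of dangerous calls

def dangerous_tools(tree):
    """Map top-level function name -> dangerous call found in its body."""
    found = {}
    for fn in tree.body:
        if isinstance(fn, ast.FunctionDef):
            for node in ast.walk(fn):
                if isinstance(node, ast.Call) and ast.unparse(node.func) in SINKS:
                    found[fn.name] = ast.unparse(node.func)
    return found

def agent_tools(tree):
    """Map tool name -> roles of the agents that list it in tools=[...]."""
    refs = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and ast.unparse(node.func) == "Agent":
            kw = {k.arg: k.value for k in node.keywords}
            role = kw.get("role")
            role = role.value if isinstance(role, ast.Constant) else "<unknown>"
            tools = kw.get("tools")
            for t in getattr(tools, "elts", []):
                if isinstance(t, ast.Name):
                    refs.setdefault(t.id, set()).add(role)
    return refs

def classify(source):
    """Return {tool: (sink, [agents that can reach it])}; [] = unreachable."""
    tree = ast.parse(source)
    refs = agent_tools(tree)
    return {name: (sink, sorted(refs.get(name, ())))
            for name, sink in dangerous_tools(tree).items()}
```

`classify(SAMPLE)` reports `code_runner` as reachable through `researcher` and `shell_tool` as unreachable. Matching is by name only, so tools passed through variables or imported under aliases would need additional resolution.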

```bash
drako scan .                       # Full scan, both scores
drako scan --details               # Code snippets + fix suggestions
drako scan --benchmark             # Compare against 100 scanned projects
drako scan --baseline              # Acknowledge existing issues, only show new ones
drako scan --format sarif          # GitHub Code Scanning
drako scan --fail-on critical      # CI gate
drako scan --share                 # Generate shareable score card
drako fix --dry-run                # Preview auto-fixes
drako scan --diff HEAD~1           # Only scan changed files
drako history                      # view policy snapshot history
drako diff v2 v3                   # compare policy versions
drako rollback v2                  # restore previous policy
```

---

## Agent BOM

Standalone inventory. No runtime, no network, pure AST.

```bash
drako bom .
```

```
Agents     3  researcher, writer, reviewer
Tools     12  web_search, file_reader, code_runner, ...
Models     2  gpt-4o, claude-sonnet-4-20250514
MCP        1  server (filesystem)
Prompts    4  system prompts (content hashed, not exposed)
Perms         filesystem, network, code_execution
Framework  crewai 0.86.0
Vendors    OpenAI (model), Anthropic (model)
```

Output formats: `--format text` (default) · `json` · `markdown`

---

## Rules

97 deterministic rules across 16 categories. No LLM in the evaluation loop. Same code, same result, every time. [Full rule reference →](docs/rules/index.md)

| Category | Rules | What it catches |
|----------|-------|-----------------|
| **Security** | SEC-001 → SEC-011 | Hardcoded keys, prompt injection, code execution, filesystem/network access |
| **Governance** | GOV-001 → GOV-011 | No audit logging, no HITL, self-modifying prompts, no fallback |
| **Compliance** | COM-001 → COM-005 | EU AI Act Art. 9, 11, 12, 14 gaps |
| **Determinism** | DET-001 → DET-007 | Temperature not set, no timeout, no retry, no iteration limit, no seed |
| **Vendor Concentration** | VCR-001 → VCR-003 | Same vendor across model + framework + cloud + governance layers |
| **Framework-Specific** | FW-001 → FW-010 | CrewAI delegation risks, AutoGen code exec defaults, LangGraph state issues |
| **Operational Boundaries** | ODD-001 → ODD-004 | No boundary definition, unrestricted tools, no spend cap |
| **Magnitude** | MAG-001 → MAG-003 | No spend cap, no rate limit, unclassified data access |
| **Identity** | ID-001 → ID-003 | Static credentials, shared credentials, no identity |
| **Multi-Agent** | MULTI-001 → MULTI-004 | No topology, circular deps, no conflict protection |
| **Hooks** | HOOK-001 → HOOK-003 | No pre-action validation, no session-end gate |
| **Versioning** | CV-001 → CV-002 | No policy versioning, no audit policy reference |
| **FinOps** | FIN-001 → FIN-003 | No cost tracking, single model for all tasks, no cache |
| **Resilience** | RES-001 → RES-002 | No fallback for critical ops, no state preservation |
| **A2A** | A2A-001 → A2A-003 | No A2A auth, unvalidated inter-agent input |
| **Best Practices** | BP-001 → BP-005 | Outdated framework, no tests, too many tools |

**Vendor Concentration** rules detect when your model, framework, and governance stack come from the same vendor — flagging audit independence risk that vendor-affiliated tools have no incentive to report.

**Framework-Specific** rules detect known governance gaps in the frameworks you use, including default configurations that ship insecure.

Scoring: start at 100, deduct per finding with caps per category. Grades: **A** (90-100) · **B** (75-89) · **C** (60-74) · **D** (40-59) · **F** (0-39)

> **TypeScript/JavaScript:** 17 additional rules (SEC, GOV, COM, DET, ODD) apply when scanning TS/JS projects.

> Install: `pip install drako[typescript]`

---

## Advisories

Drako ships with 25 security advisories in the **DRAKO-ABSS** format (Agent Behavioral Security Standard) — covering OWASP Top 10 for LLMs, MITRE ATLAS techniques, and real CVEs from CrewAI, LangChain, and AutoGen.

Advisories appear inline in scan findings:

```
SEC-007  Prompt injection vulnerability       (agents/researcher.py)
         Related: DRAKO-ABSS-2026-001 — System Prompt Extraction
         Ref: OWASP LLM01:2025, MITRE AML.T0051
```

Each advisory includes: affected configurations, IOC pattern hashes for runtime matching, taint paths, and remediation mapped to Drako rules.

📄 [Browse advisories →](src/drako/data/advisories/) · [ABSS format spec →](docs/abss-format.md)

---

## Baseline

Existing projects get 40+ findings on first scan. The baseline lets teams acknowledge known issues and focus only on **new** ones.

```bash
drako scan . --baseline            # save current state
drako scan .                       # only NEW findings from now on
drako baseline show                # what's baselined
drako baseline reset               # start fresh
```

- Score always reflects **all** findings — real posture, not a filtered view
- CI pass/fail is based on **new findings only**
- SARIF marks baselined findings as `"baselineState": "unchanged"`
- Baseline file commits to your repo — shared across the team
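
A CI gate over a SARIF report that follows the rules listed above, added here as an example rather than Drako's own logic. `baselineState` and `level` are standard SARIF 2.1.0 result properties; the sample report, its severity levels and the `gate` function are constructed for illustration.

```python
import json

# Constructed SARIF 2.1.0 report; rule IDs reuse ones from this README,
# the levels and baseline states are illustrative.
REPORT = json.loads('''
{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "drako"}},
 "results": [
  {"ruleId": "SEC-001", "level": "error",   "baselineState": "unchanged"},
  {"ruleId": "SEC-007", "level": "error",   "baselineState": "new"},
  {"ruleId": "DET-001", "level": "warning", "baselineState": "new"},
  {"ruleId": "GOV-001", "level": "warning"}
 ]}]}
''')

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def gate(sarif, fail_on="error"):
    """Return (total, blocking): every result is counted, but only
    non-baselined results at or above `fail_on` block the build."""
    threshold = LEVEL_RANK[fail_on]
    total, blocking = 0, []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            total += 1
            # No baselineState means the result was never compared to a
            # baseline, so treat it as new instead of silently passing it.
            state = res.get("baselineState", "new")
            # Assumption: "updated" results still need review, so only
            # "unchanged" and "absent" are exempt from the gate.
            if state in ("unchanged", "absent"):
                continue
            level = res.get("level", "warning")  # fallback when level is omitted
            if LEVEL_RANK.get(level, 2) >= threshold:
                blocking.append(res["ruleId"])
    return total, blocking
```

A pipeline step would exit non-zero when the second element of `gate(...)` is non-empty, while still reporting the full count so the posture is not hidden by the baseline.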

---

## Observability Dashboard

Drako ships with a **built-in observability dashboard** at [getdrako.com/dashboard](https://getdrako.com/dashboard).
No external tooling required.

<!-- TODO: Replace with actual

[truncated…]

PUBLIC HISTORY

First discovered: Mar 26, 2026

IDENTITY

inferred

Identity inferred from code signals. No PROVENANCE.yml found.


METADATA

platform: github
first seen: Mar 18, 2026
last updated: Mar 25, 2026
last crawled: 2 months ago
version
