agentsec.example.yaml
# AgentSec Configuration File
# ============================
#
# This file configures the AgentSec security scanner.
# Copy this file to 'agentsec.yaml' in your project root and customize it.
#
# The CLI will automatically search for config files in:
# 1. Current directory (agentsec.yaml, agentsec.yml, .agentsec.yaml, .agentsec.yml)
# 2. Home directory
# 3. ~/.config/agentsec/
#
# You can also specify a config file explicitly:
#   agentsec scan ./src --config ./my-config.yaml
#
# CLI arguments always override config file settings.

# System Message
# ==============
# The system message tells the AI who it is and how to behave.
# It's sent to the LLM at the start of each session.
#
# You can either:
# 1. Write the message directly here (system_message)
# 2. Point to an external file (system_message_file)
#
# If both are provided, 'system_message' takes priority.
#
# The BUILT-IN DEFAULT system message (used when no config is specified):
# - Identifies the agent as "AgentSec, the Malicious Code Scanner"
# - Lists all available Copilot CLI tools (bash, skill, view)
# - Provides a structured scanning workflow
# - Includes comprehensive safety guardrails
# - Defends against prompt injection from analyzed code
#
# You can override it here to customize the agent's behavior.
# For example, to focus on a specific language or vulnerability type:
# system_message: |
#   You are a security expert specializing in Python web applications.
#   Use the skill tool to invoke bandit-security-scan and graudit-security-scan.
#   Focus on SQL injection, XSS, and authentication vulnerabilities.
#   Generate a Markdown report with severity levels and remediation advice.
#
# Or use an external file:
# system_message_file: ./prompts/system-message.txt

# Initial Prompt
# ==============
# The initial prompt is the template used when starting a scan.
# Use {folder_path} as a placeholder for the target folder.
#
# You can either:
# 1. Write the prompt directly here (initial_prompt)
# 2. Point to an external file (initial_prompt_file)
#
# If both are provided, 'initial_prompt' takes priority.
#
# The BUILT-IN DEFAULT prompt instructs the agent to:
# 1. Use bash to discover files
# 2. Use the skill tool to run security scanners
# 3. Use view for manual inspection
# 4. Compile a structured Markdown report
#
# Override it here for customized scanning behavior:
# initial_prompt: |
#   Scan {folder_path} for security vulnerabilities.
#   Focus on HIGH and CRITICAL severity only.
#   Use bandit-security-scan and graudit-security-scan skills.
#   Generate a brief summary report.
#
# Or use an external file:
# initial_prompt_file: ./prompts/scan-prompt.txt

# Advanced Examples
# =================
#
# Example 1: Minimal config with external files
# ---------------------------------------------
# system_message_file: ./prompts/system.txt
# initial_prompt_file: ./prompts/scan.txt
#
#
# Example 2: Custom security focus (Python web apps)
# ---------------------------------------------------
# system_message: |
#   You are a security expert specializing in Python web applications.
#   Use the skill tool to invoke bandit-security-scan and graudit-security-scan.
#   Focus especially on:
#   - SQL injection vulnerabilities
#   - Cross-site scripting (XSS)
#   - Authentication and authorization issues
#   - Sensitive data exposure
#
#
# Example 3: Brief scanning mode (HIGH severity only)
# ----------------------------------------------------
# initial_prompt: |
#   Quick security check of {folder_path}.
#   Only report HIGH and CRITICAL severity issues.
#   Use bandit-security-scan skill, then generate a brief summary.
#
#
# Example 4: Multi-language scanning
# -----------------------------------
# initial_prompt: |
#   Scan {folder_path} for security issues across all file types.
#   For Python files: use bandit-security-scan
#   For JS/TS files: use eslint-security-scan
#   For shell scripts: use shellcheck-security-scan
#   For all files: use graudit-security-scan with secrets database
#   Compile all findings into one report.

# Parallel Scanning
# =================
# These settings only apply when using the --parallel CLI flag
# (or calling agent.scan_parallel() programmatically).
#
# Parallel mode runs multiple scanners concurrently as sub-agents
# and synthesises the results into a single report.
#
# Maximum number of scanner sub-agents running at the same time.
# Higher values = faster scans but more API load. Default is 3.
#
# max_concurrent: 3
#
# CLI usage examples:
#   agentsec scan ./src --parallel
#   agentsec scan ./src --parallel --max-concurrent 5

# Model Selection
# ===============
# The LLM model to use for scanning sessions.
# Default is "gpt-5". Change this to use a different model.
#
# model: gpt-5
#
# Examples:
# model: gpt-5
# model: claude-sonnet-4.5
# model: gpt-4.1

# Per-Phase Model Overrides
# =========================
# You can use a different model for each scan phase.
# When not set, each phase falls back to the global `model` above.
#
# Phase 2 — Parallel scanner sub-agents (tool runners):
# model_scanners: gpt-4.1-mini
#
# Phase 3 — LLM deep analysis (semantic malicious code review):
# model_analysis: claude-sonnet-4.5
#
# Phase 4 — Report synthesis (deduplication and report compilation):
# model_synthesis: gpt-4.1-mini
#
# Example: Use a powerful model for analysis but fast/cheap for everything else:
# model: gpt-4.1-mini
# model_analysis: gpt-5
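
# Added example (not part of this file and not AgentSec's own code): a small Python
# model of the precedence rules documented above, useful for reviewing a config before
# a scan. It takes an already-parsed config dict; the function names, the `cli` dict
# and the review notes are hypothetical, and it assumes a custom system message
# replaces the built-in default entirely.

```python
# Added example, not AgentSec code: names below are hypothetical.
from pathlib import Path

PHASE_KEYS = {"scanners": "model_scanners", "analysis": "model_analysis",
              "synthesis": "model_synthesis"}
DEFAULT_MODEL = "gpt-5"      # documented default model
DEFAULT_MAX_CONCURRENT = 3   # documented default

def resolve_text(cfg, key, base_dir="."):
    """Inline '<key>' wins over '<key>_file'; (None, 'built-in') if neither is set."""
    if cfg.get(key):
        return cfg[key], "inline"
    if cfg.get(key + "_file"):
        path = Path(base_dir) / cfg[key + "_file"]
        return path.read_text(encoding="utf-8"), "file"
    return None, "built-in"

def resolve(cfg, cli=None, base_dir="."):
    """Effective settings for a parsed config dict, with CLI values taking priority."""
    merged = {**cfg, **{k: v for k, v in (cli or {}).items() if v is not None}}
    global_model = merged.get("model") or DEFAULT_MODEL
    # Each phase falls back to the global model when its own key is unset.
    models = {p: merged.get(k) or global_model for p, k in PHASE_KEYS.items()}
    _, system_src = resolve_text(merged, "system_message", base_dir)
    prompt, prompt_src = resolve_text(merged, "initial_prompt", base_dir)
    notes = []
    if system_src != "built-in":
        # Assumption: an override replaces the built-in default text entirely.
        notes.append("system message overridden: check the custom text restates "
                     "the guardrails and prompt-injection defences")
    if prompt is not None and "{folder_path}" not in prompt:
        notes.append("initial prompt lacks the {folder_path} placeholder")
    return {"models": models, "system_source": system_src, "prompt_source": prompt_src,
            "max_concurrent": merged.get("max_concurrent", DEFAULT_MAX_CONCURRENT),
            "notes": notes}

# Constructed sample: cheap global model, stronger analysis model, inline prompts.
SAMPLE = {"model": "gpt-4.1-mini", "model_analysis": "gpt-5",
          "system_message": "You are a security expert.",
          "system_message_file": "./prompts/system.txt",  # ignored: inline wins
          "initial_prompt": "Quick security check of {folder_path}."}

if __name__ == "__main__":
    print(resolve(SAMPLE, cli={"max_concurrent": 5}))
```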