The pre-flight security scanner for AI agents. It provides static analysis, logic flaw detection, and EU AI Act compliance mapping, supporting frameworks like LangChain/CrewAI and GitHub Actions integration.
Project Overview#
Inkog is a static security analysis tool designed specifically for AI Agents, positioned as "The pre-flight check for AI agents." It discovers logic flaws and security vulnerabilities through static analysis before AI agents go into production, preventing cost overruns, data breaches, and legal risks.
Core Detection Capabilities#
| Category | Detection Content | Risk Impact |
|---|---|---|
| Infinite Loops | Agent repeatedly calls itself without exit conditions, LLM output feeds back as input indefinitely | Agent runs forever and accumulates API costs |
| Prompt Injection | User input flows into system prompts without sanitization, contaminated data reaches tool calls | Attackers can hijack agent behavior |
| Missing Guardrails | Destructive operations without human intervention, no rate limits on LLM calls, unconstrained tool access | One wrong decision leads to runaway agent |
| Hardcoded Secrets | API keys, tokens, and passwords in source code (detected locally, never uploaded) | Credential exposure when pushed to GitHub |
| Compliance Gaps | Missing human oversight, no audit logs, missing authorization checks | Violates EU AI Act and other regulatory requirements |
Supported Frameworks#
Code-first Frameworks: LangChain, LangGraph, CrewAI, AutoGen, OpenAI Agents, Semantic Kernel, Azure AI Foundry, LlamaIndex, Haystack, DSPy, Phidata, Smolagents, PydanticAI, Google ADK
No-code Platforms: n8n, Flowise, Langflow, Dify, Microsoft Copilot Studio, Salesforce Agentforce
Compliance Mapping#
- EU AI Act: Maps to Article 14 (Human Oversight) and Article 15 (Robustness) requirements
- OWASP LLM Top 10: Automatic mapping to relevant security risks
- NIST AI RMF: Supports GOVERN, MAP, MEASURE, MANAGE functions
Installation & Usage#
Quick Start (No Installation Required)#
npx -y @inkog-io/cli scan .
Permanent Installation#
# Homebrew
brew tap inkog-io/inkog && brew install inkog
# Install Script
curl -fsSL https://inkog.io/install.sh | sh
# Go install
go install github.com/inkog-io/inkog/cmd/inkog@latest
Basic Usage#
# Configure API key (obtain from https://app.inkog.io)
export INKOG_API_KEY=sk_live_...
# Scan current directory
inkog scan .
Integration Capabilities#
GitHub Actions#
- uses: inkog-io/inkog@v1
with:
api-key: ${{ secrets.INKOG_API_KEY }}
sarif-upload: true # Display findings in GitHub Security tab
MCP Server Integration#
npx -y @inkog-io/mcp
Provides 7 tools including MCP server audit and multi-agent topology analysis, enabling direct scanning of agent code in Claude, ChatGPT, or Cursor.
Architecture Highlights#
- Core Language: Go (95.3%)
- Analysis Method: Static analysis (does not run agent code)
- Privacy Protection: 100% local analysis, code is never uploaded
- Universal IR: Unified intermediate representation supporting multiple frameworks
- Data Flow Tracking: Tracks user input to LLM data flows
- Remediation Guidance: Provides specific code fix recommendations