Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.agentguardian.io/llms.txt

Use this file to discover all available pages before exploring further.

What this gives you

A single uses: line that installs agent-guardian, runs a scan, writes SARIF, and uploads it to GitHub Code Scanning. Use this in place of the longhand workflow in GitHub Actions when you want the shortest possible adoption path.

Wire it up

Grant permissions

The calling workflow must grant security-events: write so SARIF upload succeeds. Composite actions cannot declare repository-level permissions, so the caller owns this.
permissions:
  contents: read
  security-events: write

Add the action

.github/workflows/agent-guardian.yml
name: AgentGuardian
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: glacien-technologies/agent-guardian/.github/actions/agentguardian-scan@v1
        with:
          framework: langgraph
          framework-ref: my_app.graph:graph
          model: gemini:gemini-2.5-flash
          mode: full
          fail-under: "70"
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}

Confirm the run

Open a PR. The scan check appears in the PR conversation, the SARIF artifact is attached to the workflow run, and findings show up under Security → Code scanning keyed by the agentguardian category.

Inputs

NameDefaultDescription
target""Positional dotted path (MODULE:ATTR). Mutually exclusive with the other target inputs.
system-prompt""Path to a system prompt file.
endpoint""Hosted HTTP endpoint URL.
framework""adk, autogen, crewai, langgraph, openai_agents, strands.
framework-ref""MODULE:ATTR for the framework-native object.
modelstubLLM spec (e.g. gemini:gemini-2.5-flash).
modefullfast, smart, or full.
budget-usd""Runtime USD cap. Empty disables the cap.
fail-under70Minimum AIVSS for exit-0. Empty skips the gate.
output-pathagentguardian-scan.sarifWhere the SARIF is written.
upload-sariftrueSet false to skip the Code Scanning upload.
categoryagentguardianSARIF category used for Code Scanning grouping.
agent-guardian-version""pip install version specifier. Empty = latest.
python-version3.12Python runtime.
extra-args""Extra flags appended verbatim.

Outputs

NameDescription
sarif-pathPath of the SARIF report.
exit-codeRaw scan exit code (see exit codes).

Sample report

A static reference render of the JSON / SARIF output, generated from a real scan: sample-report.html.

When to use the longhand form instead

Use the longhand workflow when you need to:
  • Run on a self-hosted runner without internet access (you supply your own install step).
  • Run the scan inside a services: container that the composite action would not see.
  • Compose multiple scans against the same target across the same job (the composite action assumes one scan per step).