One CLI for AI Agent Security
Credential detection with scope drift analysis, config integrity signing, runtime monitoring, and supply chain verification. Works with Node.js, Python, Go, and MCP server projects.
Instant Security Assessment
Run opena2a init in any project to get a security score, credential findings, scope drift alerts, and prioritized actions. Then run opena2a protect to fix everything.
Core Commands
Eight built-in commands plus 9 adapter-backed tools from the OpenA2A ecosystem.
opena2a init
Assess your project's security posture
Detects project type, scans for credentials, checks hygiene, calculates trust score (0-100), and provides prioritized next steps.
opena2a protect
Detect and migrate hardcoded credentials
Finds API keys across all source files. Language-aware replacements for JS, Python, Go, Ruby, Java, and Rust. Stores secrets in vault or .env.
opena2a guard
Config file integrity protection
Signs config files with SHA-256 hashes. Detects tampering, tracks unsigned files, maintains a signature store.
opena2a runtime
Agent runtime monitoring
Wraps ARP (Agent Runtime Protection) to monitor process, network, and filesystem activity. Protocol-aware for MCP and A2A.
opena2a verify
Binary integrity verification
Compares installed package hashes against the Trust Registry. Detects supply chain tampering across all OpenA2A tools.
opena2a scan
147 security checks via HackMyAgent
Adapter-backed scanning with attack simulation, auto-fix suggestions, and compliance reporting.
opena2a shield
Unified security orchestration
One-command setup: init, status, event log, policy enforcement, sessions, baselines, and posture reporting.
opena2a review
Security dashboard with HTML report
Runs all checks (init + protect + guard + HMA scan), generates an interactive HTML dashboard with score breakdown.
Scope Drift Detection
API keys provisioned for one service often silently grant access to others. A Google Maps key can call Gemini. An AWS S3 key may reach Bedrock. OpenA2A detects these cross-service privilege escalations.
Google API Key Gemini Drift
A key provisioned for Google Maps silently grants access to Gemini AI models. Attackers can run LLM workloads billed to your account.
AWS Access Key Bedrock Drift
An AWS key intended for S3 or EC2 may also grant access to Bedrock LLM models due to over-provisioned IAM policies.
Detected Credential Patterns
Regex-based detection with language-aware replacements for JS, Python, Go, Ruby, Java, and Rust.
| ID | Pattern | Prefix | Severity |
|---|---|---|---|
| CRED-001 | Anthropic API Key | sk-ant-api* | Critical |
| CRED-002 | OpenAI API Key | sk-*, sk-proj-* | Critical |
| CRED-003 | GitHub Token | ghp_*, ghs_* | High |
| DRIFT-001 | Google API Key | AIza* | High |
| DRIFT-002 | AWS Access Key | AKIA* | High |
| CRED-004 | Generic API Key | api_key=, secret_key= | Medium |
Smart Command Discovery
Four input modes so you always find the right command, whether you know exactly what you need or just have a vague idea.
Interactive Wizard
Run with no arguments for a guided menu.
$ opena2aSemantic Search
Search by concept with domain expansion.
$ opena2a ~google driftContext-Aware Suggestions
Get recommendations based on your project state.
$ opena2a ?Natural Language
Describe what you want in plain English.
$ opena2a find leaked credentialsCI/CD Integration
All commands support --format json and --ci for pipeline integration.
- name: Security assessment
run: npx opena2a-cli init --ci --format json > report.json
- name: Credential check
run: |
npx opena2a-cli protect --dry-run --ci --format json > creds.json
jq -e '.totalFound == 0' creds.json
- name: Config integrity
run: npx opena2a-cli guard verify --ciUnified Security Ecosystem
The CLI orchestrates 10 specialized security tools through adapter commands. Each installs on first use -- no manual setup required.
cryptoguardreviewGet Started in 30 Seconds
No signup, no configuration, no dependencies. One command to assess your project.