Skip to content

AI security scanning

Bulwark scans the AI coding assistants on your machine — Claude Code, Cursor, GitHub Copilot, OpenAI Codex, Gemini CLI, Aider, Continue, Windsurf, Cline/Roo and Amazon Q — for two classes of problem that ordinary host scanners don't look for:

  1. Secrets leaked into AI context. API keys, tokens, and connection strings pasted into a CLAUDE.md, an agent's memory, an MCP config, a .env, or a session transcript. Anything an assistant can read is one prompt-injection away from being exfiltrated — and transcripts keep a copy on disk long after the conversation.
  2. Dangerous agent configuration. Settings that a prompt injection can turn into code execution on your host, grounded in real, published attacks.

It's a first-class tab in the desktop app (highlighted in the sidebar) and a bulwarkctl ai subcommand in the CLI.

What it checks

RuleSeverityWhat it catchesReference
BLWK-AI-001Critical / MediumA provider secret (Anthropic, OpenAI, GitHub, AWS, …) in an assistant's context, config, or transcriptT1552.001
BLWK-AI-002CriticalProject-supplied Claude Code hooks that run shell on session/tool eventsCVE-2025-59536
BLWK-AI-003HighAn MCP server launched via an unpinned npx/uvx packageT1195.001
BLWK-AI-004HighAn MCP server using mcp-remote (command-injection ≤ 0.1.15)CVE-2025-6514
BLWK-AI-005HighAn MCP server wrapped in a shell interpreter (bash -c …)T1059.004
BLWK-AI-006HighA permission allowlist that permits arbitrary execution (Bash(*), Bash(curl:*))T1059
BLWK-AI-007HighdefaultMode: "bypassPermissions" — no approval prompts at allT1059
BLWK-AI-008HighenableAllProjectMcpServers / enabledMcpjsonServers auto-enabling a repo's MCP serversCVE-2025-59536
BLWK-AI-009CriticalVS Code chat.tools.autoApprove ("YOLO mode")CVE-2025-53773
BLWK-AI-010HighVS Code Workspace Trust disabledT1204.002
BLWK-AI-011HighA VS Code task set to run on folderOpenT1204.002
BLWK-AI-012HighHidden Unicode / bidi controls in an instruction file (the Rules File Backdoor)Pillar Security
BLWK-AI-013MediumPrompt-injection-style phrases in an instruction file (heuristic)T1566
BLWK-AI-014HighAn ANTHROPIC_BASE_URL / OPENAI_BASE_URL override to a non-official hostCVE-2025-59536
BLWK-AI-015MediumA plaintext credential file readable by group/otherT1552.001
BLWK-AI-016HighA secret-bearing file in a git repo with no .gitignore rule covering itT1552.001
BLWK-AI-017HighCodex approval_policy = "never" + sandbox_mode = "danger-full-access"T1059

These are native Rust detectors, not YAML rules — the same reason the ClamAV integration isn't a collector. Secret detection needs capturing regexes and redaction spans; the config checks parse MCP JSON and inspect files for invisible Unicode; none of that fits the flat condition DSL. They carry the same shape as a YAML rule all the same (id, severity, plain-language explanation, one-line fix, references) and the same discipline (every detector is unit-tested, including a benign no-false-positive case).

How workspaces are discovered

Because every developer's layout differs, the scanned workspace set is derived, not hardcoded:

  • From your assistants' own records — the projects Claude Code has opened (~/.claude/projects/).
  • A shallow sweep of common code roots~/Workspaces, ~/Projects, ~/src, ~/dev, ~/code, ~/git, … — for directories carrying an AI marker (.claude/, CLAUDE.md, .cursor/, .mcp.json, AGENTS.md, …). node_modules, .git, and build trees are skipped.
  • Roots you add in the tab's settings, plus any you exclude.

Global $HOME tool state (~/.claude/, ~/.codex/, ~/.cursor/mcp.json, ~/.gemini/, …) is always included. The desktop app also runs a periodic background sweep and notifies you when a new secret or risky config appears — toggleable from the tab.

Redaction

Bulwark reads these files but never rewrites them on its own — finding a secret and removing it are two deliberate, separate acts, the same stance file-integrity baselining takes.

  • Dry run first. bulwarkctl ai redact (no flags) reports exactly which files would change and how many secrets each holds, touching nothing.
  • Apply explicitly. bulwarkctl ai redact --apply (or the tab's Redact button) rewrites the files, replacing each high-confidence secret with an inert placeholder. Before overwriting, it writes a 0600 backup of every file it touches, and it preserves the original file's permissions on the rewritten copy. Only high-confidence provider secrets are redacted — the fuzzy KEY=value heuristic is report-only.

Redaction removes the secret from disk; it can't un-leak it. Rotate any exposed credential.

CLI

bash
# Scan every discovered workspace + your home-directory tool state.
bulwarkctl ai scan

# Scan just one project (skips the whole-machine sweep).
bulwarkctl ai scan --target ~/work/service

# Add or exclude discovery roots.
bulwarkctl ai scan --root ~/oss --exclude ~/Projects/huge-monorepo

# Preview, then apply, redaction. A 0600 backup of each file is kept.
bulwarkctl ai redact
bulwarkctl ai redact --apply

ai scan exits non-zero on findings (2 for a critical, 1 for medium/high), so it drops into cron or CI the same way bulwarkctl scan does.

Released under the AGPL-3.0-or-later License.