Documentation

AgentSentry CLI

Open-source NHI scanner — runs locally, zero data upload, one command to audit your entire cloud.


Installation

AgentSentry requires Python 3.9+. Install the base package, then add provider extras for each cloud you want to scan.

bash
# Base install
$ pip install agentsentry
 
# With all provider extras
$ pip install 'agentsentry[aws,azure,gcp,github,k8s]'
 
# Verify
$ agentsentry --version

Quick start

The fastest way to see AgentSentry in action — scan your local environment. No credentials needed.

bash
# Scan local environment (no credentials needed)
$ agentsentry scan local
 
# Scan everything configured on this machine
$ agentsentry scan all
 
# Open the interactive attack graph in your browser
$ agentsentry visualize

Provider setup & scan commands

Amazon Web Services (AWS)
bash
# Install AWS extra
$ pip install 'agentsentry[aws]'
 
# Configure credentials
$ export AWS_PROFILE=my-profile
 
# Scan
$ agentsentry scan aws

Microsoft Azure
bash
$ pip install 'agentsentry[azure]'
$ az login
$ agentsentry scan azure

Google Cloud (GCP)
bash
$ pip install 'agentsentry[gcp]'
$ gcloud auth application-default login
$ agentsentry scan gcp

GitHub
bash
$ pip install agentsentry
$ export GITHUB_TOKEN=<your-pat>
$ agentsentry scan github

Kubernetes
bash
$ pip install 'agentsentry[k8s]'
$ kubectl config use-context <your-cluster>
$ agentsentry scan k8s

Output formats

Export findings in multiple formats for integration with your existing security toolchain.

bash
# Default: rich terminal table
$ agentsentry scan all
 
# JSON (for SIEM / automation)
$ agentsentry scan all --output json > findings.json
 
# CSV (for spreadsheets)
$ agentsentry scan all --output csv > findings.csv
 
# Open attack graph in browser
$ agentsentry visualize
 
# Save graph as HTML file
$ agentsentry visualize --save report.html

Advanced usage

Filter by risk threshold, target a specific AWS profile, or run in CI/CD pipelines.

bash
# Show only CRITICAL and HIGH findings
$ agentsentry scan all --min-risk HIGH
 
# Use a specific AWS profile
$ export AWS_PROFILE=prod
$ agentsentry scan aws
 
# Non-zero exit code on CRITICAL findings (great for CI)
$ agentsentry scan all --fail-on CRITICAL
 
# Scan a specific LangChain / CrewAI project directory
$ agentsentry scan agents ./my-agent-project

GitHub Actions example:

yaml
- name: AgentSentry NHI Scan
  run: |
    pip install agentsentry[aws]
    agentsentry scan aws --output json --fail-on CRITICAL
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}