Phase 3: Add stateless scan CLI command (agent-invocable) #309

Description

@msoedov

Part of #306. This is the real work — it replaces MCP as the agent integration path.

Today scanning is config-file-driven: init writes agesec.toml, then ci reads it. An agent must do two steps with hidden disk state. Replace with a direct one-shot command.

Target UX (finalize in design)

  • agentic_security scan --spec <file|-> — stateless, no agesec.toml required; spec from arg, file, or stdin
  • Streams machine-readable results to stdout (JSON lines), logs to stderr
  • Non-zero exit code when failures are found (CI-friendly)
  • Decide fate of existing ci: keep ci for config workflows, add scan for ad-hoc/agent use

Open design questions

  • Output format: JSON lines vs single JSON doc vs both behind a flag
  • Does scan need the FastAPI app, or call fuzzer.scan_router() directly via lib.SecurityScanner (preferred — fully standalone)
  • Minimal spec an agent must pass (llmSpec only? + datasets?)

Done when

  • An agent runs a full scan with a single CLI command, no server, no config file, and parses results from stdout.
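An added example, not code from this issue or from the agentic_security project: how an agent-side caller could consume the stdout/stderr/exit-code contract listed under Target UX. The `scan` command does not exist yet, so a constructed stand-in script plays its part, and the record fields `module` and `status` are hypothetical.

```python
import json
import subprocess
import sys

# Constructed stand-in for the proposed `agentic_security scan --spec -`:
# spec on stdin, logs on stderr, JSON lines on stdout, exit 1 on failures.
# The record fields "module" and "status" are hypothetical.
FAKE_SCAN = r'''
import json, sys
spec = sys.stdin.read()
print("loaded spec, %d chars" % len(spec), file=sys.stderr)
records = [{"module": "constructed-a", "status": "pass"},
           {"module": "constructed-b", "status": "fail"}]
for r in records:
    print(json.dumps(r), flush=True)
sys.exit(1 if any(r["status"] == "fail" for r in records) else 0)
'''


def run_scan(cmd, spec_text, timeout=60):
    """Run a one-shot scan; return (records, exit_code, log_text)."""
    proc = subprocess.run(cmd, input=spec_text, capture_output=True,
                          text=True, timeout=timeout)
    records = []
    for lineno, line in enumerate(proc.stdout.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            # stdout must carry results only; anything else breaks the contract.
            raise ValueError(f"stdout line {lineno} is not JSON") from exc
        if not isinstance(rec, dict):
            raise ValueError(f"stdout line {lineno} is not a JSON object")
        records.append(rec)
    return records, proc.returncode, proc.stderr


def failed_modules(records, exit_code):
    """Cross-check the exit code against the records before trusting either."""
    failed = [r.get("module") for r in records if r.get("status") == "fail"]
    if exit_code != 0 and not failed:
        # Non-zero with no failing record: a crash, not a finding.
        raise RuntimeError("scan exited non-zero without reporting a failure")
    if exit_code == 0 and failed:
        raise RuntimeError("scan reported failures but exited 0")
    return failed


if __name__ == "__main__":
    recs, code, logs = run_scan([sys.executable, "-c", FAKE_SCAN], "constructed spec")
    print(failed_modules(recs, code), code)
```

A bare non-zero exit code cannot tell "failures found" from "the scanner crashed", which is why the caller compares it against the parsed records.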
