Main features:
- Broad coverage: scans AWS, GCP, Azure, 100+ API key environment variables and credential files, Kubernetes, Docker, SSH keys, Terraform configs, and .env files
- Severity levels: every finding is tagged LOW, MODERATE, HIGH, or CRITICAL so you know what actually matters
- CI/CD integration: run agentcheck --ci to fail a pipeline if findings exceed a configurable threshold, with JSON and Markdown output for automation
- Configurable: extend it with your own env vars, credential files, and CLI tool checks via a config file
When you hand a shell to an AI agent, it inherits everything in that environment: cloud credentials, API keys, SSH keys, kubectl contexts. That's often more access than you'd consciously grant, and it’s hard to keep track of what permissions your user account actually has. Agentcheck makes that surface area visible before you run the agent.
It’s a single Go binary, no dependencies. Install with Homebrew:
brew install Pringled/tap/agentcheck
Code: github.com/Pringled/agentcheck
Let me know if you have any feedback!
matrixgard•2d ago
The CI integration is the piece I'd actually lean on first. Most teams I've seen think about agent access controls after they've already deployed, at which point you're doing cleanup instead of prevention. Gating it in the pipeline means the access question gets answered before the agent is running against your Terraform state and live kube contexts.
Are you seeing any patterns in severity distribution — mostly cloud creds coming up critical, or are the kube context exposures landing higher than expected?