v1.0.1

[chaksaray]

Bawbel Scanner v1.0.1

The first production-stable release.

40 AVE records. 37 pattern rules. 6 detection engines. 5-layer false-positive reduction. VS Code extension. GitHub Actions. Near-zero false positives.

---

Highlights

40 AVE Records — the open vulnerability standard for agentic AI

The AVE standard now covers 40 attack classes — from prompt injection and memory poisoning to lateral movement, steganographic covert channels, and cross-agent A2A injection. Every finding links to a published record with behavioral fingerprints, IOC lists, CVSS-AI scores, and remediation steps. Browse all records at api.piranha.bawbel.io.

6 Detection Engines

• Stage 0 — Magika: ML content-type verification. Catches binaries and scripts disguised as skill files before any text analysis runs.
• Stage 1a — Pattern: 37 regex rules. Always runs. Zero dependencies.
• Stage 1b — YARA: 39 rules. Binary + text matching. Unicode homoglyph detection.
• Stage 1c — Semgrep: 41 rules. Structural and multi-line pattern matching.
• Stage 2 — LLM: Semantic analysis via LiteLLM. Any provider. Requires API key.
• Stage 3 — Behavioral Sandbox: Docker runtime isolation. eBPF syscall tracing.

Near-Zero False Positives

5-layer FP reduction — code fence stripping, negation context, confidence scoring, LLM meta-analysis, and file-type scan profiles. Validated: 21 documentation files → 0 active findings.

VS Code Extension — live in Marketplace

ext install bawbel.bawbel-scanner — inline squiggles, hover detail with "How to fix" guidance, false-positive suppression, auto-scan on save. Zero setup.

GitHub Actions

- uses: bawbel/bawbel-integrations@v1
  with:
    path: .
    fail-on-severity: high

---

What's New Since v0.3.0

25 New AVE Records (00016–00040)

ID	Title	Sev
AVE-2026-00016	Indirect Prompt Injection via RAG	HIGH 8.2
AVE-2026-00017	MCP Server Impersonation	HIGH 8.6
AVE-2026-00018	Tool Result Manipulation	HIGH 8.1
AVE-2026-00019	Agent Memory Poisoning	CRIT 9.2
AVE-2026-00020	Cross-Agent Injection (A2A)	HIGH 8.7
AVE-2026-00021	Autonomous Action — No Confirmation	HIGH 8.3
AVE-2026-00022	Scope Creep — Undeclared Resources	MED 6.8
AVE-2026-00023	Context Window Flooding	HIGH 8.0
AVE-2026-00024	Binary Content Disguised as Skill File	CRIT 9.5
AVE-2026-00025	Fake Conversation History Injection	HIGH 8.5
AVE-2026-00026	Exfiltration via Tool Output Encoding	CRIT 9.1
AVE-2026-00027	Multi-Turn Instruction Persistence	HIGH 8.4
AVE-2026-00028	Prompt Injection via File Content	HIGH 8.3
AVE-2026-00029	Homoglyph & Unicode Obfuscation	HIGH 8.0
AVE-2026-00030	False Role Claim Escalation	CRIT 9.0
AVE-2026-00031	Feedback Loop / RLHF Poisoning	HIGH 8.6
AVE-2026-00032	Internal Network Reconnaissance	HIGH 8.2
AVE-2026-00033	Unsafe Deserialization / Eval	CRIT 9.3
AVE-2026-00034	Dynamic Third-Party Skill Import	CRIT 9.2
AVE-2026-00035	Sensor / Telemetry Falsification	HIGH 7.9
AVE-2026-00036	Lateral Movement — Internal Pivot	CRIT 9.4
AVE-2026-00037	Prompt Injection via Image / Vision	HIGH 8.5
AVE-2026-00038	Excessive Agency — Unbounded Tools	HIGH 8.1
AVE-2026-00039	Steganographic Covert Channel	HIGH 8.3
AVE-2026-00040	Insecure Output — SQL/XSS/Shell Injection	HIGH 8.2

---

bawbel.io · Docs · AVE Standard · PiranhaDB · VS Code

# Bawbel Scanner v1.0.0

The first production-stable release.

40 AVE records. 37 pattern rules. 6 detection engines. 5-layer false-positive
reduction. VS Code extension. GitHub Actions. Near-zero false positives.

---

Highlights

40 AVE Records — the open vulnerability standard for agentic AI

The AVE standard now covers 40 attack classes — from prompt injection and memory
poisoning to lateral movement, steganographic covert channels, and cross-agent
A2A injection. Every finding links to a published record with behavioral
fingerprints, IOC lists, CVSS-AI scores, and remediation steps.
Browse all records at [api.piranha.bawbel.io](https://api.piranha.bawbel.io).

6 Detection Engines

• Stage 0 — Magika: ML content-type verification. Catches binaries and scripts
  disguised as skill files before any text analysis runs.
• Stage 1a — Pattern: 37 regex rules. Always runs. Zero dependencies.
• Stage 1b — YARA: 39 rules. Binary + text matching. Unicode homoglyph detection.
• Stage 1c — Semgrep: 41 rules. Structural and multi-line pattern matching.
• Stage 2 — LLM: Semantic analysis via LiteLLM. Any provider. Requires API key.
• Stage 3 — Behavioral Sandbox: Docker runtime isolation. eBPF syscall tracing.

Near-Zero False Positives

5-layer FP reduction — code fence stripping, negation context, confidence scoring,
LLM meta-analysis, and file-type scan profiles.
Validated: 21 documentation files → 0 active findings.

VS Code Extension — live in Marketplace

ext install bawbel.bawbel-scanner — inline squiggles, hover detail with "How to
fix" guidance, false-positive suppression, auto-scan on save. Zero setup.

GitHub Actions

- uses: bawbel/bawbel-integrations@v1
  with:
    path: .
    fail-on-severity: high

---

What's New Since v0.3.0

25 New AVE Records (00016–00040)

ID	Title	Sev
AVE-2026-00016	Indirect Prompt Injection via RAG	HIGH 8.2
AVE-2026-00017	MCP Server Impersonation	HIGH 8.6
AVE-2026-00018	Tool Result Manipulation	HIGH 8.1
AVE-2026-00019	Agent Memory Poisoning	CRIT 9.2
AVE-2026-00020	Cross-Agent Injection (A2A)	HIGH 8.7
AVE-2026-00021	Autonomous Action — No Confirmation	HIGH 8.3
AVE-2026-00022	Scope Creep — Undeclared Resources	MED 6.8
AVE-2026-00023	Context Window Flooding	HIGH 8.0
AVE-2026-00024	Binary Content Disguised as Skill File	CRIT 9.5
AVE-2026-00025	Fake Conversation History Injection	HIGH 8.5
AVE-2026-00026	Exfiltration via Tool Output Encoding	CRIT 9.1
AVE-2026-00027	Multi-Turn Instruction Persistence	HIGH 8.4
AVE-2026-00028	Prompt Injection via File Content	HIGH 8.3
AVE-2026-00029	Homoglyph & Unicode Obfuscation	HIGH 8.0
AVE-2026-00030	False Role Claim Escalation	CRIT 9.0
AVE-2026-00031	Feedback Loop / RLHF Poisoning	HIGH 8.6
AVE-2026-00032	Internal Network Reconnaissance	HIGH 8.2
AVE-2026-00033	Unsafe Deserialization / Eval	CRIT 9.3
AVE-2026-00034	Dynamic Third-Party Skill Import	CRIT 9.2
AVE-2026-00035	Sensor / Telemetry Falsification	HIGH 7.9
AVE-2026-00036	Lateral Movement — Internal Pivot	CRIT 9.4
AVE-2026-00037	Prompt Injection via Image / Vision	HIGH 8.5
AVE-2026-00038	Excessive Agency — Unbounded Tools	HIGH 8.1
AVE-2026-00039	Steganographic Covert Channel	HIGH 8.3
AVE-2026-00040	Insecure Output — SQL/XSS/Shell Injection	HIGH 8.2

Rule Counts

Engine	v0.3.0	v1.0.0	+Delta
Pattern	15	37	+22
YARA	15	39	+24
Semgrep	15	41	+26

New Engines

Stage 0 — Magika (scanner/engines/magika_engine.py)
ML-based content-type verification. Runs before all text engines. Detects ELF
binaries, Windows PE32, pickles, PHP, and shell scripts disguised as .md/.yaml.

pip install "bawbel-scanner[magika]"

LLM Meta-Analyzer (scanner/engines/meta_analyzer.py)
LLM-based false positive filter. One API call per file covers all medium-confidence
findings. Verdicts: real, false_positive, needs_review. Skips silently if no
LLM configured.

False Positive Reduction — 5 Layers

Layer	Mechanism	Reduction
FP-1	Code fence stripping	~60% on docs
FP-2	Negation context (preceding line)	~15%
FP-3	Confidence scoring	~10%
FP-4	LLM meta-analysis	~7%
FP-5	File-type scan profiles	~3%

Result: 21 documentation files → 0 active findings.

Suppression System

<!-- bawbel-ignore -->
<!-- bawbel-ignore: bawbel-external-fetch -->
<!-- bawbel-ignore: AVE-2026-00001 -->
<!-- bawbel-ignore-start --> ... <!-- bawbel-ignore-end -->

.bawbelignore for file/directory exclusions.
--no-ignore flag to override all suppressions for security audits.
Suppressed findings always present in JSON/SARIF output for audit completeness.

New CLI Commands

bawbel init          # scaffold .bawbelignore, bawbel.yml, CI workflow
bawbel scan --watch  # re-scan on every file change (requires [watch] extra)
bawbel report        # full remediation guide per finding

PiranhaDB

• All 40 AVE records live at api.piranha.bawbel.io
• total_records: 40 | total_mutations: 2113 | CRITICAL: 10 | HIGH: 27 | MEDIUM: 3
• Auto-syncs from bawbel/bawbel-ave on every deploy
• GITHUB_TOKEN support: 60 → 5000 req/hr rate limit
• Hot-reload via POST /reload without container restart

Integrations

• GitHub Actions — bawbel/bawbel-integrations@v1
• VS Code Extension — bawbel.bawbel-scanner v1.0.1 on Marketplace
• GitLab CI, Jenkins, CircleCI, Bitbucket Pipelines, Azure DevOps
• Pre-commit hook
• Docker — 3 build targets, Docker Compose with 7 services

---

Bug Fixes

• YARA engine SyntaxError on filenames with [ ] — use data= instead of filepath=
• Docker smoke test path pointed at removed fixture — fixed
• Pattern engine docstring \s+ caused SyntaxWarning — fixed
• Semgrep 4 rules missing ave_id metadata — fixed
• YARA severity label mismatches on 5 rules — corrected to match CVSS scores

---

Tests

182 test methods across 19 test classes

• TestAVERecordsV2 — 43 tests for AVE-2026-00026 to 00040
• TestCodeFenceStripping — 12 tests for FP-1
• TestConfidenceScoring, TestPrecedingLineContext, TestMagikaEngine added

---

Install

pip install bawbel-scanner                   # pattern engine only
pip install "bawbel-scanner[all]"            # all engines
pip install "bawbel-scanner[yara,semgrep]"   # + YARA + Semgrep
pip install "bawbel-scanner[magika]"         # + content-type verification
pip install "bawbel-scanner[llm]"            # + LLM semantic analysis
pip install "bawbel-scanner[watch]"          # + watch mode

bawbel scan ./skills/ --recursive

---

Detection Coverage

Engine	Rules	AVE IDs	Install
Pattern	37	00001–00040	pip install bawbel-scanner
YARA	39	00001–00040	[yara]
Semgrep	41	00001–00040	[semgrep]
Magika	—	00024	[magika]
LLM	—	semantic	[llm] + API key
Sandbox	—	runtime	Docker

---

[bawbel.io](https://bawbel.io) · [Docs](https://bawbel.io/docs) · [AVE Standard](https://github.com/bawbel/bawbel-ave) · [PiranhaDB](https://api.piranha.bawbel.io) · [VS Code](https://marketplace.visualstudio.com/items?itemName=bawbel.bawbel-scanner)

---

This discussion was created from the release v1.0.1.