
Releases: bawbel/scanner

v1.2.3 - MCP Registry verification marker

23 May 19:32
e780ed2


What's changed

Added <!-- mcp-name: io.github.bawbel/scanner --> to README.md so the
official MCP Registry at registry.modelcontextprotocol.io can verify PyPI
package ownership.

No functional changes. Scanner behaviour, detection rules, and API output
are identical to v1.2.2.

Upgrade

pip install --upgrade bawbel-scanner

v1.2.2 - Confidence scoring fixes and --no-ignore audit mode repair

20 May 15:50
dd7d896


What's fixed

Unknown file profile over-suppression (B1)
Files outside recognized paths (docs/, examples/) were classified as
unknown and assigned a confidence threshold of 0.80 — higher than the
skill threshold of 0.60. Findings that would fire on a skill file were
silently suppressed on any file with an unrecognized name or path.
The unknown threshold is now 0.60, matching skill.

Also fixed a dead code path: the FP-3 threshold logic had a hardcoded
branch for skill files that made _PROFILE_THRESHOLDS["skill"] unreachable.
Simplified to always use profile_threshold.

--no-ignore did not bypass FP-2 or FP-3 (B2)
The flag correctly bypassed inline and justified suppression but had no effect
on negation-context (FP-2) or confidence scoring (FP-3). Findings suppressed
by confidence scoring were invisible even in audit mode.
--no-ignore now bypasses all suppression layers. Every finding surfaces.

risk_score showed 0.0 with active toxic flows (B3)
A file with zero active findings but CRITICAL toxic flows reported
risk_score: 0.0 and label CLEAN. The score calculation only read from
findings and ignored toxic_flows.
risk_score now takes the maximum across both. is_clean also requires
len(toxic_flows) == 0.
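The three fixes above (B1, B2, B3) as one small model, written here as an added example and not taken from the scanner's code. The Finding/ToxicFlow classes, the severity-to-score table and the path rules in classify_profile are assumptions; the thresholds, the --no-ignore semantics and the risk_score/is_clean rules are the ones described in the notes.

```python
"""Added example, not the scanner's own code: the three v1.2.2 behaviours (B1-B3)
modelled on a small Finding/ToxicFlow pair. Class and function names, the
severity-to-score table and the path rules in classify_profile are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# B1: the "unknown" profile shares the skill threshold (0.60) instead of the old
# 0.80 that silently dropped findings on any unrecognised path.
PROFILE_THRESHOLDS = {"skill": 0.60, "docs": 0.80, "unknown": 0.60}

# Assumed severity-to-score table, used only to roll findings up into risk_score.
SEVERITY_SCORE = {"LOW": 3.0, "MEDIUM": 5.5, "HIGH": 8.0, "CRITICAL": 9.5}


@dataclass
class Finding:
    rule: str
    severity: str
    confidence: float
    inline_suppressed: bool = False      # <!-- bawbel-ignore --> on the line
    negated: bool = False                # preceding line negates it (FP-2)
    suppressed_by: Optional[str] = None  # filled in by apply_suppression


@dataclass
class ToxicFlow:
    name: str
    severity: str
    score: float


def classify_profile(path: str) -> str:
    """Assumed path rules: docs/ and examples/ are documentation, *skill.md is a
    skill, and everything else falls into the unknown profile."""
    p = path.lower()
    if p.startswith(("docs/", "examples/")) or p.endswith(("readme.md", "changelog.md")):
        return "docs"
    if p.endswith("skill.md"):
        return "skill"
    return "unknown"


def apply_suppression(findings: List[Finding], profile: str,
                      no_ignore: bool = False) -> List[Finding]:
    """Run the suppression layers in order and record which one fired.
    B2: with no_ignore every layer is bypassed, including negation context (FP-2)
    and confidence scoring (FP-3), so audit mode sees every finding."""
    threshold = PROFILE_THRESHOLDS[profile]  # B1: one lookup, no hardcoded skill branch
    for f in findings:
        f.suppressed_by = None
        if no_ignore:
            continue
        if f.inline_suppressed:
            f.suppressed_by = "inline"
        elif f.negated:
            f.suppressed_by = "FP-2"
        elif f.confidence < threshold:
            f.suppressed_by = "FP-3"
    return findings


def active(findings: List[Finding]) -> List[Finding]:
    """Findings no layer suppressed."""
    return [f for f in findings if f.suppressed_by is None]


def risk_score(findings: List[Finding], toxic_flows: List[ToxicFlow]) -> float:
    """B3: take the maximum over active findings AND toxic flows, so a file whose
    individual findings are all suppressed still scores its CRITICAL chain."""
    scores = [SEVERITY_SCORE[f.severity] for f in active(findings)]
    scores += [t.score for t in toxic_flows]
    return max(scores, default=0.0)


def is_clean(findings: List[Finding], toxic_flows: List[ToxicFlow]) -> bool:
    """B3: CLEAN needs both no active findings and len(toxic_flows) == 0."""
    return not active(findings) and len(toxic_flows) == 0


if __name__ == "__main__":
    # Constructed scenario: an unrecognised path with a 0.70-confidence finding.
    hit = Finding("bawbel-external-fetch", "HIGH", 0.70)
    apply_suppression([hit], classify_profile("vendor/helper.txt"))
    print("surfaces under 0.60 threshold:", hit.suppressed_by is None)
    chain = ToxicFlow("Credential Exfiltration Chain", "CRITICAL", 9.8)
    low = Finding("bawbel-credential-read", "HIGH", 0.55)
    apply_suppression([low], "skill")
    print("risk_score with only a toxic flow active:", risk_score([low], [chain]))
```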

LiteLLM botocore startup warnings
bawbel version and every scan emitted two WARNING lines from LiteLLM
attempting to pre-load AWS Bedrock and SageMaker shapes when botocore is
not installed. Suppressed at the logger level in llm_engine.py.

Upgrade

pip install --upgrade bawbel-scanner

Full changelog: CHANGELOG.md

v1.2.1: PyPI packaging fix with ASCII diagrams

16 May 17:01
413e5fa


What's in this release

This is a packaging-only release. No functional changes to the scanner,
detection rules, or CLI commands.

Fixed

README.md renders correctly on PyPI

The three diagram images in README.md used local file paths
(docs/diagrams/...) which PyPI cannot serve. They have been replaced with
ASCII text diagrams that render correctly on PyPI, GitHub, and any Markdown
renderer with no external dependencies.

Three diagrams replaced:

  • System overview: full scan pipeline from file to ScanResult
  • Detection stages: six engines with install requirements and merge flow
  • False positive reduction: all eight FP layers as a vertical waterfall

Upgrade

pip install --upgrade bawbel-scanner
bawbel version

All v1.2.0 features are included. If you are on v1.2.0 already, there is
nothing new here beyond the corrected PyPI page. See the v1.2.0 release notes
for the full feature list.


v1.2.0: Justified Suppression, 3 new AVE records, bawbel creds + chain

16 May 16:10
6b8e829


What's new

Justified suppression and false positive feedback

The existing bawbel-ignore silently removes findings. That's not enough
when a developer can't explain why something is suppressed, or when an
accepted risk is never reviewed again.

v1.2.0 adds two new inline comment keywords:

  • bawbel-ignore with metadata: false positive declaration. Requires a
    reason, reviewer, and reviewed date. Suppressed permanently. The
    reason is recorded in the audit trail.
  • bawbel-accept with an expires date: accepted risk. When the expiry
    passes, the finding resurfaces automatically on the next scan.

<!-- bawbel-ignore: AVE-2026-00001
     reason: Internal registry endpoint, not attacker-controlled
     reviewer: chaksaray
     reviewed: 2026-05-16
-->

<!-- bawbel-accept: AVE-2026-00047
     reason: Placeholder replaced at deploy time by CI pipeline
     reviewer: chaksaray
     reviewed: 2026-05-16
     expires: 2026-08-16
-->

The bawbel accept CLI inserts these comments directly into source files
without manual editing:

bawbel accept AVE-2026-00001 ./skill.md --line 7 \
  --reason "Internal registry endpoint" \
  --type false-positive

bawbel accept AVE-2026-00047 ./skill.md --line 3 \
  --reason "Placeholder, replaced at deploy time" \
  --type accepted-risk \
  --expires 90d

bawbel accept --list
bawbel accept --expiring-soon --within 30

JSON output now includes an accepted_findings array with full metadata
for each justified suppression. --report sends an anonymous FP signal to
PiranhaDB (AVE ID, engine, confidence, match hash only, no file content).
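A parser for the two comment forms above and the decision they drive (permanent suppression for a false positive, automatic resurfacing once an accept expires), written as an added example rather than the scanner's implementation. The function and field names are assumptions; the comment syntax is the one shown in the notes, and the sample file is constructed.

```python
"""Added example, not the scanner's own code: parse the v1.2.0 justified-suppression
comments and decide whether a finding stays suppressed. Function and field names are
assumptions for the illustration; the comment syntax is the one shown above."""
import re
from dataclasses import asdict, dataclass
from datetime import date
from typing import Dict, List, Optional

# <!-- bawbel-ignore: TARGET ...fields... --> or <!-- bawbel-accept: TARGET ...fields... -->
# (the bare line-level <!-- bawbel-ignore --> without a target is a separate form)
COMMENT_RE = re.compile(r"<!--\s*bawbel-(ignore|accept):\s*(\S+)(.*?)-->", re.S)
FIELD_RE = re.compile(r"(reason|reviewer|reviewed|expires):\s*(.+?)\s*$", re.M)
REQUIRED = {"ignore": {"reason", "reviewer", "reviewed"},
            "accept": {"reason", "reviewer", "reviewed", "expires"}}


@dataclass
class Suppression:
    kind: str                  # "ignore" = false positive, "accept" = accepted risk
    target: str                # AVE ID or rule name the comment applies to
    line: int                  # 1-based line where the comment starts
    reason: str = ""
    reviewer: str = ""
    reviewed: Optional[str] = None
    expires: Optional[str] = None
    justified: bool = False    # True only when every required field is present


def parse_suppressions(text: str) -> List[Suppression]:
    """Collect every bawbel-ignore / bawbel-accept comment with its metadata.
    A bawbel-ignore without metadata is still a valid (unjustified) suppression;
    a bawbel-accept missing reviewer or expiry is malformed and is not honoured."""
    found = []
    for m in COMMENT_RE.finditer(text):
        kind, target, body = m.group(1), m.group(2), m.group(3)
        fields = dict(FIELD_RE.findall(body))
        s = Suppression(kind, target, text.count("\n", 0, m.start()) + 1,
                        fields.get("reason", ""), fields.get("reviewer", ""),
                        fields.get("reviewed"), fields.get("expires"))
        s.justified = REQUIRED[kind] <= set(fields)
        if kind == "accept" and not s.justified:
            continue
        found.append(s)
    return found


def suppression_status(target: str, suppressions: List[Suppression], today: str) -> str:
    """'suppressed', 'expired' (an accept whose expiry date has passed, so the
    finding resurfaces on the next scan) or 'active' (no matching comment)."""
    now = date.fromisoformat(today)
    for s in suppressions:
        if s.target != target:
            continue
        if s.kind == "ignore" or date.fromisoformat(s.expires) >= now:
            return "suppressed"
        return "expired"
    return "active"


def accepted_findings(suppressions: List[Suppression], today: str) -> List[Dict]:
    """Metadata for the JSON accepted_findings array: one entry per justified
    suppression, with its current expiry state attached."""
    return [dict(asdict(s), status=suppression_status(s.target, [s], today))
            for s in suppressions if s.justified]


# Constructed sample skill file carrying the two comments from the release notes
# plus a bare, unjustified ignore.
SAMPLE = """# Demo skill
<!-- bawbel-ignore: AVE-2026-00001
     reason: Internal registry endpoint, not attacker-controlled
     reviewer: chaksaray
     reviewed: 2026-05-16
-->
Fetch https://registry.internal/catalog

<!-- bawbel-accept: AVE-2026-00047
     reason: Placeholder replaced at deploy time by CI pipeline
     reviewer: chaksaray
     reviewed: 2026-05-16
     expires: 2026-08-16
-->
TOKEN=REPLACE_ME

<!-- bawbel-ignore: bawbel-external-fetch -->
"""

if __name__ == "__main__":
    for s in parse_suppressions(SAMPLE):
        print(s.line, s.kind, s.target, suppression_status(s.target, [s], "2026-09-01"))
```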


3 new AVE records

| Rule | AVE ID | Severity | AIVSS | What it detects |
|---|---|---|---|---|
| bawbel-hook-hijack | AVE-2026-00046 | CRITICAL | 9.1 | MCP tool hook hijacking: skill files that register hooks to intercept or redirect tool execution calls to attacker-controlled callbacks |
| bawbel-hardcoded-credential | AVE-2026-00047 | HIGH | 7.8 | Hardcoded API keys, tokens, passwords, private key blocks, and URL-embedded credentials (scheme://user:pass@host) |
| bawbel-unsafe-delegation | AVE-2026-00048 | HIGH | 8.2 | Sub-agent spawning with inherited permissions and no explicit trust boundary |

Pattern engine: 37 rules -> 40 rules. AVE records: 45 -> 48.


bawbel creds and bawbel chain

Two new focused scan commands. Both use the same panel output as
bawbel scan and support --recursive, --no-ignore, --fail-on-any,
--format json.

# Credential-only scan (AVE-2026-00047)
bawbel creds ./skills/ --recursive

# Delegation chain scan (AVE-2026-00048)
bawbel chain ./skills/ --recursive

Use bawbel scan for full security review. These commands are for targeted
triage or specialized CI gates.


bawbel report improvements

  • --recursive / -r flag: scan a directory and produce a full remediation
    report for every file.
  • --no-ignore flag: audit mode, same as bawbel scan --no-ignore.

Fixes

  • pr-review.yml regression-check: missing pip install -e . caused import
    failures on clean repos.
  • ci.yml test job: same missing pip install -e . fix.
  • ci.yml Docker verify step: python3 -c "..." with f-strings was mangled
    by shell brace expansion before Python saw the script. Replaced with a
    single-line assertion. Also fixed wrong field name (aivss -> aivss_score)
    and wrong threshold (9.0 -> 7.0).

Upgrade

pip install --upgrade bawbel-scanner
bawbel version


v1.1.1

06 May 18:57
e78d8ad


Packaging fix for MCP official registry submission.
Adds mcp-name marker to README for PyPI package ownership verification.
No functional changes from v1.1.0.

The MCP Security Layer

04 May 18:10
ce4c756


Bawbel Scanner v1.1.0: The MCP Security Layer

Released: May 2026

PyPI: pip install "bawbel-scanner==1.1.0"

Changelog: github.com/bawbel/bawbel-scanner/releases/tag/v1.1.0

v1.1.0 makes Bawbel the first scanner purpose-built for the full MCP 2026 attack surface: server-cards, tool descriptions, cross-app escalation, async task poisoning, and spec conformance. Every finding now maps to both the AVE standard and the OWASP MCP Top 10.


What's new

bawbel scan-server-card + bawbel ssc

Fetches .well-known/mcp.json (SEP-1649) and scans all tool descriptions, parameter descriptions, and config schemas before your agent makes a single call. The attack surface exists at the discovery layer, before execution.

bawbel scan-server-card https://api.example.com
bawbel ssc https://api.example.com          # alias

First dedicated scanner for the MCP server-card attack surface.


Toxic flow detection

Detects when two or more findings combine into a complete, exploitable attack chain. A credential-read finding is HIGH. Combined with a data-exfil finding it becomes CRITICAL 9.8. The risk score is elevated to the combined value automatically.

TOXIC FLOWS DETECTED
  These findings form complete attack chains.

  ⛓  CRITICAL  Credential Exfiltration Chain  CVSS-AI 9.8
  Chain:    credential-read + data-exfil
  AVEs:     AVE-2026-00003, AVE-2026-00026
  OWASP MCP: MCP01, MCP05

  ⛓  CRITICAL  Remote Code Execution Chain  CVSS-AI 9.7
  Chain:    external-fetch + command-exec
  AVEs:     AVE-2026-00001, AVE-2026-00004
  OWASP MCP: MCP04, MCP05

12 built-in attack chain definitions:

| Chain | CVSS-AI |
|---|---|
| Credential Exfiltration | CRITICAL 9.8 |
| Remote Code Execution | CRITICAL 9.7 |
| Supply Chain RCE | CRITICAL 9.6 |
| Goal Override + Command Execution | CRITICAL 9.5 |
| Lateral Movement + Execution | CRITICAL 9.4 |
| Tool Poisoning + Exfiltration | CRITICAL 9.3 |
| Identity Spoofing + Escalation | CRITICAL 9.2 |
| Persistence + Exfiltration | CRITICAL 9.1 |
| Context Injection + Memory Write | HIGH 8.9 |
| Goal Override + Exfiltration | HIGH 8.8 |
| Scope Expansion + Exfiltration | HIGH 8.7 |
| Covert Channel + Persistence | HIGH 8.6 |
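How per-file findings combine into a toxic flow and lift the file's risk to the chain's CVSS-AI, as an added example that is not the scanner's own code. Only the two chains whose components are shown above are encoded; the category names, the Finding fields and the per-finding scores of AVE-2026-00001, -00003 and -00004 are assumptions (AVE-2026-00026's 9.1 is from the v1.0.x record table).

```python
"""Added example, not the scanner's own code: matching per-file findings against
chain definitions and elevating the risk score to the chain's CVSS-AI. Only the two
chains whose components appear above are encoded; category names, the Finding
fields and the scores of AVE-2026-00001/00003/00004 are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Finding:
    ave_id: str
    category: str   # behavioural class the rule belongs to, e.g. "credential-read"
    severity: str
    score: float


@dataclass(frozen=True)
class ChainDef:
    name: str
    components: FrozenSet[str]   # every category must be present in the same file
    severity: str
    cvss_ai: float
    owasp_mcp: Tuple[str, ...]


CHAINS = [
    ChainDef("Credential Exfiltration Chain", frozenset({"credential-read", "data-exfil"}),
             "CRITICAL", 9.8, ("MCP01", "MCP05")),
    ChainDef("Remote Code Execution Chain", frozenset({"external-fetch", "command-exec"}),
             "CRITICAL", 9.7, ("MCP04", "MCP05")),
]


def detect_toxic_flows(findings: List[Finding]) -> List[Dict]:
    """Return one toxic flow per chain whose components are all present. Findings are
    grouped by category first so a chain fires once even with repeated hits, and only
    findings from the same file are ever combined (the caller scans file by file)."""
    by_category: Dict[str, List[Finding]] = {}
    for f in findings:
        by_category.setdefault(f.category, []).append(f)
    flows = []
    for chain in CHAINS:
        if not chain.components <= set(by_category):
            continue
        flows.append({
            "chain": chain.name,
            "severity": chain.severity,
            "cvss_ai": chain.cvss_ai,
            "components": sorted(chain.components),
            "aves": sorted(f.ave_id for c in chain.components for f in by_category[c]),
            "owasp_mcp": list(chain.owasp_mcp),
        })
    return flows


def elevated_risk(findings: List[Finding], flows: List[Dict]) -> float:
    """The file's risk is the highest single finding or chain, whichever is larger:
    a HIGH credential read plus a data-exfil finding becomes CRITICAL 9.8."""
    return max([f.score for f in findings] + [fl["cvss_ai"] for fl in flows], default=0.0)


def render(flows: List[Dict]) -> str:
    """Panel text in the shape of the scanner output shown above."""
    if not flows:
        return "No toxic flows."
    lines = ["TOXIC FLOWS DETECTED", "  These findings form complete attack chains.", ""]
    for fl in flows:
        lines += [f"  {fl['severity']}  {fl['chain']}  CVSS-AI {fl['cvss_ai']}",
                  f"  Chain:    {' + '.join(fl['components'])}",
                  f"  AVEs:     {', '.join(fl['aves'])}",
                  f"  OWASP MCP: {', '.join(fl['owasp_mcp'])}", ""]
    return "\n".join(lines).rstrip()


# Constructed findings for one skill file. AVE-2026-00026 is CRITICAL 9.1 per the
# v1.0.x record table; the other three scores are illustrative.
SAMPLE_FINDINGS = [
    Finding("AVE-2026-00003", "credential-read", "HIGH", 8.1),
    Finding("AVE-2026-00026", "data-exfil", "CRITICAL", 9.1),
    Finding("AVE-2026-00001", "external-fetch", "HIGH", 7.9),
    Finding("AVE-2026-00004", "command-exec", "HIGH", 8.4),
]

if __name__ == "__main__":
    found = detect_toxic_flows(SAMPLE_FINDINGS)
    print(render(found))
    print("risk_score:", elevated_risk(SAMPLE_FINDINGS, found))
```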

PiranhaDB v1.1

api.piranha.bawbel.io upgraded from a 4-endpoint AVE record API to a full public threat intelligence platform. 14 endpoints, no auth, Apache 2.0.

New endpoints:

  • GET /registry-scan/latest: latest Smithery/MCP registry scan results
  • GET /registry-scan/history: weekly trend data
  • GET /github-scan/{owner}/{repo}: GitHub skills repo scans
  • GET /stats/ecosystem: aggregate stats across all sources
  • POST /scan: on-demand scan, submit any URL or content

Future-proof: the Redis cache and PostgreSQL store activate automatically when the REDIS_URL and DATABASE_URL env vars are set. Zero code changes are required to enable either.


Bug fixes

YARA AVE_A2AInjection false positive: the condition used the bare string "inject", which evaluated as boolean true, so the rule matched on any a2a string hit. Tightened to require explicit attack phrases or a combination of an agent-type string and an attack-verb string. Fixes the false positive on agenttrust/mcp-server and similar legitimate A2A protocol references.

scanner/cli/__main__.py: added missing file that caused No module named scanner.cli.__main__ in Docker smoke tests after the CLI refactor.

scanner/pinner.py bandit annotation: removed unused B607 nosec tag that caused bandit to exit non-zero in strict mode CI.


Breaking changes

None. All existing commands, JSON output fields, and Python API are unchanged.

toxic_flows is a new additive field on ScanResult that defaults to []. owasp_mcp is a new additive field on finding JSON output.


Upgrade

pip install "bawbel-scanner==1.1.0"

VS Code extension: update to v1.2.0 from the Marketplace.


Full changelog

feat: bawbel scan-server-card + bawbel ssc alias
feat: toxic flow detection, 12 attack chain definitions
feat: bawbel scan-conformance / bawbel conform, MCP spec scoring
feat: bawbel pin + bawbel check-pins + bawbel cp, rug pull detection
feat: OWASP MCP Top 10 mapping on all findings (owasp_mcp field)
feat: AVE records 41-45, MCP 2026 attack surface
feat: CLI modular refactor, scanner/cli/ package
feat: PiranhaDB v1.1, 14-endpoint threat intel platform
fix:  AVE_A2AInjection YARA rule, remove false bare a2a match
fix:  add scanner/cli/__main__.py for python -m scanner.cli
fix:  remove unused B607 nosec tag in pinner.py, fixes bandit CI

toxic_flows array is included in all JSON and SARIF output. See [docs/guides/toxic-flows.md](docs/guides/toxic-flows.md).


bawbel scan-conformance + bawbel conform

Scores an MCP server manifest against the MCP specification. Returns a grade A+ to F and per-check results across 18 checks in 3 tiers. Works on local files, live servers, and the official MCP registry.

bawbel scan-conformance ./server.json
bawbel conform https://api.example.com     # alias, fetches server-card
bawbel conform ac.tandem/docs-mcp --registry
bawbel conform ./server.json --fail-below 80
bawbel conform ./server.json --fail-non-conformant

18 checks across 3 tiers:

| Tier | Weight | Checks |
|---|---|---|
| REQUIRED | 3 | name, description, version, HTTPS, tool descriptions, valid tool names, unique tool names, inputSchema |
| RECOMMENDED | 2 | $schema ref, streamable-http transport, parameter descriptions, required params, no deprecated SSE |
| BEST PRACTICE | 1 | source repository, description length, no sensitive params in headers, tool description length |

Grading: A+ (95-100), A (90-94), B (80-89), C (70-79), D (60-69), F (below 60)

See [docs/guides/conformance.md](docs/guides/conformance.md).
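A weighted scorer over the checks named in the tier table, mapped onto the grade bands above, as an added example and not the scanner's implementation. The manifest field names (name, description, version, url, transport, repository, headers, tools[].inputSchema), the individual predicates, the scoring formula (weighted pass ratio out of 100) and the reading of --fail-non-conformant as "any REQUIRED check failed" are assumptions; the tiers, weights and bands are the ones listed, and both manifests are constructed.

```python
"""Added example, not the scanner's own code: weighted conformance score over the
checks named in the tier table, mapped onto the A+..F bands. Manifest field names,
predicates and the weighted-pass-ratio formula are assumptions; tiers, weights and
grade bands are the ones listed in the release notes."""
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

TOOL_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # assumed: bounded, no whitespace
SENSITIVE = ("authorization", "api-key", "apikey", "token", "secret", "password")


def _tools(m: Dict[str, Any]) -> List[Dict[str, Any]]:
    return m.get("tools") or []


def _schema(t: Dict[str, Any]) -> Dict[str, Any]:
    return t.get("inputSchema") or {}


# (tier, weight, check, predicate over the manifest dict)
CHECKS: List[Tuple[str, int, str, Callable[[Dict[str, Any]], bool]]] = [
    ("REQUIRED", 3, "name", lambda m: bool(m.get("name"))),
    ("REQUIRED", 3, "description", lambda m: bool(m.get("description"))),
    ("REQUIRED", 3, "version", lambda m: bool(m.get("version"))),
    ("REQUIRED", 3, "HTTPS", lambda m: str(m.get("url", "")).startswith("https://")),
    ("REQUIRED", 3, "tool descriptions", lambda m: all(t.get("description") for t in _tools(m))),
    ("REQUIRED", 3, "valid tool names",
     lambda m: all(TOOL_NAME_RE.match(t.get("name", "")) for t in _tools(m))),
    ("REQUIRED", 3, "unique tool names",
     lambda m: len({t.get("name") for t in _tools(m)}) == len(_tools(m))),
    ("REQUIRED", 3, "inputSchema", lambda m: all(isinstance(t.get("inputSchema"), dict) for t in _tools(m))),
    ("RECOMMENDED", 2, "$schema ref", lambda m: bool(m.get("$schema"))),
    ("RECOMMENDED", 2, "streamable-http transport", lambda m: m.get("transport") == "streamable-http"),
    ("RECOMMENDED", 2, "parameter descriptions",
     lambda m: all(p.get("description") for t in _tools(m) for p in _schema(t).get("properties", {}).values())),
    ("RECOMMENDED", 2, "required params", lambda m: all("required" in _schema(t) for t in _tools(m))),
    ("RECOMMENDED", 2, "no deprecated SSE", lambda m: m.get("transport") != "sse"),
    ("BEST PRACTICE", 1, "source repository", lambda m: bool(m.get("repository"))),
    ("BEST PRACTICE", 1, "description length", lambda m: 20 <= len(m.get("description") or "") <= 500),
    ("BEST PRACTICE", 1, "no sensitive params in headers",
     lambda m: not any(s in h.lower() for h in (m.get("headers") or {}) for s in SENSITIVE)),
    ("BEST PRACTICE", 1, "tool description length",
     lambda m: all(20 <= len(t.get("description") or "") <= 300 for t in _tools(m))),
]

GRADE_BANDS = [(95, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


def grade(score: float) -> str:
    """A+ (95-100), A (90-94), B (80-89), C (70-79), D (60-69), F (below 60)."""
    return next(letter for floor, letter in GRADE_BANDS if score >= floor)


def score_manifest(m: Dict[str, Any]) -> Dict[str, Any]:
    """Weighted pass ratio out of 100 plus per-check results and the failed list."""
    results = [{"tier": tier, "check": name, "weight": w, "passed": bool(pred(m))}
               for tier, w, name, pred in CHECKS]
    total = sum(r["weight"] for r in results)
    earned = sum(r["weight"] for r in results if r["passed"])
    score = round(100 * earned / total, 1)
    return {"score": score, "grade": grade(score), "checks": results,
            "failed": [r["check"] for r in results if not r["passed"]],
            "conformant": all(r["passed"] for r in results if r["tier"] == "REQUIRED")}


def ci_fails(result: Dict[str, Any], fail_below: Optional[float] = None,
             fail_non_conformant: bool = False) -> bool:
    """Mirror --fail-below N and --fail-non-conformant (assumed: any REQUIRED failed)."""
    if fail_below is not None and result["score"] < fail_below:
        return True
    return fail_non_conformant and not result["conformant"]


# Constructed manifests: one that passes every check, one with the weak settings.
GOOD = {
    "$schema": "https://example.com/server.schema.json",  # placeholder URL
    "name": "docs-mcp", "version": "1.0.0",
    "description": "Serves product documentation to agents over MCP.",
    "url": "https://api.example.com/mcp", "transport": "streamable-http",
    "repository": "https://github.com/example/docs-mcp",
    "headers": {"Accept": "application/json"},
    "tools": [{"name": "search_docs",
               "description": "Full-text search over the documentation corpus.",
               "inputSchema": {"type": "object", "required": ["q"],
                               "properties": {"q": {"type": "string", "description": "Search query"}}}}],
}
WEAK = {**GOOD,
        "$schema": None,                         # no schema reference
        "url": "http://api.example.com/mcp",     # plain HTTP
        "transport": "sse",                      # deprecated transport
        "repository": None,
        "headers": {"X-Api-Key": "${API_KEY}"},  # credential-bearing header
        "tools": GOOD["tools"] + [{"name": "fetch page",  # space, no description, no required
                                   "inputSchema": {"type": "object",
                                                   "properties": {"id": {"type": "string"}}}}]}

if __name__ == "__main__":
    for label, manifest in (("GOOD", GOOD), ("WEAK", WEAK)):
        r = score_manifest(manifest)
        print(label, r["score"], r["grade"], "failed:", r["failed"])
```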


bawbel pin + bawbel check-pins + bawbel cp

Hash skill files and MCP manifests. Detect when content changes after you audited it. Stored in .bawbel-pins.json committed to git, visible in diffs, shared with the team automatically.

bawbel pin ./skills/                  # hash all files to .bawbel-pins.json
bawbel check-pins ./skills/           # detect drift
bawbel cp ./skills/ --fail-on-drift   # CI mode, exit 2 on drift

Changes show in PRs, every developer on the team shares the same pins, and it works on any machine after a git clone. Beats Snyk local ~/.mcp-scan on every dimension.

See [docs/guides/pinning.md](docs/guides/pinning.md).


OWASP MCP Top 10 mapping on every finding

Every finding now includes owasp_mcp, mappin...


v1.0.1

26 Apr 15:39
0baa85e


Bawbel Scanner v1.0.1

The first production-stable release.

40 AVE records. 37 pattern rules. 6 detection engines. 5-layer false-positive reduction. VS Code extension. GitHub Actions. Near-zero false positives.


Highlights

40 AVE Records — the open vulnerability standard for agentic AI

The AVE standard now covers 40 attack classes — from prompt injection and memory poisoning to lateral movement, steganographic covert channels, and cross-agent A2A injection. Every finding links to a published record with behavioral fingerprints, IOC lists, CVSS-AI scores, and remediation steps. Browse all records at api.piranha.bawbel.io.

6 Detection Engines

  • Stage 0 — Magika: ML content-type verification. Catches binaries and scripts disguised as skill files before any text analysis runs.
  • Stage 1a — Pattern: 37 regex rules. Always runs. Zero dependencies.
  • Stage 1b — YARA: 39 rules. Binary + text matching. Unicode homoglyph detection.
  • Stage 1c — Semgrep: 41 rules. Structural and multi-line pattern matching.
  • Stage 2 — LLM: Semantic analysis via LiteLLM. Any provider. Requires API key.
  • Stage 3 — Behavioral Sandbox: Docker runtime isolation. eBPF syscall tracing.

Near-Zero False Positives

5-layer FP reduction — code fence stripping, negation context, confidence scoring, LLM meta-analysis, and file-type scan profiles. Validated: 21 documentation files → 0 active findings.

VS Code Extension — live in Marketplace

ext install bawbel.bawbel-scanner — inline squiggles, hover detail with "How to fix" guidance, false-positive suppression, auto-scan on save. Zero setup.

GitHub Actions

- uses: bawbel/bawbel-integrations@v1
  with:
    path: .
    fail-on-severity: high

What's New Since v0.3.0

25 New AVE Records (00016–00040)

| ID | Title | Severity |
|---|---|---|
| AVE-2026-00016 | Indirect Prompt Injection via RAG | HIGH 8.2 |
| AVE-2026-00017 | MCP Server Impersonation | HIGH 8.6 |
| AVE-2026-00018 | Tool Result Manipulation | HIGH 8.1 |
| AVE-2026-00019 | Agent Memory Poisoning | CRIT 9.2 |
| AVE-2026-00020 | Cross-Agent Injection (A2A) | HIGH 8.7 |
| AVE-2026-00021 | Autonomous Action — No Confirmation | HIGH 8.3 |
| AVE-2026-00022 | Scope Creep — Undeclared Resources | MED 6.8 |
| AVE-2026-00023 | Context Window Flooding | HIGH 8.0 |
| AVE-2026-00024 | Binary Content Disguised as Skill File | CRIT 9.5 |
| AVE-2026-00025 | Fake Conversation History Injection | HIGH 8.5 |
| AVE-2026-00026 | Exfiltration via Tool Output Encoding | CRIT 9.1 |
| AVE-2026-00027 | Multi-Turn Instruction Persistence | HIGH 8.4 |
| AVE-2026-00028 | Prompt Injection via File Content | HIGH 8.3 |
| AVE-2026-00029 | Homoglyph & Unicode Obfuscation | HIGH 8.0 |
| AVE-2026-00030 | False Role Claim Escalation | CRIT 9.0 |
| AVE-2026-00031 | Feedback Loop / RLHF Poisoning | HIGH 8.6 |
| AVE-2026-00032 | Internal Network Reconnaissance | HIGH 8.2 |
| AVE-2026-00033 | Unsafe Deserialization / Eval | CRIT 9.3 |
| AVE-2026-00034 | Dynamic Third-Party Skill Import | CRIT 9.2 |
| AVE-2026-00035 | Sensor / Telemetry Falsification | HIGH 7.9 |
| AVE-2026-00036 | Lateral Movement — Internal Pivot | CRIT 9.4 |
| AVE-2026-00037 | Prompt Injection via Image / Vision | HIGH 8.5 |
| AVE-2026-00038 | Excessive Agency — Unbounded Tools | HIGH 8.1 |
| AVE-2026-00039 | Steganographic Covert Channel | HIGH 8.3 |
| AVE-2026-00040 | Insecure Output — SQL/XSS/Shell Injection | HIGH 8.2 |



Rule Counts

| Engine | v0.3.0 | v1.0.0 | Delta |
|---|---|---|---|
| Pattern | 15 | 37 | +22 |
| YARA | 15 | 39 | +24 |
| Semgrep | 15 | 41 | +26 |

New Engines

Stage 0 — Magika (scanner/engines/magika_engine.py)
ML-based content-type verification. Runs before all text engines. Detects ELF
binaries, Windows PE32, pickles, PHP, and shell scripts disguised as .md/.yaml.

pip install "bawbel-scanner[magika]"

LLM Meta-Analyzer (scanner/engines/meta_analyzer.py)
LLM-based false positive filter. One API call per file covers all medium-confidence
findings. Verdicts: real, false_positive, needs_review. Skips silently if no
LLM configured.

False Positive Reduction — 5 Layers

| Layer | Mechanism | Reduction |
|---|---|---|
| FP-1 | Code fence stripping | ~60% on docs |
| FP-2 | Negation context (preceding line) | ~15% |
| FP-3 | Confidence scoring | ~10% |
| FP-4 | LLM meta-analysis | ~7% |
| FP-5 | File-type scan profiles | ~3% |

Result: 21 documentation files → 0 active findings.

Suppression System

<!-- bawbel-ignore -->
<!-- bawbel-ignore: bawbel-external-fetch -->
<!-- bawbel-ignore: AVE-2026-00001 -->
<!-- bawbel-ignore-start --> ... <!-- bawbel-ignore-end -->

.bawbelignore for file/directory exclusions.
--no-ignore flag to override all suppressions for security audits.
Suppressed findings always present in JSON/SARIF output for audit completeness.

New CLI Commands

bawbel init          # scaffold .bawbelignore, bawbel.yml, CI workflow
bawbel scan --watch  # re-scan on every file change (requires [watch] extra)
bawbel report        # full remediation guide per finding

PiranhaDB

  • All 40 AVE records live at api.piranha.bawbel.io
  • total_records: 40 | total_mutations: 2113 | CRITICAL: 10 | HIGH: 27 | MEDIUM: 3
  • Auto-syncs from bawbel/bawbel-ave on every deploy
  • GITHUB_TOKEN support: 60 → 5000 req/hr rate limit
  • Hot-reload via POST /reload without container restart

Integrations

  • GitHub Actions — bawbel/bawbel-integrations@v1
  • VS Code Extension — bawbel.bawbel-scanner v1.0.1 on Marketplace
  • GitLab CI, Jenkins, CircleCI, Bitbucket Pipelines, Azure Dev...

Bawbel Scanner v1.0.0 — 40 AVE records, 6 engines, VS Code extension

26 Apr 08:37
564efa8


Bawbel Scanner v1.0.0

The first production-stable release.

40 AVE records. 37 pattern rules. 6 detection engines. 5-layer false-positive reduction. VS Code extension. GitHub Actions. Near-zero false positives.


Highlights

40 AVE Records — the open vulnerability standard for agentic AI

The AVE standard now covers 40 attack classes — from prompt injection and memory poisoning to lateral movement, steganographic covert channels, and cross-agent A2A injection. Every finding links to a published record with behavioral fingerprints, IOC lists, CVSS-AI scores, and remediation steps. Browse all records at api.piranha.bawbel.io.

6 Detection Engines

  • Stage 0 — Magika: ML content-type verification. Catches binaries and scripts disguised as skill files before any text analysis runs.
  • Stage 1a — Pattern: 37 regex rules. Always runs. Zero dependencies.
  • Stage 1b — YARA: 39 rules. Binary + text matching. Unicode homoglyph detection.
  • Stage 1c — Semgrep: 41 rules. Structural and multi-line pattern matching.
  • Stage 2 — LLM: Semantic analysis via LiteLLM. Any provider. Requires API key.
  • Stage 3 — Behavioral Sandbox: Docker runtime isolation. eBPF syscall tracing.

Near-Zero False Positives

5-layer FP reduction — code fence stripping, negation context, confidence scoring, LLM meta-analysis, and file-type scan profiles. Validated: 21 documentation files → 0 active findings.

VS Code Extension — live in Marketplace

ext install bawbel.bawbel-scanner — inline squiggles, hover detail with "How to fix" guidance, false-positive suppression, auto-scan on save. Zero setup.

GitHub Actions

- uses: bawbel/bawbel-integrations@v1
  with:
    path: .
    fail-on-severity: high

What's New Since v0.3.0

25 New AVE Records (00016–00040)

ID Title Sev
AVE-2026-00016 Indirect Prompt Injection via RAG HIGH 8.2
AVE-2026-00017 MCP Server Impersonation HIGH 8.6
AVE-2026-00018 Tool Result Manipulation HIGH 8.1
AVE-2026-00019 Agent Memory Poisoning CRIT 9.2
AVE-2026-00020 Cross-Agent Injection (A2A) HIGH 8.7
AVE-2026-00021 Autonomous Action — No Confirmation HIGH 8.3
AVE-2026-00022 Scope Creep — Undeclared Resources MED 6.8
AVE-2026-00023 Context Window Flooding HIGH 8.0
AVE-2026-00024 Binary Content Disguised as Skill File CRIT 9.5
AVE-2026-00025 Fake Conversation History Injection HIGH 8.5
AVE-2026-00026 Exfiltration via Tool Output Encoding CRIT 9.1
AVE-2026-00027 Multi-Turn Instruction Persistence HIGH 8.4
AVE-2026-00028 Prompt Injection via File Content HIGH 8.3
AVE-2026-00029 Homoglyph & Unicode Obfuscation HIGH 8.0
AVE-2026-00030 False Role Claim Escalation CRIT 9.0
AVE-2026-00031 Feedback Loop / RLHF Poisoning HIGH 8.6
AVE-2026-00032 Internal Network Reconnaissance HIGH 8.2
AVE-2026-00033 Unsafe Deserialization / Eval CRIT 9.3
AVE-2026-00034 Dynamic Third-Party Skill Import CRIT 9.2
AVE-2026-00035 Sensor / Telemetry Falsification HIGH 7.9
AVE-2026-00036 Lateral Movement — Internal Pivot CRIT 9.4
AVE-2026-00037 Prompt Injection via Image / Vision HIGH 8.5
AVE-2026-00038 Excessive Agency — Unbounded Tools HIGH 8.1
AVE-2026-00039 Steganographic Covert Channel HIGH 8.3
AVE-2026-00040 Insecure Output — SQL/XSS/Shell Injection HIGH 8.2

bawbel.io · Docs · AVE Standard · PiranhaDB · VS Code

# Bawbel Scanner v1.0.0

The first production-stable release.

40 AVE records. 37 pattern rules. 6 detection engines. 5-layer false-positive
reduction. VS Code extension. GitHub Actions. Near-zero false positives.


Highlights

40 AVE Records — the open vulnerability standard for agentic AI

The AVE standard now covers 40 attack classes — from prompt injection and memory
poisoning to lateral movement, steganographic covert channels, and cross-agent
A2A injection. Every finding links to a published record with behavioral
fingerprints, IOC lists, CVSS-AI scores, and remediation steps.
Browse all records at [api.piranha.bawbel.io](https://api.piranha.bawbel.io).

6 Detection Engines

  • Stage 0 — Magika: ML content-type verification. Catches binaries and scripts
    disguised as skill files before any text analysis runs.
  • Stage 1a — Pattern: 37 regex rules. Always runs. Zero dependencies.
  • Stage 1b — YARA: 39 rules. Binary + text matching. Unicode homoglyph detection.
  • Stage 1c — Semgrep: 41 rules. Structural and multi-line pattern matching.
  • Stage 2 — LLM: Semantic analysis via LiteLLM. Any provider. Requires API key.
  • Stage 3 — Behavioral Sandbox: Docker runtime isolation. eBPF syscall tracing.

Near-Zero False Positives

5-layer FP reduction — code fence stripping, negation context, confidence scoring,
LLM meta-analysis, and file-type scan profiles.
Validated: 21 documentation files → 0 active findings.

VS Code Extension — live in Marketplace

ext install bawbel.bawbel-scanner — inline squiggles, hover detail with "How to
fix" guidance, false-positive suppression, auto-scan on save. Zero setup.

GitHub Actions

- uses: bawbel/bawbel-integrations@v1
  with:
    path: .
    fail-on-severity: high

What's New Since v0.3.0

25 New AVE Records (00016–00040)

ID Title Sev
AVE-2026-00016 Indirect Prompt Injection via RAG HIGH 8.2
AVE-2026-00017 MCP Server Impersonation HIGH 8.6
AVE-2026-00018 Tool Result Manipulation HIGH 8.1
AVE-2026-00019 Agent Memory Poisoning CRIT 9.2
AVE-2026-00020 Cross-Agent Injection (A2A) HIGH 8.7
AVE-2026-00021 Autonomous Action — No Confirmation HIGH 8.3
AVE-2026-00022 Scope Creep — Undeclared Resources MED 6.8
AVE-2026-00023 Context Window Flooding HIGH 8.0
AVE-2026-00024 Binary Content Disguised as Skill File CRIT 9.5
AVE-2026-00025 Fake Conversation History Injection HIGH 8.5
AVE-2026-00026 Exfiltration via Tool Output Encoding CRIT 9.1
AVE-2026-00027 Multi-Turn Instruction Persistence HIGH 8.4
AVE-2026-00028 Prompt Injection via File Content HIGH 8.3
AVE-2026-00029 Homoglyph & Unicode Obfuscation HIGH 8.0
AVE-2026-00030 False Role Claim Escalation CRIT 9.0
AVE-2026-00031 Feedback Loop / RLHF Poisoning HIGH 8.6
AVE-2026-00032 Internal Network Reconnaissance HIGH 8.2
AVE-2026-00033 Unsafe Deserialization / Eval CRIT 9.3
AVE-2026-00034 Dynamic Third-Party Skill Import CRIT 9.2
AVE-2026-00035 Sensor / Telemetry Falsification HIGH 7.9
AVE-2026-00036 Lateral Movement — Internal Pivot CRIT 9.4
AVE-2026-00037 Prompt Injection via Image / Vision HIGH 8.5
AVE-2026-00038 Excessive Agency — Unbounded Tools HIGH 8.1
AVE-2026-00039 Steganographic Covert Channel HIGH 8.3
AVE-2026-00040 Insecure Output — SQL/XSS/Shell Injection HIGH 8.2

Rule Counts

Engine v0.3.0 v1.0.0 +Delta
Pattern 15 37 +22
YARA 15 39 +24
Semgrep 15 41 +26

New Engines

Stage 0 — Magika (scanner/engines/magika_engine.py)
ML-based content-type verification. Runs before all text engines. Detects ELF
binaries, Windows PE32, pickles, PHP, and shell scripts disguised as .md/.yaml.

pip install "bawbel-scanner[magika]"

LLM Meta-Analyzer (scanner/engines/meta_analyzer.py)
LLM-based false positive filter. One API call per file covers all medium-confidence
findings. Verdicts: real, false_positive, needs_review. Skips silently if no
LLM configured.

False Positive Reduction — 5 Layers

Layer Mechanism Reduction
FP-1 Code fence stripping ~60% on docs
FP-2 Negation context (preceding line) ~15%
FP-3 Confidence scoring ~10%
FP-4 LLM meta-analysis ~7%
FP-5 File-type scan profiles ~3%

Result: 21 documentation files → 0 active findings.

Suppression System

<!-- bawbel-ignore -->
<!-- bawbel-ignore: bawbel-external-fetch -->
<!-- bawbel-ignore: AVE-2026-00001 -->
<!-- bawbel-ignore-start --> ... <!-- bawbel-ignore-end -->

.bawbelignore for file/directory exclusions.
--no-ignore flag to override all suppressions for security audits.
Suppressed findings always present in JSON/SARIF output for audit completeness.

New CLI Commands

bawbel init          # scaffold .bawbelignore, bawbel.yml, CI workflow
bawbel scan --watch  # re-scan on every file change (requires [watch] extra)
bawbel report        # full remediation guide per finding

PiranhaDB

  • All 40 AVE records live at api.piranha.bawbel.io
  • total_records: 40 | total_mutations: 2113 | CRITICAL: 10 | HIGH: 27 | MEDIUM: 3
  • Auto-syncs from bawbel/bawbel-ave on every deploy
  • GITHUB_TOKEN support: 60 → 5000 req/hr rate limit
  • Hot-reload via POST /reload without container restart

Integrations

  • GitHub Actions — bawbel/bawbel-integrations@v1
  • VS Code Extension — bawbel.bawbel-scanner v1.0.1 on Marketplace
  • GitLab CI, Jenkins, CircleCI, Bitbucket Pipelines, Azure Dev...

v0.2.0 — Full AVE coverage, LiteLLM Stage 2, --watch

20 Apr 15:51
30bc5fc

Bawbel Scanner v0.2.0

Open-source CLI scanner for agentic AI components — SKILL.md files, MCP servers, system prompts, and plugins.


Install

pip install bawbel-scanner

What's new in v0.2.0

Full AVE ID coverage — 15/15 rules

Every pattern rule now maps to a published AVE record. All findings in scan output show a linked AVE ID instead of .

New records added:

  • AVE-2026-00009 — AI identity jailbreak (HIGH 8.3)
  • AVE-2026-00010 — Covert instruction concealment (HIGH 7.9)
  • AVE-2026-00011 — Dynamic tool call injection (HIGH 8.2)
  • AVE-2026-00012 — False permission grant (HIGH 7.8)
  • AVE-2026-00013 — PII exfiltration (HIGH 8.0)
  • AVE-2026-00014 — Trust escalation / authority impersonation (MEDIUM 6.5)
  • AVE-2026-00015 — System prompt extraction (MEDIUM 6.2)

LLM Stage 2 — any provider via LiteLLM

Semantic analysis that catches nuanced injections regex cannot. Works with any LiteLLM-supported provider.

pip install "bawbel-scanner[llm]"
export ANTHROPIC_API_KEY=sk-ant-...   # or OPENAI_API_KEY, GEMINI_API_KEY, etc.
bawbel scan ./skill.md

Supported providers:

  • Anthropic → claude-haiku-4-5-20251001 (default)
  • OpenAI → gpt-4o-mini
  • Gemini, Mistral, Groq, Ollama, and 100+ more via BAWBEL_LLM_MODEL

bawbel scan --watch

File watcher for development — re-scans automatically on every change.

pip install "bawbel-scanner[watch]"
bawbel scan ./skills/ --watch

Semgrep fixed

Fixed the code=7 error on semgrep v1.159.0, caused by YAML escaping and float metadata values in ave_rules.yaml. Also fixed the URL fetch regex, which missed natural-language patterns.


Full detection coverage

Severity   Rules   Coverage
CRITICAL   3       External fetch, destructive command, crypto drain
HIGH       10      Goal override, jailbreak, hidden instruction, tool call injection, permission escalation, credential exfiltration, PII exfiltration, shell pipe, persistence, MCP tool poisoning
MEDIUM     2       Trust escalation, system prompt extraction

All 15 rules mapped to AVE records at github.com/bawbel/bawbel-ave


Documentation

Full docs at bawbel.io/docs


Contributing

See CONTRIBUTING.md. Detection rule contributions welcome. Every accepted AVE record earns a $10 researcher bounty.

Report security issues privately: bawbel.io@gmail.com

v0.1.0 - Bawbel Scanner: initial release

19 Apr 05:37
8e30d55

Open-source CLI scanner for agentic AI components — SKILL.md files, MCP servers,
system prompts, and plugins. Detects vulnerabilities mapped to the
AVE standard before they reach production.


Install

pip install bawbel-scanner

What's included

CLI commands

  • bawbel scan — scan a file or directory, with --recursive, --fail-on-severity, and --format text|json|sarif
  • bawbel report — full remediation guide per finding: AVE ID, CVSS-AI score, OWASP mapping, exact fix instructions
  • bawbel version — show installed version and active detection engine status
  • bawbel --version — quick version string for CI scripts

Detection — 15 built-in pattern rules

Severity   Count   Rules
CRITICAL   3       external fetch (AVE-2026-00001), destructive command, crypto drain
HIGH       10      goal override, jailbreak, hidden instruction, tool call injection, permission escalation, credential exfiltration (AVE-2026-00003), PII exfiltration, shell pipe, persistence, MCP tool poisoning (AVE-2026-00002)
MEDIUM     2       trust escalation, system prompt extraction

All 15 rules run with zero dependencies — just Python and pip.

Detection engines

  • Stage 1a: Pattern matching — stdlib only, always active
  • Stage 1b: YARA — pip install "bawbel-scanner[yara]"
  • Stage 1c: Semgrep — pip install "bawbel-scanner[semgrep]"
  • Stage 2: LLM semantic analysis — set ANTHROPIC_API_KEY or OPENAI_API_KEY

Output formats

  • Text — human-readable terminal output
  • JSON — structured output for CI/CD pipelines and SIEM integration
  • SARIF 2.1.0 — upload directly to the GitHub Security tab

Docker

Three build targets: production (minimal, non-root), dev (hot-reload shell), test (runs 145 tests and exits).

docker build --target production -t bawbel/scanner:0.1.0 .
docker run --rm -v /path/to/skills:/scan:ro bawbel/scanner:0.1.0 scan /scan

Python API

from scanner import scan

result = scan("/path/to/skill.md")
if not result.is_clean:
    for f in result.findings:
        print(f"[{f.severity.value}] {f.title}")

scan() never raises — all errors are captured in ScanResult.error.

Quality

  • 145 tests passing, 0 Bandit issues, 0 known CVEs
  • Security hardening: symlink protection, 10MB file limit, no exception detail exposed to users
  • Stable error codes E001–E020

AVE records covered

  • AVE-2026-00001 — Metamorphic payload via external instruction fetch — CRITICAL 9.4
  • AVE-2026-00002 — MCP tool description prompt injection — HIGH 8.7
  • AVE-2026-00003 — Environment variable exfiltration — HIGH 8.5

Documentation

Full docs at bawbel.io/docs


Contributing

See CONTRIBUTING.md — detection rule contributions especially welcome. Every accepted AVE record earns a $10 researcher bounty.

Report security issues privately: bawbel.io@gmail.com — see SECURITY.md.