# Inkog — Pre-Flight Security Scan for Agent Code

> Inkog is a static analysis tool for AI agent code: it scans for prompt-injection sinks, token-bombing loops, and governance gaps, and can run via CLI, GitHub Actions, or an MCP server.

## Install

Merge the JSON below into your `.mcp.json`:

## Quick Use

```bash
npx -y @inkog-io/cli scan .
# or: brew tap inkog-io/inkog && brew install inkog
export INKOG_API_KEY="sk_live_..."
inkog .
# editor/MCP: npx -y @inkog-io/mcp
```

## Intro

Inkog scans AI agent code for prompt-injection sinks, token-bombing loops, and governance gaps, and can run via CLI, GitHub Actions, or MCP.

**Best for:** teams shipping agent code who want guardrails in place before production

**Works with:** Node (npx), Go install, GitHub Actions, MCP-capable clients

**Setup time:** 5-12 minutes

### Key facts (verified)

- GitHub: 28 stars · 7 forks · pushed 2026-05-12.
- License: Apache-2.0 · owner avatar and repo URL verified via the GitHub API.
- README-verified entrypoint: `npx -y @inkog-io/cli scan .`.

## Main

- Use the no-install path (`npx -y @inkog-io/cli scan .`) to get a fast baseline scan before you wire it into CI.
- When you want findings visible on PRs, use the README's GitHub Actions example (SARIF upload) so they surface in the repository's Security tab.
- If you run agent tooling inside editors, start the MCP server via `npx -y @inkog-io/mcp` as shown in the README.

### Source-backed notes

- README lists a quick start with `npx -y @inkog-io/cli scan .` and shows `export INKOG_API_KEY=...` followed by `inkog .`.
- README includes a GitHub Actions snippet using `inkog-io/inkog@v1` with SARIF upload enabled.
- README states it scanned 500+ open-source agents and reports summary stats (percentages and finding counts) in the project report section.

### FAQ

- **Can I use it without installing?** Yes — README shows an `npx -y @inkog-io/cli` scan path.
- **Does it work in CI?** Yes — README includes a GitHub Actions example and SARIF upload support.
- **How do I use it from an agent tool?** README shows starting an MCP server via `npx -y @inkog-io/mcp`.

## Source & Thanks

> Source: https://github.com/inkog-io/inkog
> License: Apache-2.0
> GitHub stars: 28 · forks: 7

---

Source: https://tokrepo.com/en/workflows/inkog-pre-flight-security-scan-for-agent-code
Author: MCP Hub