PeerLabs plsec
Defense in depth for AI agents

Security your coding assistants should have had from the start

plsec wraps Trivy, Bandit, Semgrep, and other scanners into a unified CLI with progressive security presets, agent-specific configuration, container isolation, and runtime monitoring. For Claude Code, OpenCode, Gemini CLI, and others.

$ uv tool install plsec
MIT License / Homebrew, apt, pip also supported
The problem

Your AI agent has the keys to your machine

AI coding assistants operate with broad filesystem and network access by default. They can read credential files, write secrets to source code, access directories outside the project, and make network requests -- all without explicit permission in most configurations.

Existing permission systems are incomplete. OpenCode's SDK may ignore custom agent deny permissions (#6396). Agents can circumvent denied tools via bash (#4642). The plan agent may ignore edit permissions entirely (#3991).

The tools are not going to set boundaries for you. plsec does.

5-layer security model

Defense in depth, not a single gate

Each layer catches what the previous one missed. Progressive presets let you start light and add layers as your threat model requires.

1. Static -- Trivy, Bandit, Semgrep, detect-secrets. Secret scanning, misconfig detection, and code analysis before anything runs.
2. Config -- CLAUDE.md, opencode.json, deny patterns. Agent-specific permission constraints restricting filesystem access, commands, and network.
3. Isolation -- Podman/Docker containers, macOS sandbox. OS-level confinement so agent escape stays contained.
4. Runtime -- Pipelock egress proxy, DLP, response scanning. Live monitoring of network traffic and agent output during execution.
5. Audit -- Structured logging, integrity monitoring. Every session logged. Workspace file integrity tracked between agent runs.
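Workspace integrity tracking of the kind the Audit layer describes, as an added illustration that is not plsec's own code: hash every file in the workspace before an agent session, store the baseline outside the workspace, and diff the tree afterwards so any file the agent added, removed, or edited is surfaced for review. The baseline file name, the skipped directory list, and the sample workspace are assumptions constructed for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}  # assumed noise, not agent output

def hash_tree(root: str) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root_path = Path(root)
    digests = {}
    for path in sorted(root_path.rglob("*")):
        rel = path.relative_to(root_path)
        if any(part in SKIP_DIRS for part in rel.parts):
            continue
        if path.is_symlink() or not path.is_file():  # never follow links out of the tree
            continue
        digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def save_baseline(root: str, baseline_file: str) -> None:
    """Record the current tree; keep this file outside the workspace the agent can write to."""
    Path(baseline_file).write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))

def compare_with_baseline(root: str, baseline_file: str) -> dict[str, list[str]]:
    """Diff the live tree against the saved baseline: added, removed and modified paths."""
    old = json.loads(Path(baseline_file).read_text())
    new = hash_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed sample: baseline a tiny workspace, simulate an agent run, report the diff."""
    ws = Path(tempfile.mkdtemp())
    (ws / "src").mkdir()
    (ws / "src" / "app.py").write_text("print('hello')\n")
    (ws / ".git").mkdir()  # skipped directory: changes under it are not reported
    (ws / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    baseline = Path(tempfile.mkdtemp()) / "baseline.json"  # outside the workspace
    save_baseline(str(ws), str(baseline))
    # Simulated agent session: edits a source file and drops a credentials file.
    (ws / "src" / "app.py").write_text("import os\nprint(os.environ['TOKEN'])\n")
    (ws / ".env").write_text("TOKEN=constructed-placeholder\n")
    return compare_with_baseline(str(ws), str(baseline))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is a review aid: a new .env or a changed source file after a session is exactly the kind of write the Static and Config layers are meant to block, and the diff tells you whether they did.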
Progressive presets

Start where you are, escalate when you need to

Minimal

--preset minimal

Secret scanning only. Lowest friction for personal projects and quick experiments.

Balanced

default

Full static analysis and audit logging. The right default for daily development work.

Strict

--preset strict

Adds container isolation and Pipelock runtime proxy. For production codebases and sensitive environments.

Paranoid

--preset paranoid

Strict mode plus full network isolation. For air-gapped or regulatory-constrained environments.

Quick start

Three commands to a secured environment

# Install
$ uv tool install plsec

# Check system dependencies
$ plsec doctor

# Secure an existing project
$ plsec secure

# Or create a new secure project from scratch
$ plsec create my-api

# Run security scans
$ plsec scan
All commands

Command            Description
plsec create       Create a new project with security built-in
plsec secure       Add security to an existing project
plsec doctor       Check system dependencies and configuration
plsec init         Initialize security configuration (low-level)
plsec scan         Run security scanners (Trivy, Bandit, Semgrep)
plsec validate     Validate configuration files
plsec proxy        Manage Pipelock runtime proxy
plsec integrity    Workspace integrity monitoring
Alternative installers
$ brew tap peerlabs/tap && brew install plsec    # Homebrew
$ pipx install plsec                              # pipx
$ pip install plsec                               # pip
Transparency

What gets installed on your machine

Nothing hidden. Configuration is stored in a single directory, versioned per-project via plsec.yaml.

~/.peerlabs/plsec/
    configs/
        CLAUDE.md              # Agent instruction constraints
        opencode.json          # OpenCode permission rules
        pre-commit             # Git hook template
    trivy/
        trivy-secret.yaml      # LLM-tuned secret detection rules
        trivy.yaml             # Trivy scanner configuration
    logs/                      # Session audit logs
    claude-wrapper.sh          # Logging wrapper for Claude Code
    opencode-wrapper.sh        # Logging wrapper for OpenCode
    scan.sh                    # Manual security scan runner
    plsec-status.sh            # Health check command

./plsec.yaml                   # Per-project configuration
Limitations

What you should know

Permission systems in Claude Code and OpenCode are advisory, not enforced at the OS level. A sufficiently creative agent can circumvent denied tools via bash in some configurations. Layers 3 and 4 (isolation and runtime proxy) address this.
Container isolation and Pipelock runtime proxy require additional software (Podman/Docker and Pipelock respectively). plsec doctor checks for these dependencies.
Trivy regex rules may produce false positives. The generic-secret rule is intentionally broad for LLM contexts where secrets appear in unexpected places.
plsec is pre-1.0 software. Configuration formats and CLI interface may change between releases.
Community

Open source, practitioner-built

plsec is a Peerlabs project, maintained by the same team building practitioner-led competitive intelligence for enterprise technology leadership.

Source code, issues, and discussions live on GitHub. Contributions welcome -- see CONTRIBUTING.md.

Licensed under MIT.

References: OWASP Top 10 for Agentic Applications / Anthropic Claude Code Sandboxing