AI Skill Hub strongly recommends: pipelock MCP tool is a high-quality AI tool. AI composite score 8.2, performing steadily among tools of its kind. If you are looking for a reliable AI tool solution, this one is worth a closer look.
pipelock MCP tool is an open-source tool developed in Go, focused on core capabilities such as MCP security, proxy firewalling, and DLP protection. As a GitHub open-source project it has active community support and continuous releases; the code is fully transparent and auditable, and it supports local deployment to protect data privacy. Whether used personally or integrated into an enterprise workflow, it provides a stable and reliable solution.
```bash
# Option 1: go install (recommended)
go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest

# Option 2: build from source
git clone https://github.com/luckyPipewrench/pipelock
cd pipelock
go build -o pipelock ./cmd/pipelock

# Option 3: download a pre-built binary
# Visit the Releases page and download the binary for your platform
# https://github.com/luckyPipewrench/pipelock/releases
```

```bash
# Show help
pipelock --help

# Basic run
pipelock [options] <input>

# See the documentation for detailed usage
# https://github.com/luckyPipewrench/pipelock
```

```bash
# pipelock configuration
# Print the configuration options
pipelock --config-example > config.yml

# Common configuration keys
# output_dir: ./output
# log_level: info
# workers: 4

# Environment variable (overrides the config file)
export PIPELOCK_CONFIG="/path/to/config.yml"
```
<p align="center"> <img src="assets/pipelock-logo.svg" alt="Pipelock" width="200"> </p>
| Feature | What It Does |
|---|---|
| **Audit Reports** | `pipelock report --input events.jsonl` generates HTML/JSON reports with risk rating, timeline, and evidence appendix. Ed25519 signing with `--sign`. ([Sample report](examples/sample-report.html)) |
| **Diagnose** | `pipelock diagnose` runs 7 local checks to verify your config works end-to-end (no network required) |
| **Enforcement Doctor** (v2.5) | `pipelock doctor` reports configured-vs-enforceable status for proxying, TLS interception, request-body scanning, Browser Shield, MCP wrapping, MCP binary integrity, tool provenance, `file_sentry`, Sentry, and deployment-boundary signals. |
| **Request Body Injection Blocking** (v2.5) | Request-body prompt-injection and critical-DLP findings hard-block non-provider destinations in enforce mode across forward, reverse, TLS-intercept, and WebSocket transports, with block-reason headers for operator-visible diagnosis. |
| **Request Policy** (v2.6) | Allow-by-default deny/warn rails on outbound API *operations*: match a request on route plus a GraphQL operation predicate and block the dangerous ones. Enforces across every HTTP egress transport, recurses into JSON $batch envelopes, fails closed on unparseable or opaque bodies, and runs before the contract gate. See the [request policy guide](docs/guides/request-policy.md). |
| **TLS Interception** | Optional CONNECT tunnel MITM: decrypt, scan bodies/headers/responses, re-encrypt. `pipelock tls init` generates a CA, then `pipelock tls install-ca` trusts it system-wide. |
| **Block Hints** | Opt-in `explain_blocks: true` adds fix suggestions to blocked responses |
| **Project Audit** | `pipelock audit ./project` scans for security risks and generates a tailored config |
| **Config Scoring** (v2.6) | `pipelock audit score --config pipelock.yaml` evaluates security posture across 23 categories with a 170-point budget and letter grade. Flags overpermissive tool policies and stale coverage across newly shipped detection surfaces. |
| **File Integrity** | SHA256 manifests detect modified, added, or removed workspace files |
| **Git Protection** | `git diff \| pipelock git scan-diff` catches secrets before they're committed |
| **Ed25519 Signing** | Key management, file signing, and signature verification for multi-agent trust |
| **Session Profiling** | Per-session behavioral analysis (domain bursts, volume spikes) |
| **Adaptive Enforcement** | Per-session threat score with automatic escalation from warn to block, de-escalation timers, and domain burst detection |
| **Adaptive Operator CLI** (v2.5) | `pipelock adaptive status / flush / whoami` exposes runtime adaptive state through the authenticated admin API. See [docs/cli/adaptive.md](docs/cli/adaptive.md). |
| **Finding Suppression** | Silence known false positives via config rules or inline `pipelock:ignore` comments |
| **Multi-Agent Support** | Agent identification via `X-Pipelock-Agent` header for per-agent filtering |
| **Fleet Monitoring** | Per-instance Prometheus metrics + ready-to-import [Grafana dashboard](configs/grafana-dashboard.json). (Free; monitors a single instance — distinct from the Conductor fleet control plane below.) |
| **Conductor — fleet control plane** (v2.7, Enterprise) | The Enterprise control plane for a fleet of Pipelock instances: signed policy-bundle distribution to followers, a signed-evidence audit sink (`pipelock fleet-sink`) namespaced per org/fleet/instance, and fleet-wide enrollment, remote kill, and policy rollback over mTLS/SPIFFE. Followers enforce locally and stay fail-closed; Conductor holds no agent secrets. Gated by the fleet license feature, fail-closed. See the [Conductor guide](docs/guides/conductor.md). |
| **A2A Scanning** | Agent Card poisoning detection, card drift monitoring, session smuggling prevention for Google's Agent-to-Agent protocol |
| **Behavioral Baseline** | Profile-then-lock for MCP tool behavior. Learns normal patterns during a window, exposes `pipelock baseline list/show/ratify/forget` for operator approval and relearning, and flags deviations after ratification. See [docs/cli/baseline.md](docs/cli/baseline.md). |
| **Denial-of-Wallet** | Per-agent budgets for retries, fan-out, and concurrent tool calls. Catches loop storms and amplification attacks. |
| **Taint Escalation** | Exposure-based policy escalation across MCP + task boundaries. Sessions that recently observed untrusted content get elevated scanning on protected operations until trust is explicitly restored. |
| **Mediation Envelope** | RFC 8941 sideband metadata on forwarded HTTP requests and MCP `_meta`, carrying action type, verdict, actor identity, policy hash, taint context, and receipt correlation ID. v2.4 adds inbound verification with replay protection, SPIFFE actor format, and an RFC 9421 well-known signing-key directory at `/.well-known/http-message-signatures-directory`. See [federation guide](docs/guides/federation.md). |
| **Receipt Conformance** | Cross-implementation receipt verification suite (`sdk/conformance/`) plus first-party Go, TypeScript, Rust, and Python verifier surfaces, so receipts can be verified outside the Go implementation. EvidenceReceipt v2 uses RFC 8785/JCS canonicalization; the Go verifier verifies individual v2 receipts and chains, and the non-Go verifiers accept spanned `proxy_decision_with_spans` v2 receipts with pinned-key Ed25519 verification and strict unknown-field rejection. AARP/SVID appraisal remains an offline verifier profile, not runtime identity enforcement. |
| **Learn-and-Lock** (v2.4) | Per-agent behavioral contracts: observe an agent's real traffic, compile a signed candidate contract, replay captured observations in shadow, ratify per rule, promote the signed active manifest, and **enforce live** on every URL-bearing transport plus the MCP tool-call surface (forward, reverse + redirect, intercept, `/fetch`, WebSocket, MCP HTTP, MCP stdio bridge, MCP stdio subprocess). Lifecycle, shadow, and runtime `proxy_decision` receipts use EvidenceReceipt v2; shadow receipts are bound to the candidate contract hash, while lifecycle/runtime receipts are bound to the active manifest hash after promotion. Scanner block always wins over contract allow on every gated path. See [learn-and-lock guide](docs/guides/learn-and-lock.md). |
| **Block-Reason Header** (v2.4) | `X-Pipelock-Block-Reason` response header on every HTTP-capable block path (forward / intercept / fetch / reverse / MCP HTTP / WebSocket close-frame payload) with a fixed reason vocabulary, severity tier, and retry hint. MCP-internal JSON-RPC blocks (`tool_poisoning`, `tool_chain_blocked`, MCP stdio) carry the same reason vocabulary on the JSON-RPC error metadata where there is no HTTP response surface. Lets agents react intelligently to a block without parsing the body. See [block-reason header](docs/guides/block-reason-header.md). |
| **Wedge-Detection Watchdog** (v2.4) | `health_watchdog` returns `/health` 503 when a subsystem heartbeat goes stale (proxy hot path, MCP listeners, rules-engine reload watcher), so cluster liveness probes detect a wedged scanner automatically. Optional `expose_subsystems: true` adds a per-subsystem map for operator dashboards. See [health endpoint guide](docs/guides/health.md). |
| **Redaction Provider Plugin Shape** (v2.4) | First-party redaction parsers ship for Anthropic, OpenAI, and Gemini chat APIs. The provider-plugin shape (`internal/redact/providers.go::DefaultProviderSpecs()`) lets a third-party LLM provider register a body parser without forking the redact package. Wired through forward / intercept / reverse / WebSocket transports. |
| **Audit Packet v0 Schema + Verifiers** (v2.5) | First-party canonical Audit Packet schema with Go, TypeScript, and Rust verifier implementations, plus a standalone [pipelock-verifier](cmd/pipelock-verifier/) CLI. Auditors, SIEMs, and procurement reviewers validate signed evidence without running Pipelock. Schema lives under [sdk/audit-packet/](sdk/audit-packet/); verifier packages live under [sdk/verifiers/](sdk/verifiers/). |
| **Host Containment Lifecycle** (v2.5) | `pipelock contain install / run / verify / rollback / add-tool / grant-workspace / revoke-workspace / ca-refresh` manages a 3-UID containment model (operator / pipelock-proxy / pipelock-agent) end to end. nftables owner-match rules force the contained agent user through Pipelock on loopback; `contain run` verifies the boundary, emits a signed posture capsule, and launches registered tools as the contained user; `install` pins the binary hash for TOFU integrity checks, workspace ACL subcommands avoid root-level inherited read on config roots, and the credential guard re-locks agent-readable token files. See [docs/contain-cli.md](docs/contain-cli.md). |
| **MCP Integrity Manifests** (v2.5) | `pipelock mcp integrity manifest generate / verify / sign / verify-signature` pins MCP server binaries/scripts by hash and can require a trusted manifest signature before subprocess launch. See [docs/cli/mcp-integrity.md](docs/cli/mcp-integrity.md). |
| **Kubernetes MCP Launcher Contract** (v2.5) | `pipelock init sidecar --mcp-upstream` emits the companion MCP listener, service port, workload annotations, NetworkPolicy allowance, `PIPELOCK_MCP_PROXY_URL`, and mounted `PIPELOCK_MCP_CONFIG`. The agent launcher or MCP client must consume one of those values for MCP traffic to traverse Pipelock. See [docs/cli/init-sidecar.md](docs/cli/init-sidecar.md). |
| **Federation Strict Mode** (v2.5) | Inbound mediation-envelope verification now requires SPIFFE-format actors by default, contract tombstones are enforced at activation and accepted-load time, and a new `pipelock envelope trust add/list/remove/verify` operator CLI manages the local trust list. See [federation guide](docs/guides/federation.md). |
| **Media Policy** | Controls media response handling: strips steganographic metadata from JPEG/PNG (byte-level surgery, pixel-identical output), rejects audio/video by default, hardens SVG active content (foreignObject, event handlers, external hrefs), and enforces image size limits against decompression bombs. |
| **Compliance Mappings** | OWASP MCP Top 10, OWASP Agentic Top 15, NIST 800-53, EU AI Act, SOC 2 coverage documentation |


<details>
<summary>go install</summary>

```bash
go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest
```

</details>
<details>
<summary>Verify release integrity (SLSA provenance + SBOM)</summary>

```bash
gh attestation verify pipelock_*_linux_amd64.tar.gz --owner luckyPipewrench
gh attestation verify oci://ghcr.io/luckypipewrench/pipelock:<version> --owner luckyPipewrench
```

</details>

```bash
# Homebrew
brew install luckyPipewrench/tap/pipelock

# Docker
docker pull ghcr.io/luckypipewrench/pipelock:latest
docker run -p 8888:8888 -v ./pipelock.yaml:/config/pipelock.yaml:ro \
  ghcr.io/luckypipewrench/pipelock:latest \
  run --config /config/pipelock.yaml --listen 0.0.0.0:8888

# Docker Compose
pipelock generate docker-compose --agent claude-code -o docker-compose.yaml
docker compose up
```
Integration hooks (from the integrations table): `.claude.json` configuration; `mcp.json`; `context_servers` block in `settings.json`; `MCPServerStdio`, multi-agent handoffs; `McpToolset`, `StdioConnectionParams`; `StdioServerParams`, `mcp_server_tools()`; `MCPServerStdio` wrapping, `MCPServerAdapter`; `MultiServerMCPClient`, `StateGraph`.

`pipelock cursor install` registers Pipelock as a Cursor hook for shell execution, MCP tool calls, and file reads; or use `configs/cursor.yaml` with the same MCP proxy pattern as Claude Code (walkthrough).

`pipelock vscode install` rewrites `.vscode/mcp.json` to route every MCP server through the MCP proxy (stdio commands wrapped, HTTP/SSE servers bridged via `--upstream`); `--global` targets the user-level `mcp.json`.

The `examples/tool-response-injection/` harness runs an end-to-end demo where an MCP tool with a harmless name and description hides a prompt-injection payload in its response. Pipelock blocks the response before it reaches the agent and emits signed action receipts that a third party can verify. The same demo runs against three transports with one shared signing key:

```bash
cd examples/tool-response-injection
python3 demo.py   # needs python3 + cryptography + pipelock on PATH
```
```bash
pipelock init
```

Generate a config from one of three CLI presets, or let `pipelock audit` tailor one to your project:

```bash
pipelock generate config --preset balanced > pipelock.yaml
pipelock audit ./my-project -o pipelock.yaml
```
| CLI Preset | Mode | Action | Best For |
|---|---|---|---|
| `balanced` | balanced | warn | General purpose (default) |
| `strict` | strict | block | High-security, regulated industries |
| `audit` | audit | warn | Log-only evaluation |
Four additional preset files ship in `configs/` for specific workflows:
| File | Mode | Best For |
|---|---|---|
| `configs/claude-code.yaml` | balanced | Claude Code unattended |
| `configs/cursor.yaml` | balanced | Cursor IDE |
| `configs/generic-agent.yaml` | balanced | New agents (tuning phase) |
| `configs/hostile-model.yaml` | strict | Uncensored/abliterated models |
Config changes are picked up automatically via file watcher or SIGHUP. Full reference: `docs/configuration.md`

For false positive tuning: `docs/false-positive-tuning.md`

Evaluation endpoint for programmatic scanning. Any tool, pipeline, or control plane can submit URLs, text, or tool calls and get a structured verdict back (the proxy doesn't need to be in the request path). Four scan kinds: `url`, `dlp`, `prompt_injection`, and `tool_call`. Returns findings with scanner type, rule ID, and severity. Bearer token auth, per-token rate limiting, and Prometheus metrics.

See `docs/scan-api.md` for the full API reference.
```yaml
- uses: luckyPipewrench/pipelock@v2
  with:
    scan-diff: 'true'
    fail-on-findings: 'true'
```

Downloads a pre-built binary, runs `pipelock audit`, scans the PR diff for leaked secrets, and uploads the audit report as a workflow artifact. See `examples/ci-workflow.yaml` for a complete workflow.
| Capability | Pipelock | Scanners (agent-scan) | Sandboxes (srt) | Kernel agents (agentsh) |
|---|---|---|---|---|
| Secret exfiltration prevention | Yes | Partial (proxy mode) | Partial (domain-level) | Yes |
| DLP + entropy analysis | Yes | No | No | Partial |
| Prompt injection detection | Yes | Yes | No | No |
| MCP scanning (bidirectional + tool poisoning) | Yes | Yes | No | No |
| WebSocket proxy (frame scanning) | Yes | No | No | No |
| MCP HTTP transport (Streamable HTTP) | Yes | No | No | No |
| Emergency kill switch (4 sources) | Yes | No | No | No |
| Tool call chain detection | Yes | No | No | No |
| Process sandbox (no Docker) | Yes | No | No | Yes (kernel-level) |
| Single binary, zero deps | Yes | No (Python) | No (npm) | No (kernel) |
Reference matrix: `docs/comparison.md`
Canonical comparison hub: AI runtime security comparison
<details>
<summary>OWASP Agentic Top 10 Coverage</summary>

| Threat | Coverage |
|---|---|
| ASI01 Agent Goal Hijack | **Strong:** bidirectional MCP + response scanning |
| ASI02 Tool Misuse | **Partial:** proxy as controlled tool, MCP scanning |
| ASI03 Identity & Privilege Abuse | **Strong:** capability separation + SSRF protection |
| ASI04 Supply Chain Vulnerabilities | **Partial:** integrity monitoring + MCP scanning |
| ASI05 Unexpected Code Execution | **Moderate:** HITL approval, fail-closed defaults |
| ASI06 Memory & Context Poisoning | **Moderate:** injection detection + session taint propagation |
| ASI07 Insecure Inter-Agent Communication | **Partial:** MCP/A2A scanning, agent ID, integrity, signing |
| ASI08 Cascading Failures | **Moderate:** fail-closed architecture, rate limiting |
| ASI09 Human-Agent Trust Exploitation | **Partial:** HITL modes, audit logging |
| ASI10 Rogue Agents | **Strong:** domain allowlist + rate limiting + capability separation |
Details, config examples, and gap analysis: `docs/owasp-mapping.md`

</details>
Pipelock is a powerful security auditing and protection tool designed to provide comprehensive security for the development workflow. Through its integrated auditing mechanisms it helps developers identify potential risks and generate detailed security reports, ensuring the security of code and toolchain.
Pipelock offers a rich set of security features: `pipelock report` generates HTML/JSON audit reports with risk rating, timeline, and evidence appendix, with optional Ed25519 signing; the built-in `pipelock diagnose` command runs 7 local checks without network access to confirm the configuration works end-to-end; and it provides strong enforcement capabilities.
Users can download a pre-built binary and use it directly with no dependencies to install. Building from source requires Go 1.25+. The project also supports SLSA provenance and SBOM verification via GitHub Attestation to ensure the integrity and security of releases.
Pipelock can be installed in several ways: via Homebrew with `brew install luckyPipewrench/tap/pipelock`; for containerized environments, pull the Docker image with `docker pull ghcr.io/luckypipewrench/pipelock:latest`; or deploy it in a custom setup as needed.
The project provides extensive integration guides for using Pipelock as an MCP proxy with mainstream AI development tools, including Claude Code, OpenAI Codex, Cline, OpenCode, and the Zed editor. By configuring the corresponding `.claude.json` or `mcp.json`, you can easily set up the security proxy and sandbox integration.
Before using Pipelock, initialize it with `pipelock init`. You can generate a configuration file from a CLI preset (such as `balanced`), or run `pipelock audit` to tailor `pipelock.yaml` automatically to the current project. It detects IDE configuration automatically and ensures the configuration file is secure.
Pipelock provides a dedicated scan API endpoint for programmatic scanning. Any tool, pipeline, or control plane can submit URLs, text, or tool calls and receive a structured verdict. The API supports four scan kinds: `url`, `dlp`, `prompt_injection`, and `tool_call`, and the proxy does not need to be in the request path.
Pipelock integrates deeply with CI/CD workflows and can be invoked directly in GitHub Actions via `luckyPipewrench/pipelock@v2`. It automatically downloads the binary, runs `pipelock audit`, scans the PR diff for leaked secrets, and uploads the generated audit report as a workflow artifact for automated security compliance checks.
A professional MCP security solution offering comprehensive protection against the typical security threats facing AI agents. Actively maintained with a clear technical direction, it is key infrastructure for building secure AI systems.
AI Skill Hub is a third-party content aggregation platform; the information on this page is compiled from public data and does not constitute any legal endorsement of the tool's functionality or quality.
Validate thoroughly in a sandbox or test environment and complete the necessary security assessment before deploying to production.
✅ Apache 2.0: a permissive open-source license, usable commercially; requires retaining the copyright notice and NOTICE file, and includes a patent grant.
Overall, pipelock MCP tool is a high-quality AI tool that is competitive among its peers. AI Skill Hub will continue to track its updates; bookmark it and consider adopting it when it fits your scenario.
| Field | Value |
|---|---|
| Original name | pipelock |
| Original description | Open-source MCP tool: Open-source AI agent firewall for MCP security: agent egress control, DLP, SSRF, ⭐589 · Go |
| Topics | MCP security, proxy firewall, DLP protection, SSRF defense, open-source security |
| GitHub | https://github.com/luckyPipewrench/pipelock |
| License | Apache-2.0 |
| Language | Go |

Listed: 2026-05-17 · Updated: 2026-05-19 · License: Apache-2.0 · AI Skill Hub makes no legal endorsement of the accuracy of third-party content.