plsec is an engine-based security framework for AI coding assistants. It orchestrates Trivy, Bandit, Semgrep, and other scanners through a typed pipeline with cross-layer correlation, progressive presets, container isolation, and audit logging. For Claude Code, OpenCode, Gemini CLI, and others.
$ uv tool install plsec
AI coding assistants operate with broad filesystem and network access by default. They can read credential files, write secrets to source code, access directories outside the project, and make network requests -- all without explicit permission in most configurations.
Existing permission systems are incomplete. OpenCode's SDK may ignore custom agent deny permissions (#6396). Agents can circumvent denied tools via bash (#4642). The plan agent may ignore edit permissions entirely (#3991).
The OWASP Top 10 for Agentic Applications (2026) documents these risks at scale: prompt injection, tool poisoning, privilege escalation, excessive agency. plsec addresses the gap between what agents can do and what they should be allowed to do.
Each layer catches what the previous one missed. Progressive presets let you start light and add layers as your threat model requires.
plsec is not a shell script wrapping scanners. It is an engine-based
pipeline with a typed intermediate representation. Every scanner
produces Finding objects through a common Engine
interface. The Orchestrator walks layers in order, feeds prior findings
forward, runs cross-layer correlation, applies policy, and computes a
verdict.
Adding a new scanner means implementing one Engine subclass.
No control flow changes. No if/elif branches. The registry handles
discovery, and the preset determines whether the engine runs.
plsec.yaml (config + policy) → Orchestrator → Registry (engine catalog) → Layer pipeline STATIC TrivySecrets, Bandit, Semgrep CONFIG TrivyMisconfig ISOLATION ContainerIsolation RUNTIME (planned: EgressProxy, DLP) AUDIT (planned: AuditLog, Integrity) → Correlation (cross-layer compound risk) → Policy (severity floor + suppressions) → Verdict (PASS / WARN / FAIL / ERROR)
The preset is the single knob. It determines scan scope, execution mode, and verdict strategy. At strict/paranoid, the agent runs inside a container automatically -- container isolation is the default execution mode, not an opt-in flag.
Secret scanning only. Host execution. Fails on CRITICAL findings. Lowest friction for personal projects.
Full static analysis, misconfig scanning, audit logging. Host execution. Fails on HIGH or above.
Container execution with network policies. Any finding fails. For production codebases and sensitive environments.
Container execution with egress proxy and DLP. Full network isolation. For air-gapped or regulatory-constrained environments.
plsec install deploys wrapper scripts, agent configs,
and shell aliases. Use claude-safe or opencode-safe
instead of the bare agent command. The wrappers add session logging
and audit capabilities without changing your workflow.
# Deploy wrappers, configs, shell aliases $ plsec install # Source your shell (or restart terminal) $ source ~/.zshrc # Use the wrapped agents $ claude-safe # instead of 'claude' $ opencode-safe # instead of 'opencode'
Git branch/SHA, agent version, security preset, session duration. Agent configs auto-deployed to project on session start.
Every shell command the LLM executes is logged via CLAUDE_CODE_SHELL_PREFIX. Separate daily audit file. The single most impactful enhancement for visibility.
| Alias | Target |
|---|---|
| claude-safe | Session-logged Claude Code with auto-config deploy |
| opencode-safe | Session-logged OpenCode with auto-config deploy |
| plsec-logs | Tail all active plsec log files |
| plsec-status | Health check: installation, configuration, activity |
# Install the CLI $ uv tool install plsec # Deploy wrappers, configs, and shell aliases $ plsec install # Check system dependencies $ plsec doctor # Secure an existing project $ plsec secure # Or create a new secure project from scratch $ plsec create my-api # Run security scans $ plsec scan
| Command | Description |
|---|---|
| plsec install | Deploy global configs, wrapper scripts, and shell aliases |
| plsec create | Create a new project with security built-in |
| plsec secure | Add security to an existing project |
| plsec doctor | Check system dependencies and configuration |
| plsec init | Initialize security configuration (low-level) |
| plsec scan | Run engine pipeline (Trivy, Bandit, Semgrep) |
| plsec validate | Validate configuration files |
| plsec proxy | Manage Pipelock runtime proxy |
| plsec integrity | Workspace integrity monitoring |
| plsec reset | Reset to factory defaults (preserves logs) |
| plsec uninstall | Remove all plsec artifacts from the system |
$ pipx install plsec # pipx $ pip install plsec # pip # Zero-dependency bootstrap (bash + curl only, no Python) $ curl -fsSL https://raw.githubusercontent.com/PeerLabs-ai/plsec/main/build/bootstrap.sh | bash
Nothing hidden. Global configuration lives in a single directory.
Per-project configuration lives in plsec.yaml.
plsec uninstall removes everything cleanly.
~/.peerlabs/plsec/ configs/ CLAUDE.md # Agent instruction constraints opencode.json # OpenCode permission rules pre-commit # Git hook template trivy/ trivy-secret.yaml # LLM-tuned secret detection rules trivy.yaml # Trivy scanner configuration logs/ # Session + audit logs claude-wrapper.sh # Logging wrapper for Claude Code opencode-wrapper.sh # Logging wrapper for OpenCode plsec-audit.sh # Per-command audit logger (Tier 2) plsec-status.sh # Health check command ./plsec.yaml # Per-project configuration
plsec doctor checks for these dependencies.
generic-secret rule is intentionally broad for
LLM contexts where secrets appear in unexpected places.
plsec is a Peerlabs project, maintained by the same team building practitioner-led market intelligence for enterprise technology leadership.
Source code, issues, and discussions live on GitHub. Contributions welcome -- see CONTRIBUTING.md.
Licensed under MIT.
References: OWASP Top 10 for Agentic Applications / Anthropic Claude Code Sandboxing