PeerLabs plsec
Defense in depth for AI agents

Security your coding assistants should have had from the start

plsec is an engine-based security framework for AI coding assistants. It orchestrates Trivy, Bandit, Semgrep, and other scanners through a typed pipeline with cross-layer correlation, progressive presets, container isolation, and audit logging. For Claude Code, OpenCode, Gemini CLI, and others.

$ uv tool install plsec
1,516 Tests passing
5 / 12 Engines (100% cov)
11,645 Lines of source
45 Python modules
The problem

Your AI agent has the keys to your machine

AI coding assistants operate with broad filesystem and network access by default. They can read credential files, write secrets to source code, access directories outside the project, and make network requests -- all without explicit permission in most configurations.

Existing permission systems are incomplete. OpenCode's SDK may ignore custom agent deny permissions (#6396). Agents can circumvent denied tools via bash (#4642). The plan agent may ignore edit permissions entirely (#3991).

The OWASP Top 10 for Agentic Applications (2026) documents these risks at scale: prompt injection, tool poisoning, privilege escalation, excessive agency. plsec addresses the gap between what agents can do and what they should be allowed to do.

5-layer security model

Defense in depth, not a single gate

Each layer catches what the previous one missed. Progressive presets let you start light and add layers as your threat model requires.

Static Trivy, Bandit, Semgrep. Secret scanning, dependency analysis, misconfig detection, and code analysis before anything runs.
Config CLAUDE.md, opencode.json, deny patterns. Agent-specific permission constraints restricting filesystem access, commands, and network.
Isolation Podman/Docker containers, macOS sandbox. OS-level confinement so agent escape stays contained.
Runtime Pipelock egress proxy, DLP, response scanning. Live monitoring of network traffic and agent output during execution.
Audit Structured logging, integrity monitoring. Every session logged. Workspace file integrity tracked between agent runs.
Engine architecture

Orchestration, not scripting

plsec is not a shell script wrapping scanners. It is an engine-based pipeline with a typed intermediate representation. Every scanner produces Finding objects through a common Engine interface. The Orchestrator walks layers in order, feeds prior findings forward, runs cross-layer correlation, applies policy, and computes a verdict.

Adding a new scanner means implementing one Engine subclass. No control flow changes. No if/elif branches. The registry handles discovery, and the preset determines whether the engine runs.

plsec.yaml (config + policy)
   Orchestrator
     Registry (engine catalog)
       Layer pipeline
          STATIC    TrivySecrets, Bandit, Semgrep
          CONFIG    TrivyMisconfig
          ISOLATION ContainerIsolation
          RUNTIME   (planned: EgressProxy, DLP)
          AUDIT     (planned: AuditLog, Integrity)
       Correlation (cross-layer compound risk)
         Policy (severity floor + suppressions)
           Verdict (PASS / WARN / FAIL / ERROR)

Full architecture documentation →

Progressive presets

Start where you are, escalate when you need to

The preset is the single knob. It determines scan scope, execution mode, and verdict strategy. At strict/paranoid, the agent runs inside a container automatically -- container isolation is the default execution mode, not an opt-in flag.

Minimal

--preset minimal

Secret scanning only. Host execution. Fails on CRITICAL findings. Lowest friction for personal projects.

Balanced

default

Full static analysis, misconfig scanning, audit logging. Host execution. Fails on HIGH or above.

Strict

--preset strict

Container execution with network policies. Any finding fails. For production codebases and sensitive environments.

Paranoid

--preset paranoid

Container execution with egress proxy and DLP. Full network isolation. For air-gapped or regulatory-constrained environments.

Daily workflow

Wrapper scripts and audit logging

plsec install deploys wrapper scripts, agent configs, and shell aliases. Use claude-safe or opencode-safe instead of the bare agent command. The wrappers add session logging and audit capabilities without changing your workflow.

# Deploy wrappers, configs, shell aliases
$ plsec install

# Source your shell (or restart terminal)
$ source ~/.zshrc

# Use the wrapped agents
$ claude-safe              # instead of 'claude'
$ opencode-safe            # instead of 'opencode'
Tier 1 -- both agents

Session logging

Git branch/SHA, agent version, security preset, session duration. Agent configs auto-deployed to project on session start.

Tier 2 -- Claude only

Command audit

Every shell command the LLM executes is logged via CLAUDE_CODE_SHELL_PREFIX. Separate daily audit file. The single most impactful enhancement for visibility.

Shell aliases
AliasTarget
claude-safeSession-logged Claude Code with auto-config deploy
opencode-safeSession-logged OpenCode with auto-config deploy
plsec-logsTail all active plsec log files
plsec-statusHealth check: installation, configuration, activity
Quick start

Four commands to a secured environment

# Install the CLI
$ uv tool install plsec

# Deploy wrappers, configs, and shell aliases
$ plsec install

# Check system dependencies
$ plsec doctor

# Secure an existing project
$ plsec secure

# Or create a new secure project from scratch
$ plsec create my-api

# Run security scans
$ plsec scan
All commands
CommandDescription
plsec installDeploy global configs, wrapper scripts, and shell aliases
plsec createCreate a new project with security built-in
plsec secureAdd security to an existing project
plsec doctorCheck system dependencies and configuration
plsec initInitialize security configuration (low-level)
plsec scanRun engine pipeline (Trivy, Bandit, Semgrep)
plsec validateValidate configuration files
plsec proxyManage Pipelock runtime proxy
plsec integrityWorkspace integrity monitoring
plsec resetReset to factory defaults (preserves logs)
plsec uninstallRemove all plsec artifacts from the system
Alternative installers
$ pipx install plsec                              # pipx
$ pip install plsec                               # pip

# Zero-dependency bootstrap (bash + curl only, no Python)
$ curl -fsSL https://raw.githubusercontent.com/PeerLabs-ai/plsec/main/build/bootstrap.sh | bash
Transparency

What gets installed on your machine

Nothing hidden. Global configuration lives in a single directory. Per-project configuration lives in plsec.yaml. plsec uninstall removes everything cleanly.

~/.peerlabs/plsec/
    configs/
        CLAUDE.md              # Agent instruction constraints
        opencode.json          # OpenCode permission rules
        pre-commit             # Git hook template
    trivy/
        trivy-secret.yaml      # LLM-tuned secret detection rules
        trivy.yaml             # Trivy scanner configuration
    logs/                      # Session + audit logs
    claude-wrapper.sh          # Logging wrapper for Claude Code
    opencode-wrapper.sh        # Logging wrapper for OpenCode
    plsec-audit.sh             # Per-command audit logger (Tier 2)
    plsec-status.sh            # Health check command

./plsec.yaml                   # Per-project configuration
Limitations

What you should know

Permission systems in Claude Code and OpenCode are advisory, not enforced at the OS level. A sufficiently creative agent can circumvent denied tools via bash in some configurations. Layers 3 and 4 (isolation and runtime proxy) address this.
Container isolation and Pipelock runtime proxy require additional software (Podman/Docker and Pipelock respectively). plsec doctor checks for these dependencies.
Trivy regex rules may produce false positives. The generic-secret rule is intentionally broad for LLM contexts where secrets appear in unexpected places.
5 of 12 planned engines are implemented. Layers 4 (Runtime) and 5 (Audit) do not yet have engines. The engine architecture is complete; remaining engines are additive.
plsec is pre-1.0 software. Configuration formats and CLI interface may change between releases.
Community

Open source, practitioner-built

plsec is a Peerlabs project, maintained by the same team building practitioner-led market intelligence for enterprise technology leadership.

Source code, issues, and discussions live on GitHub. Contributions welcome -- see CONTRIBUTING.md.

Licensed under MIT.

References: OWASP Top 10 for Agentic Applications / Anthropic Claude Code Sandboxing