Originally published on opena2a.org

OpenA2A CLI: One-Command Security Reviews for AI Projects

OpenA2A Team
#cli #security-review #ai-projects #credentials #opena2a

The OpenA2A CLI includes a security review command that scans any project directory and produces a security posture score. One command, no configuration required. It checks for exposed credentials and configuration hygiene issues, and provides an actionable fix command for every finding.

Quick Start

# Install the CLI
$ npm install -g opena2a

# Run a security review in any project
$ cd your-project/
$ opena2a review

The review runs two scanning phases -- credential detection and configuration hygiene -- then combines them into a weighted posture score from 0 to 100.

What It Scans

The review command performs two categories of checks:

Credential scanning detects API keys, tokens, and secrets across your project files. It uses pattern matching for provider-specific key formats (AWS, OpenAI, Anthropic, Stripe, GitHub, and others) and flags any credentials found in source code, configuration files, or documentation.

Configuration hygiene checks for security best practices: whether .env files are gitignored, whether MCP server configurations are properly secured, whether lockfiles are present, and whether sensitive directories are excluded from version control.

[Screenshot: OpenA2A CLI review command output showing security posture score]

Security posture overview with score breakdown and recovery path.

Actionable Output

Every finding includes three components: a factual description of what was found, a verification command to inspect it, and a fix command to resolve it. There are no dead ends -- every issue has a clear resolution path.

Credential Findings:

  .env
    WHAT: Contains 3 API keys (OpenAI, Anthropic, Stripe)
    VERIFY: grep -n "sk-" .env
    FIX: Add .env to .gitignore: echo ".env" >> .gitignore

  src/config.ts
    WHAT: Hardcoded AWS access key on line 12
    VERIFY: sed -n '12p' src/config.ts
    FIX: Replace with process.env.AWS_ACCESS_KEY_ID

[Screenshot: OpenA2A CLI credential scan results]

Credential scan results with verify and fix commands for each finding.
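The two scanning phases described under "What It Scans", and the WHAT / VERIFY / FIX shape of each finding shown above, can be reproduced with a small scanner. The following is an added example written for this post, not OpenA2A's own code: the key patterns are assumed approximations of the provider formats the post names (not OpenA2A's rule set), the hygiene checks are limited to the .gitignore and lockfile cases the post mentions, and the project is an in-memory map of path to file content with constructed fake keys, so it runs offline.

```javascript
// Added example, not OpenA2A's own code: a minimal credential + hygiene scanner
// over an in-memory project, emitting WHAT / VERIFY / FIX findings in the shape
// the review command prints. The key patterns below are assumed approximations
// of the provider formats named in the post, not OpenA2A's rule set.

// Assumed key shapes. Anthropic is listed before OpenAI because both start with "sk-".
const KEY_PATTERNS = [
  { provider: 'Anthropic', re: /sk-ant-[A-Za-z0-9_-]{20,}/g },
  { provider: 'OpenAI',    re: /sk-[A-Za-z0-9]{20,}/g },
  { provider: 'Stripe',    re: /sk_live_[A-Za-z0-9]{16,}/g },
  { provider: 'GitHub',    re: /ghp_[A-Za-z0-9]{36}/g },
  { provider: 'AWS',       re: /AKIA[0-9A-Z]{16}/g },
];

// Reports must not re-leak the secret: keep only the first and last 4 characters.
function redact(secret) {
  return secret.length <= 8 ? '****' : `${secret.slice(0, 4)}...${secret.slice(-4)}`;
}

// Scan one file's text; one hit per matched key with its 1-based line number.
// Overlapping matches on a line are attributed to the first pattern that claimed them.
function scanFile(path, text) {
  const hits = [];
  text.split('\n').forEach((line, idx) => {
    const claimed = []; // [start, end) ranges already attributed on this line
    for (const { provider, re } of KEY_PATTERNS) {
      for (const m of line.matchAll(re)) {
        const start = m.index, end = start + m[0].length;
        if (claimed.some(([s, e]) => start < e && end > s)) continue;
        claimed.push([start, end]);
        hits.push({ path, line: idx + 1, provider, redacted: redact(m[0]) });
      }
    }
  });
  return hits;
}

// Group hits per file into one finding with WHAT / VERIFY / FIX fields.
function credentialFindings(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    const hits = scanFile(path, text);
    if (hits.length === 0) continue;
    const providers = [...new Set(hits.map(h => h.provider))].join(', ');
    findings.push({
      path, hits,
      what: `Contains ${hits.length} API key(s) (${providers})`,
      verify: `sed -n '${hits.map(h => `${h.line}p`).join(';')}' ${path}`,
      fix: path === '.env'
        ? 'echo ".env" >> .gitignore, then rotate every key it contains'
        : 'Move the value to an environment variable, then rotate the key',
    });
  }
  return findings;
}

// Configuration hygiene checks. The .gitignore test is an exact-line match only;
// a real check must honour gitignore glob semantics (e.g. ".env*").
function hygieneFindings(files) {
  const findings = [];
  const ignored = new Set((files['.gitignore'] || '').split('\n').map(l => l.trim()));
  if ('.env' in files && !ignored.has('.env')) {
    findings.push({ path: '.gitignore', what: '.env exists but is not gitignored',
      verify: 'grep -nx ".env" .gitignore', fix: 'echo ".env" >> .gitignore' });
  }
  const lockfiles = ['package-lock.json', 'npm-shrinkwrap.json', 'yarn.lock', 'pnpm-lock.yaml'];
  if ('package.json' in files && !lockfiles.some(f => f in files)) {
    findings.push({ path: 'package.json', what: 'No lockfile; dependency versions are not pinned',
      verify: `ls ${lockfiles.join(' ')}`, fix: 'npm install --package-lock-only && git add package-lock.json' });
  }
  return findings;
}

function reviewProject(files) {
  return { credentials: credentialFindings(files), hygiene: hygieneFindings(files) };
}

// Render findings the way the post's output does.
function formatReport(review) {
  const block = f => `  ${f.path}\n    WHAT: ${f.what}\n    VERIFY: ${f.verify}\n    FIX: ${f.fix}`;
  return ['Credential Findings:', ...review.credentials.map(block), '',
          'Hygiene Findings:', ...review.hygiene.map(block)].join('\n');
}

// Constructed sample project; every key below is a fake value in a realistic shape.
const SAMPLE_PROJECT = {
  'package.json': '{ "name": "demo-agent" }',
  '.gitignore': 'node_modules\n',
  '.env': 'OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz123456\n' +
          'ANTHROPIC_API_KEY=sk-ant-api03-aaaaaaaaaaaaaaaaaaaaaaaa\n' +
          'STRIPE_SECRET_KEY=sk_live_0123456789abcdefghij\n',
  'src/config.ts': 'const region = "us-east-1";\n' +
                   'const accessKeyId = "AKIAIOSFODNN7EXAMPLE"; // hardcoded\n',
  'README.md': 'Set OPENAI_API_KEY in your shell before running.\n',
};

console.log(formatReport(reviewProject(SAMPLE_PROJECT)));
```

Two design points carry over to any real scanner: findings store a redacted form of the match, so the review output itself never becomes a second copy of the secret, and the VERIFY command is generated from the hit's line numbers rather than from the secret value, so the report can be shared without it.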

Posture Scoring

The review produces a posture score that shows both where you are and how to improve. Scores emphasize the recovery path rather than the deficit:

Security Posture: 54/100

  Credentials:  32/50  (+18 recoverable by fixing 3 findings)
  Hygiene:      22/50  (+14 recoverable by fixing 2 findings)

  Path to 86: Fix credential findings, add .gitignore entries
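A scoring model that yields this kind of output, as an added example that is not OpenA2A's code and does not claim to be its documented formula: the 50/50 category split, the per-severity penalties and the sample findings (file paths and severities) are all assumed. "Recoverable" points are those returned by findings that carry a fix command; a finding whose fix is null models a remediation that is not a single command, and the score is floored at 0 so a category with many findings cannot go negative. The recovery path is ordered by points regained, largest first.

```javascript
// Added example, not OpenA2A's own code: an assumed posture-scoring model that
// turns review findings into a 0-100 score with a recovery path. Weights and
// severity penalties are illustrative choices, not OpenA2A's documented formula.

const CATEGORY_WEIGHT = { credentials: 50, hygiene: 50 }; // assumed split, sums to 100
const SEVERITY_PENALTY = { critical: 10, high: 6, medium: 3, low: 1 }; // assumed

// Score one category. A finding without a fix command (fix: null) models a
// remediation that cannot be expressed as one command, e.g. a key already pushed
// to a remote that must be rotated; its penalty is therefore not "recoverable".
function scoreCategory(name, findings) {
  const weight = CATEGORY_WEIGHT[name];
  let penalty = 0, unfixable = 0, fixable = 0;
  for (const f of findings) {
    const p = SEVERITY_PENALTY[f.severity];
    if (p === undefined) throw new Error(`unknown severity: ${f.severity}`);
    penalty += p;
    if (f.fix) fixable += 1; else unfixable += p;
  }
  const score = Math.max(0, weight - penalty);       // floored at 0, never negative
  const afterFix = Math.max(0, weight - unfixable);  // score once every fixable finding is fixed
  return { name, weight, score, recoverable: afterFix - score, fixable, total: findings.length };
}

// Combine categories and build the recovery path, biggest point gain first.
function posture(findingsByCategory) {
  const categories = Object.keys(CATEGORY_WEIGHT)
    .map(n => scoreCategory(n, findingsByCategory[n] || []));
  const total = categories.reduce((s, c) => s + c.score, 0);
  const target = total + categories.reduce((s, c) => s + c.recoverable, 0);
  const steps = categories
    .flatMap(c => (findingsByCategory[c.name] || [])
      .filter(f => f.fix)
      .map(f => ({ ...f, category: c.name, points: SEVERITY_PENALTY[f.severity] })))
    .sort((a, b) => b.points - a.points); // stable sort keeps category order on ties
  return { total, target, categories, steps };
}

// Render the score block in the layout the post shows.
function formatPosture(p) {
  const lines = [`Security Posture: ${p.total}/100`, ''];
  for (const c of p.categories) {
    const label = (c.name[0].toUpperCase() + c.name.slice(1) + ':').padEnd(14);
    lines.push(`  ${label}${String(c.score).padStart(2)}/${c.weight}  ` +
               `(+${c.recoverable} recoverable by fixing ${c.fixable} finding(s))`);
  }
  lines.push('', `  Path to ${p.target}:`);
  for (const f of p.steps) lines.push(`    +${f.points}  ${f.path}: ${f.fix}`);
  return lines.join('\n');
}

// Constructed findings in the shape the review emits (paths and severities are made up).
const SAMPLE_FINDINGS = {
  credentials: [
    { path: '.env', severity: 'critical', fix: 'echo ".env" >> .gitignore' },
    { path: 'src/config.ts', severity: 'critical', fix: 'Replace with process.env.AWS_ACCESS_KEY_ID' },
    { path: 'docs/setup.md', severity: 'high', fix: 'Replace the literal token with a placeholder' },
  ],
  hygiene: [
    { path: '.gitignore', severity: 'high', fix: 'echo ".env" >> .gitignore' },
    { path: 'package.json', severity: 'medium', fix: 'npm install --package-lock-only' },
  ],
};

console.log(formatPosture(posture(SAMPLE_FINDINGS)));
```

With the sample findings this prints 65/100 (credentials 24/50 with +26 recoverable, hygiene 41/50 with +9) and a path to 100 that starts with the two critical findings. The distinction between a finding's penalty and its recoverable points is what lets the output emphasize the path forward: a category can be far from full marks while still showing exactly how many points a handful of commands would restore.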

Read the full post with additional examples on opena2a.org.

OpenA2A is building open security infrastructure for AI agents. Follow our progress at opena2a.org.