Concept

One scan for AI risk

opena2a is the umbrella CLI for AI project security. One command reviews a project across credentials, shadow agents, MCP servers, and dependencies, returns a score, and routes each finding to the tool that fixes it. Open source under Apache-2.0.

Why one scan

AI risk in a project is spread across credentials, undeclared agents, MCP configuration, and dependency trust, and each has its own tool. opena2a is the front door: run it in a project root and one review covers all of them, returns a score, and tells you which underlying tool to invoke for each fix. One command instead of four.

Review

One command runs a six-phase assessment across the surfaces that carry AI risk: hardcoded credentials, shadow agents, MCP servers, and dependency trust. Targeted scans run 209 static, 29 semantic, and 164 adversarial-payload checks through HackMyAgent.

Score

The review returns a single security score and the path to raise it. The documented example moves from 30 to 85 once the credential and config findings are fixed. The score sells the recovery, not the failure.

Route to the fix

Every finding names the command that fixes it. opena2a protect migrates credentials to env-var references; scan, trust, and secrets each delegate to the underlying tool. One front door, the right tool behind each finding.

opena2a review result: security score 30 out of 100, fixable, recoverable to 85 by running opena2a protect.

An opena2a review reports a score, the findings across four surfaces, and the path to fix them.

Run it

Review the current project, no flags required:

npx opena2a-cli review

Fix the credential findings the review surfaces:

npx opena2a-cli protect
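The credential step above, in miniature: a review finds string literals assigned to credential-looking names, and the fix moves each value out of the source into an environment variable and leaves an `os.environ` reference behind. The code below is an added illustration of that review-then-migrate loop, not opena2a's own implementation; the name heuristic, the sample source, and the (fake) key value are constructed for the example.

```python
import re

# Constructed sample input: a settings module with hardcoded credentials.
# The key value is a placeholder, not a real secret.
SAMPLE_SOURCE = """\
OPENAI_API_KEY = "sk-EXAMPLE-not-a-real-key-0123456789"
db_password = 'hunter2'
TIMEOUT = 30
"""

# Illustrative heuristic (not opena2a's rules): a string literal assigned to a
# name containing key/secret/token/password is treated as a hardcoded credential.
CREDENTIAL_ASSIGNMENT = re.compile(
    r'^(?P<indent>\s*)(?P<name>\w*(?:key|secret|token|password|passwd)\w*)\s*=\s*'
    r'(?P<quote>["\'])(?P<value>[^"\']+)(?P=quote)\s*$',
    re.IGNORECASE,
)


def find_credentials(source: str) -> list[str]:
    """Review step: return the names of variables holding credential literals."""
    return [
        m.group("name")
        for line in source.splitlines()
        if (m := CREDENTIAL_ASSIGNMENT.match(line))
    ]


def migrate_credentials(source: str) -> tuple[str, dict[str, str]]:
    """Fix step: rewrite each credential literal to an os.environ lookup.

    Returns the rewritten source plus a mapping of env-var name -> value,
    which belongs in an untracked .env file (or a secrets manager), never
    back in the repository. Non-matching lines are left untouched.
    """
    rewritten: list[str] = []
    env: dict[str, str] = {}
    for line in source.splitlines():
        m = CREDENTIAL_ASSIGNMENT.match(line)
        if not m:
            rewritten.append(line)
            continue
        var = m.group("name").upper()
        env[var] = m.group("value")
        rewritten.append(f'{m.group("indent")}{m.group("name")} = os.environ["{var}"]')
    # The rewritten module now needs `os`; add the import once if it is missing.
    if env and "import os" not in source:
        rewritten.insert(0, "import os")
    return "\n".join(rewritten) + "\n", env


def render_dotenv(env: dict[str, str]) -> str:
    """Serialize the extracted values as KEY=value lines for a local .env file."""
    return "".join(f"{key}={value}\n" for key, value in env.items())


if __name__ == "__main__":
    print("findings before:", find_credentials(SAMPLE_SOURCE))
    migrated, env = migrate_credentials(SAMPLE_SOURCE)
    print(migrated)
    print(".env contents:\n" + render_dotenv(env))
    print("findings after:", find_credentials(migrated))
```

Running the block on the sample reports two findings, rewrites both assignments to `os.environ[...]`, emits the two `.env` lines, and a second review of the migrated source reports none, which is the shape of the 30-to-85 path the page describes: the same check that produced the finding confirms the fix.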