Files
wehub-resource-sync 0d3cb498a3
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Waiting to run
Test and Publish Multi-arch Docker Image / test (push) Waiting to run
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Blocked by required conditions
Validate Renovate Config / Validate Renovate Configuration (push) Waiting to run
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

3.2 KiB

title, description, keywords, sidebar_label, sidebar_position
title description keywords sidebar_label sidebar_position
Code Scanning - LLM Security Vulnerability Scanner Scan code changes for LLM security vulnerabilities using AI-powered analysis. Find prompt injection, PII exposure, and other security risks in pull requests.
code security
LLM security
AI security
AI security scanning
security scanning
code scanning
prompt injection detection
PII detection
pull request review
PR review
security automation
GitHub Action security
vulnerability scanner
Overview 1

Code Scanning

Promptfoo Code Scanning uses AI agents to find LLM-related vulnerabilities in your codebase and helps you fix them before you merge. By focusing specifically on LLM-related vulnerabilities, it finds issues that more general security scanners might miss.

How It Works

The scanner examines code changes for common LLM security risks including prompt injection, PII exposure, and excessive agency. Rather than just analyzing the surface-level diff, it traces data flows deep into your codebase to understand how user inputs reach LLM prompts, how outputs are used, and what capabilities your LLM has access to.

This agentic approach catches subtle security issues that span multiple files, while maintaining a high signal-to-noise ratio to avoid alert fatigue.

Getting Started

GitHub Action

Automatically scan pull requests with findings posted as review comments, and optionally publish alerts to GitHub Code Scanning and the repository Security tab. This is the recommended way to use the scanner if your code is on GitHub. Set up the GitHub Action →

VS Code Extension (Enterprise)

Scan code directly in your editor with real-time feedback, inline diagnostics, and quick fixes. Available for enterprise customers. Learn more →

CLI Command

Run scans locally or in any CI environment. Use the CLI →

Severity Levels

Findings are classified by severity to help you prioritize:

  • Critical 🔴: Immediate security risk
  • High 🟠: Significant issue
  • Medium 🟡: Moderate risk
  • Low 🔵: Minor issue

Configure minimum severity thresholds in your scan settings.

Custom Guidance

Tailor scans to your needs by providing custom guidance:

  • Focus on specific vulnerability types or code areas
  • Adjust severity levels based on your context
  • Suggest fixes using your preferred libraries
  • Skip known false positives

Example:

guidance: |
  Ignore the /examples directory—it contains demo code only.
  Treat potential PII exposure as critical.
  For this app, sending proprietary code to OpenAI or Claude is not a vulnerability.
  Use Zod schemas for validation when suggesting fixes.

Cloud and Enterprise

Scans run on Promptfoo Cloud by default. For organizations that need to run scans on their own infrastructure, code scanning is available in Promptfoo Enterprise On-Prem.

See Also