
OpenA2A CLI: One-Command Security Reviews for AI Projects

OpenA2A Team

Originally published on opena2a.org

Most AI projects accumulate security debt quietly -- exposed API keys in configuration files, overly permissive MCP server configs, missing .gitignore entries for sensitive directories. The opena2a review command scans any project directory and produces a security posture score with specific findings and fix commands.

What It Does

Run opena2a review in any project directory. The CLI performs two categories of checks: credential scanning and configuration hygiene.

# Install and run
npm install -g opena2a-cli
opena2a review

# Or run directly without installing
npx opena2a-cli review

The review produces a scored report covering:

  • Credential scanning -- Detects API keys, tokens, and secrets in source files, configuration, and environment files
  • Configuration hygiene -- Checks .gitignore coverage, file permissions, MCP server configurations, and dependency security
  • Posture scoring -- Produces a 0-100 score with category breakdowns showing where points are lost and how to recover them

Review Output

The review output is designed to be actionable. Every finding includes the file path, a description of the issue, and a command to fix it.

[Figure: Security posture overview with category scores and recovery path]
[Figure: Credential scan results with file locations and fix commands]

Every Finding is Actionable

Each finding follows a consistent structure: what was found, where it was found, and how to fix it. No finding is a dead end.

# Example finding output:
#
# CREDENTIAL: OpenAI API key detected
# FILE: src/config.ts:14
# VERIFY: grep -n "sk-" src/config.ts
# FIX: Move to environment variable
#   echo "OPENAI_API_KEY=sk-..." >> .env
#   Replace hardcoded value with process.env.OPENAI_API_KEY

The posture score shows recovery potential: "Score: 42/100 -- recoverable to 78 by addressing 3 credential findings and 2 configuration issues." This frames the score as a path forward rather than a judgment.

CI/CD Integration

The review command supports JSON output for integration with CI pipelines and automated workflows.

# JSON output for CI integration
opena2a review --format json

# Set minimum score threshold (exit code 1 if below)
opena2a review --min-score 60

# Review a specific directory
opena2a review --path ./my-agent-project
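As an added illustration (not the opena2a-cli source), the following JavaScript sketches the review pipeline described in the "What It Does" list and the CI section above: a credential scan, .gitignore and MCP configuration hygiene checks, and a 0-100 posture score with a --min-score style exit code. The secret patterns, the penalty weights, the mcp.json file name with its allowedPaths key, and the in-memory project tree are all assumptions constructed for the example.

```javascript
// Added example, not the opena2a-cli source: a miniature of the two check
// categories the page describes (credential scan, configuration hygiene) and
// posture scoring. Patterns, penalties and the in-memory project tree are constructed.
const PROJECT = {
  "src/config.ts": 'const client = new OpenAI({ apiKey: "sk-live-EXAMPLE0000000000000000" });',
  ".env": "OPENAI_API_KEY=sk-live-EXAMPLE0000000000000000",
  ".gitignore": "node_modules/\ndist/",
  "mcp.json": '{"servers":{"fs":{"allowedPaths":["/"]}}}',
};
// Detector shapes (assumed); a real scanner carries many more.
const SECRET_PATTERNS = [
  { name: "OpenAI API key", re: /\bsk-[A-Za-z0-9_-]{16,}/ },
  { name: "AWS access key ID", re: /\bAKIA[0-9A-Z]{16}\b/ },
];
// Every finding carries what / where / how to fix, so none is a dead end.
function scanCredentials(files) {
  const out = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      for (const { name, re } of SECRET_PATTERNS) {
        if (re.test(line)) out.push({ category: "credential", where: `${path}:${i + 1}`,
          issue: `${name} detected`, fix: "move to an env var and read it via process.env" });
      }
    });
  }
  return out;
}
function checkHygiene(files) {
  const out = [];
  const ignored = (files[".gitignore"] || "").split("\n").map((l) => l.trim());
  if (".env" in files && !ignored.includes(".env"))
    out.push({ category: "config", where: ".gitignore", issue: ".env is not ignored",
      fix: 'echo ".env" >> .gitignore' });
  // MCP hygiene (assumed file layout): a filesystem server granted "/" is overly permissive.
  const mcp = files["mcp.json"] ? JSON.parse(files["mcp.json"]) : { servers: {} };
  for (const [name, cfg] of Object.entries(mcp.servers || {})) {
    if ((cfg.allowedPaths || []).includes("/"))
      out.push({ category: "config", where: `mcp.json (server "${name}")`,
        issue: "MCP server allowed the whole filesystem", fix: "restrict allowedPaths to the project directory" });
  }
  return out;
}
// Posture score: start at 100, deduct per finding (assumed weights), floor at 0; exit 1 below the threshold.
function review(files, minScore = 0) {
  const findings = [...scanCredentials(files), ...checkHygiene(files)];
  const penalty = findings.reduce((s, f) => s + (f.category === "credential" ? 15 : 10), 0);
  const score = Math.max(0, 100 - penalty);
  return { score, findings, exitCode: score < minScore ? 1 : 0 };
}
```

Calling review(PROJECT, 60) on the constructed tree yields two credential and two configuration findings, a score of 50, and exit code 1; a tree with no findings scores 100 and exits 0.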

Run a Security Review

Credential scanning. Configuration hygiene. Posture scoring. One command.

npx opena2a-cli review

This is a condensed version of the full post. Read the complete article on opena2a.org.

© 2026 OpenA2A. Open source under Apache-2.0 License.