7 of 10 OWASP LLM categories
LLM01, LLM02, LLM05, LLM06, LLM07, LLM08, and LLM10 covered — 2 strong, 5 partial. In progress: contributions welcome.
OWASP LLM Top 10 security scanner for AI apps
Find OWASP LLM Top 10 vulnerabilities in your Python AI app — before attackers do. No agents, no API calls, no runtime overhead. Just fast, free static analysis that runs in seconds.
Explore
Section titled “Explore” Documentation Install LLMArmor and run your first scan in 60 seconds.
CLI Reference Full command reference and flags.
OWASP LLM Top 10 Coverage See which OWASP LLM risks LLMArmor detects.
CI/CD Integration Run LLMArmor in GitHub Actions, GitLab CI, and more.
Compare How LLMArmor compares to garak, Promptfoo, and Lakera.
Blog Announcements, deep dives, and security guides.
Python
Static analysis for Python LLM applications: OpenAI, Anthropic, LangChain, CrewAI, Smolagents, Google ADK, and more.
MIT Licensed
Fully open source under the MIT license. Audit the code, fork it, extend it — no vendor lock-in.
Zero Runtime Overhead
Pure static analysis — no agents, no proxies, no API calls. Runs offline in seconds.
See it in action
Section titled “See it in action”The snippet below shows a common LLM01 (prompt injection) vulnerability — user-controlled input
interpolated into the system role — and the llmarmor scan finding it produces.
from flask import requestfrom langchain.chat_models import ChatOpenAI
llm = ChatOpenAI(model="gpt-4o")
def handle_query(): user_input = request.json["query"] # taint source system_role = request.json.get("role", "assistant") messages = [ {"role": "system", "content": f"You are a {system_role}. Answer concisely."}, {"role": "user", "content": user_input}, ] response = llm.invoke(messages) return response.contentLLM01 — Prompt Injection [HIGH] app.py:11 f"You are a {system_role}. Answer concisely." Tainted variable `system_role` reaches the system role — attacker can override system instructions. Fix: validate or allowlist `system_role` before interpolating it into the system message. Ref: https://owasp.org/www-project-top-10-for-large-language-model-applications/Why LLMArmor
Section titled “Why LLMArmor”Open Source & MIT Licensed
Fully open source under the MIT license. Audit the code, fork it, extend it — no vendor lock-in.
OWASP LLM Top 10 Aligned
Rules map directly to LLM01–LLM10. Every finding includes the OWASP reference and a suggested fix.
CI/CD Friendly
Structured exit codes (0 clean, 1 HIGH/MEDIUM, 2 CRITICAL) and SARIF output let you gate pipelines instantly.
Regex + AST Taint Tracking
Two complementary layers: fast regex for common patterns, plus Python AST taint analysis for aliasing, dict spreading, and multi-line concatenation.
Zero Runtime Overhead
Pure static analysis — no agents, no proxies, no instrumentation. Runs offline with no external calls.
Works With Any LLM Stack
Covers OpenAI, Anthropic, LangChain, CrewAI, Smolagents, Google ADK, Semantic Kernel, MCP, and more.
Get started in 60 seconds
Section titled “Get started in 60 seconds”pip install llmarmorllmarmor scan ./your-app/OWASP LLM Top 10 Coverage
Section titled “OWASP LLM Top 10 Coverage”LLM01 — Prompt Injection 🟢
Supported. 6 injection vectors with role-aware AST taint analysis and str.join() detection.
LLM02 — Sensitive Info Disclosure 🟡
Partial. Detects leaked API keys (OpenAI, Anthropic, Google, HuggingFace) across all file types.
LLM03 — Supply Chain Vulnerabilities 🔴
Out of scope. Requires dependency-tree analysis beyond static source scanning.
LLM04 — Data & Model Poisoning 🔴
Out of scope. Requires runtime monitoring, not static analysis.
LLM05 — Improper Output Handling 🟡
Partial. eval/exec/shell/SQL/HTML sinks with taint tracking.
LLM06 — Insecure Plugin Design 🟡
Partial. @tool functions with dangerous sinks flagged.
LLM07 — System Prompt Leakage 🟡
Partial. Hardcoded prompts in source code and config files.
LLM08 — Excessive Agency 🟢
Supported. 8 pattern categories including dynamic dispatch and disabled approval gates.
LLM09 — Misinformation 🔴
Out of scope. Requires runtime factual verification.
LLM10 — Unbounded Consumption 🟡
Partial. Missing max_tokens on LLM API calls with **config dict spread resolution.
See the full OWASP LLM Top 10 Coverage reference for rule-by-rule details.
How LLMArmor compares
Section titled “How LLMArmor compares”LLMArmor is purpose-built for OWASP LLM Top 10 static analysis. See how it differs from dynamic fuzzing tools and commercial runtime guards.
LLMArmor vs garak garak is a dynamic LLM red-teaming framework. See when to use each.
LLMArmor vs Promptfoo Promptfoo focuses on LLM evaluation and testing. See the differences.
LLMArmor vs Lakera Guard Lakera Guard is a runtime API proxy. See why static analysis is complementary.
Start securing your LLM app today
Section titled “Start securing your LLM app today” Get started in 60 seconds Install from PyPI and run your first scan instantly.
⭐ Star us on GitHub LLMArmor is free and open source. Stars help others discover it.
Frequently asked questions
Section titled “Frequently asked questions”- Is LLMArmor free and open source?
- Yes. LLMArmor is 100% free and released under the MIT license. You can audit the code, fork it, and contribute on GitHub. There is no paid tier, no API key required, and no vendor lock-in.
- Does LLMArmor cover the OWASP LLM Top 10?
- LLMArmor covers 7 of the 10 OWASP LLM risk categories, with strong detection for LLM01 (Prompt Injection) and LLM08 (Excessive Agency), and partial coverage for LLM02, LLM05, LLM06, LLM07, and LLM10. See the full OWASP LLM Top 10 coverage reference for rule-by-rule details.
- What languages and frameworks are supported?
- LLMArmor currently supports Python. It detects vulnerabilities in applications using OpenAI, Anthropic, LangChain, CrewAI, Smolagents, Google ADK, Semantic Kernel, MCP, and other popular LLM frameworks. Support for additional languages is on the roadmap.
- How is LLMArmor different from Garak, Promptfoo, and Lakera Guard?
- LLMArmor performs static source-code analysis — it scans your Python files for OWASP LLM Top 10 misconfigurations before your app runs. Garak dynamically probes live LLM endpoints; Promptfoo evaluates LLM output quality; Lakera Guard is a commercial runtime API proxy. These approaches are complementary, not competing.
- Can I run LLMArmor in CI/CD?
- Yes — that is one of the primary use cases. LLMArmor has structured exit codes (
0clean,1HIGH/MEDIUM findings,2CRITICAL) and SARIF output for GitHub Code Scanning. See the CI/CD integration guide for step-by-step GitHub Actions examples. - Does LLMArmor send my code anywhere?
- No. LLMArmor is pure static analysis that runs entirely on your local machine or CI runner. It makes no network calls, requires no API keys, and never transmits your source code to any external service.
- How do I install LLMArmor?
- Install from PyPI with
pip install llmarmor, then runllmarmor scan ./your-app/. See the Quick Start guide to scan your first project in under 60 seconds. - How do I report or suppress false positives?
- Add a
# llmarmor: ignorecomment on the flagged line, list paths in a.llmarmorignorefile, or configure rule exclusions in.llmarmor.yaml. See the suppressing false positives guide for full details. To report a false positive in the rules, open an issue on GitHub.