The A2A Scanner includes a Development Mode (--dev) that relaxes security checks for easier local testing. This mode is designed for development and testing environments only.
DO NOT USE DEVELOPMENT MODE IN PRODUCTION!
Dev mode disables critical security features and should only be used in controlled development environments.
When development mode is enabled, the scanner relaxes the following security checks:
- Localhost URLs (e.g. http://localhost:8000). Production: ❌ Blocked (SSRF protection). Dev Mode: ✅ Allowed.
- Private IP addresses (e.g. http://192.168.1.1). Production: ❌ Blocked (SSRF protection). Dev Mode: ✅ Allowed.
- Self-signed certificates. Production: ❌ Rejected. Dev Mode: ✅ Accepted.
- Plain HTTP. Production: flagged as HIGH severity. Dev Mode: allowed without warnings (for local testing).
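The production and dev-mode rules above, worked as an added example (this is not the a2a-scanner project's own code): a URL gate that classifies a scan target the way the list describes, blocking localhost and private addresses and flagging plain HTTP unless dev mode is on. The names check_target_url, is_private_host and tls_verify are assumptions for illustration, not the scanner's API, and the gate deliberately classifies only IP literals; the docstring notes what a real implementation must add.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit

Finding = Tuple[str, str]  # (severity, message)


@dataclass
class UrlCheck:
    allowed: bool
    findings: List[Finding] = field(default_factory=list)


def is_private_host(host: str) -> bool:
    """True for localhost names and loopback/private/link-local IP literals.

    Only literal addresses are classified here (a simplification for this
    example): a production check must also resolve DNS names and re-check
    every resolved address, including after redirects, or a public hostname
    that resolves to 127.0.0.1 slips past the gate.
    """
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return ip.is_loopback or ip.is_private or ip.is_link_local


def check_target_url(url: str, dev_mode: bool = False) -> UrlCheck:
    """Apply the production rules; dev_mode relaxes only the network checks."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return UrlCheck(False, [("HIGH", f"unsupported or malformed URL: {url!r}")])
    result = UrlCheck(True)
    if is_private_host(parts.hostname):
        if dev_mode:
            result.findings.append(("INFO", "localhost/private target allowed (dev mode)"))
        else:
            result.allowed = False
            result.findings.append(("HIGH", "SSRF protection: localhost and private IP targets are blocked"))
    if parts.scheme == "http" and not dev_mode:
        # Production: not blocked, but reported as a HIGH-severity finding.
        result.findings.append(("HIGH", "plain HTTP endpoint: traffic is unencrypted"))
    return result


def tls_verify(dev_mode: bool) -> bool:
    """Value to hand to the HTTP client's certificate verification switch
    (e.g. requests' verify=): dev mode accepts self-signed certificates by
    turning verification off."""
    return not dev_mode


if __name__ == "__main__":
    for target in ("http://localhost:8000", "http://192.168.1.1", "https://agent.example.com"):
        for mode in (False, True):
            r = check_target_url(target, dev_mode=mode)
            print(f"{'dev ' if mode else 'prod'} {target:30} allowed={r.allowed} {r.findings}")
```

The point of keeping the dev-mode branch inside the same function is that there is exactly one switch, so an audit of where the relaxed path can be reached is a search for one parameter rather than for several scattered conditionals.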
Add the --dev flag to any scanner command:
# Scan a local agent endpoint
a2a-scanner --dev scan-endpoint http://localhost:8000
# Scan an agent card from local URL
a2a-scanner --dev scan-card agent.json
# Fetch agent card from local server
# (POST with agent_card_url to API)
# Combine with debug for more visibility
a2a-scanner --dev --debug scan-endpoint http://localhost:9999

Set the environment variable before starting the API server:
# Enable dev mode via environment variable
export A2A_SCANNER_DEV_MODE=true
# Start API server
uvicorn a2ascanner.api.server:app --reload
# Now all API requests will use dev mode
curl -X POST http://localhost:8000/scan/endpoint \
  -H "Content-Type: application/json" \
  -d '{"endpoint_url": "http://localhost:8000"}'

Enable dev mode when creating the Config object:
import asyncio
from a2ascanner.config.config import Config
from a2ascanner.core.scanner import Scanner

async def main():
    # Enable dev mode
    config = Config(dev_mode=True)
    scanner = Scanner(config)
    # Now scanner allows localhost and skips SSL verification
    result = await scanner.scan_endpoint("http://localhost:8000")
    print(result)

asyncio.run(main())

Dev mode can be switched on or off in three ways. Via the environment variable:

# Enable dev mode
export A2A_SCANNER_DEV_MODE=true
# Disable dev mode (default)
export A2A_SCANNER_DEV_MODE=false
# or unset
unset A2A_SCANNER_DEV_MODE

Via the Config object:

# Enable dev mode
config = Config(dev_mode=True)
# Disable dev mode (default)
config = Config(dev_mode=False)
# or simply
config = Config()

Via the CLI:

# Enable dev mode
a2a-scanner --dev scan-endpoint http://localhost:8000
# Disable dev mode (default)
a2a-scanner scan-endpoint https://agent.example.com

Typical development scenarios:

# Start your agent locally
python my_agent.py
# Scan it with dev mode
a2a-scanner --dev scan-endpoint http://localhost:8000

# Scan agent with self-signed cert
a2a-scanner --dev scan-endpoint https://localhost:8443

# Scan agent on private network
a2a-scanner --dev scan-endpoint http://192.168.1.100:8000

# .github/workflows/test.yml
- name: Test A2A Scanner
  env:
    A2A_SCANNER_DEV_MODE: true
  run: |
    python -m pytest tests/

When dev mode is enabled via CLI, you'll see a warning:
⚠️ Development mode enabled:
- Localhost URLs allowed
- Private IP addresses allowed
- SSL certificate verification disabled
- HTTP connections allowed
DO NOT use in production!
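As an added example (not the project's own code) covering the three ways of enabling dev mode above and the warning the CLI prints: resolving one dev-mode value from the CLI flag, the A2A_SCANNER_DEV_MODE environment variable and a Config(dev_mode=...) argument, with a secure default when nothing is set. The function names, the accepted spellings of true/false and the precedence between the three switches (CLI flag, then environment, then Config) are assumptions for this example, not documented behaviour.

```python
import os
from typing import Mapping, Optional

ENV_VAR = "A2A_SCANNER_DEV_MODE"
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}

# The checks the page lists as relaxed in dev mode, in the order the CLI warns about them.
RELAXED_CHECKS = (
    "Localhost URLs allowed",
    "Private IP addresses allowed",
    "SSL certificate verification disabled",
    "HTTP connections allowed",
)


def parse_env_flag(env: Mapping[str, str], name: str = ENV_VAR) -> Optional[bool]:
    """Return True/False for a recognised value and None when the variable is unset.

    Comparing the normalised string matters: a naive bool(os.environ.get(name))
    treats A2A_SCANNER_DEV_MODE=false as *enabled*. Unrecognised values raise
    so that a typo cannot silently switch the checks off.
    """
    raw = env.get(name)
    if raw is None:
        return None
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"{name}={raw!r} is not a recognised boolean value")


def resolve_dev_mode(cli_flag: bool = False,
                     env: Optional[Mapping[str, str]] = None,
                     config_value: Optional[bool] = None) -> bool:
    """Combine the three switches (assumed precedence: CLI > env > Config).

    When nothing is set the result is False, i.e. every check stays enabled.
    """
    if cli_flag:
        return True
    env_value = parse_env_flag(os.environ if env is None else env)
    if env_value is not None:
        return env_value
    if config_value is not None:
        return config_value
    return False


def dev_mode_warning(dev_mode: bool) -> str:
    """The CLI warning text when dev mode is on; an empty string otherwise."""
    if not dev_mode:
        return ""
    lines = ["⚠️ Development mode enabled:"]
    lines += [f"- {check}" for check in RELAXED_CHECKS]
    lines.append("DO NOT use in production!")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed environment: the variable is set to "false" while Config asks for True.
    mode = resolve_dev_mode(env={ENV_VAR: "false"}, config_value=True)
    print("dev mode:", mode)  # the environment wins under the assumed precedence
    print(dev_mode_warning(resolve_dev_mode(cli_flag=True)))
```

Rejecting unknown spellings rather than mapping them to a default is the useful check here: a CI job that sets the variable to "yes " or "False" should fail loudly at start-up, not quietly run with or without the network checks.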
Dev mode only relaxes network-related security checks. The following still work normally:
- ✅ YARA Rules - All pattern detection rules
- ✅ Heuristic Analysis - Suspicious code patterns
- ✅ LLM Analysis - AI-powered threat detection
- ✅ Agent Card Validation - Schema validation
- ✅ Threat Detection - All threat categories
- ✅ Finding Reports - Full scan results
Appropriate uses of dev mode:
- Local agent development and testing
- Internal network testing
- CI/CD pipelines in isolated environments
- Development workstations
- Integration tests with mock agents

Do not use dev mode for:
- Production deployments
- Public-facing agents
- Security assessments of real agents
- Compliance scanning
- Any internet-facing services
Problem: Getting SSRF errors when testing locally
Solution: Enable dev mode
a2a-scanner --dev scan-endpoint http://localhost:8000

Problem: Self-signed certificate rejected
Solution: Enable dev mode to skip SSL verification
a2a-scanner --dev scan-endpoint https://localhost:8443

Problem: Cannot scan agents on private network
Solution: Enable dev mode
a2a-scanner --dev scan-endpoint http://192.168.1.100

Files changed to implement dev mode:
- a2ascanner/config/config.py: Added dev_mode parameter; added A2A_SCANNER_DEV_MODE environment variable
- a2ascanner/utils/http_client.py: Added allow_private_ips parameter to fetch_agent_card()
- a2ascanner/api/routes.py: Uses config.dev_mode for URL fetching and endpoint scanning
- a2ascanner/cli.py: Added --dev flag to CLI; shows warning when dev mode enabled
- a2ascanner/core/scanner.py: Passes dev mode settings to analyzers
The checks that dev mode relaxes protect against real risks:
- SSRF Protection: Prevents scanning of internal services that might expose sensitive data
- SSL Verification: Ensures you're connecting to the intended server
- Private IP Blocking: Prevents access to internal network resources
- HTTP Restrictions: Encourages secure communication
Always keep security restrictions enabled when:
- Scanning production agents
- Scanning third-party agents
- Running in cloud environments
- Performing security audits
- Operating in shared environments
# Terminal 1: Start local agent
cd my-agent
python agent.py
# Listening on http://localhost:8000
# Terminal 2: Scan with dev mode
cd a2a-scanner
a2a-scanner --dev scan-endpoint http://localhost:8000
# Output shows findings without SSRF errors

# Agent card hosted locally
a2a-scanner --dev scan-card --url http://localhost:8000/agent-card.json

import requests

# Enable dev mode in API server first:
# export A2A_SCANNER_DEV_MODE=true

# Scan local endpoint via API
response = requests.post(
    "http://localhost:8000/scan/endpoint",
    json={"endpoint_url": "http://localhost:9999"},
)
print(response.json())

Dev mode (--dev) is a powerful feature for local development that:
- ✅ Makes testing easier by allowing localhost and private IPs
- ✅ Skips SSL verification for self-signed certificates
- ✅ Maintains all security analysis capabilities
⚠️ Should NEVER be used in production environments
Usage: a2a-scanner --dev <command> or export A2A_SCANNER_DEV_MODE=true