CWE Mapping
Every AgentCop finding maps to a Common Weakness Enumeration (CWE) ID for integration with security scanners, SBOMs, and compliance workflows.
What is CWE?
Common Weakness Enumeration (CWE) is a community-developed list of common software and hardware security weaknesses. Maintained by MITRE, it provides a shared language for describing security flaws across tools and teams.
- Used in CVE descriptions to classify the root cause of known vulnerabilities
- Referenced in SBOMs (Software Bill of Materials) for supply chain compliance
- Consumed natively by SAST tools, GitHub Advanced Security, and SARIF-compatible scanners
- AgentCop maps every detection to a CWE so findings plug directly into your existing security workflows — no translation layer needed
Complete CWE Mapping
| AgentCop Detection | OWASP | CWE | CWE Name | Severity |
|---|---|---|---|---|
| Prompt injection (f-string) | LLM01 | CWE-20 | Improper Input Validation | HIGH |
| Prompt injection (.format) | LLM01 | CWE-20 | Improper Input Validation | HIGH |
| eval() on LLM output | LLM02 | CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code | CRITICAL |
| exec() on LLM output | LLM02 | CWE-78 | OS Command Injection | CRITICAL |
| Hardcoded API key | LLM06 | CWE-798 | Use of Hard-coded Credentials | HIGH |
| Hardcoded password | LLM06 | CWE-259 | Use of Hard-coded Password | HIGH |
| Shell tool without gate | LLM08 | CWE-78 | OS Command Injection | HIGH |
| Unvalidated vector store write | LLM03 | CWE-20 | Improper Input Validation | MEDIUM |
| Infinite loop (DoS) | LLM04 | CWE-400 | Uncontrolled Resource Consumption | MEDIUM |
| Unsafe HTML rendering | LLM02 | CWE-79 | Cross-site Scripting | MEDIUM |
| File write without gate | LLM08 | CWE-73 | External Control of File Name or Path | MEDIUM |
| Email send without approval | LLM08 | CWE-20 | Improper Input Validation | MEDIUM |
| Unverified network POST | LLM08 | CWE-918 | Server-Side Request Forgery | MEDIUM |
Using CWE IDs in CI
Filter findings by CWE in your CI pipeline to enforce severity thresholds or block on specific weakness classes.
```bash
# Filter by CWE in CI pipeline
agentcop scan agent.py --output json | \
  jq '[.issues[] | select(.cwe == "CWE-95")]'
# Returns only eval-on-LLM-output issues

# Fail CI on any CRITICAL finding
agentcop scan agent.py --output json | \
  jq 'if [.issues[] | select(.severity == "CRITICAL")] | length > 0 then error else . end'
```
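The two jq filters above each test a single condition. As an added example (not AgentCop's own code), this Python gate applies a minimum-severity threshold and a CWE blocklist together and fails closed on unrecognized severities. It assumes the JSON shape those filters read (`.issues[]` with `cwe` and `severity`); the `detection` field and the sample report are constructed.

```python
import json
import sys

# Severity names as used in the mapping table, lowest to highest.
SEVERITY_ORDER = ["MEDIUM", "HIGH", "CRITICAL"]


def gate(report, min_severity="HIGH", blocked_cwes=frozenset()):
    """Return the issues that should fail the build.

    An issue blocks if its severity is at or above min_severity, or its
    CWE is in blocked_cwes. Unknown or missing severities fail closed.
    """
    threshold = SEVERITY_ORDER.index(min_severity)
    blocking = []
    # report["issues"] raises KeyError on a malformed report, so a broken
    # scan cannot pass the gate silently.
    for issue in report["issues"]:
        sev = str(issue.get("severity", "")).upper()
        if (sev not in SEVERITY_ORDER
                or SEVERITY_ORDER.index(sev) >= threshold
                or issue.get("cwe") in blocked_cwes):
            blocking.append(issue)
    return blocking


# Constructed sample report; "detection" is a hypothetical field name.
SAMPLE = json.loads("""
{"issues": [
  {"detection": "eval() on LLM output", "cwe": "CWE-95", "severity": "CRITICAL"},
  {"detection": "Hardcoded API key", "cwe": "CWE-798", "severity": "HIGH"},
  {"detection": "Unverified network POST", "cwe": "CWE-918", "severity": "MEDIUM"},
  {"detection": "Infinite loop (DoS)", "cwe": "CWE-400", "severity": "MEDIUM"}
]}
""")

if __name__ == "__main__":
    # In CI: agentcop scan agent.py --output json | python gate.py
    report = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    failed = gate(report, min_severity="HIGH", blocked_cwes={"CWE-918"})
    for issue in failed:
        print(f"BLOCK {issue.get('cwe')} [{issue.get('severity')}]", file=sys.stderr)
    sys.exit(1 if failed else 0)
```

With this policy the MEDIUM SSRF finding (CWE-918) blocks the build even though it is below the severity threshold, while the MEDIUM CWE-400 finding passes.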
Integration with GitHub Code Scanning (SARIF)
AgentCop can export findings as SARIF (Static Analysis Results Interchange Format) for direct integration with GitHub Advanced Security and other SARIF-compatible platforms.
```bash
# Export as SARIF for GitHub Advanced Security
agentcop scan agent.py --output sarif > agentcop.sarif

# In .github/workflows/security.yml:
# - uses: github/codeql-action/upload-sarif@v2
#   with:
#     sarif_file: agentcop.sarif
```
The SARIF output includes full CWE and OWASP cross-references on every rule, so findings appear in GitHub's Security tab with complete classification metadata:
```json
{
  "version": "2.1.0",
  "runs": [{
    "tool": {
      "driver": {
        "name": "AgentCop",
        "version": "1.0.0",
        "rules": [{
          "id": "LLM02-eval",
          "name": "InsecureOutputHandling",
          "shortDescription": { "text": "eval() called on LLM-generated content" },
          "properties": { "cwe": ["CWE-95"], "owasp": ["LLM02"] }
        }]
      }
    },
    "results": [{
      "ruleId": "LLM02-eval",
      "level": "error",
      "locations": [{
        "physicalLocation": {
          "artifactLocation": { "uri": "agent.py" },
          "region": { "startLine": 31 }
        }
      }]
    }]
  }]
}
```