Important
Experimental. This is an early experiment to validate our approach to securing coding agents; not a production-ready product, and not meant for dogfooding at scale. The deployment method here does not reflect the final product, which will use a more secure approach with full data-privacy guarantees. Do not use this project in data-sensitive coding sessions.
A CLI that runs AI coding agent actions through Datadog AI Guard before they are executed.
When a coding agent reads a file, runs a command, or loads a skill or plugin, that content can carry malicious intent: prompt-injection payloads, instructions to exfiltrate secrets, attempts to install hostile tools, and similar. This CLI hooks into the agent's lifecycle, evaluates each tool call against AI Guard, and denies the operation when policy is violated.
Denied tool calls provide a useful remediation to the user so they can clearly see what steps are required to fix the
issue. Setting DD_AI_GUARD_BLOCK=false switches to observe-only: evaluations are still emitted, but no decision is
enforced. Every evaluation (allow or deny) is emitted to Datadog with the session, tool, model, and risk category
attached.
A single command bootstraps the CLI on Linux and macOS — it downloads the latest signed binary, verifies its SHA-256
checksum and Sigstore build-provenance signature, and wires AI Guard hooks into your coding
agent. The hooks run AI Guard in-process when the agent invokes them; there is no background service. Everything lives
under $HOME: no root, no sudo, no system-wide changes.
The installer is published as a signed release asset, so you can verify it with the GitHub CLI before running it:
# Download the installer and its signature from the latest release
curl -fsSLO https://github.com/DataDog/ai-guard-coding-agents/releases/latest/download/install.sh
curl -fsSLO https://github.com/DataDog/ai-guard-coding-agents/releases/latest/download/install.sh.sigstore.json
# Verify it was built by this repo's release workflow, then run it
gh attestation verify install.sh \
--bundle install.sh.sigstore.json \
--repo DataDog/ai-guard-coding-agents \
--cert-identity-regex '^https://github\.com/DataDog/ai-guard-coding-agents/\.github/workflows/build\.yml@refs/tags/v[0-9].*$' \
&& sh install.shWithout gh you can run sh install.sh directly, but you then trust the bootstrap on the strength of the HTTPS
download alone, the script still verifies the downloaded binary as described in
Verifying the download.
Windows support is coming via install.ps1.
| Platform | Architectures |
|---|---|
| Linux | x86_64, arm64 |
| macOS | Apple Silicon (arm64) |
The bootstrap script checks for these upfront and exits with a clear error if any are missing.
- HTTP downloader:
curlorwget - Checksum tool:
sha256sumorshasum - Archive tools:
tarandmktemp - GitHub CLI:
ghoptional but recommended, used to verify the binary's signature
The SHA-256 checksum only proves the download wasn't corrupted in transit, it can't prove the bytes came from Datadog, since anyone able to tamper with a release could replace the tarball and its checksum together. To prove authenticity, each release artifact is signed with a Sigstore build-provenance attestation generated by the release workflow (keyless: bound to the workflow's identity and recorded in a public transparency log — there is no long-lived signing key).
To verify a download yourself:
# Verify installer script
gh attestation verify install.sh \
--bundle install.sh.sigstore.json \
--repo DataDog/ai-guard-coding-agents \
--cert-identity-regex '^https://github\.com/DataDog/ai-guard-coding-agents/\.github/workflows/build\.yml@refs/tags/v[0-9].*$'
# Verify native package
gh attestation verify ai-guard-linux-x86_64.tar.gz \
--bundle ai-guard-linux-x86_64.tar.gz.sigstore.json \
--repo DataDog/ai-guard-coding-agents \
--cert-identity-regex '^https://github\.com/DataDog/ai-guard-coding-agents/\.github/workflows/build\.yml@refs/tags/v[0-9].*$'Every path the installer creates or modifies is listed below — nothing else on your machine is touched.
| Path | Purpose | Agent |
|---|---|---|
~/.local/share/ai-guard/ |
PyInstaller onedir bundle (launcher + _internal/). |
* |
~/.local/bin/ai-guard |
Symlink to the bundle launcher — the command the hooks call. | * |
${XDG_STATE_HOME:-~/.local/state}/ai-guard/ai-guard.log |
Rotating application log. | * |
${XDG_CONFIG_HOME:-~/.config}/ai-guard/config.env |
Persisted configuration values (mode 0600). |
* |
OS keychain (ai-guard service) |
DD_API_KEY / DD_APP_KEY via keychain when available. |
* |
${CLAUDE_CONFIG_DIR:-~/.claude}/settings.json |
Hook block under hooks.*. |
Claude Code |
Paths follow the XDG Base Directory Specification and honour
$XDG_CONFIG_HOME / $XDG_STATE_HOME if set.
The hooks read their configuration (DD_AI_GUARD_BLOCK, site, log settings) from config.env and log to
~/.local/state/ai-guard/ai-guard.log (rotating), including uncaught Python exceptions. The Datadog API and
application keys are credentials, so they are stored in the OS keychain (macOS Keychain, Linux Secret Service) via the
keyring library rather than in plaintext config.env. On a host with no usable
keychain backend (e.g. headless Linux without gnome-keyring) the installer falls back to keeping them in config.env.
ai-guard uninstallRemoves the AI Guard hooks from your coding agent config, deletes the binary and config.env, and clears the
DD_API_KEY / DD_APP_KEY entries from the OS keychain. ~/.local/state/ai-guard/ai-guard.log* is preserved as a
forensic trail.
DD_AI_GUARD_PRIVACY_MODE controls how much of the coding trajectory is surfaced in the Datadog AI Guard UI.
| Value | Behavior |
|---|---|
CODING_AGENT |
Default. Every message is kept but its content is redacted to [redacted]. |
DEFAULT |
Full conversation and message contents are shown for every evaluation. |
See CONTRIBUTING.md for development setup and the PR workflow. For an in-depth tour of the codebase, see AGENTS.md.
For questions, feature requests, or bug reports, open an issue on this repository.
For security issues, follow the responsible-disclosure process at https://www.datadoghq.com/security/. Do not open a public GitHub issue.
Apache 2.0. See LICENSE and NOTICE. Third-party components bundled into the released binary are tracked in LICENSE-3rdparty.csv.