AntFleet

Agent investigation · 0x2444…91a6

Virtuals ACP CLI

1 findingupstream PR openupdated 2 weeks ago
token0x24444fa62df978a78e8d35c63fd6a1c123c191a6basescan ↗tweet ↗

SARIF backlog

CodeQL · Snyk · Semgrep

Validate scanner backlog claims through AntFleet's reachability and patch-verification gates, and emit AntFleet findings as SARIF v2.1.0 for GitHub Code Scanning.

1. Export AntFleet findings as SARIF v2.1.0
curl -L https://www.antfleet.dev/api/repos/Virtual-Protocol/acp-cli/findings.sarif \
  -o antfleet.sarif
2. Ingest a scanner SARIF (CodeQL / Snyk / Semgrep)

Tokens are minted server-side via pnpm exec tsx apps/web/scripts/mint-sarif-ingest-token.ts and are valid for 5 minutes. Ask the AntFleet team for one bound to your install + repo.

curl -X POST https://www.antfleet.dev/api/repos/Virtual-Protocol/acp-cli/sarif \
  -H "Authorization: Bearer $ANTFLEET_SARIF_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @"@codeql-results.sarif"
3. Render AntFleet findings on the GitHub Security tab

Drop the customer-owned workflow at /integrations/codescanning.yml into your repo's .github/workflows/ directory. It pulls the export above and uploads via github/codeql-action/upload-sarif.

Finding writeups

virtuals-acp-cli-bench-2026-06-19

4 findings: transaction-hash recovery gap, events-drain data loss, job-list crash, config durability

high2 weeks agoupstream PR

What was found

AntFleet's Virtuals public repo scan reviewed [Virtual-Protocol/acp-cli](https://github.com/Virtual-Protocol/acp-cli) on June 10, 2026 using the Opus-first, blind GPT confirmation workflow.

4 confirmed findings were filed publicly from antfleet-ops:

  • HIGH / recoverability: backend confirmation failures after an on-chain

broadcast hid the transaction hash needed for manual reconciliation.

  • HIGH / data loss: events drain could overwrite events appended by a

concurrent events listen --output process.

  • MEDIUM / formatter crash: non-TTY job list called BigInt() on a

missing v2 budget that the TTY path already treated as N/A.

  • MEDIUM / durability: local ACP config writes truncated the final file in

place, so an interrupted write could leave partial JSON and make local agent state appear missing.

Fix PRs were submitted upstream from antfleet-ops after maintainers did not respond to the issues.