If you're running AI agents in production or building on MCP, this scanner gives you the blast radius view you actually need. It inventories agents, MCP servers, tools, packages, and credential references, then maps vulnerabilities from OSV and GHSA through the dependency graph to show you which agents can reach which exposed attack paths. You get CLI output for CI gates, MCP tools for agent driven security queries, and a self hosted dashboard that visualizes the full mesh. The quickstart command seeds demo data so you can see graph backed findings before pointing it at your own stack. Useful when you need to answer "what breaks if this package is compromised" or enforce pre install guards across a fleet.
Public tool metadata for what this MCP can expose to an agent.
scanRun a full AI supply chain security scan. Discovers local MCP configurations (Claude Desktop, Cursor, Windsurf, VS Code Copilot, OpenClaw, etc.), extracts package dependencies, queries OSV.dev for CVEs, assesses config security (credential exposure, tool access), computes blas...13 paramsRun a full AI supply chain security scan. Discovers local MCP configurations (Claude Desktop, Cursor, Windsurf, VS Code Copilot, OpenClaw, etc.), extracts package dependencies, queries OSV.dev for CVEs, assesses config security (credential exposure, tool access), computes blas...
imagevalueenrichbooleanpolicyvaluesbom_pathvaluescorecardbooleandb_sourcesvaluetransitivebooleanconfig_pathvaluefail_severityvalueoutput_formatstringwarn_severityvalueauto_update_dbbooleanverify_integritybooleancheckCheck a specific package for known CVEs before installing. Queries OSV.dev for vulnerabilities in the given package. Use this before installing an MCP server or dependency to verify it is safe. Args: package: Package name with optional version, e.g. "express@4.18.2", "@modelco...2 paramsCheck a specific package for known CVEs before installing. Queries OSV.dev for vulnerabilities in the given package. Use this before installing an MCP server or dependency to verify it is safe. Args: package: Package name with optional version, e.g. "express@4.18.2", "@modelco...
packagestringecosystemstringblast_radiusLook up the blast radius of a specific CVE across your AI agent setup. Scans local MCP configurations, finds the specified CVE, and returns the full attack chain: which packages are affected, which MCP servers use those packages, which agents connect to those servers, and what...1 paramsLook up the blast radius of a specific CVE across your AI agent setup. Scans local MCP configurations, finds the specified CVE, and returns the full attack chain: which packages are affected, which MCP servers use those packages, which agents connect to those servers, and what...
cve_idstringpolicy_checkEvaluate a security policy against current scan results. Runs a scan, then evaluates the provided policy rules against the findings. Policies can gate on severity thresholds, CISA KEV status, AI risk flags, credential exposure, and denied packages. Args: policy_json: JSON stri...1 paramsEvaluate a security policy against current scan results. Runs a scan, then evaluates the provided policy rules against the findings. Policies can gate on severity thresholds, CISA KEV status, AI risk flags, credential exposure, and denied packages. Args: policy_json: JSON stri...
policy_jsonstringregistry_lookupQuery the agent-bom MCP server threat intelligence registry. Look up risk level, known tools, credential requirements, and verification status for known MCP servers. The registry contains 109+ servers with security metadata. Args: server_name: MCP server name to look up (e.g....2 paramsQuery the agent-bom MCP server threat intelligence registry. Look up risk level, known tools, credential requirements, and verification status for known MCP servers. The registry contains 109+ servers with security metadata. Args: server_name: MCP server name to look up (e.g....
server_namevaluepackage_namevaluegenerate_sbomGenerate a Software Bill of Materials (SBOM) for your AI agent setup. Discovers AI agents and MCP servers, extracts all package dependencies, and generates a standards-compliant SBOM. Args: format: SBOM format — "cyclonedx" (CycloneDX 1.6) or "spdx" (SPDX 3.0). config_path: Pa...2 paramsGenerate a Software Bill of Materials (SBOM) for your AI agent setup. Discovers AI agents and MCP servers, extracts all package dependencies, and generates a standards-compliant SBOM. Args: format: SBOM format — "cyclonedx" (CycloneDX 1.6) or "spdx" (SPDX 3.0). config_path: Pa...
formatstringconfig_pathvaluecomplianceGet OWASP LLM Top 10 / OWASP MCP Top 10 / MITRE ATLAS / NIST AI RMF compliance posture. Scans local MCP configurations, maps findings to 47 security controls across four AI security frameworks, and returns per-control pass/warning/fail status with an overall compliance score....2 paramsGet OWASP LLM Top 10 / OWASP MCP Top 10 / MITRE ATLAS / NIST AI RMF compliance posture. Scans local MCP configurations, maps findings to 47 security controls across four AI security frameworks, and returns per-control pass/warning/fail status with an overall compliance score....
imagevalueconfig_pathvalueremediateGenerate a remediation plan for vulnerabilities in your AI agent setup. Scans for vulnerabilities, then generates actionable fix commands for each affected package (npm install, pip install), credential scope reduction guidance, and reports on unfixable vulnerabilities. Args:...2 paramsGenerate a remediation plan for vulnerabilities in your AI agent setup. Scans for vulnerabilities, then generates actionable fix commands for each affected package (npm install, pip install), credential scope reduction guidance, and reports on unfixable vulnerabilities. Args:...
imagevalueconfig_pathvalueskill_scanScan skill and instruction files for trust, findings, and provenance. Discovers supported files such as `CLAUDE.md`, `AGENTS.md`, `.cursorrules`, and `skills/*.md`, then parses referenced packages, MCP servers, credential env vars, audit findings, and trust verdicts.1 paramsScan skill and instruction files for trust, findings, and provenance. Discovers supported files such as `CLAUDE.md`, `AGENTS.md`, `.cursorrules`, and `skills/*.md`, then parses referenced packages, MCP servers, credential env vars, audit findings, and trust verdicts.
pathstringskill_verifyVerify Sigstore provenance for skill and instruction files.1 paramsVerify Sigstore provenance for skill and instruction files.
pathstringskill_trustAssess the trust level of a SKILL.md file using ClawHub-style categories. Parses a SKILL.md file, runs security audit checks, then evaluates trust across 5 categories: Purpose & Capability, Instruction Scope, Install Mechanism, Credentials, and Persistence & Privilege. Returns...1 paramsAssess the trust level of a SKILL.md file using ClawHub-style categories. Parses a SKILL.md file, runs security audit checks, then evaluates trust across 5 categories: Purpose & Capability, Instruction Scope, Install Mechanism, Credentials, and Persistence & Privilege. Returns...
skill_pathstringverifyVerify package integrity and SLSA provenance against registries. Checks SHA-256/SRI hashes against npm/PyPI registries and looks up SLSA build provenance attestations to confirm the package was built from its claimed source repository. Returns: JSON with integrity verification...2 paramsVerify package integrity and SLSA provenance against registries. Checks SHA-256/SRI hashes against npm/PyPI registries and looks up SLSA build provenance attestations to confirm the package was built from its claimed source repository. Returns: JSON with integrity verification...
packagestringecosystemstringwhereShow all MCP discovery paths and which config files exist. Lists every known MCP client config path per platform, indicating which files are present on the current system. Useful for debugging discovery issues or understanding where MCP configs live. Returns: JSON with per-cli...Show all MCP discovery paths and which config files exist. Lists every known MCP client config path per platform, indicating which files are present on the current system. Useful for debugging discovery issues or understanding where MCP configs live. Returns: JSON with per-cli...
No parameter schema in public metadata yet.
inventoryList all discovered MCP configurations and servers without CVE scanning. Performs fast discovery and package extraction only — no vulnerability scanning. Use this for a quick inventory of configs, servers, and packages. Returns: JSON with discovered agents, their MCP servers,...1 paramsList all discovered MCP configurations and servers without CVE scanning. Performs fast discovery and package extraction only — no vulnerability scanning. Use this for a quick inventory of configs, servers, and packages. Returns: JSON with discovered agents, their MCP servers,...
config_pathvaluetool_risk_assessmentScore live-introspected MCP tool capabilities and server risk. Uses runtime `tools/list` data to classify tool capabilities (READ/WRITE/EXECUTE/NETWORK/etc.) and compute a per-server risk profile. Returns: JSON with per-server tool profiles, capability counts, dangerous combin...2 paramsScore live-introspected MCP tool capabilities and server risk. Uses runtime `tools/list` data to classify tool capabilities (READ/WRITE/EXECUTE/NETWORK/etc.) and compute a per-server risk profile. Returns: JSON with per-server tool profiles, capability counts, dangerous combin...
timeoutnumberconfig_pathvaluediffCompare a fresh scan against a baseline to find new and resolved vulns. Runs a new scan, then diffs it against the provided baseline (or the latest saved report). Shows new vulnerabilities, resolved ones, and changes in the package inventory. Returns: JSON with new findings, r...1 paramsCompare a fresh scan against a baseline to find new and resolved vulns. Runs a new scan, then diffs it against the provided baseline (or the latest saved report). Shows new vulnerabilities, resolved ones, and changes in the package inventory. Returns: JSON with new findings, r...
baselinevaluemarketplace_checkPre-install trust check for an MCP server package. Queries the package registry (npm or PyPI) for metadata and cross-references against the agent-bom MCP threat intelligence registry. Returns trust signals including download count, CVE status, and registry verification. Args:...2 paramsPre-install trust check for an MCP server package. Queries the package registry (npm or PyPI) for metadata and cross-references against the agent-bom MCP threat intelligence registry. Returns trust signals including download count, CVE status, and registry verification. Args:...
packagestringecosystemstringcode_scanRun SAST (Static Application Security Testing) on source code via Semgrep. Scans for security flaws: SQL injection, XSS, command injection, hardcoded credentials, insecure deserialization, path traversal, etc. Returns findings with CWE classifications and severity levels. Requ...2 paramsRun SAST (Static Application Security Testing) on source code via Semgrep. Scans for security flaws: SQL injection, XSS, command injection, hardcoded credentials, insecure deserialization, path traversal, etc. Returns findings with CWE classifications and severity levels. Requ...
pathstringconfigstringcontext_graphBuild an agent context graph with lateral movement analysis. Models reachability between agents, servers, credentials, tools, and vulnerabilities. Answers: "If agent X is compromised, what else becomes reachable?" Returns: JSON with nodes, edges, lateral_paths, interaction_ris...3 paramsBuild an agent context graph with lateral movement analysis. Models reachability between agents, servers, credentials, tools, and vulnerabilities. Answers: "If agent X is compromised, what else becomes reachable?" Returns: JSON with nodes, edges, lateral_paths, interaction_ris...
max_depthintegerconfig_pathvaluesource_agentvaluegraph_exportExport the agent dependency graph in graph-native formats. Formats: - **graphml** — yEd, Gephi, NetworkX compatible with AIBOM-typed attributes - **cypher** — Neo4j import script with AIBOM node labels (AIAgent, MCPServer, Package, Vulnerability) - **dot** — Graphviz (pipe thr...2 paramsExport the agent dependency graph in graph-native formats. Formats: - **graphml** — yEd, Gephi, NetworkX compatible with AIBOM-typed attributes - **cypher** — Neo4j import script with AIBOM node labels (AIAgent, MCPServer, Package, Vulnerability) - **dot** — Graphviz (pipe thr...
formatstringconfig_pathvalueanalytics_queryQuery vulnerability trends, posture history, and runtime event summaries from ClickHouse. Requires AGENT_BOM_CLICKHOUSE_URL to be set. Returns empty results if ClickHouse is not configured.5 paramsQuery vulnerability trends, posture history, and runtime event summaries from ClickHouse. Requires AGENT_BOM_CLICKHOUSE_URL to be set. Returns empty results if ClickHouse is not configured.
daysintegeragentvaluehoursintegerlimitintegerquery_typestringcis_benchmarkRun CIS benchmark checks against a cloud account. Evaluates security posture against CIS Foundations Benchmarks: - AWS Foundations v3.0: 18 checks (IAM, Storage, Logging, Networking) - Snowflake v1.0: 12 checks (Auth, Network, Data Protection, Monitoring, Access Control) - Azu...6 paramsRun CIS benchmark checks against a cloud account. Evaluates security posture against CIS Foundations Benchmarks: - AWS Foundations v3.0: 18 checks (IAM, Storage, Logging, Networking) - Snowflake v1.0: 12 checks (Auth, Network, Data Protection, Monitoring, Access Control) - Azu...
checksvalueregionvalueprofilevalueproviderstringproject_idvaluesubscription_idvaluefleet_scanBatch-scan a list of MCP server names against the security metadata registry. Designed for fleet inventory data (CrowdStrike, SIEM, CSV exports) where you have server names but not versions. Returns per-server risk assessment with registry match status, risk category, tools, c...1 paramsBatch-scan a list of MCP server names against the security metadata registry. Designed for fleet inventory data (CrowdStrike, SIEM, CSV exports) where you have server names but not versions. Returns per-server risk assessment with registry match status, risk category, tools, c...
serversstringruntime_correlateCross-reference vulnerability scan results with proxy runtime audit logs. Identifies which vulnerable tools were ACTUALLY CALLED in production, distinguishing confirmed attack surface from theoretical risk. Produces risk-amplified findings: a vulnerable tool that was called 10...3 paramsCross-reference vulnerability scan results with proxy runtime audit logs. Identifies which vulnerable tools were ACTUALLY CALLED in production, distinguishing confirmed attack surface from theoretical risk. Produces risk-amplified findings: a vulnerable tool that was called 10...
audit_logstringotel_tracestringconfig_pathstringvector_db_scanScan for running vector databases and assess their security posture. Probes well-known ports for Qdrant (6333), Weaviate (8080), Chroma (8000), and Milvus (9091). For each discovered instance checks: - Authentication required (no_auth flag if collections accessible without cre...1 paramsScan for running vector databases and assess their security posture. Probes well-known ports for Qdrant (6333), Weaviate (8080), Chroma (8000), and Milvus (9091). For each discovered instance checks: - Authentication required (no_auth flag if collections accessible without cre...
hostsvalueaisvs_benchmarkRun AISVS v1.0 (AI Security Verification Standard) compliance checks. Evaluates the local AI system stack against OWASP AISVS v1.0 controls: - AI-4.1 Model files use safe serialization (not pickle/pt/bin) - AI-4.2 Model files have cryptographic integrity digest - AI-4.3 Ollama...1 paramsRun AISVS v1.0 (AI Security Verification Standard) compliance checks. Evaluates the local AI system stack against OWASP AISVS v1.0 controls: - AI-4.1 Model files use safe serialization (not pickle/pt/bin) - AI-4.2 Model files have cryptographic integrity digest - AI-4.3 Ollama...
checksvaluegpu_infra_scanDiscover GPU/AI compute infrastructure: containers, K8s nodes, and DCGM endpoints. Scans for GPU-enabled workloads from the local Docker daemon and Kubernetes clusters. Identifies NVIDIA base images, CUDA/cuDNN versions, explicit GPU device assignments, and unauthenticated DCG...2 paramsDiscover GPU/AI compute infrastructure: containers, K8s nodes, and DCGM endpoints. Scans for GPU-enabled workloads from the local Docker daemon and Kubernetes clusters. Identifies NVIDIA base images, CUDA/cuDNN versions, explicit GPU device assignments, and unauthenticated DCG...
probe_dcgmbooleank8s_contextvaluedataset_card_scanScan a directory for ML dataset card metadata and provenance. Discovers and parses: - HuggingFace dataset_info.json (auto-generated metadata) - HuggingFace README.md YAML frontmatter (dataset cards) - DVC .dvc tracking files (data versioning provenance) Flags: UNLICENSED_DATAS...1 paramsScan a directory for ML dataset card metadata and provenance. Discovers and parses: - HuggingFace dataset_info.json (auto-generated metadata) - HuggingFace README.md YAML frontmatter (dataset cards) - DVC .dvc tracking files (data versioning provenance) Flags: UNLICENSED_DATAS...
directorystringtraining_pipeline_scanScan a directory for ML training pipeline lineage and provenance. Discovers and parses: - MLflow: meta.yaml, MLmodel, requirements.txt, conda.yaml - Kubeflow: Argo workflow YAML, KFP v2 pipelineSpec YAML - W&B: wandb-metadata.json, config.yaml, wandb-summary.json Flags: UNSAFE...1 paramsScan a directory for ML training pipeline lineage and provenance. Discovers and parses: - MLflow: meta.yaml, MLmodel, requirements.txt, conda.yaml - Kubeflow: Argo workflow YAML, KFP v2 pipelineSpec YAML - W&B: wandb-metadata.json, config.yaml, wandb-summary.json Flags: UNSAFE...
directorystringbrowser_extension_scanScan installed browser extensions for dangerous permissions. Scans Chrome, Chromium, Brave, Edge, and Firefox for extensions with: - nativeMessaging (can execute arbitrary commands) - debugger (can intercept all browser traffic) - cookies/clipboardRead on AI domains - Broad ho...1 paramsScan installed browser extensions for dangerous permissions. Scans Chrome, Chromium, Brave, Edge, and Firefox for extensions with: - nativeMessaging (can execute arbitrary commands) - debugger (can intercept all browser traffic) - cookies/clipboardRead on AI domains - Broad ho...
include_low_riskbooleanmodel_provenance_scanCheck ML model provenance and supply chain metadata. Queries HuggingFace Hub or Ollama for: - Serialization format (safetensors=safe, pickle/pt=unsafe) - SHA256 digest verification - Gated/private status - Model card presence - Risk assessment (critical/high/medium/safe) Retur...2 paramsCheck ML model provenance and supply chain metadata. Queries HuggingFace Hub or Ollama for: - Serialization format (safetensors=safe, pickle/pt=unsafe) - SHA256 digest verification - Gated/private status - Model card presence - Risk assessment (critical/high/medium/safe) Retur...
sourcestringmodel_idstringprompt_scanScan prompt template files for injection risks and security issues. Discovers and analyzes: - .prompt files - system_prompt.* files - Files in prompts/ directories Checks for injection patterns, unsafe variable interpolation, and missing guardrails in prompt templates.1 paramsScan prompt template files for injection risks and security issues. Discovers and analyzes: - .prompt files - system_prompt.* files - Files in prompts/ directories Checks for injection patterns, unsafe variable interpolation, and missing guardrails in prompt templates.
directorystringmodel_file_scanScan a directory for ML model files and assess serialization risks. Discovers model files and checks: - Serialization format (safetensors=safe, pickle/joblib=unsafe) - File size and format metadata - GGUF/GGML quantization details - Known unsafe patterns in pickle-based format...1 paramsScan a directory for ML model files and assess serialization risks. Discovers model files and checks: - Serialization format (safetensors=safe, pickle/joblib=unsafe) - File size and format metadata - GGUF/GGML quantization details - Known unsafe patterns in pickle-based format...
directorystringai_inventory_scanScan source code for AI component usage patterns. Detects: - AI SDK imports (openai, anthropic, langchain, etc.) across 7 languages - Model string references (gpt-4o, claude-3-5-sonnet, llama-3, etc.) - Hardcoded API keys (sk-proj-*, sk-ant-*, hf_*, etc.) - Deprecated model us...1 paramsScan source code for AI component usage patterns. Detects: - AI SDK imports (openai, anthropic, langchain, etc.) across 7 languages - Model string references (gpt-4o, claude-3-5-sonnet, llama-3, etc.) - Hardcoded API keys (sk-proj-*, sk-ant-*, hf_*, etc.) - Deprecated model us...
directorystringlicense_compliance_scanEvaluate package licenses against compliance policy. Categorizes each package license using the full SPDX catalog (2,500+ licenses) with proper expression parsing (OR/AND/WITH), deprecated ID normalization, and network-copyleft detection (AGPL, EUPL, OSL). Risk tiers: permissi...2 paramsEvaluate package licenses against compliance policy. Categorizes each package license using the full SPDX catalog (2,500+ licenses) with proper expression parsing (OR/AND/WITH), deprecated ID normalization, and network-copyleft detection (AGPL, EUPL, OSL). Risk tiers: permissi...
scan_jsonstringpolicy_jsonstringingest_external_scanIngest Trivy, Grype, or Syft JSON scan output and return packages with blast radius analysis. Auto-detects the scanner format from the JSON structure: - Trivy (``trivy fs --format json``): Results + Vulnerabilities - Grype (``grype --output json``): matches array - Syft (``syf...1 paramsIngest Trivy, Grype, or Syft JSON scan output and return packages with blast radius analysis. Auto-detects the scanner format from the JSON structure: - Trivy (``trivy fs --format json``): Results + Vulnerabilities - Grype (``grype --output json``): matches array - Syft (``syf...
scan_jsonstring
Open security scanner and self-hosted control plane for AI, MCP, and cloud infrastructure.
Headless agent primitives and human cockpit surfaces over one shared evidence model.
Live demo (read-only sandbox) · Docs · First Run · Self-host · GitHub Action · Docker · Changelog
pip install agent-bom
agent-bom scan -p .
agent-bom scan -p . prints a posture grade, blast radius, and fix-first
findings inline — nothing to open. Optional next steps:
agent-bom db update # local vuln DB for --offline package/image scans
agent-bom quickstart --run --offline # sample scan, gateway policy seed, dashboard data
agent-bom scan -p . -f html -o agent-bom-report.html
Then review posture as a team: pip install 'agent-bom[ui]' && agent-bom serve.
Guided path: docs/FIRST_RUN.md · UI screenshots:
docs/CAPTURE.md
Overview command center — posture ring, findings breakdown, scan coverage, environment tabs
Overview — exposure path with feed and analytics tabs
Connections hub — connector gallery across cloud, code, AI, and data sources
New Scan — connected account, ad-hoc, and public repo modes
Security graph — fix-first attack-path queue with evidence export
Lineage graph — bounded topology across environment, identity, MCP, package, credential, model, dataset, and finding nodes
Context map — agent-scoped reachable MCP servers with lateral-movement panel
Blast radius — agent → MCP server → package → tool → CVE
Runtime gateway — KPI rollup and live tool-call feed
Fleet — lifecycle review state, owner, and environment
Audit — identity lifecycle with tamper-evident HMAC counters
Findings — package and CVE evidence from the seeded demo estate
Remediation — prioritized fix list with framework context
Synthetic seeded evidence for docs proof, captured from the real Next.js
routes with a visible Demo data — sample environment label — not a
claim these entities came from a buyer environment. Regenerate from the UI package
with npm run capture:product-proof (see
docs/CAPTURE.md). CLI demo GIF:
bash scripts/render_demo_gif.sh.
Four buyer lanes · one shared evidence model from scan → graph → report
MCP server mode
One package, full stack: a React / Next.js cockpit and every headless caller
hit the same FastAPI control plane, behind one middleware seam, over the same
scan pipeline and stores. Everything normalizes into one Finding and one
ContextGraph, so posture, blast radius, and enforcement read from a single
evidence set. Deeper module and surface detail lives in
docs/ARCHITECTURE.md.
The stack — UI ⇄ API + middleware ⇄ pipeline/enrichment ⇄ stores:
flowchart TB
UI["React / Next.js UI<br/>exec single-pane · engineer drill"]
HL["Headless<br/>CLI · MCP server · agents / CI"]
MW["Middleware — one seam for every caller<br/>auth · tenant scope · RLS · rate-limit · audit"]
API["FastAPI + uvicorn control plane<br/>REST API · MCP tools"]
PIPE["Scan pipeline + scanners<br/>discover · OSV / advisories · reachability · cloud / CIS · IaC"]
ENR["Enrichment<br/>NVD CVSS · EPSS · CISA KEV · distro advisories"]
ST["Stores<br/>SQLite / Postgres + correlated graph store"]
UI --> MW
HL --> MW
MW --> API
API --> PIPE --> ENR --> ST
API --> ST
The workflow — one read-only pipeline from source to answer:
flowchart LR
C["connect<br/>read-only · brokered"] --> D["discover<br/>estate · agents · MCP"]
D --> S["scan<br/>OSV · advisories · CIS · IaC"]
S --> E["enrich<br/>CVSS · EPSS · KEV · reachability"]
E --> R["correlate<br/>finding → asset → identity → config"]
R --> G["graph<br/>blast radius · attack paths"]
G --> X["serve<br/>exec read + engineer drill"]
Every stage is read-only and agentless; the dashboard shows live per-stage status rather than a black box.
ui/), built with next build.src/agent_bom/api/server.py).src/agent_bom/api/pipeline.py, ScanPipeline) runs on a
bounded ThreadPoolExecutor — heavy scan/DB work is offloaded off the event
loop so reads stay responsive.src/agent_bom/scanners/ — OSV batch, GHSA, distro
and vendor advisories); src/agent_bom/enrichment.py layers NVD CVSS · EPSS ·
CISA KEV and distro advisory data on top.src/agent_bom/reachability_cve.py) resolves whether a
vulnerable symbol is actually reachable — ranking by exploitability, not just CVSS.ContextGraph / UnifiedGraph (src/agent_bom/context_graph.py) fuses
assets → identities → configs/misconfigs → findings → attack paths into one
connected model.CONTAINS roll-up keeps it readable and sargable at scale; the
full contract is in docs/graph/CONTRACT.md.The honest model — connect once, then every action runs through the stored connection. There is never a per-action credential prompt and no "paste your laptop login" to run a scan or push a result.
src/agent_bom/api/{oidc,saml,scim}.py,
snowflake_oauth.py).sts:AssumeRole); connection secrets are write-only (encrypted at rest,
never read back). Setup and the exact grant per provider live in
docs/CLOUD_CONNECT.md; the enterprise auth surface is
in docs/ENTERPRISE.md.Auth, tenant isolation, and audit are enforced once in middleware for the UI, agents, and SDKs alike — there is no privileged backdoor.
package -> vulnerability finding -> MCP server -> tools + credential refs -> agent
Coverage depth and honest boundaries: AI infrastructure scanning · product boundaries
agent-bom normalizes advisory and distro evidence into canonical CVE findings with match-confidence tiers:
distro_confirmed > osv_range > osv_ecosystem > unfixed_distro > nvd_cpe_candidate
Distro-confirmed findings are treated as confirmed. Optional NVD CPE candidate matching widens long-tail OS/vendor software coverage, but remains review-grade and off by default.
NVD key model. End users do not need an NVD API key. CVE/CPE enrichment
ships through the distributed vulnerability database. NVD_API_KEY is only an
optional self-hosted freshness knob for operators rebuilding or refreshing the
database.
Matching mechanics and release evidence: vulnerability matching · scanner accuracy baseline
Two ladders: how you consume the shared evidence model, and where you run the control plane. You run it in your own boundary — no managed public SaaS in this repo yet.
Surfaces — one real command each:
agent-bom scan -p . (or the GitHub Action).pip install 'agent-bom[ui]' && agent-bom serve — dashboard + API on one host.agent-bom serve --no-ui + agent-bom mcp server for agents and CI.agent-bom gateway serve — allow/warn/block audit trail.agent-bom scan -p . -f sarif -o findings.sarif.Deploy targets — where the control plane runs, fastest → most-managed:
curl -fsSL https://raw.githubusercontent.com/msaad00/agent-bom/main/deploy/docker-compose.pilot.yml -o docker-compose.pilot.yml
docker compose -f docker-compose.pilot.yml up -d
# Dashboard -> http://localhost:3000
Pilot compose binds to 127.0.0.1 with loopback CORS only. Use
docker-compose.platform.yml or docs/HOSTED_POC.md before
sharing a link. Full guides: Deploy anywhere.
Every lane writes into the same Finding and ContextGraph model. Pick the
entry point that matches your role; see docs/PRODUCT_MAP.md
for all entry points, auth boundaries, and surface detail.
| Need | Surface | First action | Main artifact |
|---|---|---|---|
| Scan a repo, image, or local agent config | CLI / CI | agent-bom scan -p . | JSON, SARIF, SBOM, HTML |
| Connect cloud and data-estate evidence | Cloud connectors | agent-bom connect aws then agent-bom cloud scan | assets, CIS findings, graph edges |
| Review posture as a team | API + dashboard | pip install 'agent-bom[ui]' && agent-bom serve | findings, graph, audit, compliance |
| Give agents security tools | MCP server | agent-bom mcp server | strict MCP tool responses |
| Govern runtime tool calls | Proxy / gateway | agent-bom gateway serve | allow/warn/block audit trail |
| Package evidence for audit | Reports / exports | agent-bom scan -p . -f html -o report.html | SARIF, CycloneDX, SPDX, JSON, HTML/PDF, compliance bundle |
| Goal | Command |
|---|---|
| Multi-hop exposure paths | agent-bom graph |
| LLM cost forecast | agent-bom cost forecast |
| Non-human identity posture | agent-bom identity credential-expiry |
| Advisory remediation plan | agent-bom remediate -p . |
| Gated-capability readiness | agent-bom capabilities |
| CI gate | uses: msaad00/agent-bom@v0.96.3 |
Full command map: docs/CLI_MAP.md · role routing: docs/START_HERE.md · repo layout: PROJECT_STRUCTURE.md
Cloud (read-only). Four connectors — AWS, Azure, GCP, Snowflake — are
opt-in, agentless, and default-off. No secret values are read or stored.
agent-bom connect <provider> prints the grant template and enable flag without
network I/O until you opt in. Full intake map:
docs/DATA_SOURCES.md
| Cloud | Enable | Scan |
|---|---|---|
| AWS | AGENT_BOM_AWS_INVENTORY=1 | agent-bom cloud aws |
| Azure | AGENT_BOM_AZURE_INVENTORY=1 | agent-bom cloud azure |
| GCP | AGENT_BOM_GCP_INVENTORY=1 | agent-bom cloud gcp |
| Snowflake | SSO or key-pair auth | pip install 'agent-bom[snowflake]' then agent-bom scan --snowflake |
Snowflake auth defaults to browser SSO (externalbrowser); use
SNOWFLAKE_AUTHENTICATOR=snowflake_jwt with SNOWFLAKE_PRIVATE_KEY_PATH for
CI. agent-bom authenticates through the Python connector — no snowsql session
needed. Setup and grants: docs/CLOUD_CONNECT.md
Deploy. Run in your own boundary — the Run It Anywhere ladders above cover Compose, Helm, EKS, CloudFormation, and the Snowflake SPCS native app. Full deploy guides: Deploy anywhere · Hosted POC · Helm · EKS module · CloudFormation · Snowflake native app · Docker Hub
Trust.
Threat model · Pentest readiness · Python client · Go client · Release verification · MCP security model
Contributions are welcome. Start with CONTRIBUTING.md, .agents/AGENTS.md, and the open issues.
License: Apache-2.0.
NVD_API_KEYsecretNVD API key for higher rate limits on vulnerability enrichment
io.github.ericm1018/skillfm-llm-cost-optimizer-openai-anthropic-usage
io.github.mikerawsonnz/llm-orchestration-agent
io.github.mikerawsonnz/authenticated-llm-agent
labforgedev/copilot-memory-mcp
csoai-org/agent-prompt-injection-firewall-mcp
io.github.mikerawsonnz/authenticated-multi-llm-agent