agent-bom is a comprehensive AI supply chain security scanner and runtime enforcement MCP server for discovering, assessing, and remediating vulnerabilities across AI agent infrastructure, MCP servers, and dependencies.
Core Scanning & Discovery
scan– Full AI supply chain scan: auto-discovers MCP configs (Claude Desktop, Cursor, Windsurf, VS Code Copilot, etc.), extracts packages, queries OSV.dev for CVEs, assesses credential exposure, computes blast radius, and returns a structured report. Supports Docker image scanning, policy evaluation, SBOM ingestion, and NVD/EPSS/CISA KEV enrichment.inventory– Fast discovery and package extraction without CVE scanning; quick inventory of MCP configs, servers, packages, and transport types.where– List all MCP client config discovery paths and show which files exist on the current system.check– Check a specific package (npm, PyPI, Go, Cargo, Maven, NuGet) for known CVEs before installing, with severity, CVSS score, and fix version.
Risk Analysis
blast_radius– Map the full attack chain for a CVE: affected packages → MCP servers → agents → exposed credentials and tools.context_graph– Build an agent context graph with lateral movement analysis (BFS paths) to answer "if agent X is compromised, what else is reachable?"runtime_correlate– Cross-reference scan results with proxy runtime audit logs to identify which vulnerable tools were actually called in production.
Policy, Compliance & Remediation
policy_check– Evaluate security policy rules (severity thresholds, CISA KEV, AI risk flags, denied packages) against scan results; returns pass/fail with violations.compliance– Map findings to 47 controls across OWASP LLM Top 10, OWASP MCP Top 10, MITRE ATLAS, and NIST AI RMF with per-control status and an overall score.remediate– Generate actionable fix commands (npm/pip upgrades), credential scope reduction guidance, and flag unfixable vulnerabilities.cis_benchmark– Run CIS Foundations Benchmark checks against AWS (18 checks) or Snowflake (12 checks) with per-check pass/fail results.
Trust & Integrity
skill_trust– Assess SKILL.md/instruction files across 5 trust categories with a benign/suspicious/malicious verdict.verify– Verify package integrity via SHA-256/SRI hashes and SLSA build provenance attestations against npm/PyPI registries.marketplace_check– Pre-install trust check for an MCP server package: download count, CVE status, registry verification, and trust signals.registry_lookup– Query the built-in threat intelligence registry (109+ MCP servers) for risk level, known tools, credential requirements, and verification status.
Advanced Capabilities
generate_sbom– Generate a standards-compliant SBOM in CycloneDX 1.6 or SPDX 3.0 format.diff– Compare a fresh scan against a baseline to identify new/resolved vulnerabilities and package inventory changes.code_scan– Run SAST via Semgrep on source code to detect SQL injection, XSS, command injection, hardcoded credentials, and more.fleet_scan– Batch-scan a list of MCP server names against the security registry for fleet-wide risk assessment.analytics_query– Query vulnerability trends, posture history, and runtime event summaries from ClickHouse.
Additional features: real-time runtime enforcement proxy with behavioral attack pattern detection, MCP config drift watching, SIEM integration (Splunk, Datadog, Elasticsearch), output in JSON/SARIF/HTML/Mermaid formats, and AI-specific scanning for GPU/ML packages and model provenance (HuggingFace, Ollama, MLflow, W&B).
Scans AWS cloud infrastructure and Amazon Q configurations to identify security vulnerabilities and ensure compliance with CIS benchmarks.
Integrates with ClickHouse to provide security scan analytics, visualization, and posture scoring for AI infrastructure.
Performs security scanning of Databricks environments to detect misconfigurations and dependency vulnerabilities.
Scans Docker images and Docker-based MCP servers for security risks, tool poisoning, and dependency vulnerabilities.
Integrates as a CI/CD gate to automate security scans and enforce compliance policies during the development lifecycle.
Supports deployment and fleet-wide security scanning of AI agent infrastructure within Kubernetes using Helm charts.
Discovers and analyzes JetBrains AI configurations to identify potential credential leaks and security risks.
Enables dispatching security alerts and vulnerability findings to Jira for incident management and remediation tracking.
Scans Kubernetes clusters to map vulnerability propagation and assess the security posture of AI agent deployments.
Discovers and scans MLflow platforms to identify security risks and verify the provenance of AI models.
Provides integration with OpenTelemetry for monitoring and tracing the security scan pipeline and execution.
Dispatches real-time security alerts and scan reports to Slack channels via webhooks for immediate notification.
Provides governance and security scanning for Snowflake instances, including compliance checks against CIS Snowflake benchmarks.
Generates standardized Software Bill of Materials (SBOM) reports in the SPDX format for security compliance and transparency.
Analyzes security risks and maps the blast radius for AI agent tools and MCP servers utilizing SQLite databases.
CVE-2025-1234 (CRITICAL · CVSS 9.8 · CISA KEV)
|── better-sqlite3@9.0.0 (npm)
|── sqlite-mcp (MCP Server · unverified · root)
|── Cursor IDE (Agent · 4 servers · 12 tools)
|── ANTHROPIC_KEY, DB_URL, AWS_SECRET (Credentials exposed)
|── query_db, read_file, write_file, run_shell (Tools at risk)
Fix: upgrade better-sqlite3 → 11.7.0agent-bom maps the blast radius: CVE → package → MCP server → AI agent → credentials → tools.
Quick start
pip install agent-bom
# AI agent and MCP scan
agent-bom agents
# Workstation posture summary
agent-bom agents --posture
# Pre-install CVE and supply chain gate
agent-bom check flask@2.0.0# Container image scan
agent-bom image nginx:latest
# IaC and Kubernetes scan
agent-bom iac Dockerfile k8s/ infra/main.tf
# Cloud AI and infrastructure inventory
agent-bom cloud aws
# AI BOM / SBOM export
agent-bom agents -p . -f cyclonedx -o ai-bom.jsonWhat it scans
30 MCP client types — Claude Desktop, Cursor, Windsurf, VS Code, Codex CLI, Gemini CLI, Continue, Cline, Zed, and more
Packages and supply chain — 15 ecosystems, OSV + NVD + GHSA + EPSS + CISA KEV
Container images and filesystems — native image scanning, running containers, Docker contexts
IaC and Kubernetes — Dockerfile, Terraform, CloudFormation, Helm, and Kubernetes manifests
AI code and frameworks — prompts, guardrails, tool signatures, instruction files
Cloud AI and AI infrastructure — AWS, Azure, GCP, Databricks, Snowflake, Hugging Face, Ollama, W&B, OpenAI, vector DBs
Secrets and PII — source, config, environment, and credential exposure paths
Why this is different
Discovers AI agents and MCP servers across real developer environments
Maps vulnerabilities into reachable credentials and tools instead of stopping at the artifact
Adds runtime protection with an MCP security proxy, enforcement policies, and evidence
Tool | Best at | Limits |
Trivy | General vulnerability, misconfiguration, secret, and SBOM scanning | Stops at the artifact; no AI-agent blast radius |
Grype | Vulnerability matching from packages and SBOMs | No MCP, agent, runtime, or trust modeling |
Syft | SBOM generation and software inventory | Not a runtime or blast-radius security tool |
Snyk AI-BOM | Enterprise AI BOM workflows | Narrower local AI-agent/MCP discovery and runtime coverage |
agent-bom | AI agent, MCP, blast-radius, runtime protection, and governance | Less mature as a generic scanner than Trivy |
Use Trivy when you need a great general-purpose scanner. Use Syft and Grype when you want dedicated SBOM and vulnerability point tools. Use agent-bom when you need to know which AI agents, MCP servers, credentials, and tools are actually exposed.
How it works
flowchart TB
subgraph DISCOVER["🔍 DISCOVER"]
direction LR
D1["Claude Desktop\nCursor · Windsurf\nVS Code · Codex\n+ 25 more"]
D2["AWS · Azure · GCP\nSnowflake · Databricks"]
D3["Docker Images\nFilesystems\nIaC Files"]
end
subgraph SCAN["🛡️ SCAN"]
direction LR
S1["CVE Scanning\nOSV · NVD · GHSA"]
S2["EPSS · CISA KEV\nCVSS v3/v4"]
S3["Secret Detection\n34 credential patterns\n11 PII patterns"]
S4["IaC Security\n138 rules\nTerraform · Docker\nHelm · K8s"]
end
subgraph ANALYZE["📊 ANALYZE"]
direction LR
A1["Blast Radius\nCVE → pkg → server\n→ agent → credentials"]
A2["Compliance\n14 frameworks\nOWASP · MITRE ATLAS\nNIST · EU AI Act"]
A3["Trust Scoring\n6-category model\n0-100 per agent"]
end
subgraph OUTPUT["📤 OUTPUT"]
direction LR
O1["CycloneDX AI BOM\nSPDX · SARIF\n19 formats"]
O2["Next.js Dashboard\n20 interactive pages\nSecurity Graph"]
O3["CI/CD Gating\n--fail-on critical\nJira · Slack"]
end
subgraph PROTECT["🔒 RUNTIME PROTECTION"]
direction LR
P1["MCP Proxy\n112 detection patterns"]
P2["PII Redaction\nKill Switch\nSession Isolation"]
P3["Shield SDK\nDrop-in Python\nmiddleware"]
end
DISCOVER --> SCAN --> ANALYZE --> OUTPUT
DISCOVER -.-> PROTECT
style DISCOVER stroke:#58a6ff,stroke-width:2px
style SCAN stroke:#f85149,stroke-width:2px
style ANALYZE stroke:#d29922,stroke-width:2px
style OUTPUT stroke:#3fb950,stroke-width:2px
style PROTECT stroke:#f778ba,stroke-width:2px,stroke-dasharray: 5 5Blast Radius — what makes agent-bom different
flowchart LR
CVE["🔴 CVE-2025-1234\nCRITICAL · CVSS 9.8\nCISA KEV · EPSS 94%"]
PKG["📦 better-sqlite3\n@9.0.0"]
SRV["🔧 sqlite-mcp\nMCP Server\nunverified"]
AGT["🤖 Cursor IDE\n4 servers · 12 tools"]
CRED["🔑 ANTHROPIC_KEY\nDB_URL\nAWS_SECRET"]
TOOL["⚙️ query_db\nread_file\nwrite_file"]
CVE --> PKG --> SRV --> AGT --> CRED
AGT --> TOOL
style CVE stroke:#f85149,stroke-width:2px
style PKG stroke:#d29922,stroke-width:2px
style SRV stroke:#58a6ff,stroke-width:2px
style AGT stroke:#3fb950,stroke-width:2px
style CRED stroke:#f85149,stroke-width:2px
style TOOL stroke:#8b949e,stroke-width:2pxWhat it does
Security scanner purpose-built for AI infrastructure and supply chain.
AI Supply Chain Security:
Discovers AI agents + MCP servers — 30 client types, auto-detected from config files
Scans source code — AST analysis extracts system prompts, guardrails, tool signatures from Python AI frameworks (LangChain, CrewAI, OpenAI Agents SDK, and 7 more)
Generates an AI BOM — CycloneDX 1.6 with native ML extensions (modelCard, datasets, training metadata)
Scans for CVEs — 15 ecosystems checked against OSV + NVD + GHSA + EPSS + CISA KEV
Maps blast radius — CVE → package → MCP server → AI agent → credentials → tools
Detects secrets — 34 credential patterns + 11 PII patterns across source, config, and .env files
Enforces at runtime — MCP proxy with 112 detection patterns, PII redaction, zero-trust session isolation
Verifies supply chain — SLSA provenance (npm), PEP 740 attestations (PyPI), Go checksum DB
Also scans: container images, filesystems, IaC (138 rules), cloud posture (AWS/Azure/GCP CIS benchmarks).
Shield SDK — drop-in Python middleware for any AI agent pipeline:
from agent_bom.shield import Shield
shield = Shield(deep=True)
alerts = shield.check_tool_call("exec", {"command": "rm -rf /"})
safe = shield.redact(response_text) # [REDACTED:OpenAI API Key]Read-only. Agentless. No secrets leave your machine.
Extended quick start
# MCP security proxy (112 patterns, 8 detectors, PII redaction)
agent-bom proxy "npx @mcp/server-filesystem /tmp"
# Dependency graph export (Neo4j, GraphML, Graphviz, Mermaid)
agent-bom graph report.json --format cypher --output import.cypher
# Red team — test your defenses (100% detection, 0% false positives)
python -c "from agent_bom.red_team import run_red_team; print(run_red_team()['detection_rate'])"Scanning: agents, image, fs, iac, sbom, secrets, code, cloud, check, verify
Runtime: proxy, audit
MCP: mcp [inventory|introspect|registry|server|where|validate]
Reporting: graph, report [history|diff|rescan|analytics|dashboard]
Governance: policy [check|template|apply], fleet [sync|list|stats], serve, api, schedule
Database: db [update|status]
Utility: completions, upgrade# GitHub Actions
- run: agent-bom agents --format sarif --output results.sarif
- run: agent-bom image myapp:latest --fail-on-severity critical
- run: agent-bom iac infra/ --format sarif
- run: agent-bom cloud aws --format json
- run: agent-bom check flask@2.0.0Instruction file trust
AI agents run on instruction files — CLAUDE.md, .cursorrules, AGENTS.md. A malicious instruction file is a supply chain attack with full agent permissions.
agent-bom agents --skill-only
CLAUDE.md → SUSPICIOUS (high confidence)
[CRITICAL] Credential/secret file access
"cat ~/.aws/credentials" detected — reads secret files
[HIGH] Safety confirmation bypass
"--dangerously-skip-permissions" found — disables all guardrails
[HIGH] Typosquatting risk: server name "filessystem" (→ filesystem)MCP server
33 security tools available inside any MCP-compatible AI assistant.
pip install 'agent-bom[mcp-server]'
agent-bom mcp server{
"mcpServers": {
"agent-bom": {
"command": "agent-bom",
"args": ["mcp", "server"]
}
}
}Also on Glama, Smithery, MCP Registry, and OpenClaw.
Install & deploy
pip install agent-bom # CLI
docker run --rm agentbom/agent-bom agents # Docker (linux/amd64 + arm64)Mode | Command | Best for |
CLI |
| Local audit |
GitHub Action | `uses: msaad00/agent-bom@v0.75.8 | CI/CD + SARIF |
Docker |
| Isolated scans |
MCP Server |
| Inside any AI assistant |
Runtime proxy |
| MCP traffic enforcement |
Shield SDK |
| In-process protection |
Dashboard |
| API + Next.js UI |
- uses: msaad00/agent-bom@v0.75.8
with:
severity-threshold: high
upload-sarif: true
enrich: true
fail-on-kev: trueExtra | Command |
Cloud (core providers) |
|
MCP server |
|
REST API |
|
Dashboard |
|
How it works
Discover — auto-detect MCP configs, Docker images, K8s pods, cloud resources, model files
Scan — package names + versions sent to OSV.dev, NVD, EPSS, CISA KEV (no secrets leave your machine)
Analyze — blast radius mapping, tool poisoning detection, compliance tagging, posture scoring
Report — JSON, SARIF, CycloneDX 1.6, SPDX 3.0, HTML, JUnit XML, and more
Source | How |
MCP configs | Auto-discover (30 clients + Docker Compose) |
Docker images | Native OCI/package extraction + Docker image tar parsing |
Kubernetes | kubectl across namespaces |
Cloud providers | AWS, Azure, GCP, Databricks, Snowflake |
AI platforms | OpenAI, HuggingFace, W&B, Ollama |
IaC files | Dockerfile, K8s, Terraform, CloudFormation, Helm (138 rules) |
Model files | 13 formats (.gguf, .safetensors, .pkl, ...) |
Instruction files | CLAUDE.md, .cursorrules, AGENTS.md |
Existing SBOMs | CycloneDX / SPDX import |
15 ecosystems | Python, Node.js, Go, Rust, Java, .NET, Ruby, PHP, Swift, Conda, Alpine, Debian, RPM, Hex, Pub |
JSON, SARIF, CycloneDX 1.6 (with ML BOM), SPDX 3.0, HTML, GraphML, Neo4j Cypher, JUnit XML, CSV, Markdown, Mermaid, SVG, Graph HTML, Prometheus, Badge, OCSF v1.1 — 19 formats.
agent-bom agents -f sarif -o results.sarif # GitHub Security tab
agent-bom agents -f html -o report.html # Interactive dashboard
agent-bom agents -f cyclonedx -o sbom.json # CycloneDX 1.6Compliance (14 frameworks)
Every finding is tagged with applicable controls across 14 security and compliance frameworks:
Framework | Coverage |
OWASP LLM Top 10 | 7/10 categories (3 out of scope) |
OWASP MCP Top 10 | 10/10 categories |
OWASP Agentic Top 10 | 10/10 categories |
MITRE ATLAS | 30+ techniques mapped |
MITRE ATT&CK | Enterprise technique mapping |
NIST AI RMF | All subcategories |
NIST CSF 2.0 | All functions |
NIST 800-53 Rev 5 | 24 controls |
FedRAMP Moderate | Baseline controls |
CIS Controls v8 | 12 controls |
ISO 27001:2022 | 9 controls |
SOC 2 TSC | All 5 criteria |
EU AI Act | 6 articles |
CMMC 2.0 Level 2 | 17 practices |
Policy-as-code enforcement: write rules against any framework tag in YAML/JSON expressions.
Trust & transparency
When | What's sent | Where | Opt out |
| Package names + versions only | OSV API |
|
| CVE IDs only | NVD, EPSS, KEV APIs | Don't use |
Everything else | Nothing | Nowhere | N/A |
No source code, no secrets, no telemetry ever leave your machine. Every release is Sigstore-signed. See SECURITY_ARCHITECTURE.md for the full trust model.
Blast radius — how it maps
graph LR
CVE["CVE-2025-1234<br/>CRITICAL · CVSS 9.8"]
PKG["better-sqlite3@9.0.0<br/>npm"]
SRV["sqlite-mcp<br/>MCP Server · unverified"]
AGT["Cursor IDE<br/>4 servers · 12 tools"]
CRED["ANTHROPIC_KEY<br/>DB_URL · AWS_SECRET"]
TOOL["query_db · read_file<br/>write_file · run_shell"]
CVE -->|affects| PKG
PKG -->|dependency of| SRV
SRV -->|connected to| AGT
AGT -->|exposes| CRED
AGT -->|grants access to| TOOL
style CVE stroke:#dc2626,stroke-width:2px
style CRED stroke:#f59e0b,stroke-width:2px
style TOOL stroke:#f59e0b,stroke-width:2pxTraditional scanners stop at CVE → Package. agent-bom maps the full chain to show which credentials and tools are actually at risk.
AI supply chain — what we scan
Model weights ─── HuggingFace, Ollama ──── provenance + hash verification
│
AI Framework ─── LangChain, CrewAI, OpenAI ── AST analysis: prompts, guardrails, tools
│
MCP Server ───── npx @mcp/server-fs ──────── config parsing + tool poisoning detection
│
Packages ─────── express@4.17.1 ───────────── 15 ecosystems, CVE/EPSS/KEV scanning
│
AI Agent ─────── Claude Desktop, Cursor ───── 30 MCP clients auto-detected
│
Credentials ──── API keys, tokens ──────────── exposure mapping + PII redaction
│
Tools ────────── read_file, exec_cmd ──────── capability classification + blast radiusAlso scans: container images, filesystems, IaC (Dockerfile/K8s/Terraform/CloudFormation/Helm), cloud infrastructure (AWS/Azure/GCP CIS benchmarks), secrets in source code.
Architecture
graph LR
subgraph D["🔍 Discover"]
D1["MCP Configs · Cloud · Containers · Models"]
end
subgraph A["🛡 Analyze"]
A1["15 ecosystems"] --> A2["CVE · EPSS · KEV"] --> A3["Blast Radius"] --> A4["14 frameworks"]
end
subgraph O["📊 Output"]
O1["CLI · Dashboard · SARIF · CycloneDX · API"]
end
subgraph R["⚡ Runtime"]
R1["MCP Proxy · 112 patterns · Shield SDK"]
end
D --> A --> O
D --> RSee docs/ARCHITECTURE.md for full diagrams. New to MCP security? docs/MCP_SECURITY_MODEL.md explains attack vectors and how agent-bom addresses them.
Contributing
git clone https://github.com/msaad00/agent-bom.git && cd agent-bom
pip install -e ".[dev]"
pytest && ruff check src/See CONTRIBUTING.md | SECURITY.md | CODE_OF_CONDUCT.md
Apache 2.0 — LICENSE