agent-bom
agent-bom is a comprehensive AI supply chain security scanner and runtime enforcement MCP server for discovering, assessing, and remediating vulnerabilities across AI agent infrastructure, MCP servers, and dependencies.
Core Scanning & Discovery
- scan – Full AI supply chain scan: auto-discovers MCP configs (Claude Desktop, Cursor, Windsurf, VS Code Copilot, etc.), extracts packages, queries OSV.dev for CVEs, assesses credential exposure, computes blast radius, and returns a structured report. Supports Docker image scanning, policy evaluation, SBOM ingestion, and NVD/EPSS/CISA KEV enrichment.
- inventory – Fast discovery and package extraction without CVE scanning; quick inventory of MCP configs, servers, packages, and transport types.
- where – List all MCP client config discovery paths and show which files exist on the current system.
- check – Check a specific package (npm, PyPI, Go, Cargo, Maven, NuGet) for known CVEs before installing, with severity, CVSS score, and fix version.
Risk Analysis
- blast_radius – Map the full attack chain for a CVE: affected packages → MCP servers → agents → exposed credentials and tools.
- context_graph – Build an agent context graph with lateral movement analysis (BFS paths) to answer "if agent X is compromised, what else is reachable?"
- runtime_correlate – Cross-reference scan results with proxy runtime audit logs to identify which vulnerable tools were actually called in production.
Policy, Compliance & Remediation
- policy_check – Evaluate security policy rules (severity thresholds, CISA KEV, AI risk flags, denied packages) against scan results; returns pass/fail with violations.
- compliance – Map findings to 47 controls across OWASP LLM Top 10, OWASP MCP Top 10, MITRE ATLAS, and NIST AI RMF with per-control status and an overall score.
- remediate – Generate actionable fix commands (npm/pip upgrades), credential scope reduction guidance, and flag unfixable vulnerabilities.
- cis_benchmark – Run CIS Foundations Benchmark checks against AWS (18 checks) or Snowflake (12 checks) with per-check pass/fail results.
Trust & Integrity
- skill_trust – Assess SKILL.md/instruction files across 5 trust categories with a benign/suspicious/malicious verdict.
- verify – Verify package integrity via SHA-256/SRI hashes and SLSA build provenance attestations against npm/PyPI registries.
- marketplace_check – Pre-install trust check for an MCP server package: download count, CVE status, registry verification, and trust signals.
- registry_lookup – Query the built-in threat intelligence registry (109+ MCP servers) for risk level, known tools, credential requirements, and verification status.
Advanced Capabilities
- generate_sbom – Generate a standards-compliant SBOM in CycloneDX 1.6 or SPDX 3.0 format.
- diff – Compare a fresh scan against a baseline to identify new/resolved vulnerabilities and package inventory changes.
- code_scan – Run SAST via Semgrep on source code to detect SQL injection, XSS, command injection, hardcoded credentials, and more.
- fleet_scan – Batch-scan a list of MCP server names against the security registry for fleet-wide risk assessment.
- analytics_query – Query vulnerability trends, posture history, and runtime event summaries from ClickHouse.
Additional features: real-time runtime enforcement proxy with behavioral attack pattern detection, MCP config drift watching, SIEM integration (Splunk, Datadog, Elasticsearch), output in JSON/SARIF/HTML/Mermaid formats, and AI-specific scanning for GPU/ML packages and model provenance (HuggingFace, Ollama, MLflow, W&B).
Scans AWS cloud infrastructure and Amazon Q configurations to identify security vulnerabilities and ensure compliance with CIS benchmarks.
Integrates with ClickHouse to provide security scan analytics, visualization, and posture scoring for AI infrastructure.
Performs security scanning of Databricks environments to detect misconfigurations and dependency vulnerabilities.
Scans Docker images and Docker-based MCP servers for security risks, tool poisoning, and dependency vulnerabilities.
Integrates as a CI/CD gate to automate security scans and enforce compliance policies during the development lifecycle.
Supports deployment and fleet-wide security scanning of AI agent infrastructure within Kubernetes using Helm charts.
Discovers and analyzes JetBrains AI configurations to identify potential credential leaks and security risks.
Enables dispatching security alerts and vulnerability findings to Jira for incident management and remediation tracking.
Scans Kubernetes clusters to map vulnerability propagation and assess the security posture of AI agent deployments.
Discovers and scans MLflow platforms to identify security risks and verify the provenance of AI models.
Provides integration with OpenTelemetry for monitoring and tracing the security scan pipeline and execution.
Dispatches real-time security alerts and scan reports to Slack channels via webhooks for immediate notification.
Provides governance and security scanning for Snowflake instances, including compliance checks against CIS Snowflake benchmarks.
Generates standardized Software Bill of Materials (SBOM) reports in the SPDX format for security compliance and transparency.
Analyzes security risks and maps the blast radius for AI agent tools and MCP servers utilizing SQLite databases.
agent-bom scans local and fleet AI infrastructure, builds an AI BOM across agents, MCP servers, tools, packages, credential environment names, cloud, runtime, and skills, then turns that inventory into findings, compliance evidence, and graph-backed exposure paths.
The same evidence is available through CLI/CI, REST API, MCP tools, and a self-hosted dashboard. Runtime proxy/gateway controls are optional and scoped to environments where enforcement is worth the operational cost.
package -> vulnerability finding -> MCP server -> tools + credential refs -> agent

Blast radius is the core idea. A vulnerable package is not just a CVE row; it is linked to the MCP server that loads it, the tools exposed by that server, the credential environment names in reach, and the agents that can call it.
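The chain above and the context_graph question from the Risk Analysis section ("if agent X is compromised, what else is reachable?") are both graph walks over the same inventory. The following is an added example, not agent-bom's own code: it models the inventory as a directed graph with constructed sample nodes (the package, finding, server, tool, credential and agent names are all placeholders) and answers both questions with BFS, forward from a vulnerable package for blast radius and backwards then forwards from an agent for lateral reach.

```python
"""Toy blast-radius / lateral-movement graph (added example, not agent-bom's code).

Node names and edges below are constructed sample data; the real tool builds
this inventory from discovered MCP configs and OSV advisories.
"""
from collections import deque

# Constructed inventory: one MCP server loads a vulnerable package and exposes
# tools backed by a credential environment name (values are never stored,
# only the env var name, mirroring the README's redaction rule).
EDGES = [
    # package -> vulnerability finding (placeholder advisory id)
    ("pkg:npm/example-lib@1.0.0", "finding:GHSA-EXAMPLE"),
    # vulnerability finding -> MCP server that loads the package
    ("finding:GHSA-EXAMPLE", "mcp:github-server"),
    # MCP server -> tools it exposes
    ("mcp:github-server", "tool:create_pull_request"),
    ("mcp:github-server", "tool:read_repo"),
    # MCP server -> credential environment names in reach
    ("mcp:github-server", "env:GITHUB_TOKEN"),
    # tools -> agents that can call them
    ("tool:create_pull_request", "agent:claude-desktop"),
    ("tool:read_repo", "agent:cursor"),
    # a second, clean server for contrast
    ("mcp:sqlite-server", "tool:query_db"),
    ("mcp:sqlite-server", "env:SQLITE_PATH"),
    ("tool:query_db", "agent:cursor"),
]


def build_graph(edges):
    """Return (forward, reverse) adjacency maps for a list of directed edges."""
    forward, reverse = {}, {}
    for src, dst in edges:
        forward.setdefault(src, set()).add(dst)
        reverse.setdefault(dst, set()).add(src)
        forward.setdefault(dst, set())
        reverse.setdefault(src, set())
    return forward, reverse


def reachable(adj, start):
    """BFS over an adjacency map; returns {node: shortest path from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def blast_radius(edges, package):
    """Everything downstream of a vulnerable package, grouped by node kind
    (finding, mcp, tool, env, agent), each with the explaining path."""
    forward, _ = build_graph(edges)
    by_kind = {}
    for node, path in reachable(forward, package).items():
        if node == package:
            continue
        kind = node.split(":", 1)[0]
        by_kind.setdefault(kind, {})[node] = path
    return by_kind


def lateral_reach(edges, agent):
    """Context-graph question: if this agent is compromised, what else is reachable?

    Walk backwards from the agent to the MCP servers whose tools it can call,
    then forwards from those servers to every tool, credential name and other
    agent they expose. Returns (servers, reachable_nodes)."""
    forward, reverse = build_graph(edges)
    servers = {n for n in reachable(reverse, agent) if n.startswith("mcp:")}
    reach = set()
    for server in servers:
        reach.update(n for n in reachable(forward, server) if n != server)
    reach.discard(agent)
    return servers, reach


if __name__ == "__main__":
    for kind, nodes in blast_radius(EDGES, "pkg:npm/example-lib@1.0.0").items():
        for node, path in nodes.items():
            print(kind, node, " -> ".join(path))
    print(lateral_reach(EDGES, "agent:cursor"))
```

The shortest path kept per node is the "explainable exposure path" the README refers to: a finding is reported together with the server, tool and credential name that make it reachable, rather than as a bare CVE row.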
First Run
```bash
pip install agent-bom
agent-bom agents --demo --offline
```

The demo uses real OSV/GHSA advisories against intentionally vulnerable sample packages and produces graph-ready inventory without touching your source tree. For a real local scan:

```bash
agent-bom agents -p . -f html -o agent-bom-report.html
```

Want an inspectable sample stack first?

```bash
agent-bom samples first-run
agent-bom agents --inventory agent-bom-first-run/inventory.json -p agent-bom-first-run --enrich
```

See docs/FIRST_RUN.md for the guided path from CLI output to the dashboard.
Product Proof
The dashboard screenshots below are captured from the packaged UI with bundled demo data, not mockups. The README keeps the first screen focused; expand the gallery when you want to inspect the control-plane surfaces.
Screenshot capture rules and the full manifest live in docs/CAPTURE.md and docs/images/product-screenshots.json.
Start Here
| Goal | Command | Artifact |
| --- | --- | --- |
| Local agent and MCP inventory | | findings, AI BOM, graph-ready JSON |
| Repo and lockfile scan | | package findings, SARIF/SBOM/HTML when requested |
| Pre-install guard | | deterministic allow/warn/block result |
| Container image scan | | image findings and remediation |
| IaC scan | | IaC findings and policy context |
| Cloud posture check | | runtime CIS posture evidence |
| CI gate | | SARIF, PR summary, optional code-scanning upload |
| MCP tools | | strict-args security tools for MCP clients |
| Local API/UI | | API plus bundled dashboard |
| Self-hosted pilot | | API and dashboard in your environment |
The base wheel is the scanner and CLI path. Optional runtime surfaces fail fast with install hints when their extras are missing.
MCP registry publishing is tracked through the committed Smithery manifest and other registry metadata; install and liveness checks stay in the linked integration docs instead of this front door.
Shipped Surfaces
| Surface | Primary user | Current boundary |
| --- | --- | --- |
| CLI / CI | developers and release gates | local scans, SARIF/SBOM/HTML/JSON, deterministic exit codes |
| REST API | control-plane integrations | scans, bulk findings, dataset versions, evaluation runs, graph evidence, audit, runtime summaries |
| MCP tools | agents and assistants | strict arguments, read-mostly security queries, exposure paths, deploy decisions, audited Shield actions |
| Dashboard | security teams and operators | inventory, findings, graph cockpit, compliance, evidence, runtime posture |
| Runtime proxy/gateway | runtime operators | scoped MCP traffic inspection, policy decisions, redacted audit evidence |
| Python client | services, notebooks, and automation | typed helper for stable REST endpoints in the packaged wheel |
| TypeScript client | services and agent runtimes | typed helper for stable REST endpoints |
MCP server mode advertises 55 MCP tools, 6 resources, and 6 workflow prompts. Most tools are read-only. The three Shield write actions fail closed unless the caller supplies operator_role=admin, operator_scopes=shield:write, and an audit reason.
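What "fail closed" and "strict arguments" mean in practice for a privileged MCP action is easiest to see in a small gate. The block below is an added example and not agent-bom's implementation: the function name, the action name, the accepted argument set and the audit-record shape are assumptions for illustration. It denies unless every required condition in the sentence above holds, rejects arguments it does not recognise, and emits an audit record for both outcomes.

```python
"""Fail-closed gate for a privileged MCP write action (added example, not agent-bom's code).

Rule being enforced: a Shield write action proceeds only when the caller
supplies operator_role=admin, operator_scopes containing shield:write, and a
non-empty audit reason. Everything else about the shape of the check is an
assumption for illustration.
"""
from dataclasses import dataclass, field
import datetime

REQUIRED_ROLE = "admin"
REQUIRED_SCOPE = "shield:write"
# Strict-args: only these keys are accepted; anything else is a denial.
ALLOWED_KEYS = {"operator_role", "operator_scopes", "reason", "target"}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # why it was denied (empty when allowed)
    audit: dict = field(default_factory=dict)     # record to append to the audit log


def _scopes(value):
    """Accept "a,b" or ["a", "b"]; any other type counts as no scopes at all."""
    if isinstance(value, str):
        return {s.strip() for s in value.split(",") if s.strip()}
    if isinstance(value, (list, tuple, set)):
        return {str(s).strip() for s in value}
    return set()


def gate_shield_action(action, args, now=None):
    """Evaluate one Shield write request. The default answer is deny: a
    denial reason is accumulated for each failed condition, and the request
    is allowed only when the list stays empty."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    denials = []

    unknown = set(args) - ALLOWED_KEYS
    if unknown:
        denials.append(f"unexpected arguments: {sorted(unknown)}")
    if args.get("operator_role") != REQUIRED_ROLE:
        denials.append("operator_role must be admin")
    if REQUIRED_SCOPE not in _scopes(args.get("operator_scopes")):
        denials.append("operator_scopes must include shield:write")
    reason = args.get("reason")
    if not isinstance(reason, str) or not reason.strip():
        denials.append("audit reason is required")

    # Both allowed and denied requests leave evidence; no credential values
    # are included, only the role and the operator's stated reason.
    audit = {
        "ts": now.isoformat(),
        "action": action,
        "operator_role": args.get("operator_role"),
        "target": args.get("target"),
        "allowed": not denials,
        "denials": list(denials),
        "reason": reason if isinstance(reason, str) else None,
    }
    return Decision(allowed=not denials, reasons=denials, audit=audit)


if __name__ == "__main__":
    request = {
        "operator_role": "admin",
        "operator_scopes": "shield:write,scan:read",
        "reason": "quarantine server pending remediation",
        "target": "mcp:example-server",   # constructed placeholder name
    }
    print(gate_shield_action("shield.block_server", request))
    print(gate_shield_action("shield.block_server", {"operator_role": "admin"}))
```

Accumulating every failed condition rather than returning on the first one keeps the audit record useful: an operator who is denied can see all of what was missing, and a reviewer reading the log later sees the same list.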
CLI scan commands run local scan pipelines today. They share lower scanner and discovery libraries with the API, but they are not API wrappers yet.
Deploy In Your Boundary
agent-bom is designed for customer-controlled deployment: local CLI, Docker, GitHub Action, Helm, EKS, Postgres, and optional runtime proxy/gateway.
```bash
curl -fsSL https://raw.githubusercontent.com/msaad00/agent-bom/main/deploy/docker-compose.pilot.yml -o docker-compose.pilot.yml
docker compose -f docker-compose.pilot.yml up -d
# Dashboard -> http://localhost:3000
```

Production self-hosting starts with the deployment chooser:
There is no managed cloud offering in this repository today. Product lane boundaries are documented in docs/PRODUCT_BOUNDARIES.md.
Trust Model
Read-only discovery by default for cloud and local inventory.
No mandatory telemetry.
Credential values are redacted; credential environment names are preserved as evidence so exposure paths stay explainable.
Findings can export as JSON, SARIF, CycloneDX, SPDX, Markdown, HTML, and compliance evidence bundles.
API and runtime paths are designed for tenant scope, auth boundaries, and audit evidence.
OpenAPI artifacts are committed for SDK and client contract checks.
Security and release references:
Product Views
The docs site carries the deployment-oriented walkthroughs behind those screenshots:
Contributing
Contributions are welcome. Start with:
License: Apache-2.0.
Maintenance