agent-bom
agent-bom is a comprehensive AI supply chain security scanner and runtime enforcement MCP server for discovering, assessing, and remediating vulnerabilities across AI agent infrastructure, MCP servers, and dependencies.
Core Scanning & Discovery
scan– Full AI supply chain scan: auto-discovers MCP configs (Claude Desktop, Cursor, Windsurf, VS Code Copilot, etc.), extracts packages, queries OSV.dev for CVEs, assesses credential exposure, computes blast radius, and returns a structured report. Supports Docker image scanning, policy evaluation, SBOM ingestion, and NVD/EPSS/CISA KEV enrichment.inventory– Fast discovery and package extraction without CVE scanning; quick inventory of MCP configs, servers, packages, and transport types.where– List all MCP client config discovery paths and show which files exist on the current system.check– Check a specific package (npm, PyPI, Go, Cargo, Maven, NuGet) for known CVEs before installing, with severity, CVSS score, and fix version.
Risk Analysis
blast_radius– Map the full attack chain for a CVE: affected packages → MCP servers → agents → exposed credentials and tools.context_graph– Build an agent context graph with lateral movement analysis (BFS paths) to answer "if agent X is compromised, what else is reachable?"runtime_correlate– Cross-reference scan results with proxy runtime audit logs to identify which vulnerable tools were actually called in production.
Policy, Compliance & Remediation
policy_check– Evaluate security policy rules (severity thresholds, CISA KEV, AI risk flags, denied packages) against scan results; returns pass/fail with violations.compliance– Map findings to 47 controls across OWASP LLM Top 10, OWASP MCP Top 10, MITRE ATLAS, and NIST AI RMF with per-control status and an overall score.remediate– Generate actionable fix commands (npm/pip upgrades), credential scope reduction guidance, and flag unfixable vulnerabilities.cis_benchmark– Run CIS Foundations Benchmark checks against AWS (18 checks) or Snowflake (12 checks) with per-check pass/fail results.
Trust & Integrity
skill_trust– Assess SKILL.md/instruction files across 5 trust categories with a benign/suspicious/malicious verdict.verify– Verify package integrity via SHA-256/SRI hashes and SLSA build provenance attestations against npm/PyPI registries.marketplace_check– Pre-install trust check for an MCP server package: download count, CVE status, registry verification, and trust signals.registry_lookup– Query the built-in threat intelligence registry (109+ MCP servers) for risk level, known tools, credential requirements, and verification status.
Advanced Capabilities
generate_sbom– Generate a standards-compliant SBOM in CycloneDX 1.6 or SPDX 3.0 format.diff– Compare a fresh scan against a baseline to identify new/resolved vulnerabilities and package inventory changes.code_scan– Run SAST via Semgrep on source code to detect SQL injection, XSS, command injection, hardcoded credentials, and more.fleet_scan– Batch-scan a list of MCP server names against the security registry for fleet-wide risk assessment.analytics_query– Query vulnerability trends, posture history, and runtime event summaries from ClickHouse.
Additional features: real-time runtime enforcement proxy with behavioral attack pattern detection, MCP config drift watching, SIEM integration (Splunk, Datadog, Elasticsearch), output in JSON/SARIF/HTML/Mermaid formats, and AI-specific scanning for GPU/ML packages and model provenance (HuggingFace, Ollama, MLflow, W&B).
Scans AWS cloud infrastructure and Amazon Q configurations to identify security vulnerabilities and ensure compliance with CIS benchmarks.
Integrates with ClickHouse to provide security scan analytics, visualization, and posture scoring for AI infrastructure.
Performs security scanning of Databricks environments to detect misconfigurations and dependency vulnerabilities.
Scans Docker images and Docker-based MCP servers for security risks, tool poisoning, and dependency vulnerabilities.
Integrates as a CI/CD gate to automate security scans and enforce compliance policies during the development lifecycle.
Supports deployment and fleet-wide security scanning of AI agent infrastructure within Kubernetes using Helm charts.
Discovers and analyzes JetBrains AI configurations to identify potential credential leaks and security risks.
Enables dispatching security alerts and vulnerability findings to Jira for incident management and remediation tracking.
Scans Kubernetes clusters to map vulnerability propagation and assess the security posture of AI agent deployments.
Discovers and scans MLflow platforms to identify security risks and verify the provenance of AI models.
Provides integration with OpenTelemetry for monitoring and tracing the security scan pipeline and execution.
Dispatches real-time security alerts and scan reports to Slack channels via webhooks for immediate notification.
Provides governance and security scanning for Snowflake instances, including compliance checks against CIS Snowflake benchmarks.
Generates standardized Software Bill of Materials (SBOM) reports in the SPDX format for security compliance and transparency.
Analyzes security risks and maps the blast radius for AI agent tools and MCP servers utilizing SQLite databases.
What Is agent-bom
agent-bom is a read-only scanner and self-hosted control plane for local
projects, agent fleets, MCP runtimes, containers, and cloud estates. Scan in
your environment, centralize evidence in your VPC, and govern selected runtime
hops — one model (Finding + ContextGraph) for CLI, CI, API, dashboard, MCP
tools, exports, and optional proxy/gateway enforcement.
Three lanes: scan → self-hosted control plane → runtime proxy/gateway. We are not a managed MCP connector catalog — we prove blast radius and enforce policy on your agents and upstream MCP servers.
Blast radius is the core idea: a vulnerable package is linked to the MCP server that loads it, the tools it exposes, reachable credential references, and the agents that can call it — not just a CVE row.
Coverage depth and honest boundaries: AI infrastructure scanning · product boundaries
Synthetic seeded evidence for docs proof, captured from the real Next.js routes with a visible Demo data — simulated estate label — not a claim these entities came from a buyer environment. Regenerate with npm run capture:product-proof (see docs/CAPTURE.md).
AppSec / GRC — SARIF, compliance packs, and audit-ready exports from the same scan that powers the dashboard.
Platform / SRE — fleet sync, Helm deploy, CI gates, and SBOM output without a separate scanner stack.
Agent builders — MCP inventory, Shield SDK, and optional runtime proxy or gateway enforcement on the same graph.
Security engineers — findings queue, attack-path drilldown, and blast-radius context in CLI, API, and UI.
Snowflake is a supported connector lane, not the product center. MCP server mode advertises 70 MCP tools, 6 resources, and 8 workflow prompts — registry metadata via the Smithery manifest and Glama listing.
package -> vulnerability finding -> MCP server -> tools + credential refs -> agentagent-bom normalizes advisory and distro evidence into canonical CVE findings with match-confidence tiers:
distro_confirmed > osv_range > osv_ecosystem > unfixed_distro > nvd_cpe_candidate
Distro-confirmed findings are treated as confirmed. Optional NVD CPE candidate matching widens long-tail OS/vendor software coverage, but remains review-grade and off by default.
NVD key model. End users do not need an NVD API key. CVE/CPE enrichment
ships through the distributed vulnerability database. NVD_API_KEY is only an
optional self-hosted freshness knob for operators rebuilding or refreshing the
database.
Matching mechanics and release evidence: vulnerability matching · scanner accuracy baseline
Machine-readable detail lives in docs/AGENT_CAPABILITY.md.
Summary:
MCP security tools 70 tools · 6 resources · 8 workflow prompts
REST API 295 ops · OpenAPI docs/openapi/v1.json
Runtime proxy / gateway stdio policy · HTTP/SSE relay · KPI rollup
Full manifest docs/AGENT_CAPABILITY.mdRelated MCP server: agent-audit
Quickstart
pip install agent-bom
agent-bom scan -p . # scan this repo: rich console panel with posture gradeFor a reproducible, offline demo (safe to screenshot or attach to a bug report):
agent-bom scan --demo --offline # curated sample, no network, deterministicExport when you need a file:
agent-bom db update # populate ~/.agent-bom vuln DB before --offline scans
agent-bom scan -p . -f html -o agent-bom-report.htmlRun agent-bom db update before --offline image or package scans. Guided path:
docs/FIRST_RUN.md
Start Here
Pick the entry point for your role — ingest lanes, auth boundaries, and surface detail in docs/PRODUCT_MAP.md.
Need | Surface | First action | Main artifact |
Scan a repo, image, or local agent config | CLI / CI |
| JSON, SARIF, SBOM, HTML |
Ingest external scanner / SARIF evidence | CLI / CI |
| JSON, SARIF, blast radius |
Connect cloud and data-estate evidence | Cloud connectors |
| assets, CIS findings, graph edges |
Review posture as a team | API + dashboard |
| findings, graph, audit, compliance |
Give agents security tools | MCP server |
| strict MCP tool responses |
Govern runtime tool calls | Proxy / gateway | configure proxy or gateway policy | allow/warn/block audit trail |
Package evidence for audit | Reports / exports |
| SARIF, CycloneDX, SPDX, OCSF, compliance bundle |
Goal | Command |
Multi-hop exposure paths |
|
LLM cost forecast (FinOps) |
|
External scanner / SARIF ingest |
|
Non-human identity posture |
|
Advisory remediation plan |
|
Gated-capability readiness |
|
CI gate |
|
Full command map: docs/CLI_MAP.md · role routing: docs/START_HERE.md · repo layout: PROJECT_STRUCTURE.md
Cloud Connectors
Read-only, opt-in, and default-off. No secret values are read or stored.
agent-bom connect <provider> prints the grant template and enable flag —
no network I/O until you opt in.
Cloud | Enable | Scan |
AWS |
|
|
Azure |
|
|
GCP |
|
|
Snowflake | SSO or key-pair auth |
|
Setup and grants: docs/CLOUD_CONNECT.md · full intake map: docs/DATA_SOURCES.md
Snowflake auth defaults to browser SSO (externalbrowser); use
SNOWFLAKE_AUTHENTICATOR=snowflake_jwt with SNOWFLAKE_PRIVATE_KEY_PATH for
CI. agent-bom authenticates through the Python connector — no snowsql session
needed.
Deploy in Your Boundary
OSS CLI, self-hosted API/UI, gated hosted POC, or optional Snowflake-native lane — no managed public SaaS in this repo yet. One compose file starts a local control plane:
curl -fsSL https://raw.githubusercontent.com/msaad00/agent-bom/main/deploy/docker-compose.pilot.yml -o docker-compose.pilot.yml
docker compose -f docker-compose.pilot.yml up -d
# Dashboard -> http://localhost:3000Pilot compose binds to 127.0.0.1 with loopback CORS only. Use
docker-compose.platform.yml or docs/HOSTED_POC.md before
sharing a link.
Target | Path |
Any container platform | |
Kubernetes | |
AWS EKS | |
AWS one-click | |
Images |
Trust
Read-only discovery by default; no mandatory telemetry.
Credential values redacted; env names preserved for explainable exposure paths.
Exports: JSON, SARIF, CycloneDX, SPDX, OCSF, Markdown, HTML, compliance bundles.
Tenant scope, auth boundaries, and audit evidence on API/runtime paths.
Threat model · Pentest readiness · Release verification · MCP security model · Python client · Go client
Contributing
Contributions are welcome. Start with CONTRIBUTING.md, .agents/AGENTS.md, and the open issues.
License: Apache-2.0.
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/msaad00/agent-bom'
If you have feedback or need assistance with the MCP directory API, please join our Discord server