agent-bom is a comprehensive AI supply chain security scanner and runtime enforcement MCP server for discovering, assessing, and remediating vulnerabilities across AI agent infrastructure, MCP servers, and dependencies.
Core Scanning & Discovery
- `scan` – Full AI supply chain scan: auto-discovers MCP configs (Claude Desktop, Cursor, Windsurf, VS Code Copilot, etc.), extracts packages, queries OSV.dev for CVEs, assesses credential exposure, computes blast radius, and returns a structured report. Supports Docker image scanning, policy evaluation, SBOM ingestion, and NVD/EPSS/CISA KEV enrichment.
- `inventory` – Fast discovery and package extraction without CVE scanning; a quick inventory of MCP configs, servers, packages, and transport types.
- `where` – List all MCP client config discovery paths and show which files exist on the current system.
- `check` – Check a specific package (npm, PyPI, Go, Cargo, Maven, NuGet) for known CVEs before installing, with severity, CVSS score, and fix version.

Risk Analysis
- `blast_radius` – Map the full attack chain for a CVE: affected packages → MCP servers → agents → exposed credentials and tools.
- `context_graph` – Build an agent context graph with lateral movement analysis (BFS paths) to answer "if agent X is compromised, what else is reachable?"
- `runtime_correlate` – Cross-reference scan results with proxy runtime audit logs to identify which vulnerable tools were actually called in production.

Policy, Compliance & Remediation
- `policy_check` – Evaluate security policy rules (severity thresholds, CISA KEV, AI risk flags, denied packages) against scan results; returns pass/fail with violations.
- `compliance` – Map findings to 47 controls across OWASP LLM Top 10, OWASP MCP Top 10, MITRE ATLAS, and NIST AI RMF with per-control status and an overall score.
- `remediate` – Generate actionable fix commands (npm/pip upgrades) and credential scope reduction guidance, and flag unfixable vulnerabilities.
- `cis_benchmark` – Run CIS Foundations Benchmark checks against AWS (18 checks) or Snowflake (12 checks) with per-check pass/fail results.

Trust & Integrity
- `skill_trust` – Assess SKILL.md/instruction files across 5 trust categories with a benign/suspicious/malicious verdict.
- `verify` – Verify package integrity via SHA-256/SRI hashes and SLSA build provenance attestations against the npm/PyPI registries.
- `marketplace_check` – Pre-install trust check for an MCP server package: download count, CVE status, registry verification, and trust signals.
- `registry_lookup` – Query the built-in threat intelligence registry (109+ MCP servers) for risk level, known tools, credential requirements, and verification status.

Advanced Capabilities
- `generate_sbom` – Generate a standards-compliant SBOM in CycloneDX 1.6 or SPDX 3.0 format.
- `diff` – Compare a fresh scan against a baseline to identify new/resolved vulnerabilities and package inventory changes.
- `code_scan` – Run SAST via Semgrep on source code to detect SQL injection, XSS, command injection, hardcoded credentials, and more.
- `fleet_scan` – Batch-scan a list of MCP server names against the security registry for fleet-wide risk assessment.
- `analytics_query` – Query vulnerability trends, posture history, and runtime event summaries from ClickHouse.
Additional features: real-time runtime enforcement proxy with behavioral attack pattern detection, MCP config drift watching, SIEM integration (Splunk, Datadog, Elasticsearch), output in JSON/SARIF/HTML/Mermaid formats, and AI-specific scanning for GPU/ML packages and model provenance (HuggingFace, Ollama, MLflow, W&B).
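The two graph walks behind `blast_radius` and `context_graph`, as an added example that is not agent-bom's own code: forward propagation from one CVE (CVE → package → MCP server → agent → credentials/tools, the chain drawn in the "Why agent-bom?" tree below) and a BFS answering "if agent X is compromised, what else is reachable?" over shared servers and shared credentials. The inventory dictionaries are constructed; the `VULNS` values are copied from the page's example tree and the extra servers and agents are assumptions.

```python
from collections import deque

VULNS = {  # package@version -> advisories (values taken from the example tree in "Why agent-bom?")
    "better-sqlite3@9.0.0": [{"id": "CVE-2025-1234", "severity": "CRITICAL", "cvss": 9.8,
                              "kev": True, "fixed": "11.7.0"}],
}
SERVERS = {  # MCP server -> packages it bundles, env vars it receives, tools it exposes (constructed)
    "sqlite-mcp": {"packages": ["better-sqlite3@9.0.0"],
                   "env": ["ANTHROPIC_KEY", "DB_URL", "AWS_SECRET"],
                   "tools": ["query_db", "read_file", "write_file", "run_shell"]},
    "docs-mcp": {"packages": ["marked@12.0.0"], "env": ["DOCS_TOKEN"], "tools": ["search_docs"]},
    "deploy-mcp": {"packages": ["aws-sdk@2.1500.0"], "env": ["AWS_SECRET"], "tools": ["deploy"]},
}
AGENTS = {  # agent -> MCP servers configured for it (constructed)
    "Cursor IDE": ["sqlite-mcp", "docs-mcp"],
    "Claude Desktop": ["docs-mcp"],
    "CI bot": ["deploy-mcp"],
}

def blast_radius(cve_id):
    """Forward propagation: which servers, agents, credentials and tools one CVE reaches."""
    packages = sorted(p for p, advs in VULNS.items() if any(a["id"] == cve_id for a in advs))
    servers = sorted(s for s, m in SERVERS.items() if set(m["packages"]) & set(packages))
    agents = sorted(a for a, ss in AGENTS.items() if set(ss) & set(servers))
    creds = sorted({c for s in servers for c in SERVERS[s]["env"]})
    tools = sorted({t for s in servers for t in SERVERS[s]["tools"]})
    fixes = [f"upgrade {p.split('@')[0]} -> {a['fixed']}"
             for p in packages for a in VULNS[p] if a["id"] == cve_id and a.get("fixed")]
    return {"cve": cve_id, "packages": packages, "servers": servers, "agents": agents,
            "credentials": creds, "tools": tools, "fixes": fixes}

def reachable_from(agent):
    """BFS lateral movement: agent -> its servers -> their credentials -> every other server
    that receives the same credential -> the agents configured for those servers."""
    start = ("agent", agent)
    seen, queue = {start}, deque([start])
    while queue:
        kind, name = queue.popleft()
        if kind == "agent":
            nxt = [("server", s) for s in AGENTS.get(name, [])]
        elif kind == "server":
            nxt = [("cred", c) for c in SERVERS[name]["env"]]
            nxt += [("agent", a) for a, ss in AGENTS.items() if name in ss]  # co-tenants of the server
        else:  # a credential is usable against every server that also receives it
            nxt = [("server", s) for s, m in SERVERS.items() if name in m["env"]]
        for node in nxt:
            if node not in seen:
                seen.add(node)
                queue.append(node)
    seen.discard(start)
    return {k: sorted(n for kk, n in seen if kk == k) for k in ("agent", "server", "cred")}
```

Note that `AWS_SECRET` alone links the IDE agent to the CI bot's deploy server, which is exactly the shared-credential edge the lateral movement analysis is meant to surface.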
Scans AWS cloud infrastructure and Amazon Q configurations to identify security vulnerabilities and ensure compliance with CIS benchmarks.
Integrates with ClickHouse to provide security scan analytics, visualization, and posture scoring for AI infrastructure.
Performs security scanning of Databricks environments to detect misconfigurations and dependency vulnerabilities.
Scans Docker images and Docker-based MCP servers for security risks, tool poisoning, and dependency vulnerabilities.
Integrates as a CI/CD gate to automate security scans and enforce compliance policies during the development lifecycle.
Supports deployment and fleet-wide security scanning of AI agent infrastructure within Kubernetes using Helm charts.
Discovers and analyzes JetBrains AI configurations to identify potential credential leaks and security risks.
Enables dispatching security alerts and vulnerability findings to Jira for incident management and remediation tracking.
Scans Kubernetes clusters to map vulnerability propagation and assess the security posture of AI agent deployments.
Discovers and scans MLflow platforms to identify security risks and verify the provenance of AI models.
Provides integration with OpenTelemetry for monitoring and tracing the security scan pipeline and execution.
Dispatches real-time security alerts and scan reports to Slack channels via webhooks for immediate notification.
Provides governance and security scanning for Snowflake instances, including compliance checks against CIS Snowflake benchmarks.
Generates standardized Software Bill of Materials (SBOM) reports in the SPDX format for security compliance and transparency.
Analyzes security risks and maps the blast radius for AI agent tools and MCP servers utilizing SQLite databases.
Why agent-bom?
Traditional scanners tell you a package has a CVE. agent-bom tells you which AI agents are compromised, which credentials leak, which tools an attacker reaches — and then blocks it in real time.
Two capabilities, one tool: scanner (CVEs, blast radius, compliance, supply chain) + proxy (intercepts MCP traffic, enforces policy, detects 7 behavioral attack patterns). Read-only. Agentless. Open source.
```text
CVE-2025-1234 (CRITICAL · CVSS 9.8 · CISA KEV)
|-- better-sqlite3@9.0.0 (npm)
|-- sqlite-mcp (MCP Server · unverified · root)
|-- Cursor IDE (Agent · 4 servers · 12 tools)
|-- ANTHROPIC_KEY, DB_URL, AWS_SECRET (Credentials exposed)
|-- query_db, read_file, write_file, run_shell (Tools at risk)
Fix: upgrade better-sqlite3 -> 11.7.0
```

Get started
```shell
pip install agent-bom
agent-bom scan                                       # auto-discover + scan
agent-bom scan --enrich                              # + NVD CVSS + EPSS + CISA KEV
agent-bom scan -f html -o report.html                # HTML dashboard
agent-bom scan --enforce                             # tool poisoning detection
agent-bom scan --fail-on-severity high -q            # CI gate
agent-bom scan --image myapp:latest                  # Docker image scanning
agent-bom scan --k8s --all-namespaces                # K8s image scanning (cluster-wide)
agent-bom scan --k8s-mcp                             # Discover MCP pods + CRDs in Kubernetes
agent-bom scan --include-processes                   # Scan running host MCP processes (psutil)
agent-bom scan --include-containers                  # Scan Docker containers for MCP servers
agent-bom scan --health-check                        # Probe discovered servers for liveness
agent-bom scan --siem splunk --siem-url https://...  # Push findings to SIEM
agent-bom scan --aws --snowflake --databricks        # Multi-cloud
agent-bom scan --hf-model meta-llama/Llama-3.1-8B    # model provenance
agent-bom scan --vector-db-scan                      # Scan self-hosted + Pinecone cloud vector DBs
agent-bom scan --gpu-scan                            # Discover GPU containers + K8s nodes, detect unauthenticated DCGM exporters
agent-bom graph report.json --format dot             # Export dependency graph (DOT/Mermaid/JSON)
agent-bom proxy-configure --apply                    # Auto-wrap MCP configs with security proxy
```

Runtime enforcement — sit between your MCP client and server, enforce policy in real time:
```shell
# Wrap a single server — intercept every tool call
agent-bom proxy --command "uvx mcp-server-filesystem /" --policy policy.yml
# Protect mode — run standalone detector engine
agent-bom protect --mode http
# Watch MCP configs for drift — alert on changes
agent-bom watch --webhook https://hooks.slack.com/...
```

Policy file — 17 conditions, zero code required (`policy.yml`):

```yaml
blocked_tools: [run_shell, exec_command]
require_agent_identity: true
rate_limit: {threshold: 50, window_seconds: 60}
```

Auto-discovers 20 MCP clients: Claude Desktop, Claude Code, Cursor, Windsurf, Cline, VS Code Copilot, Continue, Zed, Cortex Code, Codex CLI, Gemini CLI, Goose, Snowflake CLI, OpenClaw, Roo Code, Amazon Q, ToolHive, Docker MCP Toolkit, JetBrains AI, and Junie.
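How a proxy enforces the three `policy.yml` conditions above on MCP `tools/call` requests, as an added example that is not agent-bom's proxy code: `blocked_tools` is a name check, `require_agent_identity` reads `params._meta.agent_identity` (the field named in the roadmap), and `rate_limit` is a sliding window keyed by identity. The threshold is lowered to 3 for the demo, and the messages and the `-32000` JSON-RPC error code are constructed.

```python
import time
from collections import deque

POLICY = {  # the policy.yml above, threshold lowered to 3 for the demo
    "blocked_tools": ["run_shell", "exec_command"],
    "require_agent_identity": True,
    "rate_limit": {"threshold": 3, "window_seconds": 60},
}

class PolicyGate:
    def __init__(self, policy, clock=time.monotonic):
        self.policy, self.clock = policy, clock
        self.calls = {}  # agent identity -> timestamps of allowed calls inside the window

    def evaluate(self, message):
        """Return ("allow" | "block", reason) for one client -> server JSON-RPC message."""
        if message.get("method") != "tools/call":
            return "allow", "not a tool call"  # initialize, tools/list, notifications pass through
        params = message.get("params") or {}
        tool = params.get("name")
        agent = (params.get("_meta") or {}).get("agent_identity")
        if self.policy.get("require_agent_identity") and not agent:
            return "block", "missing _meta.agent_identity"
        if tool in self.policy.get("blocked_tools", []):
            return "block", f"tool '{tool}' is in blocked_tools"
        limit = self.policy.get("rate_limit")
        if limit:
            now, window = self.clock(), limit["window_seconds"]
            recent = self.calls.setdefault(agent or "anonymous", deque())
            while recent and now - recent[0] >= window:  # slide the window forward
                recent.popleft()
            if len(recent) >= limit["threshold"]:
                return "block", f"rate limit {limit['threshold']}/{window}s exceeded for {agent}"
            recent.append(now)
        return "allow", "policy passed"

def intercept(gate, message):
    """What the proxy does with the verdict: forward the request, or answer the client with an error."""
    verdict, reason = gate.evaluate(message)
    if verdict == "allow":
        return {"forward": message, "reason": reason}
    error = {"jsonrpc": "2.0", "id": message.get("id"),
             "error": {"code": -32000, "message": f"blocked by policy: {reason}"}}
    return {"forward": None, "reason": reason, "error": error}

def tool_call(msg_id, name, agent=None, **arguments):
    """Build a constructed MCP tools/call request (identity travels in params._meta)."""
    params = {"name": name, "arguments": arguments}
    if agent:
        params["_meta"] = {"agent_identity": agent}
    return {"jsonrpc": "2.0", "id": msg_id, "method": "tools/call", "params": params}
```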
| Mode | Command |
| --- | --- |
| Core CLI | |
| Cloud (all) | |
| REST API | |
| MCP server | |
| OIDC/SSO auth | |
| Dashboard | |
| Docker | |
```shell
pip install --upgrade agent-bom   # upgrade
pip uninstall agent-bom           # uninstall
rm -rf ~/.agent-bom               # remove local data
```

How it works
1. Discover -- auto-detect MCP configs, Docker images, K8s pods, cloud resources, model files
2. Scan -- send package names + versions to public APIs (OSV.dev, NVD, EPSS, CISA KEV). No secrets leave your machine.
3. Analyze -- blast radius mapping, tool poisoning detection, compliance tagging, posture scoring
4. Report -- JSON, SARIF, CycloneDX, SPDX, HTML, Mermaid, or console. Alert dispatch to Slack/webhooks.
Read-only guarantee. Never writes configs, never runs servers, never stores secrets. --dry-run previews everything. Every release is Sigstore-signed.
What it covers
| Capability | Traditional scanners | agent-bom |
| --- | --- | --- |
| Package CVE detection | Yes | Yes (OSV + NVD + EPSS + CISA KEV + GHSA + NVIDIA CSAF) |
| SBOM generation | Yes | Yes (CycloneDX 1.6, SPDX 3.0, SARIF) |
| AI agent discovery | -- | 20 MCP clients + Docker Compose + running processes + containers + K8s pods/CRDs |
| GPU/ML package scanning | -- | NVIDIA CSAF advisories for CUDA, cuDNN, PyTorch, TensorFlow, JAX, vLLM + AMD ROCm via OSV |
| AI supply chain | -- | Model provenance (pickle risk, digest, gating), HuggingFace Hub, Ollama, MLflow, W&B |
| AI cloud inventory | -- | Coreweave, Nebius, Snowflake, Databricks, OpenAI, HuggingFace Hub — config discovery + CVE tagging |
| Blast radius mapping | -- | CVE -> package -> server -> agent -> credentials -> tools |
| Credential exposure | -- | Which secrets leak per vulnerability, per agent |
| Tool poisoning detection | -- | Description injection, capability combos, drift detection |
| Privilege detection | -- | root, shell access, privileged containers, per-tool permissions |
| 10-framework compliance | -- | OWASP LLM + MCP + Agentic, MITRE ATLAS, NIST AI RMF + CSF, EU AI Act, SOC 2, ISO 27001, CIS |
| MITRE ATT&CK mapping | -- | Dynamic technique lookup by tactic phase (no hardcoded T-codes) |
| Posture scorecard | -- | Letter grade (A-F), 6 dimensions, incident correlation (P1-P4) |
| Policy-as-code + Jira | -- | 17 conditions, CI gate, auto-create Jira tickets for violations |
| SIEM push | -- | Splunk HEC, Datadog Logs, Elasticsearch — raw or OCSF format |
| Proxy auto-configure | -- | Wrap every MCP server config with |
| Server health checks | -- | Lightweight liveness probe — reachable, tool count, latency, protocol |
| Lateral movement analysis | -- | Agent context graph, shared credentials, BFS attack paths |
| 427+ server MCP registry | -- | Risk levels, tool inventories, auto-synced weekly |
| Cloud vector DB scanning | -- | Pinecone index inventory, risk flags, replica counts via API key |
| Dependency graph export | -- | DOT, Mermaid, JSON — agent → server → package → CVE graph |
| OIDC/SSO authentication | -- | JWT verification (Okta, Google, Azure AD, Auth0) for REST API |
| Source | How |
| --- | --- |
| MCP configs | Auto-discover (20 clients + Docker Compose) |
| Docker images | Grype / Syft / Docker CLI fallback |
| Kubernetes | kubectl across namespaces |
| Cloud providers | AWS, Azure, GCP, Databricks, Snowflake, Coreweave, Nebius |
| AI cloud services | OpenAI, HuggingFace Hub, W&B, MLflow, Ollama |
| GPU/ML packages | PyTorch, TF, JAX, vLLM, CUDA toolkit, cuDNN, TensorRT, ROCm |
| Terraform / GitHub Actions | AI resources + env vars |
| Jupyter notebooks | AI library imports + model refs |
| Model files | 13 formats (.gguf, .safetensors, .pkl, ...) |
| Skill files | CLAUDE.md, .cursorrules, AGENTS.md |
| Existing SBOMs | CycloneDX / SPDX import |
Console, HTML dashboard, SARIF, CycloneDX 1.6, SPDX 3.0, Prometheus, OTLP, JSON, Mermaid, Cytoscape graph JSON, REST API.
```shell
agent-bom scan -f cyclonedx -o ai-bom.cdx.json   # CycloneDX 1.6
agent-bom scan -f spdx -o ai-bom.spdx.json       # SPDX 3.0
agent-bom scan -f sarif -o results.sarif         # GitHub Security tab
agent-bom scan -f html -o report.html            # Interactive dashboard
agent-bom scan -f graph -o graph.json            # Cytoscape-compatible
```

Deployment
| Mode | Command | Best for |
| --- | --- | --- |
| CLI | | Local audit |
| GitHub Action | `uses: msaad00/agent-bom@v0.63.3` | CI/CD + SARIF |
| Docker | | Isolated scans |
| REST API | | Dashboards, SIEM |
| MCP Server | | Inside any MCP client |
| Dashboard | | API + Next.js UI (15 pages) |
| Runtime proxy | | Intercept + enforce MCP traffic in real time |
| Protect engine | | 7 behavioral detectors (rug pull, injection, exfil, credential leak) |
| Config watcher | | Filesystem watch on MCP configs, alert on drift |
| Pre-install guard | | Block vulnerable installs |
| Snowflake | | Snowpark + SiS |
```yaml
- uses: msaad00/agent-bom@v0.63.3
  with:
    severity-threshold: high
    upload-sarif: true
    enrich: true
    fail-on-kev: true
```

```shell
pip install agent-bom[api]
agent-bom api --api-key $SECRET --rate-limit 30   # http://127.0.0.1:8422/docs
```

| Endpoint | Description |
| --- | --- |
| | Start async scan |
| | Results + status |
| | Per-CVE blast radius graph |
| | 427+ server registry |
| | Full 10-framework compliance posture |
| | Enterprise posture scorecard (A-F) |
| | Credential risk ranking |
| | Incident correlation (P1-P4) |
| | OpenTelemetry trace ingestion |
| | Lateral movement paths |
| | Malicious package check |
| | Live proxy metrics (tool calls, blocked, latency p95) |
| | Runtime behavioral alerts from audit log |
| | Query JSONL audit trail (HMAC integrity verified) |
Scan packages against OSV and NVD before they are installed. Blocks installs when critical/high CVEs are found.
```shell
agent-bom guard pip install requests flask   # scan then install
agent-bom guard npm install express          # same for npm
# Shell alias — intercept every install automatically
alias pip='agent-bom guard pip'
alias npm='agent-bom guard npm'
```

Options:
- `--min-severity` — minimum severity to block (critical, high, medium; default: high)
- `--allow-risky` — warn but proceed instead of blocking
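What a pre-install guard decision looks like on the data OSV.dev actually returns, as an added example that is not agent-bom's guard code: it parses an OSV `/v1/query` response (the same public API the scanner queries), walks `affected[].ranges[].events` to recover the fix version, reads the GHSA-style `database_specific.severity`, and applies the `--min-severity` threshold. `SAMPLE_RESPONSE` is constructed around the page's `better-sqlite3` example; `query_osv()` shows the real request shape and is the only function that touches the network.

```python
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}

def query_osv(name, ecosystem, version):
    """Live lookup (not used by the offline demo): OSV returns only the vulns affecting `version`."""
    body = json.dumps({"package": {"name": name, "ecosystem": ecosystem}, "version": version}).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def _ver(v):
    """Numeric version tuple ('11.7.0' -> (11, 7, 0)); simplified, enough for plain npm/PyPI releases."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def fix_version(vuln, name, version):
    """Walk affected[].ranges[].events and return the 'fixed' bound of the range containing `version`."""
    for aff in vuln.get("affected", []):
        if aff.get("package", {}).get("name") != name:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
                continue
            introduced = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    introduced = ev["introduced"]
                elif "fixed" in ev and introduced is not None:
                    if _ver(introduced) <= _ver(version) < _ver(ev["fixed"]):
                        return ev["fixed"]
                    introduced = None
    return None  # affected, but no fixed release published: the "unfixable" case

def severity_of(vuln):
    """GHSA-sourced OSV entries carry database_specific.severity; anything else is UNKNOWN."""
    return str(vuln.get("database_specific", {}).get("severity", "UNKNOWN")).upper()

def guard_decision(osv_response, name, version, min_severity="high"):
    """Return (block, findings): block when any finding is at or above min_severity."""
    findings = [{"id": v["id"], "severity": severity_of(v), "fix": fix_version(v, name, version)}
                for v in osv_response.get("vulns", [])]
    threshold = SEVERITY_RANK[min_severity.upper()]
    block = any(SEVERITY_RANK.get(f["severity"], 0) >= threshold for f in findings)
    return block, findings

SAMPLE_RESPONSE = {"vulns": [  # constructed OSV-style reply for better-sqlite3 9.0.0
    {"id": "CVE-2025-1234", "database_specific": {"severity": "CRITICAL"},
     "affected": [{"package": {"ecosystem": "npm", "name": "better-sqlite3"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "11.7.0"}]}]}]},
    {"id": "GHSA-PLACEHOLDER-0001", "database_specific": {"severity": "LOW"},  # placeholder id
     "affected": [{"package": {"ecosystem": "npm", "name": "better-sqlite3"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "8.0.0"}]}]}]},
]}
```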
| Provider | Depth | Install |
| --- | --- | --- |
| Snowflake | Deep (Cortex, MCP, governance, observability) | |
| AWS | Standard (Bedrock, Lambda, EKS, ECS, SageMaker) | |
| Azure | Standard (OpenAI, Functions, AI Foundry, Container Apps) | |
| GCP | Standard (Vertex AI, Cloud Functions, GKE, Cloud Run) | |
| Databricks | Preview (Cluster packages, model serving) | |
| Nebius | Preview (Managed K8s, containers) | |
| CoreWeave | Via K8s | |
Ecosystem
| Platform | Link |
| --- | --- |
| PyPI | |
| Docker | |
| GitHub Action | `uses: msaad00/agent-bom@v0.63.3` |
| Glama | |
| MCP Registry | |
| ToolHive | |
| OpenClaw | |
| Smithery | |
| Railway | |
Architecture
See docs/ARCHITECTURE.md for full diagrams: data flow pipeline, blast radius propagation, compliance framework mapping, integration architecture, and deployment topology.
Trust & permissions
- Read-only -- never writes configs, runs servers, provisions resources, or stores secrets
- Credential redaction -- only env var names in reports; values never read or logged
- No shell injection -- subprocess uses `asyncio.create_subprocess_exec`; command + args validated before every spawn
- No SSRF -- all outbound URLs hardcoded or validated; DNS rebinding defense blocks private/loopback/cloud-metadata ranges
- No path traversal -- `validate_path(restrict_to_home=True)` on all user-supplied paths; MCP tool inputs sanitized
- No SQL injection -- all database queries use parameterized statements
- Proxy size guard -- messages >10 MB dropped before parsing; protects against DoS
- Audit integrity -- JSONL audit logs stored at `0600`, HMAC-signed (SHA-256). Set `AGENT_BOM_AUDIT_HMAC_KEY` in production for cross-restart verifiability.
- API security -- scrypt KDF for API keys, RBAC (admin/analyst/viewer), OIDC/JWT (RS256/ES256, `none` algorithm rejected), constant-time comparison
- `--dry-run` -- preview every file and API URL before access
- Sigstore signed -- releases v0.7.0+ signed via cosign OIDC
- OpenSSF Scorecard -- automated supply chain scoring
- OpenSSF Best Practices -- passing badge (100%) — 67/67 criteria
- Continuous fuzzing -- ClusterFuzzLite fuzzes SBOM parsers, policy evaluator, and skill parser
- PERMISSIONS.md -- full auditable trust contract
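The audit integrity guarantee above (JSONL at mode `0600`, HMAC-SHA256 over each entry, key from `AGENT_BOM_AUDIT_HMAC_KEY`), as an added example that is not agent-bom's audit code: it appends signed entries and re-verifies the whole trail. Chaining every entry to the previous MAC is an addition of this example, not something the page claims for agent-bom; it makes deleted or reordered lines detectable, not only edited ones. Without the environment variable the key is ephemeral, which is exactly why the page tells you to set it in production.

```python
import hashlib
import hmac
import json
import os
import secrets

def load_key():
    """Persistent key from AGENT_BOM_AUDIT_HMAC_KEY; otherwise an ephemeral one that dies with the process."""
    key = os.environ.get("AGENT_BOM_AUDIT_HMAC_KEY")
    return key.encode() if key else secrets.token_bytes(32)

def _canonical(event, prev):
    """Stable byte encoding of (event, previous MAC) so verification re-hashes exactly what was signed."""
    return json.dumps({"event": event, "prev": prev}, sort_keys=True, separators=(",", ":")).encode()

def _last_mac(path):
    try:
        with open(path, "rb") as f:
            lines = f.read().splitlines()
    except FileNotFoundError:
        return ""
    return json.loads(lines[-1])["hmac"] if lines else ""

def append_event(path, key, event):
    """Append one entry; the file is created 0600 so only the owner can read the tool-call history."""
    prev = _last_mac(path)
    mac = hmac.new(key, _canonical(event, prev), hashlib.sha256).hexdigest()
    record = {"event": event, "prev": prev, "hmac": mac}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")
    return mac

def verify_log(path, key):
    """Return (ok, first_bad_line): recompute each MAC and check that each prev links to the line before."""
    prev = ""
    with open(path, "rb") as f:
        for lineno, raw in enumerate(f.read().splitlines(), 1):
            try:
                rec = json.loads(raw)
                claimed, prev_ref = rec["hmac"], rec["prev"]
                expected = hmac.new(key, _canonical(rec["event"], prev_ref), hashlib.sha256).hexdigest()
            except (ValueError, KeyError, TypeError):
                return False, lineno  # malformed or truncated line
            if prev_ref != prev or not hmac.compare_digest(expected, claimed):
                return False, lineno  # edited entry, wrong key, or a deleted/reordered predecessor
            prev = claimed
    return True, None
```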
Roadmap
GPU / AI compute
- GPU container discovery (Docker — NVIDIA images, CUDA labels, `--gpus` runtime)
- Kubernetes GPU node inventory (nvidia.com/gpu capacity/allocatable, CUDA driver labels)
- Unauthenticated DCGM exporter detection (port 9400 metrics leak)
- Remote Docker host scanning (currently local daemon only)
- NVIDIA GPU CVE feed — CUDA/cuDNN specific advisories beyond OSV
- GPU utilization and memory anomaly detection

AI supply chain
- OSV + GHSA + NVD + EPSS + CISA KEV vulnerability enrichment
- ML model file scanning (.gguf, .safetensors, .onnx) + SHA-256 + Sigstore
- HuggingFace model provenance and dataset card scanning
- Dataset poisoning detection
- Training pipeline scanning (MLflow DAGs, Kubeflow pipelines)
- Model card authenticity verification (beyond hash/sigstore)

Agents / MCP
- 20 MCP client config discovery paths, live introspection, tool drift detection
- Runtime proxy with 7 behavioral detectors (rug pull, injection, credential leak, exfil sequences, response cloaking, vector DB injection, semantic injection scoring)
- Semantic injection scoring — weighted 10-signal model, 0.0–1.0 risk score, MEDIUM/HIGH alerts
- Agent memory / vector store content scanning for injected instructions
- LLM API call tracing (which model was called, with what context)

Identity / access
- OIDC/JWT auth for REST API (Okta, Google Workspace, Azure AD, Auth0, GitHub OIDC)
- Agent-level identity — JWT/opaque token in `_meta.agent_identity`, tracked on every audit log entry, `require_agent_identity` policy enforcement
- MCP server identity attestation — cryptographic proof of server identity at runtime
- Agent-to-agent permission boundary enforcement

Compliance / standards
- 10 frameworks: OWASP LLM, OWASP MCP, OWASP Agentic, ATLAS, NIST AI RMF, EU AI Act, NIST CSF, ISO 27001, SOC 2, CIS Controls
- CIS AI benchmarks (pending CIS publication)
- License compliance engine (OSS license risk flagging)
- Workflow engine scanning (n8n, Zapier, Make)

Ecosystem coverage
- Maven / Go ecosystem — test coverage thin (PyPI, npm, cargo, pip best covered)
- Windows container support (currently Linux-focused for Docker GPU discovery)
See the full list of shipped features.
Contributing
```shell
git clone https://github.com/msaad00/agent-bom.git && cd agent-bom
pip install -e ".[dev]"
pytest && ruff check src/
```

See CONTRIBUTING.md | SECURITY.md | CODE_OF_CONDUCT.md
Apache 2.0 -- LICENSE