Scans AWS cloud infrastructure and Amazon Q configurations to identify security vulnerabilities and ensure compliance with CIS benchmarks.
Integrates with ClickHouse to provide security scan analytics, visualization, and posture scoring for AI infrastructure.
Performs security scanning of Databricks environments to detect misconfigurations and dependency vulnerabilities.
Scans Docker images and Docker-based MCP servers for security risks, tool poisoning, and dependency vulnerabilities.
Integrates as a CI/CD gate to automate security scans and enforce compliance policies during the development lifecycle.
Supports deployment and fleet-wide security scanning of AI agent infrastructure within Kubernetes using Helm charts.
Discovers and analyzes JetBrains AI configurations to identify potential credential leaks and security risks.
Enables dispatching security alerts and vulnerability findings to Jira for incident management and remediation tracking.
Scans Kubernetes clusters to map vulnerability propagation and assess the security posture of AI agent deployments.
Discovers and scans MLflow platforms to identify security risks and verify the provenance of AI models.
Provides integration with OpenTelemetry for monitoring and tracing the security scan pipeline and execution.
Dispatches real-time security alerts and scan reports to Slack channels via webhooks for immediate notification.
Provides governance and security scanning for Snowflake instances, including compliance checks against CIS Snowflake benchmarks.
Generates standardized Software Bill of Materials (SBOM) reports in the SPDX format for security compliance and transparency.
Analyzes security risks and maps the blast radius for AI agent tools and MCP servers utilizing SQLite databases.
Why agent-bom?
Traditional scanners tell you a package has a CVE. agent-bom tells you which AI agents are compromised, which credentials leak, which tools an attacker reaches, and what the business impact is.
```
CVE-2025-1234 (CRITICAL · CVSS 9.8 · CISA KEV)
|-- better-sqlite3@9.0.0 (npm)
    |-- sqlite-mcp (MCP Server · unverified · root)
        |-- Cursor IDE (Agent · 4 servers · 12 tools)
            |-- ANTHROPIC_KEY, DB_URL, AWS_SECRET (Credentials exposed)
            |-- query_db, read_file, write_file, run_shell (Tools at risk)
Fix: upgrade better-sqlite3 -> 11.7.0
```
Get started
```bash
pip install agent-bom
agent-bom scan                                    # auto-discover + scan
agent-bom scan --enrich                           # + NVD CVSS + EPSS + CISA KEV
agent-bom scan -f html -o report.html             # HTML dashboard
agent-bom scan --enforce                          # tool poisoning detection
agent-bom scan --fail-on-severity high -q         # CI gate
agent-bom scan --image myapp:latest               # Docker image scanning
agent-bom scan --k8s --all-namespaces             # K8s cluster
agent-bom scan --aws --snowflake --databricks     # Multi-cloud
agent-bom scan --hf-model meta-llama/Llama-3.1-8B # model provenance
```
Auto-discovers 20 MCP clients: Claude Desktop, Claude Code, Cursor, Windsurf, Cline, VS Code Copilot, Continue, Zed, Cortex Code, Codex CLI, Gemini CLI, Goose, Snowflake CLI, OpenClaw, Roo Code, Amazon Q, ToolHive, Docker MCP Toolkit, JetBrains AI, and Junie.
| Mode | Command |
|---|---|
| Core CLI | |
| Cloud (all) | |
| REST API | |
| MCP server | |
| Dashboard | |
| Docker | |
```bash
pip install --upgrade agent-bom   # upgrade
pip uninstall agent-bom           # uninstall
rm -rf ~/.agent-bom               # remove local data
```
How it works
1. Discover -- auto-detect MCP configs, Docker images, K8s pods, cloud resources, model files
2. Scan -- send package names + versions to public APIs (OSV.dev, NVD, EPSS, CISA KEV). No secrets leave your machine.
3. Analyze -- blast radius mapping, tool poisoning detection, compliance tagging, posture scoring
4. Report -- JSON, SARIF, CycloneDX, SPDX, HTML, Mermaid, or console. Alert dispatch to Slack/webhooks.
Read-only guarantee. Never writes configs, never runs servers, never stores secrets. --dry-run previews everything. Every release is Sigstore-signed.
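The blast radius chain from the example above (CVE -> package -> server -> agent -> credentials -> tools) and the discover/scan/analyze steps, reduced to a small worked example. This is added illustration code, not agent-bom's own implementation: the MCP config, package inventory and advisory mapping are constructed inline, and the discovery step keeps only env var names, never their values, as the read-only guarantee describes.

```python
import json

# Constructed sample of an MCP client config (Claude Desktop / Cursor style file).
# Secret values are fake; discovery below keeps only the env var NAMES.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "sqlite-mcp": {"command": "npx", "args": ["-y", "sqlite-mcp"],
                   "env": {"ANTHROPIC_KEY": "sk-fake", "DB_URL": "postgres://fake"}},
    "fs-mcp": {"command": "node", "args": ["fs.js"], "env": {"AWS_SECRET": "fake"}},
}})
# Constructed inventory and advisory data (hypothetical; not fetched from OSV/NVD).
SERVER_PACKAGES = {"sqlite-mcp": ["better-sqlite3@9.0.0"], "fs-mcp": ["fs-extra@11.0.0"]}
SERVER_TOOLS = {"sqlite-mcp": ["query_db", "run_shell"], "fs-mcp": ["read_file", "write_file"]}
ADVISORIES = {"better-sqlite3@9.0.0": ["CVE-2025-1234"]}  # id reused from the README example


def discover(agent, config_text):
    """Parse one client's MCP config into server records, redacting env var values."""
    servers = {}
    for name, spec in json.loads(config_text).get("mcpServers", {}).items():
        servers[name] = {
            "agent": agent,
            "credentials": sorted(spec.get("env", {})),  # names only, never values
            "packages": SERVER_PACKAGES.get(name, []),
            "tools": SERVER_TOOLS.get(name, []),
        }
    return servers


def blast_radius(cve, servers):
    """Walk CVE -> package -> server -> agent, then collect what the agent reaches."""
    vulnerable = {pkg for pkg, cves in ADVISORIES.items() if cve in cves}
    hit = {k: set() for k in ("packages", "servers", "agents", "credentials", "tools")}
    for name, rec in servers.items():
        affected = vulnerable & set(rec["packages"])
        if affected:
            hit["packages"] |= affected
            hit["servers"].add(name)
            hit["agents"].add(rec["agent"])
    # A compromised agent exposes the credentials and tools of every server it
    # hosts, not only the vulnerable one: that is the blast radius.
    for rec in servers.values():
        if rec["agent"] in hit["agents"]:
            hit["credentials"] |= set(rec["credentials"])
            hit["tools"] |= set(rec["tools"])
    return {k: sorted(v) for k, v in hit.items()}


if __name__ == "__main__":
    inventory = discover("Cursor IDE", SAMPLE_CONFIG)
    print(json.dumps(blast_radius("CVE-2025-1234", inventory), indent=2))
```

A real scanner would populate `SERVER_PACKAGES` from lockfiles or SBOMs and `ADVISORIES` from OSV/NVD; the graph walk stays the same.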
What it covers
| | Traditional scanners | agent-bom |
|---|---|---|
| Package CVE detection | Yes | Yes (OSV + NVD + EPSS + CISA KEV + GHSA + NVIDIA CSAF) |
| SBOM generation | Yes | Yes (CycloneDX 1.6, SPDX 3.0, SARIF) |
| AI agent discovery | -- | 20 MCP clients + Docker Compose |
| Blast radius mapping | -- | CVE -> package -> server -> agent -> credentials -> tools |
| Credential exposure | -- | Which secrets leak per vulnerability, per agent |
| Tool poisoning detection | -- | Description injection, capability combos, drift detection |
| Privilege detection | -- | root, shell access, privileged containers, per-tool permissions |
| 10-framework compliance | -- | OWASP LLM + MCP + Agentic, MITRE ATLAS, NIST AI RMF + CSF, EU AI Act, SOC 2, ISO 27001, CIS |
| Posture scorecard | -- | Letter grade (A-F), 6 dimensions, incident correlation (P1-P4) |
| Policy-as-code | -- | 17 conditions, CI gate, block unverified servers |
| Lateral movement analysis | -- | Agent context graph, shared credentials, BFS attack paths |
| 427+ server MCP registry | -- | Risk levels, tool inventories, auto-synced weekly |
| Source | How |
|---|---|
| MCP configs | Auto-discover (20 clients + Docker Compose) |
| Docker images | Grype / Syft / Docker CLI fallback |
| Kubernetes | kubectl across namespaces |
| Cloud providers | AWS, Azure, GCP, Databricks, Snowflake, Nebius |
| Terraform / GitHub Actions | AI resources + env vars |
| AI platforms | HuggingFace, W&B, MLflow, OpenAI |
| Jupyter notebooks | AI library imports + model refs |
| Model files | 13 formats (.gguf, .safetensors, .pkl, ...) |
| Skill files | CLAUDE.md, .cursorrules, AGENTS.md |
| Existing SBOMs | CycloneDX / SPDX import |
Console, HTML dashboard, SARIF, CycloneDX 1.6, SPDX 3.0, Prometheus, OTLP, JSON, Mermaid, Cytoscape graph JSON, REST API.
```bash
agent-bom scan -f cyclonedx -o ai-bom.cdx.json  # CycloneDX 1.6
agent-bom scan -f spdx -o ai-bom.spdx.json      # SPDX 3.0
agent-bom scan -f sarif -o results.sarif        # GitHub Security tab
agent-bom scan -f html -o report.html           # Interactive dashboard
agent-bom scan -f graph -o graph.json           # Cytoscape-compatible
```
Deployment
| Mode | Command | Best for |
|---|---|---|
| CLI | | Local audit |
| GitHub Action | | CI/CD + SARIF |
| Docker | | Isolated scans |
| REST API | | Dashboards, SIEM |
| MCP Server | | Inside any MCP client |
| Dashboard | | API + Next.js UI (15 pages) |
| Runtime proxy | | MCP traffic audit |
| Snowflake | | Snowpark + SiS |
```yaml
- uses: msaad00/agent-bom@v0
  with:
    severity-threshold: high
    upload-sarif: true
    enrich: true
    fail-on-kev: true
```
```bash
pip install agent-bom[api]
agent-bom api --api-key $SECRET --rate-limit 30   # http://127.0.0.1:8422/docs
```
| Endpoint | Description |
|---|---|
| | Start async scan |
| | Results + status |
| | Per-CVE blast radius graph |
| | 427+ server registry |
| | Full 10-framework compliance posture |
| | Enterprise posture scorecard (A-F) |
| | Credential risk ranking |
| | Incident correlation (P1-P4) |
| | OpenTelemetry trace ingestion |
| | Lateral movement paths |
| | Malicious package check |
| Provider | Depth | Install |
|---|---|---|
| Snowflake | Deep (Cortex, MCP, governance, observability) | |
| AWS | Standard (Bedrock, Lambda, EKS, ECS, SageMaker) | |
| Azure | Standard (OpenAI, Functions, AI Foundry, Container Apps) | |
| GCP | Standard (Vertex AI, Cloud Functions, GKE, Cloud Run) | |
| Databricks | Preview (Cluster packages, model serving) | |
| Nebius | Preview (Managed K8s, containers) | |
| CoreWeave | Via K8s | |
Ecosystem
| Platform | Link |
|---|---|
| PyPI | |
| Docker | |
| GitHub Action | |
| Glama | |
| MCP Registry | |
| ToolHive | |
| OpenClaw | |
| Smithery | |
| Railway | |
Architecture
See docs/ARCHITECTURE.md for full diagrams: data flow pipeline, blast radius propagation, compliance framework mapping, integration architecture, and deployment topology.
Trust & permissions
- Read-only -- never writes configs, runs servers, provisions resources, or stores secrets
- Credential redaction -- only env var names in reports; values never read
- `--dry-run` -- preview every file and API URL before access
- Sigstore signed -- releases v0.7.0+ signed via cosign OIDC
- OpenSSF Scorecard -- automated supply chain scoring
- PERMISSIONS.md -- full auditable trust contract
Roadmap
- CIS Foundations benchmarks (AWS v3.0, Snowflake v1.0)
- CIS AI benchmarks (pending CIS publication)
- License compliance engine
- Workflow engine scanning (n8n, Zapier, Make)
See the full list of shipped features.
Contributing
```bash
git clone https://github.com/msaad00/agent-bom.git && cd agent-bom
pip install -e ".[dev]"
pytest && ruff check src/
```
See CONTRIBUTING.md | SECURITY.md | CODE_OF_CONDUCT.md
Apache 2.0 -- LICENSE