agent-bom

Open-source security scanner for AI agent infrastructure.Discover configurations, scan dependencies, map blast radius, enforce compliance.

Get started

pip install agent-bom

agent-bom scan                                     # auto-discover + scan
agent-bom scan --enrich                            # + NVD CVSS + EPSS + CISA KEV
agent-bom scan -f html -o report.html              # HTML dashboard
agent-bom scan --enforce                           # tool poisoning detection
agent-bom scan --fail-on-severity high -q          # CI gate
agent-bom scan --image myapp:latest                # Docker image scanning
agent-bom scan --k8s --all-namespaces              # K8s cluster
agent-bom scan --aws --snowflake --databricks      # Multi-cloud
agent-bom scan --aws-cis-benchmark                 # CIS AWS Foundations v3.0
agent-bom scan --snowflake-cis-benchmark           # CIS Snowflake v1.0
agent-bom scan --hf-model meta-llama/Llama-3.1-8B  # model provenance

Auto-discovers Claude Desktop, Claude Code, Cursor, Windsurf, Cline, VS Code Copilot, Continue, Zed, Cortex Code (CoCo), Codex CLI, Gemini CLI, Goose, Snowflake CLI, OpenClaw, Roo Code, Amazon Q, ToolHive, Docker MCP, JetBrains AI, and Junie.

Architecture

Why agent-bom

Traditional scanners tell you a package has a CVE. agent-bom tells you which AI agents are compromised, which credentials leak, which tools an attacker reaches, and gives you a fix-first priority across your entire AI stack.

What sets it apart: AI agent discovery (20 clients), blast radius mapping (CVE → agent → creds → tools), CIS benchmarks (AWS, Snowflake), 10-framework compliance, and policy-as-code — all open source.

How a CVE propagates through your AI stack

CVE-2025-1234  (CRITICAL · CVSS 9.8 · CISA KEV)
  └─ [email protected]  (npm)
       └─ sqlite-mcp  (MCP Server · unverified · 🛡 root)
            ├─ Cursor IDE  (Agent · 4 servers · 12 tools)
            ├─ ANTHROPIC_KEY, DB_URL, AWS_SECRET  (Credentials exposed)
            └─ query_db, read_file, write_file, run_shell  (Tools at risk)

 Fix: upgrade better-sqlite3 → 11.7.0

Scan pipeline

1. Discover — auto-detect MCP configs across 20 clients (Claude Desktop, Cursor, JetBrains AI, Junie, Codex CLI, Gemini CLI, Goose, etc.)
2. Extract — pull server names, package names, env var names, and tool lists. Credential values are never read.
3. Scan — send only package names + versions to public APIs (OSV.dev, NVD, EPSS, CISA KEV). NVD status tracking (Analyzed/Modified/Rejected) with remediation links.
4. Analyze — CVE blast radius mapping, per-CVE compliance tagging across 10 frameworks, tool poisoning detection (--enforce), model provenance
5. Score — posture scorecard (grade A–F), credential risk ranking, incident correlation by agent (P1–P4)
6. Report — JSON, SARIF, CycloneDX, SPDX, HTML, or console output. Alert dispatch to Slack/webhooks. Nothing stored server-side.

Individual developers: Steps 1–4 are automatic. Enterprise features (steps 5–6) activate with --enrich, --posture, or the REST API.

How to deploy

Enterprise scan workflow

Trust guarantees: Read-only (no file writes, no config changes, no servers started). --dry-run previews all files and API calls then exits. Every release is Sigstore-signed. Run agent-bom verify agent-bom to check integrity. See PERMISSIONS.md for the full auditable trust contract.

graph TB
    subgraph Input["Input Sources"]
        MCP["MCP Configs\n20 Clients"]
        Docker["Docker Images"]
        K8s["Kubernetes"]
        Cloud["Cloud APIs\nAWS / Azure / GCP / Snowflake"]
        SBOM["Existing SBOMs\nCycloneDX / SPDX"]
        AI["AI Platforms\nHuggingFace / W&B / MLflow"]
    end

    subgraph Core["Core Engine"]
        Discovery["Discovery Engine"]
        Parser["Package Parser"]
        Scanner["Vulnerability Scanner\nOSV + NVD + EPSS + KEV"]
        Blast["Blast Radius Analyzer"]
        Compliance["Compliance Tagger\n10 Frameworks"]
        Posture["Posture Scorer"]
    end

    subgraph Output["Output Channels"]
        Console["Console / HTML"]
        SBOM_Out["CycloneDX / SPDX / SARIF"]
        API["REST API + MCP Server"]
        Alerts["Slack / Webhook / Jira"]
    end

    MCP --> Discovery
    Docker --> Discovery
    K8s --> Discovery
    Cloud --> Discovery
    SBOM --> Discovery
    AI --> Discovery

    Discovery --> Parser
    Parser --> Scanner
    Scanner --> Blast
    Blast --> Compliance
    Compliance --> Posture

    Posture --> Console
    Posture --> SBOM_Out
    Posture --> API
    Posture --> Alerts

See docs/ARCHITECTURE.md for the full set of architecture diagrams including data flow pipeline, blast radius propagation, compliance framework mapping, and integration architecture.

What it scans

For individual developers

Auto-discover your MCP configs, scan for CVEs, understand blast radius, and fix what matters. No compliance paperwork needed.

CVE scanning + blast radius

Every vulnerability is mapped through your AI stack: which agents are affected, which credentials are exposed, which MCP tools an attacker can reach, and what to fix first.

Enrichment sources: OSV batch (primary), NVD CVSS v4 + status tracking (Analyzed/Modified/Rejected), FIRST EPSS exploit probability, CISA KEV active exploitation catalog, GHSA, NVIDIA CSAF. Each CVE includes remediation source links from NVD references.

Guided remediation

Each fix tells you exactly what will be protected — named agents, credentials, tools, impact percentages, and risk narratives. Fixed versions are identified automatically.

Privilege detection

Every MCP server is assessed for privilege escalation risk:

Privilege levels: critical (privileged container, CAP_SYS_ADMIN) → high (root, shell) → medium (fs write, network) → low (read-only).

MCP runtime introspection

Connect to live servers to discover runtime tools/resources and detect drift from configs. Read-only — only calls tools/list and resources/list.

agent-bom scan --introspect

Tool poisoning detection

Static analysis of MCP tool descriptions for prompt injection patterns, dangerous capability combinations (EXECUTE + WRITE), CVE exposure in server dependencies, and tool drift detection via introspection.

agent-bom scan --enforce                       # tool poisoning + enforcement checks
agent-bom scan --enforce --introspect          # + drift detection against live servers

Malicious package detection

OSV MAL- prefix flagging + typosquat heuristics against 57 popular AI/ML packages. Catches known-malicious npm/PyPI packages before they enter your MCP stack.

Scan CLAUDE.md, .cursorrules, AGENTS.md for embedded MCP servers, packages, and credentials. 7 security checks: typosquat detection, shell access, dangerous server names, unverified servers, excessive credentials, external URLs, unknown packages.

agent-bom scan --skill CLAUDE.md    # explicit
agent-bom scan --scan-prompts       # prompt template security

SHA-256 hash verification, Sigstore signature file detection, and HuggingFace model metadata (author, license, model card, gated status, download count).

agent-bom scan --hf-model meta-llama/Llama-3.1-8B          # HuggingFace provenance
agent-bom scan --model-files ./models --model-provenance   # hash + signature checks

3-tier container scanning (Grype → Syft → Docker CLI fallback). Detect 29+ AI libraries, pip installs, credentials in notebooks. Scan 13 model file formats.

agent-bom scan --image myapp:latest        # Docker image scanning
agent-bom scan --jupyter ./notebooks       # notebook audit
agent-bom scan --model-files ./models      # model file scanning

That's all you need. Run agent-bom scan and you're done.Everything below is for teams deploying agent-bom as an enterprise security platform.

For enterprise teams

Compliance mapping, SBOM export, policy-as-code, posture scoring, CI/CD gates, cloud discovery, and fleet management.

10-framework compliance mapping

Every finding is tagged against ten frameworks simultaneously — both at the blast radius level (deployment context) and at the individual CVE level (severity, KEV, EPSS, CWE, AI package, fix availability):

• OWASP Agentic Top 10 — ASI01 through ASI10 (agent autonomy, tool misuse, spawn persistence)
• OWASP LLM Top 10 — LLM01 through LLM10 (7 categories triggered)
• OWASP MCP Top 10 — MCP01 through MCP10 (8 categories triggered) — token exposure, tool poisoning, supply chain, shadow servers
• MITRE ATLAS — AML.T0010, AML.T0043, AML.T0051, etc. (13 techniques mapped)
• NIST AI RMF 1.0 — Govern, Map, Measure, Manage (12 subcategories mapped)
• EU AI Act — ART-5 through ART-17 (prohibited practices, high-risk classification, cybersecurity)
• NIST CSF 2.0 — Govern, Identify, Protect, Detect, Respond (14 categories mapped)
• ISO 27001:2022 — Annex A controls A.5.19 through A.8.28 (9 controls mapped)
• SOC 2 — Trust Services Criteria CC6 through CC9 (9 criteria mapped)
• CIS Controls v8 — Safeguards CIS-02, CIS-07, CIS-16 (10 safeguards mapped)

CIS Controls v8 vs. CIS Benchmarks: agent-bom ships both. CIS Controls v8 maps generic security safeguards ("what to do"). Platform-specific CIS Benchmarks run live checks ("how to verify"): --aws-cis-benchmark (18 checks, IAM/Storage/Logging/Networking) and --snowflake-cis-benchmark (12 checks, Auth/Network/Data/Monitoring/Access). GCP, Azure, and Kubernetes benchmarks are planned.

AI-BOM export

agent-bom scan -f cyclonedx -o ai-bom.cdx.json   # CycloneDX 1.6
agent-bom scan -f spdx -o ai-bom.spdx.json       # SPDX 3.0
agent-bom scan -f sarif -o results.sarif           # GitHub Security tab
agent-bom scan -f json -o ai-bom.json             # Full AI-BOM
agent-bom scan -f html -o report.html              # Interactive dashboard
agent-bom scan -f mermaid                          # Mermaid supply chain diagram
agent-bom scan -f graph -o graph.json              # Cytoscape-compatible graph JSON

Policy-as-code

agent-bom scan --policy policy.json --fail-on-severity high

Supported policy conditions: severity_gte, is_kev, ai_risk, has_credentials, ecosystem, package_name_contains, min_agents, min_tools, unverified_server, registry_risk_gte, owasp_tag, owasp_mcp_tag, is_malicious, min_scorecard_score, max_epss_score, has_kev_with_no_fix. See policy.json for an example template.

Enterprise security operations

Posture scorecard — letter grade (A–F), numeric score (0–100), 6-dimension breakdown:

Incident correlation — group vulnerabilities by agent for SOC workflows:

• Priority levels: P1 (KEV/multi-critical) → P2 (critical+creds) → P3 (high) → P4 (monitor)
• Per-agent: unique CVEs, KEV IDs, exposed credentials, affected packages, recommended actions

Credential risk ranking — rank all exposed credentials by blast radius:

• Risk tiers: critical (critical CVE exposure) → high → medium → low
• Aggregated across all agents and servers per credential

Cloud provider discovery

See AI Infrastructure Scanning Guide for GPU container scanning examples (NVIDIA + AMD ROCm).

agent-bom scan --aws --aws-region us-east-1       # Bedrock, Lambda, EKS, ECS, EC2, Step Functions
agent-bom scan --aws --aws-cis-benchmark          # CIS AWS Foundations v3.0 (18 checks)
agent-bom scan --snowflake                         # Cortex Agents, MCP Servers, Search, Snowpark
agent-bom scan --snowflake-cis-benchmark          # CIS Snowflake Benchmark v1.0 (12 checks)
agent-bom scan --databricks                        # Cluster libraries, model serving
agent-bom scan --nebius --nebius-project-id proj   # GPU cloud K8s + containers
agent-bom scan --k8s --context=coreweave-cluster   # CoreWeave / any K8s

Snowflake is the deepest integration — includes governance audit (access history, privilege grants, data classification), agent activity timeline, and Cortex observability. Other providers have functional discovery at varying depth. PRs welcome.

The dashboard (agent-bom api) serves interactive React Flow graphs:

• Agent Mesh (/mesh) — cross-agent topology with vulnerability overlay, shared server detection, credential blast analysis
• Attack Flow (/scan?view=attack-flow) — CVE-centric blast radius graph: CVE → Package → Server → Agent → Credentials → Tools
• Supply Chain Lineage (/graph) — full dependency lineage with hover highlighting and detail panels
• Context Graph (/context) — lateral movement analysis: agent-to-agent attack paths via shared servers, credentials, and tools

LLM-generated risk narratives, executive summaries, and threat chain analysis. Works with local Ollama (free) or 100+ providers via litellm.

agent-bom scan --ai-enrich                              # auto-detect Ollama
agent-bom scan --ai-enrich --ai-model ollama/llama3      # specific model

Beyond OSV.dev, agent-bom checks supplemental sources to catch CVEs not yet indexed:

• GitHub Security Advisories (GHSA) — all ecosystems (PyPI, npm, Go, Maven, Cargo, NuGet)
• NVIDIA CSAF advisories — GPU/ML packages (CUDA, cuDNN, TensorRT, NCCL)

Both sources deduplicate by CVE ID against OSV results.

Deployment

GitHub Action

- uses: msaad00/[email protected]
  with:
    severity-threshold: high
    upload-sarif: true
    enrich: true
    fail-on-kev: true

REST API

pip install agent-bom[api]
agent-bom api --api-key $SECRET --rate-limit 30   # http://127.0.0.1:8422/docs

MCP Server

pip install agent-bom[mcp-server]
agent-bom mcp-server                    # stdio
agent-bom mcp-server --transport sse    # remote

18 tools: scan, check, blast_radius, policy_check, registry_lookup, generate_sbom, compliance, remediate, verify, where, inventory, diff, skill_trust, marketplace_check, code_scan, context_graph, analytics_query, cis_benchmark

Cloud UI

cd ui && npm install && npm run dev   # http://localhost:3000

15-section Next.js dashboard:

Snowflake Deployment

pip install 'agent-bom[api,snowflake]'

Set SNOWFLAKE_ACCOUNT + SNOWFLAKE_USER + auth (SNOWFLAKE_PRIVATE_KEY_PATH or SNOWFLAKE_PASSWORD) and the API auto-switches to Snowflake persistence.

See DEPLOYMENT.md for full Snowflake architecture and setup instructions.

MCP Server Registry (427+ servers)

Registry of 427+ known MCP servers with risk levels, tool inventories, credential env vars, categories, and version pins. Risk levels are derived from server category (filesystem/shell = high, database/cloud = medium, search/monitoring = low). Credential env vars are inferred from package-name heuristics (21 patterns). Auto-synced weekly from the Official MCP Registry. 375 servers manually verified; 52 auto-enriched. Unverified servers trigger warnings. Policy rules can block them in CI.

Browse: mcp_registry.json | Expand: python scripts/expand_registry.py

AI supply chain coverage

See AI Infrastructure Scanning Guide for GPU container scanning examples (NVIDIA + AMD ROCm).

Trust & permissions

• --dry-run — preview every file and API URL before access, then exit without reading anything
• PERMISSIONS.md — auditable trust contract with all config paths enumerated
• Read-only — never writes configs, runs servers, provisions resources, or stores secrets
• Credential redaction — only env var names in reports; values, tokens, passwords never read
• Sigstore signed — releases v0.7.0+ signed via cosign OIDC; verify PyPI integrity with agent-bom verify [email protected] (SHA-256 + SLSA provenance)
• No binary needed (MCP) — SSE transport requires zero local install; local CLI available for air-gapped use
• OpenSSF Scorecard — automated supply chain scoring

Roadmap

Shipped:

• Cloud AI inventory — AWS Bedrock, Azure AI Foundry, GCP Vertex, Snowflake Cortex, Databricks, Nebius
• Tool poisoning / prompt injection detection — --enforce with description injection, capability combos, CVE exposure, drift
• Model weight provenance — SHA-256 hash, Sigstore file detection, HuggingFace metadata (--model-provenance, --hf-model)
• 20 MCP client discovery — JetBrains AI, Junie, Codex CLI, Gemini CLI, Goose, Snowflake CLI, full Cortex Code (CoCo) coverage
• K8s AI workload discovery — --k8s --all-namespaces with pod-level scanning
• OWASP MCP Top 10 compliance mapping — MCP01–MCP10 risk tagging
• Malicious package detection — OSV MAL- prefix flagging + typosquat heuristics
• OpenSSF Scorecard enrichment — --scorecard for package health scoring
• AI framework package recognition — GPU/ML packages (CUDA, ROCm, vLLM, JAX, etc.) flagged as high-risk in image scans
• Runtime MCP proxy — opt-in stdio proxy (agent-bom proxy) wraps individual MCP server commands for traffic interception; requires per-server client reconfiguration
• Enterprise integrations — Jira, Slack, Vanta, Drata
• Runtime sidecar Docker container — Dockerfile.runtime + Docker Compose for MCP proxy deployment
• EU AI Act compliance mapping — ART-5 through ART-17 risk classification
• OWASP Agentic Top 10 — ASI01 through ASI10 agent-specific risk tagging
• Marketplace trust check — marketplace_check MCP tool for pre-install validation
• OpenTelemetry trace ingestion — POST /v1/traces for vulnerable tool call flagging
• CMMC/FedRAMP compliance evidence export — --compliance-export ZIP bundles
• Agent spawn tree visualization — parent-child delegation chains
• RSP v3.0 alignment badge — Anthropic Responsible Scaling Policy compliance indicator
• Claude Code config security scanner — Check Point CVE vector detection
• Over-permission analyzer — mission profile enforcement per agent type
• Alert pipeline — AlertDispatcher with Slack, webhook, and in-memory channels; auto-trigger on scan
• Runtime protection engine — unified 5-detector orchestration with OTel trace ingestion
• Multi-tenant fleet — tenant_id scoping, X-Tenant-ID header, per-tenant stats
• Enterprise posture scorecard — letter grade (A–F), 6-dimension breakdown, auto-computed in scan output
• Incident correlation — per-agent vulnerability grouping with P1–P4 priority for SOC workflows
• Credential risk ranking — blast radius severity ranking for all exposed credentials
• Slack blast radius enrichment — webhook payloads include risk score, agents, credentials, fix versions
• Advanced policy conditions — min_scorecard_score, max_epss_score, has_kev_with_no_fix
• Enterprise hardening — bounded caches, SQLite indexes, stuck job cleanup, Content-Length validation
• Agent context graph — lateral movement analysis via shared servers, credentials, and tools; BFS attack path discovery
• Enterprise security hardening — per-job thread locks, SSRF protection, error sanitization, RBAC least privilege, path traversal guards
• NIST CSF 2.0 compliance mapping (14 categories across Govern, Identify, Protect, Detect, Respond)
• ISO 27001:2022 compliance mapping (9 Annex A controls, A.5.19–A.8.28)
• SOC 2 Trust Services Criteria (9 criteria, CC6–CC9)
• CIS Controls v8 (10 safeguards, CIS-02/CIS-07/CIS-16)
• Critical-only severity triggers (EU AI Act ART-5 Prohibited Practices)
• SSH/OAuth/PKI/SCIM credential detection
• SAST code scanning — Semgrep wrapper with CWE-based compliance mapping across all 10 frameworks (code_scan MCP tool)
• NVD vulnerability status tracking — Analyzed/Modified/Rejected status per CVE + remediation source links from NVD references
• CVE-level compliance tagging — per-vulnerability framework mapping across all 10 frameworks (severity, KEV, EPSS, CWE, AI package, fix availability)
• CIS AWS Foundations Benchmark v3.0 — 18 live checks across IAM, Storage, Logging, Networking (--aws-cis-benchmark)
• CIS Snowflake Benchmark v1.0 — 12 live checks across Auth, Network, Data Protection, Monitoring, Access Control (--snowflake-cis-benchmark)

Planned:

• Platform-specific CIS Benchmarks:
  • GCP Foundations Benchmark v3.0
  • Azure Foundations Benchmark v2.1
  • Kubernetes Benchmark v1.9
• Snowflake org-level multi-account CIS evaluation
• License compliance engine
• Workflow engine scanning (n8n, Zapier, Make)

Contributing

git clone https://github.com/msaad00/agent-bom.git && cd agent-bom
pip install -e ".[dev]"
pytest && ruff check src/

See CONTRIBUTING.md | SECURITY.md | CODE_OF_CONDUCT.md | Skills

Apache 2.0 — LICENSE