agent-bom

msaad00/agent-bom
2236 · tools · auth · STDIO · registry active
Summary

If you're running AI agents in production or building on MCP, this scanner gives you the blast-radius view you actually need. It inventories agents, MCP servers, tools, packages, and credential references, then maps vulnerabilities from OSV and GHSA through the dependency graph to show which agents can reach which exposed attack paths. You get CLI output for CI gates, MCP tools for agent-driven security queries, and a self-hosted dashboard that visualizes the full mesh. The quickstart command seeds demo data so you can see graph-backed findings before pointing it at your own stack. Useful when you need to answer "what breaks if this package is compromised?" or enforce pre-install guards across a fleet.


Tools

Public tool metadata for what this MCP can expose to an agent.

36 tools
scan (13 params)
Run a full AI supply chain security scan. Discovers local MCP configurations (Claude Desktop, Cursor, Windsurf, VS Code Copilot, OpenClaw, etc.), extracts package dependencies, queries OSV.dev for CVEs, assesses config security (credential exposure, tool access), computes blas...
Parameters:
  image (value): Docker image to scan (e.g. 'nginx:1.25', 'ghcr.io/org/app:v1').
  enrich (boolean, default: false): Enable NVD CVSS, EPSS probability, and CISA KEV enrichment.
  policy (value): Policy object to evaluate alongside scan results, e.g. {"rules": [{"id": "no-critical", "severity_gte": "critical", "action": "fail"}]}.
  sbom_path (value): Path to an existing CycloneDX or SPDX JSON SBOM file to ingest.
  scorecard (boolean, default: false): Enrich packages with OpenSSF Scorecard scores (requires resolvable GitHub repos).
  db_sources (value): Comma-separated DB sources to sync before scanning (e.g. 'nvd,ghsa,osv,epss,kev').
  transitive (boolean, default: false): Resolve transitive dependencies for npx/uvx packages.
  config_path (value): Path to MCP client config directory. Auto-discovers all if omitted.
  fail_severity (value): Return failure status if vulns at this severity or higher exist: critical, high, medium, low.
  output_format (string, default: json): Output format: 'json', 'sarif', 'cyclonedx', 'spdx', 'junit', 'csv', or 'markdown'.
  warn_severity (value): Return warning status (gate_status=warn, exit 0) when vulns at this severity or higher exist. Use with fail_severity for a two-tier CI gate, e.g. warn_severity='medium', fail_severity='critical'.
  auto_update_db (boolean, default: true): Auto-refresh the local vuln DB if stale (>7 days) before scanning.
  verify_integrity (boolean, default: false): Verify package SHA-256/SRI hashes and SLSA provenance against registries.

check (2 params)
Check a specific package for known CVEs before installing. Queries OSV.dev for vulnerabilities in the given package. Use this before installing an MCP server or dependency to verify it is safe. Args: package: Package name with optional version, e.g. "express@4.18.2", "@modelco...
Parameters:
  package (string): Package name with optional version, e.g. 'express@4.18.2', '@modelcontextprotocol/server-filesystem@2025.1.14', or 'requests' (resolves @latest).
  ecosystem (string, default: npm): Package ecosystem: 'npm', 'pypi', 'go', 'cargo', 'maven', 'nuget', 'rubygems', 'composer', 'swift', 'pub', 'hex', 'conda', 'deb', 'apk', or 'rpm'.

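The `check` tool's `package` argument mixes two spellings of a pinned version (npm's `name@version`, with scoped names that themselves start with `@`, and PyPI's `name==version`). The block below is an added example, not agent-bom's own code: it normalises such a spec into the request body OSV.dev's `/v1/query` endpoint accepts and reduces a reply in OSV's JSON shape to its worst severity. The ecosystem-name mapping covers only the ecosystems we are sure of, and SAMPLE_RESPONSE is constructed, not real advisory data.

```python
"""Added example, not agent-bom's own code: turn the `package` / `ecosystem` arguments
described for the `check` tool into an OSV.dev /v1/query request body, and reduce a
reply in OSV's JSON shape to its worst severity. The ecosystem mapping covers only the
names we are sure of, and SAMPLE_RESPONSE is constructed, not real advisory data."""
from __future__ import annotations

import json

# OSV.dev ecosystem identifiers for the subset of agent-bom's ecosystems covered here
# (assumed mapping; extend from the OSV schema's ecosystem list as needed).
OSV_ECOSYSTEM = {"npm": "npm", "pypi": "PyPI", "go": "Go", "cargo": "crates.io",
                 "maven": "Maven", "nuget": "NuGet", "rubygems": "RubyGems"}

# GHSA says MODERATE where agent-bom's gates say medium; both rank the same.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "moderate": 2, "low": 1}


def parse_package_spec(spec: str, ecosystem: str = "npm") -> tuple[str, str | None]:
    """Split 'name@version' / 'name==version' into (name, version or None).

    npm scoped names begin with '@', so only an '@' after the first character
    separates the version; '@latest' means unpinned, the same as no version."""
    spec = spec.strip()
    if ecosystem == "pypi":
        name, _, version = spec.partition("==")
        return name.strip(), (version.strip() or None)
    if "@" in spec[1:]:
        name, _, version = spec.rpartition("@")
        return name, (None if version in ("", "latest") else version)
    return spec, None


def osv_query(spec: str, ecosystem: str = "npm") -> dict:
    """Body for POST https://api.osv.dev/v1/query. With `version` present OSV matches
    affected ranges server-side; without it, every record for the package comes back."""
    name, version = parse_package_spec(spec, ecosystem)
    body = {"package": {"name": name, "ecosystem": OSV_ECOSYSTEM[ecosystem]}}
    if version:
        body["version"] = version
    return body


def summarise_osv_response(resp: dict) -> dict:
    """Collect advisory ids and the highest textual severity from a /v1/query reply.

    GHSA-sourced OSV records carry the label in database_specific.severity; records
    that only have a CVSS vector are counted but contribute no label here."""
    worst, ids = 0, []
    for vuln in resp.get("vulns", []):
        ids.append(vuln["id"])
        label = str((vuln.get("database_specific") or {}).get("severity", "")).lower()
        worst = max(worst, SEVERITY_RANK.get(label, 0))
    names = {4: "critical", 3: "high", 2: "medium", 1: "low", 0: "none"}
    return {"count": len(ids), "ids": ids, "max_severity": names[worst]}


# Constructed reply in OSV's shape; the ids and severities are placeholders.
SAMPLE_RESPONSE = {"vulns": [
    {"id": "GHSA-0000-0000-0001", "database_specific": {"severity": "HIGH"}},
    {"id": "GHSA-0000-0000-0002", "database_specific": {"severity": "MODERATE"}},
]}

if __name__ == "__main__":
    print(json.dumps(osv_query("@modelcontextprotocol/server-filesystem@2025.1.14")))
    print(summarise_osv_response(SAMPLE_RESPONSE))
```

The one subtlety worth keeping is the scoped-name rule: splitting on the first `@` would turn `@modelcontextprotocol/server-filesystem` into an empty name and a bogus version, which is exactly the kind of silent miss a pre-install guard must not have.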
blast_radius (1 param)
Look up the blast radius of a specific CVE across your AI agent setup. Scans local MCP configurations, finds the specified CVE, and returns the full attack chain: which packages are affected, which MCP servers use those packages, which agents connect to those servers, and what...
Parameters:
  cve_id (string): CVE identifier to look up, e.g. 'CVE-2024-1234' or 'GHSA-xxxx'.

policy_check (1 param)
Evaluate a security policy against current scan results. Runs a scan, then evaluates the provided policy rules against the findings. Policies can gate on severity thresholds, CISA KEV status, AI risk flags, credential exposure, and denied packages. Args: policy_json: JSON stri...
Parameters:
  policy_json (string): JSON string containing policy rules, e.g. {"rules": [{"id": "no-critical", "severity_gte": "critical", "action": "fail"}]}.

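Both the `scan` tool's `warn_severity` / `fail_severity` pair and `policy_check`'s rule list reduce to the same decision: which findings sit at or above a threshold, and whether that is a warning (status `warn`, exit 0) or a failure (non-zero exit). The evaluator below is an added example, not agent-bom's own code. It implements the documented `severity_gte` / `action` rule shape and expresses the two-tier CLI gate as two generated rules; the `kev_only` rule key and SAMPLE_FINDINGS are our assumptions, added to show how a KEV gate would slot into the same loop.

```python
"""Added example, not agent-bom's own code: a small evaluator for the policy rule shape
shown for `policy_check` ({"rules": [{"id": "no-critical", "severity_gte": "critical",
"action": "fail"}]}) and for the `scan` tool's two-tier warn_severity / fail_severity
gate. The gate semantics follow the page (fail => non-zero exit, warn => status 'warn'
with exit 0); the `kev_only` rule key and SAMPLE_FINDINGS are our assumptions."""
from __future__ import annotations

SEVERITY_ORDER = ("low", "medium", "high", "critical")


def rank(severity: str) -> int:
    return SEVERITY_ORDER.index(severity.lower())


def evaluate_policy(findings: list[dict], policy: dict) -> dict:
    """Apply every rule; 'fail' outranks 'warn', which outranks 'pass'."""
    status, violations = "pass", []
    for rule in policy.get("rules", []):
        hits = findings
        if "severity_gte" in rule:
            threshold = rank(rule["severity_gte"])
            hits = [f for f in hits if rank(f["severity"]) >= threshold]
        if rule.get("kev_only"):                  # assumed key: only CISA KEV-listed findings
            hits = [f for f in hits if f.get("kev")]
        if not hits:
            continue
        action = rule.get("action", "fail")
        violations.append({"rule": rule["id"], "action": action,
                           "ids": sorted(f["id"] for f in hits)})
        if action == "fail":
            status = "fail"
        elif action == "warn" and status == "pass":
            status = "warn"
    return {"gate_status": status, "violations": violations,
            "exit_code": 1 if status == "fail" else 0}


def two_tier_gate(findings: list[dict], warn_severity: str | None = None,
                  fail_severity: str | None = None) -> dict:
    """warn_severity / fail_severity expressed as two generated rules."""
    rules = []
    if fail_severity:
        rules.append({"id": f"fail-at-{fail_severity}", "severity_gte": fail_severity,
                      "action": "fail"})
    if warn_severity:
        rules.append({"id": f"warn-at-{warn_severity}", "severity_gte": warn_severity,
                      "action": "warn"})
    return evaluate_policy(findings, {"rules": rules})


# Constructed findings with placeholder ids, not real scan output.
SAMPLE_FINDINGS = [
    {"id": "VULN-DEMO-1", "severity": "high", "package": "tiny-util@1.0.0", "kev": False},
    {"id": "VULN-DEMO-2", "severity": "medium", "package": "demo-server-git@1.0.0", "kev": True},
]

if __name__ == "__main__":
    print(two_tier_gate(SAMPLE_FINDINGS, warn_severity="medium", fail_severity="critical"))
```

Note that a warn rule never downgrades a fail already recorded by an earlier rule; order of rules in the policy therefore does not change the outcome, only the order of the violation list.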
registry_lookup (2 params)
Query the agent-bom MCP server threat intelligence registry. Look up risk level, known tools, credential requirements, and verification status for known MCP servers. The registry contains 109+ servers with security metadata. Args: server_name: MCP server name to look up (e.g....
Parameters:
  server_name (value): MCP server name to look up, e.g. 'filesystem', '@modelcontextprotocol/server-github'.
  package_name (value): Package name to search for, e.g. 'mcp-server-sqlite'. At least one of server_name or package_name is required.

generate_sbom (2 params)
Generate a Software Bill of Materials (SBOM) for your AI agent setup. Discovers AI agents and MCP servers, extracts all package dependencies, and generates a standards-compliant SBOM. Args: format: SBOM format — "cyclonedx" (CycloneDX 1.6) or "spdx" (SPDX 3.0). config_path: Pa...
Parameters:
  format (string, default: cyclonedx): SBOM format: 'cyclonedx' (CycloneDX 1.6) or 'spdx' (SPDX 3.0).
  config_path (value): Path to MCP client config directory. Auto-discovers all if omitted.

compliance (2 params)
Get OWASP LLM Top 10 / OWASP MCP Top 10 / MITRE ATLAS / NIST AI RMF compliance posture. Scans local MCP configurations, maps findings to 47 security controls across four AI security frameworks, and returns per-control pass/warning/fail status with an overall compliance score....
Parameters:
  image (value): Docker image to scan, e.g. 'nginx:1.25'.
  config_path (value): Path to MCP client config directory. Auto-discovers all if omitted.

remediate (2 params)
Generate a remediation plan for vulnerabilities in your AI agent setup. Scans for vulnerabilities, then generates actionable fix commands for each affected package (npm install, pip install), credential scope reduction guidance, and reports on unfixable vulnerabilities. Args:...
Parameters:
  image (value): Docker image to scan, e.g. 'nginx:1.25'.
  config_path (value): Path to MCP client config directory. Auto-discovers all if omitted.

skill_scan (1 param)
Scan skill and instruction files for trust, findings, and provenance. Discovers supported files such as `CLAUDE.md`, `AGENTS.md`, `.cursorrules`, and `skills/*.md`, then parses referenced packages, MCP servers, credential env vars, audit findings, and trust verdicts.
Parameters:
  path (string, default: .): Path to a skill/instruction file or directory to scan.

skill_verify (1 param)
Verify Sigstore provenance for skill and instruction files.
Parameters:
  path (string, default: .): Path to a skill/instruction file or directory to verify.

skill_trust (1 param)
Assess the trust level of a SKILL.md file using ClawHub-style categories. Parses a SKILL.md file, runs security audit checks, then evaluates trust across 5 categories: Purpose & Capability, Instruction Scope, Install Mechanism, Credentials, and Persistence & Privilege. Returns...
Parameters:
  skill_path (string): Path to a SKILL.md file (or any skill/instruction file) to assess.

verify (2 params)
Verify package integrity and SLSA provenance against registries. Checks SHA-256/SRI hashes against npm/PyPI registries and looks up SLSA build provenance attestations to confirm the package was built from its claimed source repository. Returns: JSON with integrity verification...
Parameters:
  package (string): Package name with optional version, e.g. 'express@4.18.2' or 'requests==2.31.0'.
  ecosystem (string, default: npm): Package ecosystem: 'npm' or 'pypi'.

where (0 params)
Show all MCP discovery paths and which config files exist. Lists every known MCP client config path per platform, indicating which files are present on the current system. Useful for debugging discovery issues or understanding where MCP configs live. Returns: JSON with per-cli...
Parameters: no parameter schema in public metadata yet.

inventory (1 param)
List all discovered MCP configurations and servers without CVE scanning. Performs fast discovery and package extraction only — no vulnerability scanning. Use this for a quick inventory of configs, servers, and packages. Returns: JSON with discovered agents, their MCP servers,...
Parameters:
  config_path (value): Path to MCP client config directory. Auto-discovers all if omitted.

tool_risk_assessment (2 params)
Score live-introspected MCP tool capabilities and server risk. Uses runtime `tools/list` data to classify tool capabilities (READ/WRITE/EXECUTE/NETWORK/etc.) and compute a per-server risk profile. Returns: JSON with per-server tool profiles, capability counts, dangerous combin...
Parameters:
  timeout (number, default: 10): Per-server introspection timeout in seconds.
  config_path (value): Path to MCP client config directory. Auto-discovers all if omitted.

diff (1 param)
Compare a fresh scan against a baseline to find new and resolved vulns. Runs a new scan, then diffs it against the provided baseline (or the latest saved report). Shows new vulnerabilities, resolved ones, and changes in the package inventory. Returns: JSON with new findings, r...
Parameters:
  baseline (value): Baseline report JSON object. If omitted, uses the latest saved report from history.

marketplace_check (2 params)
Pre-install trust check for an MCP server package. Queries the package registry (npm or PyPI) for metadata and cross-references against the agent-bom MCP threat intelligence registry. Returns trust signals including download count, CVE status, and registry verification. Args:...
Parameters:
  package (string): Package name, e.g. 'express', 'langchain'.
  ecosystem (string, default: npm): Package ecosystem: 'npm' or 'pypi'.

code_scan (2 params)
Run SAST (Static Application Security Testing) on source code via Semgrep. Scans for security flaws: SQL injection, XSS, command injection, hardcoded credentials, insecure deserialization, path traversal, etc. Returns findings with CWE classifications and severity levels. Requ...
Parameters:
  path (string): Path to source code directory to scan.
  config (string, default: auto): Semgrep config. 'auto' = Semgrep Registry rules. Can be a path or registry string.

context_graph (3 params)
Build an agent context graph with lateral movement analysis. Models reachability between agents, servers, credentials, tools, and vulnerabilities. Answers: "If agent X is compromised, what else becomes reachable?" Returns: JSON with nodes, edges, lateral_paths, interaction_ris...
Parameters:
  max_depth (integer, default: 4): Max BFS depth for lateral path discovery (1-6).
  config_path (value): Path to MCP config directory. Omit to auto-discover.
  source_agent (value): Agent name to compute lateral paths from. Omit for all agents.

graph_export (2 params)
Export the agent dependency graph in graph-native formats. Formats:
  - graphml — yEd, Gephi, NetworkX compatible with AIBOM-typed attributes
  - cypher — Neo4j import script with AIBOM node labels (AIAgent, MCPServer, Package, Vulnerability)
  - dot — Graphviz (pipe thr...
Parameters:
  format (string, default: json): Export format: graphml, cypher, dot, mermaid, or json.
  config_path (value): Path to MCP config directory. Omit to auto-discover.

analytics_query (5 params)
Query vulnerability trends, posture history, and runtime event summaries from ClickHouse. Requires AGENT_BOM_CLICKHOUSE_URL to be set. Returns empty results if ClickHouse is not configured.
Parameters:
  query_type (string): Query type: vuln_trends, top_cves, posture_history, or event_summary.
  days (integer, default: 30): Lookback window in days. Used by vuln_trends and posture_history.
  hours (integer, default: 24): Lookback window in hours. Used by event_summary.
  limit (integer, default: 20): Max results for top_cves.
  agent (value): Filter by agent name. Used by vuln_trends and posture_history.

cis_benchmark (6 params)
Run CIS benchmark checks against a cloud account. Evaluates security posture against CIS Foundations Benchmarks:
  - AWS Foundations v3.0: 18 checks (IAM, Storage, Logging, Networking)
  - Snowflake v1.0: 12 checks (Auth, Network, Data Protection, Monitoring, Access Control)
  - Azu...
Parameters:
  provider (string): Cloud provider: 'aws', 'snowflake', 'azure', or 'gcp'.
  checks (value): Comma-separated check IDs to run (e.g. '1.1,2.1'). Omit to run all.
  region (value): AWS region (only for provider=aws). Defaults to us-east-1.
  profile (value): AWS CLI profile (only for provider=aws).
  project_id (value): GCP project ID (only for provider=gcp). Falls back to the GOOGLE_CLOUD_PROJECT env var.
  subscription_id (value): Azure subscription ID (only for provider=azure). Falls back to the AZURE_SUBSCRIPTION_ID env var.

fleet_scan (1 param)
Batch-scan a list of MCP server names against the security metadata registry. Designed for fleet inventory data (CrowdStrike, SIEM, CSV exports) where you have server names but not versions. Returns per-server risk assessment with registry match status, risk category, tools, c...
Parameters:
  servers (string): Comma-separated or newline-separated list of MCP server names to scan, e.g. '@modelcontextprotocol/server-filesystem, brave-search, glean, 50 sleep'.

runtime_correlate (3 params)
Cross-reference vulnerability scan results with proxy runtime audit logs. Identifies which vulnerable tools were ACTUALLY CALLED in production, distinguishing confirmed attack surface from theoretical risk. Produces risk-amplified findings: a vulnerable tool that was called 10...
Parameters:
  audit_log (string, default: empty): Path to proxy audit JSONL log file (generated by 'agent-bom proxy --log audit.jsonl').
  otel_trace (string, default: empty): Path to OTel OTLP JSON trace file for ML API provenance (detects deprecated/vulnerable model versions).
  config_path (string, default: auto): Path to MCP config directory (e.g. ~/.config/claude) or 'auto' for default discovery.

vector_db_scan (1 param)
Scan for running vector databases and assess their security posture. Probes well-known ports for Qdrant (6333), Weaviate (8080), Chroma (8000), and Milvus (9091). For each discovered instance checks:
  - Authentication required (no_auth flag if collections are accessible without cre...
Parameters:
  hosts (value): Comma-separated hosts to probe (default: 127.0.0.1). Example: '127.0.0.1,10.0.0.5'.

aisvs_benchmark (1 param)
Run AISVS v1.0 (AI Security Verification Standard) compliance checks. Evaluates the local AI system stack against OWASP AISVS v1.0 controls:
  - AI-4.1 Model files use safe serialization (not pickle/pt/bin)
  - AI-4.2 Model files have cryptographic integrity digest
  - AI-4.3 Ollama...
Parameters:
  checks (value): Comma-separated AISVS check IDs to run (e.g. 'AI-4.1,AI-6.1'). Omit to run all 9 checks.

gpu_infra_scan (2 params)
Discover GPU/AI compute infrastructure: containers, K8s nodes, and DCGM endpoints. Scans for GPU-enabled workloads from the local Docker daemon and Kubernetes clusters. Identifies NVIDIA base images, CUDA/cuDNN versions, explicit GPU device assignments, and unauthenticated DCG...
Parameters:
  probe_dcgm (boolean, default: true): Whether to probe DCGM exporter endpoints on port 9400 (unauthenticated metrics leak detection).
  k8s_context (value): kubectl context to use for K8s GPU node discovery. Omit for the current context.

dataset_card_scan (1 param)
Scan a directory for ML dataset card metadata and provenance. Discovers and parses:
  - HuggingFace dataset_info.json (auto-generated metadata)
  - HuggingFace README.md YAML frontmatter (dataset cards)
  - DVC .dvc tracking files (data versioning provenance)
Flags: UNLICENSED_DATAS...
Parameters:
  directory (string): Directory path to scan for dataset cards (dataset_info.json, README.md frontmatter, .dvc files).

training_pipeline_scan (1 param)
Scan a directory for ML training pipeline lineage and provenance. Discovers and parses:
  - MLflow: meta.yaml, MLmodel, requirements.txt, conda.yaml
  - Kubeflow: Argo workflow YAML, KFP v2 pipelineSpec YAML
  - W&B: wandb-metadata.json, config.yaml, wandb-summary.json
Flags: UNSAFE...
Parameters:
  directory (string): Directory path to scan for training pipeline artifacts (MLflow, Kubeflow, W&B).

browser_extension_scan (1 param)
Scan installed browser extensions for dangerous permissions. Scans Chrome, Chromium, Brave, Edge, and Firefox for extensions with:
  - nativeMessaging (can execute arbitrary commands)
  - debugger (can intercept all browser traffic)
  - cookies/clipboardRead on AI domains
  - Broad ho...
Parameters:
  include_low_risk (boolean, default: false): Include low-risk extensions in results (default: only medium+ risk).

model_provenance_scan (2 params)
Check ML model provenance and supply chain metadata. Queries HuggingFace Hub or Ollama for:
  - Serialization format (safetensors=safe, pickle/pt=unsafe)
  - SHA256 digest verification
  - Gated/private status
  - Model card presence
  - Risk assessment (critical/high/medium/safe)
Retur...
Parameters:
  model_id (string): HuggingFace model ID (e.g. 'meta-llama/Llama-3-8B') or Ollama model name (e.g. 'llama3').
  source (string, default: huggingface): Model source: 'huggingface' or 'ollama'.

prompt_scan (1 param)
Scan prompt template files for injection risks and security issues. Discovers and analyzes:
  - .prompt files
  - system_prompt.* files
  - Files in prompts/ directories
Checks for injection patterns, unsafe variable interpolation, and missing guardrails in prompt templates.
Parameters:
  directory (string): Directory path to scan for prompt template files (.prompt, system_prompt.*, prompts/ directories).

model_file_scan (1 param)
Scan a directory for ML model files and assess serialization risks. Discovers model files and checks:
  - Serialization format (safetensors=safe, pickle/joblib=unsafe)
  - File size and format metadata
  - GGUF/GGML quantization details
  - Known unsafe patterns in pickle-based format...
Parameters:
  directory (string): Directory path to scan for ML model files (.gguf, .safetensors, .onnx, .pt, .pkl, .h5, etc.).

ai_inventory_scan (1 param)
Scan source code for AI component usage patterns. Detects:
  - AI SDK imports (openai, anthropic, langchain, etc.) across 7 languages
  - Model string references (gpt-4o, claude-3-5-sonnet, llama-3, etc.)
  - Hardcoded API keys (sk-proj-*, sk-ant-*, hf_*, etc.)
  - Deprecated model us...
Parameters:
  directory (string): Directory to scan for AI SDK imports, model refs, API keys, shadow AI (Python/JS/TS/Java/Go/Rust/Ruby).

license_compliance_scan (2 params)
Evaluate package licenses against compliance policy. Categorizes each package license using the full SPDX catalog (2,500+ licenses) with proper expression parsing (OR/AND/WITH), deprecated ID normalization, and network-copyleft detection (AGPL, EUPL, OSL). Risk tiers: permissi...
Parameters:
  scan_json (string): JSON string of a previous scan result (from the 'scan' tool) containing agents with packages, or a JSON array of {"name": "pkg", "version": "1.0", "ecosystem": "npm", "license": "MIT"} objects.
  policy_json (string, default: empty): Optional JSON policy: {"license_block": ["GPL-*"], "license_warn": ["LGPL-*"]}. Uses the default policy (block GPL/AGPL/SSPL/BUSL/EUPL/OSL, warn LGPL/MPL/EPL/CDDL) if empty.

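A license field is rarely a single identifier: `MIT OR GPL-2.0-only`, `(MIT OR Apache-2.0) AND AGPL-3.0-only`, and `GPL-2.0-only WITH Classpath-exception-2.0` all need the expression parsed before a glob policy can be applied, and a bare `GPL-2.0` has to be normalised to its non-deprecated form first. The block below is an added example, not agent-bom's own code: a recursive-descent SPDX expression evaluator that applies the `license_block` / `license_warn` glob policy shape documented above. The default globs are the ones the page lists; the deprecated-id table and the OR/AND semantics (OR lets the consumer pick the least restrictive branch, AND takes the most restrictive) are our assumptions about how such an evaluator should behave.

```python
"""Added example, not agent-bom's own code: evaluate an SPDX license expression
(with OR / AND / WITH and parentheses) against the block/warn glob policy shape the
`license_compliance_scan` tool documents. The default globs are the page's defaults;
the deprecated-id table and the OR/AND semantics (OR lets the consumer choose the
least restrictive branch, AND takes the most restrictive) are our assumptions."""
from __future__ import annotations

import re
from fnmatch import fnmatchcase

DEFAULT_POLICY = {
    "license_block": ["GPL-*", "AGPL-*", "SSPL-*", "BUSL-*", "EUPL-*", "OSL-*"],
    "license_warn": ["LGPL-*", "MPL-*", "EPL-*", "CDDL-*"],
}
# Network copyleft: obligations trigger on use over a network, not just on distribution.
NETWORK_COPYLEFT_PREFIXES = ("AGPL-", "EUPL-", "OSL-")
# A few SPDX ids deprecated in favour of the explicit -only / -or-later forms.
DEPRECATED_IDS = {"GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",
                  "GPL-3.0": "GPL-3.0-only", "GPL-3.0+": "GPL-3.0-or-later",
                  "LGPL-2.1": "LGPL-2.1-only", "LGPL-2.1+": "LGPL-2.1-or-later",
                  "LGPL-3.0": "LGPL-3.0-only"}
VERDICT_RANK = {"pass": 0, "warn": 1, "block": 2}
KEYWORDS = {"AND", "OR", "WITH"}
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def normalise(license_id: str) -> str:
    return DEPRECATED_IDS.get(license_id, license_id)


def classify_id(license_id: str, policy: dict) -> str:
    lid = normalise(license_id)
    if any(fnmatchcase(lid, g) for g in policy.get("license_block", [])):
        return "block"
    if any(fnmatchcase(lid, g) for g in policy.get("license_warn", [])):
        return "warn"
    return "pass"


class _SpdxParser:
    """Recursive descent; binding strength OR < AND < WITH, parentheses group."""

    def __init__(self, expr: str, policy: dict):
        self.toks = TOKEN.findall(expr)
        self.pos = 0
        self.policy = policy

    def peek(self) -> str | None:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str | None:
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> str:
        verdict = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return verdict

    def or_expr(self) -> str:
        verdict = self.and_expr()
        while (self.peek() or "").upper() == "OR":
            self.take()
            verdict = min(verdict, self.and_expr(), key=VERDICT_RANK.__getitem__)
        return verdict

    def and_expr(self) -> str:
        verdict = self.with_expr()
        while (self.peek() or "").upper() == "AND":
            self.take()
            verdict = max(verdict, self.with_expr(), key=VERDICT_RANK.__getitem__)
        return verdict

    def with_expr(self) -> str:
        verdict = self.primary()
        if (self.peek() or "").upper() == "WITH":
            self.take()
            if self.take() is None:      # exception id; it only relaxes the base license
                raise ValueError("WITH without an exception id")
        return verdict

    def primary(self) -> str:
        tok = self.take()
        if tok == "(":
            verdict = self.or_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parenthesis")
            return verdict
        if tok is None or tok == ")" or tok.upper() in KEYWORDS:
            raise ValueError(f"unexpected token {tok!r}")
        return classify_id(tok, self.policy)


def evaluate_license(expr: str | None, policy: dict | None = None) -> dict:
    """Verdict for one package's declared license expression under `policy`."""
    policy = policy or DEFAULT_POLICY
    if not expr or not expr.strip():
        # Our choice: an undeclared license is a warn, never a silent pass.
        return {"verdict": "warn", "ids": [], "network_copyleft": False}
    verdict = _SpdxParser(expr, policy).parse()
    ids = [normalise(t) for t in TOKEN.findall(expr)
           if t not in ("(", ")") and t.upper() not in KEYWORDS]
    return {"verdict": verdict, "ids": ids,
            "network_copyleft": any(i.startswith(NETWORK_COPYLEFT_PREFIXES) for i in ids)}
```

The glob match is deliberately case-sensitive (`fnmatchcase`) so that `GPL-*` does not swallow `LGPL-*`, which the default policy treats differently.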
ingest_external_scan (1 param)

Ingest Trivy, Grype, or Syft JSON scan output and return packages with blast radius analysis. Auto-detects the scanner format from the JSON structure:
- Trivy (``trivy fs --format json``): Results + Vulnerabilities
- Grype (``grype --output json``): matches array
- Syft (``syf...

Parameters (* = required)

scan_json (string): JSON string from Trivy, Grype, or Syft scan output
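Structure-based format detection is what lets a single ingest tool accept output from three scanners without being told which one produced it. The block below is an added example of that detection plus normalization to one package list, written for this page and not agent-bom's own code. The Trivy ("Results") and Grype ("matches") markers follow the tool description above; the Syft marker ("artifacts"), the field names and the ecosystem mapping follow the public JSON formats of those scanners as this example's author understands them. The sample documents are constructed and their vulnerability ids are placeholders, not real advisories.

```python
"""Auto-detect Trivy, Grype or Syft JSON and normalize it to one package list.

Added example for the ingest_external_scan tool; not agent-bom's code.
Detection keys, field names and the ecosystem mapping are assumptions based on
the scanners' public formats. Sample documents are constructed.
"""
import json

# Map scanner-specific package types to one ecosystem label (assumed mapping).
_ECOSYSTEM = {
    "pip": "pypi", "python": "pypi", "python-pkg": "pypi",
    "npm": "npm", "node-pkg": "npm",
    "gomod": "go", "go-module": "go",
    "jar": "maven", "java-archive": "maven",
    "cargo": "cargo", "rust-crate": "cargo",
    "debian": "deb", "deb": "deb", "alpine": "apk", "apk": "apk", "rpm": "rpm",
}


def detect_format(doc: dict) -> str:
    """Identify the producer from the top-level structure, never from a filename."""
    if isinstance(doc.get("Results"), list):
        return "trivy"
    if isinstance(doc.get("matches"), list):
        return "grype"
    if isinstance(doc.get("artifacts"), list):
        return "syft"
    raise ValueError("unrecognized scanner output: expected Trivy, Grype or Syft JSON")


def _eco(raw) -> str:
    raw = (raw or "unknown").lower()
    return _ECOSYSTEM.get(raw, raw)


def normalize(scan_json: str) -> dict:
    """Return {"format": ..., "packages": [...]}; each package carries the
    vulnerabilities the scanner attached to it (none for a pure Syft SBOM)."""
    doc = json.loads(scan_json)
    fmt = detect_format(doc)
    packages = {}

    def add(name, version, eco, vuln_id=None, fixed=None, severity=None):
        entry = packages.setdefault((name, version, eco), {
            "name": name, "version": version, "ecosystem": eco, "vulnerabilities": []})
        if vuln_id:
            entry["vulnerabilities"].append(
                {"id": vuln_id, "fixed_version": fixed, "severity": severity})

    if fmt == "trivy":
        for result in doc["Results"]:
            eco = _eco(result.get("Type"))
            for v in result.get("Vulnerabilities") or []:
                add(v["PkgName"], v.get("InstalledVersion"), eco,
                    v["VulnerabilityID"], v.get("FixedVersion") or None, v.get("Severity"))
    elif fmt == "grype":
        for m in doc["matches"]:
            art, vuln = m["artifact"], m["vulnerability"]
            fixed = (vuln.get("fix") or {}).get("versions") or []
            add(art["name"], art.get("version"), _eco(art.get("type")),
                vuln["id"], fixed[0] if fixed else None, vuln.get("severity"))
    else:  # syft: inventory only, no findings attached
        for a in doc["artifacts"]:
            add(a["name"], a.get("version"), _eco(a.get("type")))

    ordered = sorted(packages.values(), key=lambda p: (p["ecosystem"], p["name"]))
    return {"format": fmt, "packages": ordered}


def vulnerable_packages(normalized: dict) -> list:
    """The subset a blast-radius walk would start from."""
    return [p for p in normalized["packages"] if p["vulnerabilities"]]


# Constructed sample documents (placeholder vulnerability ids, not real advisories).
TRIVY_SAMPLE = json.dumps({"SchemaVersion": 2, "Results": [{
    "Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip",
    "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-00001", "PkgName": "flask",
                         "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1",
                         "Severity": "HIGH"}]}]})
GRYPE_SAMPLE = json.dumps({"matches": [{
    "vulnerability": {"id": "GHSA-xxxx-xxxx-xxx2", "severity": "Medium",
                      "fix": {"versions": ["4.17.21"], "state": "fixed"}},
    "artifact": {"name": "lodash", "version": "4.17.20", "type": "npm"}}]})
SYFT_SAMPLE = json.dumps({"artifacts": [
    {"name": "requests", "version": "2.31.0", "type": "python"},
    {"name": "lodash", "version": "4.17.21", "type": "npm"}]})

if __name__ == "__main__":
    for sample in (TRIVY_SAMPLE, GRYPE_SAMPLE, SYFT_SAMPLE):
        n = normalize(sample)
        print(n["format"], [(p["ecosystem"], p["name"], len(p["vulnerabilities"])) for p in n["packages"]])
```

Detecting by structure rather than by file extension matters because all three tools write `.json`; a caller that guesses wrong would silently drop every finding.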

agent-bom


Open security scanner and self-hosted control plane for AI/MCP infrastructure.

Headless agent primitives and human cockpit surfaces over the same evidence model.

Docs · First Run · Self-host · GitHub Action · Docker · Changelog

agent-bom scans local and fleet AI infrastructure, builds an AI BOM across agents, MCP servers, tools, packages, credential environment names, cloud estate, non-human identities, runtime, and skills, then turns that inventory into findings, compliance evidence, LLM cost posture, and graph-backed multi-hop exposure paths.

The same evidence is available through CLI/CI, REST API, MCP tools, and a self-hosted dashboard. Runtime proxy/gateway controls — including inline firewall enforcement and a secure-by-default gateway — are optional and scoped to environments where enforcement is worth the operational cost.

agent-bom blast-radius drilldown — package to finding to MCP server to agent

package
  -> vulnerability finding
  -> MCP server
  -> tools + credential refs
  -> agent

Blast radius is the core idea. A vulnerable package is not just a CVE row; it is linked to the MCP server that loads it, the tools exposed by that server, the credential environment names in reach, and the agents that can call it.
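To make the chain above concrete, here is an added example of a blast-radius walk over a small context graph. It is an illustration of the idea, not agent-bom's ContextGraph implementation: the node kinds, edge direction, exposure score and the demo inventory (package, server and agent names, the placeholder finding id) are all constructed for this example. Walking against edge direction from the package collects the servers that load it (directly or through a transitive dependency) and the agents that call those servers; the tools and credential environment names come from the affected servers' outgoing edges.

```python
"""Blast-radius walk: package -> finding -> MCP server -> tools + credential refs -> agent.

Added example of the idea described on the page, not agent-bom's ContextGraph.
Node kinds, edge semantics, the exposure score and the demo inventory are
constructed; the finding id is a placeholder.
"""
from collections import defaultdict, deque

_SEVERITY = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


class ContextGraph:
    """Edge means "source reaches/uses target": agent -> mcp_server -> package,
    package -> package (dependency), package -> finding,
    mcp_server -> tool, mcp_server -> credential_ref."""

    def __init__(self):
        self.nodes = {}
        self.out = defaultdict(set)
        self.inc = defaultdict(set)

    def add(self, node_id: str, kind: str, **attrs) -> str:
        self.nodes[node_id] = {"kind": kind, **attrs}
        return node_id

    def link(self, src: str, dst: str) -> None:
        self.out[src].add(dst)
        self.inc[dst].add(src)

    def outgoing(self, node_id: str, kind: str) -> set:
        return {n for n in self.out[node_id] if self.nodes[n]["kind"] == kind}


def blast_radius(g: ContextGraph, package_id: str) -> dict:
    """Walk against edge direction from a package to everything that can reach it."""
    seen, queue = {package_id}, deque([package_id])
    servers, agents = set(), set()
    while queue:
        node = queue.popleft()
        for parent in g.inc[node]:
            if parent in seen:
                continue
            seen.add(parent)
            queue.append(parent)
            kind = g.nodes[parent]["kind"]
            if kind == "mcp_server":
                servers.add(parent)
            elif kind == "agent":
                agents.add(parent)
    findings = g.outgoing(package_id, "finding")
    tools = {t for s in servers for t in g.outgoing(s, "tool")}
    creds = {c for s in servers for c in g.outgoing(s, "credential_ref")}
    severities = [g.nodes[f].get("severity", "unknown") for f in findings]
    return {
        "package": package_id,
        "findings": sorted(findings),
        "max_severity": max(severities, key=lambda s: _SEVERITY.get(s.lower(), 0), default=None),
        "mcp_servers": sorted(servers),
        "tools": sorted(tools),
        "credential_refs": sorted(creds),
        "agents": sorted(agents),
        # Constructed heuristic: a finding matters more the more agents and secrets are in reach.
        "exposure_score": len(findings) * (len(agents) + len(creds)),
    }


def exposure_paths(g: ContextGraph, package_id: str) -> list:
    """Explicit agent -> ... -> package chains, so each finding stays explainable."""
    paths = []

    def walk(node, chain):
        if g.nodes[node]["kind"] == "agent":
            paths.append(list(reversed(chain)))
            return
        for parent in g.inc[node]:
            if parent not in chain:
                walk(parent, chain + [parent])

    walk(package_id, [package_id])
    return sorted(paths)


def build_demo_graph() -> ContextGraph:
    """Constructed inventory; package, server and agent names are illustrative."""
    g = ContextGraph()
    for pkg in ("pypi:yamlkit@1.2.0", "pypi:mcp-helper@0.3.0", "pypi:markdown-lite@3.4"):
        g.add(pkg, "package")
    g.add("FINDING-PLACEHOLDER-1", "finding", severity="high")
    g.link("pypi:yamlkit@1.2.0", "FINDING-PLACEHOLDER-1")
    g.link("pypi:mcp-helper@0.3.0", "pypi:yamlkit@1.2.0")          # transitive dependency
    for srv, pkg in (("srv:github-mcp", "pypi:mcp-helper@0.3.0"),
                     ("srv:postgres-mcp", "pypi:yamlkit@1.2.0"),
                     ("srv:docs-mcp", "pypi:markdown-lite@3.4")):
        g.add(srv, "mcp_server")
        g.link(srv, pkg)
    for srv, tool in (("srv:github-mcp", "tool:create_issue"), ("srv:github-mcp", "tool:list_repos"),
                      ("srv:postgres-mcp", "tool:run_query"), ("srv:docs-mcp", "tool:render_doc")):
        g.add(tool, "tool")
        g.link(srv, tool)
    for srv, env in (("srv:github-mcp", "env:GITHUB_TOKEN"), ("srv:postgres-mcp", "env:DATABASE_URL")):
        g.add(env, "credential_ref")       # environment name only; the value is never stored
        g.link(srv, env)
    for agent, servers in (("agent:claude-desktop", ("srv:github-mcp", "srv:postgres-mcp")),
                           ("agent:cursor", ("srv:github-mcp",)),
                           ("agent:ci-bot", ("srv:docs-mcp",))):
        g.add(agent, "agent")
        for srv in servers:
            g.link(agent, srv)
    return g


if __name__ == "__main__":
    g = build_demo_graph()
    print(blast_radius(g, "pypi:yamlkit@1.2.0"))
    for path in exposure_paths(g, "pypi:yamlkit@1.2.0"):
        print(" -> ".join(path))
```

In the demo graph the vulnerable package is loaded directly by one server and transitively by another, which is why two agents, three tools and two credential names land in its radius while the clean package loaded by the docs server reaches only the CI agent.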

What It Scans

| Domain | Coverage |
| --- | --- |
| Supply chain | 15 package ecosystems (npm, PyPI, Maven, Go, Cargo, NuGet, Composer, RubyGems, conda, Hex, Pub, Swift, plus OS packages apk/deb/rpm) with OSV/GHSA enrichment, transitive resolution, and dependency-confusion detection |
| Agents + MCP | MCP clients, servers, tools, transports, trust posture, and live introspection across 29 first-class client types |
| AI models + datasets | Malicious-model detection via safe pickle-opcode disassembly (no deserialization), model/dataset cards, and PII/PHI dataset scanning |
| Cloud estate | Read-only, gated asset inventory across AWS, Azure, and GCP plus AI/GPU provider posture and CIS benchmarks |
| Identity (NHI) | Non-human identity discovery (Okta/Entra, gated), credential-expiry posture, and access-review recertification campaigns |
| LLM cost | Spend forecasting, budget runway, chargeback/allocation, and seasonal-aware spend-anomaly detection |
| Containers + IaC | Native OCI image parsing plus Dockerfile, Terraform, CloudFormation, Helm, and Kubernetes |
| Secrets + runtime | Secret detection, MCP proxy/gateway, A2A and MCP auth-posture checks, inline firewall enforcement, and redaction surfaces |
| Compliance | Mapped governance frameworks plus ZIP evidence bundles for auditors |
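The "safe pickle-opcode disassembly (no deserialization)" row deserves a closer look, because it is the one model check that must never touch the data path it inspects. Below is an added example of the technique, written for this page and not agent-bom's scanner: it walks the opcode stream with `pickletools.genops`, resolves every GLOBAL and STACK_GLOBAL reference (the latter takes its module and attribute from the two most recently pushed strings), and grades each against an allowlist of module families a checkpoint legitimately needs. The allowlist, denylists and fixtures are constructed; the benign fixture is built with `pickle.dumps`, and `pickle.loads` is never called on anything.

```python
"""Static inspection of a pickle stream by opcode disassembly; nothing is unpickled.

Added example of the safe pickle-opcode technique named on the page, not
agent-bom's model scanner. Allowlist, denylists and fixtures are constructed.
"""
import pickle
import pickletools

# Top-level modules a checkpoint may legitimately reference (constructed allowlist).
ALLOWED_TOP_MODULES = {"torch", "numpy", "collections", "_codecs", "builtins"}
# Module families whose presence in a model file is reported as critical.
DENY_TOP_MODULES = {"os", "posix", "nt", "subprocess", "sys", "socket", "shutil",
                    "importlib", "runpy", "pty", "ctypes", "webbrowser"}
# Individual callables that are dangerous even though their module is allowlisted.
DENY_REFS = {"builtins.eval", "builtins.exec", "builtins.compile", "builtins.__import__",
             "builtins.getattr", "builtins.open", "operator.attrgetter"}
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE", "STRING",
               "BINSTRING", "SHORT_BINSTRING"}
_CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes) -> dict:
    """Disassemble the stream and resolve every GLOBAL / STACK_GLOBAL reference."""
    strings, refs, call_ops = [], [], 0
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in _STRING_OPS:
            strings.append(arg if isinstance(arg, str) else arg.decode("latin-1"))
        elif name == "GLOBAL":                      # arg is "module attr"
            module, _, attr = arg.partition(" ")
            refs.append(f"{module}.{attr}")
        elif name == "STACK_GLOBAL":                # module/attr are the last two strings pushed
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without preceding module/name strings")
            refs.append(f"{strings[-2]}.{strings[-1]}")
        elif name in _CALL_OPS:
            call_ops += 1

    findings = []
    for ref in refs:
        module = ref.rsplit(".", 1)[0]
        top = module.split(".")[0]
        if ref in DENY_REFS or top in DENY_TOP_MODULES:
            findings.append({"ref": ref, "severity": "critical"})
        elif top not in ALLOWED_TOP_MODULES:
            findings.append({"ref": ref, "severity": "warn"})
    if any(f["severity"] == "critical" for f in findings):
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"globals": refs, "call_opcodes": call_ops, "findings": findings, "verdict": verdict}


# Constructed fixtures. CLEAN_DICT is plain data; CLEAN_ORDERED references an allowlisted
# class; the two SUSPECT streams reference os.getcwd, a harmless stand-in for the kind of
# non-model callable a tampered checkpoint would carry (protocol 0 and protocol 4 encodings).
CLEAN_DICT = pickle.dumps({"weights": [1.0, 2.0]}, protocol=4)
CLEAN_ORDERED = b"ccollections\nOrderedDict\n)R."
SUSPECT_PROTO0 = b"cos\ngetcwd\n(tR."
SUSPECT_PROTO4 = b"\x80\x04\x8c\x02os\x8c\x06getcwd\x93)R."

if __name__ == "__main__":
    for label, blob in (("clean dict", CLEAN_DICT), ("ordered dict", CLEAN_ORDERED),
                        ("proto0", SUSPECT_PROTO0), ("proto4", SUSPECT_PROTO4)):
        print(label, scan_pickle(blob))
```

The allowlist is deliberately narrow: a real scanner tunes it per framework, but the decision rule stays the same, and because `genops` only parses the stream, a hostile file cannot run anything during the scan.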

Findings converge on one unified Finding model and a unified ContextGraph, so multi-hop attack-path fusion, blast radius, and exposure scoring all read from the same evidence.

agent-bom control loop from discovery to graph evidence to gateway policy and runtime enforcement

First Run

pip install agent-bom
agent-bom quickstart --dry-run --offline   # print the onboarding plan
agent-bom quickstart --run --offline        # write sample, scan, seed gateway policy, populate the cockpit
agent-bom agents --demo --offline

The demo uses bundled advisory-backed OSV/GHSA ranges against intentionally vulnerable sample packages and produces graph-ready inventory without touching your source tree. For a real local scan:

agent-bom agents -p . -f html -o agent-bom-report.html

Want an inspectable sample stack first?

agent-bom samples first-run
agent-bom agents --inventory agent-bom-first-run/inventory.json -p agent-bom-first-run --enrich

See docs/FIRST_RUN.md for the guided path from CLI output to the dashboard.

To reproduce the dashboard screenshots from a clean local control-plane store:

make build-ui
uv run agent-bom serve --persist /tmp/agent-bom-demo.db --allow-insecure-no-auth
uv run agent-bom agents --demo --offline --no-auto-update-db -f json -o /tmp/agent-bom-demo.json
curl -sS -H 'content-type: application/json' --data-binary @/tmp/agent-bom-demo.json \
  http://127.0.0.1:8422/v1/results/push

agent-bom terminal demo

Product Proof

The dashboard screenshots below are captured from the packaged UI with bundled demo scan data and seeded control-plane records, not static mockups. The data is synthetic where needed, but the routes are the real scan, graph, fleet, identity, audit, and gateway surfaces. The README keeps the first screen focused; expand the gallery when you want to inspect the control-plane surfaces.

Evidence cockpit and agent mesh

agent-bom risk overview dashboard with posture score, findings, and attack path summary

agent-bom agent mesh graph showing agent, MCP server, package, tool, credential reference, and finding path

Graph views beyond the agent mesh

The graph proof set is intentionally split across modes: fix-first exposure paths, root-centered lineage, lateral context, and package risk distribution. That keeps each view readable instead of forcing every relationship into one sprawling canvas.

agent-bom security graph with attack-path queue, graph evidence export, and remediation handoff

agent-bom lineage graph centered on an agent with bounded paths, filters, and graph evidence export

agent-bom context map showing agent-to-server reachability and lateral movement context

Environment state and identity lifecycle

Fleet and identity views use the same control-plane APIs that operators use for customer-owned deployments. The sample below seeds environment, owner, lifecycle state, and agent identity events so the screenshots show how local scan evidence connects to reviewable governance records.

agent-bom fleet state dashboard showing lifecycle distribution, approved and discovered agents, owner metadata, environment labels, and discovery state

agent-bom audit log filtered to identity lifecycle events with HMAC integrity counters and issue, rotate, revoke rows

Dependency and remediation views

agent-bom dependency map with scan pipeline counts, supply-chain treemap, blast-radius chart, and EPSS by CVSS risk map

agent-bom remediation dashboard with prioritized package fixes and compliance context

Runtime policy and audit posture

agent-bom gateway policy dashboard showing advisory runtime posture, enabled policy count, rule counts, and bound agents

Screenshot capture rules and the full manifest live in docs/CAPTURE.md and docs/images/product-screenshots.json.

Start Here

| Goal | Command | Artifact |
| --- | --- | --- |
| Local agent and MCP inventory | agent-bom agents | findings, AI BOM, graph-ready JSON |
| Guided local onboarding | agent-bom quickstart --dry-run --offline | scan, sample-data, and local API/UI next steps |
| One-command onboarding | agent-bom quickstart --run --offline | writes sample, runs a graph-persisting scan, seeds a baseline gateway policy |
| Repo and lockfile scan | agent-bom agents -p . | package findings, SARIF/SBOM/HTML when requested |
| Pre-install guard | agent-bom check flask@2.0.0 --ecosystem pypi | deterministic allow/warn/block result |
| Container image scan | agent-bom image nginx:latest | image findings and remediation |
| IaC scan | agent-bom iac Dockerfile k8s/ infra/main.tf | IaC findings and policy context |
| Cloud posture check | agent-bom cloud aws --cis | runtime CIS posture evidence |
| Cloud estate inventory | agent-bom cloud inventory --provider aws | read-only, gated asset inventory (AWS/Azure/GCP) |
| LLM cost forecast | agent-bom cost forecast | spend burn-rate, budget runway, and chargeback posture |
| Non-human identity posture | agent-bom identity credential-expiry | expiring/overdue NHI credentials and access reviews |
| CI gate | uses: msaad00/agent-bom@v0.89.2 | SARIF, PR summary, optional code-scanning upload |
| MCP tools | pip install 'agent-bom[mcp-server]' && agent-bom mcp server | strict-args security tools for MCP clients |
| Local API/UI | pip install 'agent-bom[ui]' && agent-bom serve | API plus bundled dashboard |
| First-run extras | pip install 'agent-bom[all]' | supported onboarding extras; MLflow remains separately installed |
| Self-hosted pilot | docker compose -f docker-compose.pilot.yml up -d | API and dashboard in your environment |

The base wheel is the scanner and CLI path. Optional runtime surfaces fail fast with install hints when their extras are missing.

New to the repo? PROJECT_STRUCTURE.md is the repo map, docs/START_HERE.md routes you by role, and docs/CLI_MAP.md groups every command by domain.

MCP registry publishing is tracked through the committed Smithery manifest and other registry metadata; install and liveness checks stay in the linked integration docs instead of this front door.

Shipped Surfaces

| Surface | Primary user | Current boundary |
| --- | --- | --- |
| CLI / CI | developers and release gates | local scans, SARIF/SBOM/HTML/JSON, deterministic exit codes |
| REST API | control-plane integrations | scans, bulk findings, dataset versions, evaluation runs, graph evidence, audit, runtime summaries |
| MCP tools | agents and assistants | strict arguments, read-mostly security queries, exposure paths, deploy decisions, audited Shield actions |
| Dashboard | security teams and operators | inventory, findings, graph cockpit, compliance, evidence, runtime posture |
| Runtime proxy/gateway | runtime operators | scoped MCP traffic inspection, policy decisions, redacted audit evidence |
| Python client | services, notebooks, and automation | typed helper for stable REST endpoints in the packaged wheel |
| TypeScript client | services and agent runtimes | typed helper for stable REST endpoints |

MCP server mode advertises 69 MCP tools, 6 resources, and 6 workflow prompts. Most tools are read-only. The three Shield write actions fail closed unless the caller supplies operator_role=admin, operator_scopes=shield:write, and an audit reason.
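Fail-closed here means every absent or wrong control produces a denial, and the decision is recorded either way. The following is an added example of that gate together with a tamper-evident audit trail, written for this page and not agent-bom's Shield code. The three required controls are the ones quoted above; the audit-row layout, the HMAC chain over counter and previous MAC, the placeholder key and the action name are this example's own assumptions, offered as one plausible reading of the "HMAC integrity counters" mentioned for the audit log.

```python
"""Fail-closed authorization for a Shield write action, with an HMAC-chained audit row.

Added example of the rule stated on the page (operator_role=admin, a scope
list containing shield:write, and a non-empty audit reason, otherwise deny).
Not agent-bom's code; audit layout and hash chain are assumptions.
"""
import hashlib
import hmac
import json

REQUIRED_ROLE = "admin"
REQUIRED_SCOPE = "shield:write"


class AuditLog:
    """Append-only rows. Each MAC covers the previous MAC, the counter and the
    row body, so editing, deleting or reordering any row breaks verification."""

    _SEED = b"\x00" * 32

    def __init__(self, key: bytes):
        self._key = key
        self.rows = []

    def _mac(self, prev: bytes, counter: int, event: dict) -> bytes:
        body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev + counter.to_bytes(8, "big") + body, hashlib.sha256).digest()

    def append(self, event: dict) -> dict:
        prev = bytes.fromhex(self.rows[-1]["mac"]) if self.rows else self._SEED
        counter = len(self.rows) + 1
        row = {"counter": counter, "event": event, "mac": self._mac(prev, counter, event).hex()}
        self.rows.append(row)
        return row

    def verify(self) -> bool:
        prev = self._SEED
        for i, row in enumerate(self.rows, start=1):
            expected = self._mac(prev, i, row["event"])
            if row["counter"] != i or not hmac.compare_digest(expected.hex(), row["mac"]):
                return False
            prev = expected
        return True


def _scopes(raw) -> set:
    """Accept a list or a space/comma separated string of scopes."""
    if isinstance(raw, str):
        raw = raw.replace(",", " ").split()
    return set(raw or [])


def authorize_shield_write(request: dict, audit: AuditLog) -> dict:
    """Deny by default: name every control that is absent or wrong, and record
    the decision whether or not it was allowed."""
    missing = []
    if request.get("operator_role") != REQUIRED_ROLE:
        missing.append("operator_role=admin")
    if REQUIRED_SCOPE not in _scopes(request.get("operator_scopes")):
        missing.append("operator_scopes=shield:write")
    reason = str(request.get("reason") or "").strip()
    if not reason:
        missing.append("reason")
    decision = {"action": request.get("action"), "allowed": not missing, "missing": missing}
    audit.append({**decision, "operator": request.get("operator", "unknown"), "reason": reason})
    return decision


if __name__ == "__main__":
    log = AuditLog(key=b"constructed-demo-key")           # placeholder key, not a real secret
    print(authorize_shield_write({"action": "quarantine_server", "operator": "alice",
                                  "operator_role": "admin", "operator_scopes": "shield:write",
                                  "reason": "incident INC-PLACEHOLDER"}, log))
    print(authorize_shield_write({"action": "quarantine_server", "operator": "bob",
                                  "operator_role": "analyst", "operator_scopes": ["shield:read"]}, log))
    print("audit chain intact:", log.verify())
```

Two properties are worth checking in any real implementation of this pattern: denials are logged as faithfully as approvals, and the chain verifies end to end from a fixed seed rather than trusting the counter stored in each row.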

CLI scan commands run local scan pipelines today. They share lower scanner and discovery libraries with the API, but they are not API wrappers yet.

Runtime enforcement is explicit. Proxy mode either wraps a target MCP server for audit and policy decisions, or runs that server through Docker/Podman isolation when a sandbox image is supplied:

agent-bom proxy --no-isolate --policy policy.json --detect-credentials --block-undeclared -- npx @mcp/server-github
agent-bom proxy --sandbox-image ghcr.io/acme/mcp-runtime@sha256:<digest> \
  --sandbox-image-pin-policy enforce --block-undeclared -- npx @mcp/server-postgres

Deploy In Your Boundary

agent-bom is designed for customer-controlled deployment: local CLI, Docker, GitHub Action, Helm, EKS, Postgres, and optional runtime proxy/gateway.

curl -fsSL https://raw.githubusercontent.com/msaad00/agent-bom/main/deploy/docker-compose.pilot.yml -o docker-compose.pilot.yml
docker compose -f docker-compose.pilot.yml up -d
# Dashboard -> http://localhost:3000

Production self-hosting starts with the deployment chooser:

  • Deployment overview
  • Helm chart
  • EKS reference installer
  • Docker Hub image

There is no managed cloud offering in this repository today. Product lane boundaries are documented in docs/PRODUCT_BOUNDARIES.md.

Trust Model

  • Read-only discovery by default for cloud and local inventory.
  • No mandatory telemetry.
  • Credential values are redacted; credential environment names are preserved as evidence so exposure paths stay explainable.
  • Findings can export as JSON, SARIF, CycloneDX, SPDX, OCSF, Markdown, HTML, and compliance evidence bundles.
  • API and runtime paths are designed for tenant scope, auth boundaries, and audit evidence.
  • OpenAPI artifacts are committed for SDK and client contract checks.

Security and release references:

  • Threat model
  • Pentest readiness
  • Python API and control-plane client
  • Go control-plane client
  • Product metrics
  • Release verification
  • GitHub Action

Product Views

The docs site carries the deployment-oriented walkthroughs behind those screenshots:

  • Dashboard and graph capture protocol
  • Documentation site
  • Deployment overview

Contributing

Contributions are welcome. Start with:

  • CONTRIBUTING.md
  • .agents/AGENTS.md
  • Open issues

License: Apache-2.0.


Configuration

NVD_API_KEY (secret): NVD API key for higher rate limits on vulnerability enrichment

Categories: AI & LLM Tools, Cloud & Infrastructure, Security & Pentesting
Registry: active
Package: agent-bom
Transport: STDIO
Auth: Required
Updated: Apr 28, 2026
