Open security scanner for AI supply chain — agents, MCP servers, packages, containers, cloud, GPU, and runtime.

Start with the demo, then choose the entrypoint that matches your first job: repo scan, image scan, cloud posture, fix plan, dashboard, or runtime review.

CVE-2025-1234  (CRITICAL · CVSS 9.8 · CISA KEV)
  |── better-sqlite3@9.0.0  (npm)
       |── sqlite-mcp  (MCP Server · unverified · root)
            |── Cursor IDE  (Agent · 4 servers · 12 tools)
            |── ANTHROPIC_KEY, DB_URL, AWS_SECRET  (Credentials exposed)
            |── query_db, read_file, write_file, run_shell  (Tools at risk)

 Fix: upgrade better-sqlite3 → 11.7.0

Blast radius is the core idea: CVE -> package -> MCP server -> agent -> credentials -> tools.

agent-bom scans local agent configs, MCP servers, instruction files, lockfiles, containers, cloud posture, GPU surfaces, and runtime evidence. CWE-aware impact keeps a DoS from being reported like credential compromise.

Try the built-in demo first:

agent-bom agents --demo --offline

The GIF uses that same curated sample so the output stays reproducible across releases. For real scans, run agent-bom agents, or add -p . to fold project manifests and lockfiles into the same result.

Recommended starting points

Pick the entrypoint that matches your first job:

Goal	Run	What you get
Find what is installed and reachable	agent-bom agents -p .	Agent discovery, MCP mapping, project dependency findings, blast radius
Turn findings into a fix plan	agent-bom agents -p . --remediate remediation.md	Prioritized remediation plan with fix versions and reachable impact
Check a package before install	agent-bom check flask@2.2.0 --ecosystem pypi	Machine-readable pre-install verdict
Scan a container image	agent-bom image nginx:latest	OS and package CVEs with fixability
Audit IaC or cloud posture	agent-bom iac Dockerfile k8s/ infra/main.tf	Misconfigurations and posture findings
Review findings in a persistent graph	agent-bom serve	API, dashboard, unified graph, current-state and diff views. Requires pip install 'agent-bom[ui]' once.
Inspect live MCP traffic	agent-bom proxy "<server command>"	Inline runtime inspection, detector chaining, response/argument review

Quick start

pip install agent-bom                  # Standard CLI install
# pipx install agent-bom               # Isolated global install
# uvx agent-bom --help                 # Ephemeral run without installing

agent-bom agents                              # Discover + scan local AI agents and MCP servers
agent-bom agents -p .                         # Scan project lockfiles/manifests plus agent/MCP context
agent-bom where                               # Show MCP discovery paths checked on this machine
agent-bom mesh --project .                    # Show the live agent / MCP topology
agent-bom skills scan .                       # Scan CLAUDE.md, AGENTS.md, .cursorrules, skills/*
agent-bom check flask@2.0.0 --ecosystem pypi  # Pre-install CVE gate
agent-bom image nginx:latest                  # Container image scan
agent-bom iac Dockerfile k8s/ infra/main.tf   # IaC scan across one or more paths

What to do after the first scan

agent-bom agents -p . --remediate remediation.md                    # Fix-first plan with versions and reachable impact
agent-bom agents -p . --compliance-export fedramp -o evidence.zip   # ZIP evidence bundle for auditors
pip install 'agent-bom[ui]'                                         # once, for API + dashboard
agent-bom serve                                                     # Review the same findings in the dashboard and graph

More commands

agent-bom cloud aws                     # Cloud AI posture + CIS benchmarks
agent-bom agents -f cyclonedx -o bom.json  # AI BOM / SBOM export
agent-bom check requests@2.33.0 -e pypi -f json  # Machine-readable pre-install verdict
agent-bom report diff before.json after.json -f json  # CI-friendly diff output
agent-bom agents -p . --compliance-export fedramp -o fedramp-evidence.zip  # Auditor-ready evidence bundle
agent-bom graph report.json                # Blast radius graph / graph HTML inputs
agent-bom proxy "npx @mcp/server-fs /ws"   # MCP security proxy
agent-bom secrets src/                  # Hardcoded secrets + PII
agent-bom verify agent-bom              # Verify this installation
agent-bom verify requests@2.33.0        # Package integrity verification
agent-bom verify --model-dir ./models   # Model weight hash verification
agent-bom serve                         # API + Next.js dashboard

---

Why teams use it

• Blast radius that maps CVE -> package -> MCP server -> agent -> credentials -> tools
• AI-native coverage across agents, MCP, instruction files, runtime proxy traffic, containers, cloud, IaC, and GPU surfaces
• Unified graph explorer with snapshots, diff, search, impact, attack paths, and OCSF-ready export
• Supply-chain depth across lockfiles, transitive dependencies, model artifacts, provenance, and hash verification
• Compliance evidence bundles for cmmc, fedramp, and nist-ai-rmf
• One operator path across CLI, CI, API, dashboard, reports, and MCP tools

Graph explorer

The README starts from the same scoped graph view as the product: one focused path first, then expand by agent, depth, or findings only when needed.

Use whichever entrypoint fits your workflow:

agent-bom serve                    # Persist scans and explore them in the dashboard
agent-bom graph report.json        # Generate graph-facing output from an existing report
agent-bom mesh --project .         # Quick local topology view from the CLI

If the dashboard says API Offline, install the UI extra and run agent-bom serve. If the UI is already running separately, start just the backend with pip install 'agent-bom[api]' and agent-bom api.

Framework catalogs

Default scans use the bundled MITRE ATT&CK + CAPEC catalog, so results stay deterministic and offline-friendly. Refresh to a newer upstream snapshot only when you want to:

agent-bom db update-frameworks
agent-bom db status

The active catalog metadata is also surfaced in JSON output (framework_catalogs) and the API at /v1/frameworks/catalogs. Long-lived connected deployments can point at a synced catalog or opt into runtime refresh with AGENT_BOM_MITRE_CATALOG_MODE.

Architecture at a glance

One graph, one path: discover, analyze, persist, then operate across CLI, CI, API, dashboard, and exports.

Install & deploy

pip install agent-bom                        # CLI
docker run --rm agentbom/agent-bom agents    # Docker

Mode	Command	Best for
CLI	agent-bom agents	Local audit + project scan
GitHub Action	uses: msaad00/agent-bom@v0.76.2	CI/CD + SARIF
Docker	docker run agentbom/agent-bom	Isolated scans
MCP Server	agent-bom mcp server	Claude Desktop, Claude Code, Cursor, Codex, Windsurf, Cortex
Runtime proxy	agent-bom proxy	MCP traffic enforcement
Shield SDK	from agent_bom.shield import Shield	In-process protection
API + dashboard	agent-bom serve	Fleet visibility, audit exports, and central review. Requires pip install 'agent-bom[ui]' once.

Product references:

• docs/PRODUCT_BRIEF.md
• docs/PRODUCT_METRICS.md
• docs/ENTERPRISE.md

CI/CD in 60 seconds

Use the GitHub Action when you want a fast CI gate: one step, one gate, SARIF in the Security tab, and a clean exit code for CI.

Repo + MCP + instruction files

- uses: msaad00/agent-bom@v0.76.2
  with:
    scan-type: scan
    severity-threshold: high
    upload-sarif: true
    enrich: true
    fail-on-kev: true

Container image gate

- uses: msaad00/agent-bom@v0.76.2
  with:
    scan-type: image
    scan-ref: ghcr.io/acme/agent-runtime:sha-abcdef
    severity-threshold: critical

IaC gate

- uses: msaad00/agent-bom@v0.76.2
  with:
    scan-type: iac
    iac: Dockerfile,k8s/,infra/main.tf
    severity-threshold: high

Air-gapped / pre-synced CI

- uses: msaad00/agent-bom@v0.76.2
  with:
    auto-update-db: false
    enrich: false

Enterprise rollout

• Developer endpoints: run agent-bom agents locally or via MDM for workstation inventory and posture.
• CI/CD: use the GitHub Action for PR gates, SARIF upload, image gates, and IaC checks.
• Central security team: deploy agent-bom serve for fleet ingestion, posture, and audit exports.
• Air-gapped / isolated: run the Docker image with --offline and auto-update-db: false using a pre-synced local DB.

See docs/ENTERPRISE_DEPLOYMENT.md for rollout patterns, auth models, and storage backends.

Install extras

Extra	Command
Cloud providers	pip install 'agent-bom[cloud]'
MCP server	pip install 'agent-bom[mcp-server]'
REST API	pip install 'agent-bom[api]'
Dashboard	pip install 'agent-bom[ui]'

Output formats

JSON, SARIF, CycloneDX 1.6 (with ML BOM), SPDX 3.0, HTML, Graph JSON, Graph HTML, GraphML, Neo4j Cypher, JUnit XML, CSV, Markdown, Mermaid, SVG, Prometheus, Badge, OCSF, Attack Flow, plain text.

---

MCP server

36 security tools available inside any MCP-compatible AI assistant:

{
  "mcpServers": {
    "agent-bom": {
      "command": "uvx",
      "args": ["agent-bom", "mcp", "server"]
    }
  }
}

Also on Glama, Smithery, MCP Registry, and OpenClaw.

---

Trust & transparency

When	What's sent	Where	Opt out
Default CVE lookups (agents, scan, check, image)	Package names + versions	OSV API	--offline
Floating version resolution	Package names, requested version/latest lookup	npm, PyPI, Go proxy	--offline
--enrich	CVE IDs	NVD, EPSS; KEV catalog download from CISA	Don't use --enrich
--deps-dev	Package names + versions	deps.dev	Don't use --deps-dev
verify	Package name + version	PyPI or npm integrity endpoints	Don't run verify
Optional push/integrations	Finding summaries or evidence bundles	Slack, Jira, Vanta, Drata	Don't pass those flags

No source code, config contents, or credential values are sent. No telemetry or analytics. Sigstore-signed releases. See SECURITY_ARCHITECTURE.md and PERMISSIONS.md for the full trust model.

---

Contributing

git clone https://github.com/msaad00/agent-bom.git && cd agent-bom
pip install -e ".[dev-all]"
pytest && ruff check src/

See CONTRIBUTING.md | docs/CLI_DEBUG_GUIDE.md | SECURITY.md | CODE_OF_CONDUCT.md

---

Apache 2.0 — LICENSE