Context
agent-bom currently tags findings with 14 compliance frameworks, but only for findings generated by agent-bom scans. Enterprise teams need to map findings from ANY source (SARIF imports, CycloneDX SBOMs, CSV exports from other tools) to compliance frameworks.
What to Build
Compliance Hub Engine
- `POST /v1/compliance/ingest` — accept findings from external sources (SARIF, CycloneDX, CSV, JSON)
- Auto-map imported findings to applicable frameworks based on finding type and context
- Store mapped findings alongside agent-bom scan results, tagged with their source so imported and native findings stay distinguishable in reports
- Unified compliance posture across all sources
Context-Aware Framework Selection
The hub should automatically select relevant frameworks based on scan/finding type:
| Finding Source | Frameworks Applied |
|---|---|
| Agent/MCP scan | OWASP LLM Top 10, MITRE ATLAS, OWASP MCP Top 10, OWASP Agentic, NIST AI RMF, EU AI Act |
| Container image | CIS Docker, NIST CSF, PCI DSS, SOC 2 |
| Cloud posture | CIS AWS/Azure/GCP, SOC 2, ISO 27001, NIST 800-53 |
| IaC scan | CIS Terraform, NIST 800-53, FedRAMP |
| Code/secrets | OWASP Top 10, PCI DSS, SOC 2 |
| Runtime proxy | OWASP LLM, OWASP Agentic, MITRE ATLAS |
| Fleet/enterprise | All frameworks, aggregate posture |
| External import | Auto-detect from finding metadata, or user-specified |
Independent Framework Views
Each framework gets its own isolated view:
- SOC 2 TSC → Trust Service Criteria mapped to findings
- ISO 27001:2022 → Annex A controls mapped
- NIST CSF 2.0 → Functions/Categories/Subcategories
- CIS Controls v8 → Implementation Groups
- CMMC 2.0 → Levels/Practices
Integration Points
- Dashboard: `/compliance` page shows unified posture across all sources
- CLI: `agent-bom comply import findings.sarif --framework soc2`
- API: `GET /v1/compliance/hub/posture` returns aggregate across all sources
- Export: `GET /v1/compliance/hub/export/{framework}` returns evidence bundle
Ingest Formats
- SARIF 2.1 (GitHub Security, CodeQL, Semgrep output)
- CycloneDX 1.6 JSON (with vulnerabilities array)
- SPDX 3.0 JSON-LD
- CSV (columns: id, severity, package, description, framework_tags)
- JSON (agent-bom native format)
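The ingest engine described above boils down to three steps: normalise each input format into one finding shape, pick frameworks from the source type (or from tags the user supplied), and aggregate a per-framework posture. The following is an added example sketching that pipeline for the SARIF, CycloneDX and CSV formats listed here; it is not agent-bom's own code, and every name in it (`Finding`, `detect_format`, `ingest`, `posture`, the source-type keys, the `;` tag separator in CSV) is an assumption for illustration. Sample payloads are constructed, not real scanner output.

```python
"""Illustrative compliance-hub normaliser (added example, not agent-bom code).

Parses SARIF 2.1, CycloneDX 1.6 and CSV into one Finding shape, maps frameworks
by source type or explicit tags, and aggregates a per-framework posture.
All identifiers here are assumptions made for the example.
"""
import csv
import io
import json
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Source-type -> frameworks table from the issue; the keys are hypothetical identifiers.
FRAMEWORKS_BY_SOURCE = {
    "agent": ["OWASP LLM Top 10", "MITRE ATLAS", "OWASP MCP Top 10",
              "OWASP Agentic", "NIST AI RMF", "EU AI Act"],
    "container": ["CIS Docker", "NIST CSF", "PCI DSS", "SOC 2"],
    "cloud": ["CIS AWS/Azure/GCP", "SOC 2", "ISO 27001", "NIST 800-53"],
    "iac": ["CIS Terraform", "NIST 800-53", "FedRAMP"],
    "code": ["OWASP Top 10", "PCI DSS", "SOC 2"],
    "runtime": ["OWASP LLM", "OWASP Agentic", "MITRE ATLAS"],
}
RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}
SARIF_LEVELS = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


@dataclass
class Finding:
    id: str
    severity: str
    package: str
    description: str
    source_type: str
    frameworks: list = field(default_factory=list)


def detect_format(text: str) -> str:
    """Sniff the payload: SARIF and CycloneDX are JSON with telltale top-level keys."""
    try:
        doc = json.loads(text)
    except ValueError:
        return "csv"  # not JSON at all; treat as the CSV layout from the issue
    if isinstance(doc, dict) and doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if isinstance(doc, dict) and "runs" in doc and str(doc.get("version", "")).startswith("2.1"):
        return "sarif"
    raise ValueError("unrecognised payload")


def parse_sarif(text: str):
    """SARIF results carry ruleId, level and a location; there is no package, so the file URI stands in."""
    out = []
    for run in json.loads(text)["runs"]:
        for r in run.get("results", []):
            locs = r.get("locations") or []
            uri = locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "") if locs else ""
            sev = SARIF_LEVELS.get(r.get("level", "warning"), "medium")
            out.append(Finding(r["ruleId"], sev, uri, r["message"]["text"], "code"))
    return out


def parse_cyclonedx(text: str):
    """CycloneDX vulnerabilities point at components by bom-ref; resolve to purl, keep the worst rating."""
    doc = json.loads(text)
    purls = {c["bom-ref"]: c.get("purl", c["bom-ref"]) for c in doc.get("components", []) if "bom-ref" in c}
    out = []
    for v in doc.get("vulnerabilities", []):
        ratings = [r.get("severity", "unknown") for r in v.get("ratings", [])]
        sev = max(ratings, key=lambda s: RANK.get(s, 0), default="unknown")
        for a in v.get("affects", []):
            out.append(Finding(v["id"], sev, purls.get(a["ref"], a["ref"]), v.get("description", ""), "container"))
    return out


def parse_csv(text: str):
    """CSV columns per the issue: id, severity, package, description, framework_tags ('; ' separator assumed)."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        tags = [t.strip() for t in row.get("framework_tags", "").split(";") if t.strip()]
        out.append(Finding(row["id"], row["severity"].lower(), row["package"], row["description"], "external", tags))
    return out


PARSERS = {"sarif": parse_sarif, "cyclonedx": parse_cyclonedx, "csv": parse_csv}


def ingest(text: str, fmt: Optional[str] = None, source_type: Optional[str] = None, frameworks=None):
    """Normalise, then map: explicit frameworks > per-finding tags > source-type table.
    An unknown source type yields no frameworks rather than a silent default."""
    findings = PARSERS[fmt or detect_format(text)](text)
    for f in findings:
        if source_type:
            f.source_type = source_type
        if frameworks:
            f.frameworks = list(frameworks)
        elif not f.frameworks:
            f.frameworks = list(FRAMEWORKS_BY_SOURCE.get(f.source_type, []))
    return findings


def posture(findings):
    """Severity counts per framework across every ingested source."""
    agg = defaultdict(lambda: defaultdict(int))
    for f in findings:
        for fw in f.frameworks:
            agg[fw][f.severity] += 1
    return {fw: dict(c) for fw, c in agg.items()}


# Constructed sample payloads (not real scanner output).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "demo"}}, "results": [
    {"ruleId": "py/sql-injection", "level": "error", "message": {"text": "Query built from user input"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]}]}]})
SAMPLE_CDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [{"bom-ref": "c1", "purl": "pkg:pypi/examplelib@1.0.0"}],
    "vulnerabilities": [{"id": "DEMO-2024-0001", "description": "Constructed sample vulnerability",
        "ratings": [{"severity": "medium"}, {"severity": "high"}], "affects": [{"ref": "c1"}]}]})
SAMPLE_CSV = "id,severity,package,description,framework_tags\nX-1,Low,libfoo,Outdated TLS,SOC 2;ISO 27001\n"

if __name__ == "__main__":
    everything = ingest(SAMPLE_SARIF) + ingest(SAMPLE_CDX) + ingest(SAMPLE_CSV)
    print(json.dumps(posture(everything), indent=2))
```

Two design points worth keeping when building the real thing: a finding with no tags and no recognised source type ends up with an empty framework list, so the posture report never silently credits an unknown import to a framework; and CycloneDX entries with several ratings are collapsed to the worst one, which is the conservative choice for a compliance view.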
Non-Goals (v0.76.0)
- Not a GRC platform (no workflow management, no user assignments)
- Not a policy editor (use `agent-bom policy` for that)
- Not a ticketing system (use Jira integration for that)
Implementation
- New module: `src/agent_bom/compliance_hub.py`
- New API routes: `src/agent_bom/api/routes/compliance_hub.py`
- New CLI command: `agent-bom comply import`
- New skill: `comply` (already exists, extend with import capability)
- Storage: reuse existing job/scan store with a `source_type` field
Priority
v0.76.0
Labels: enhancement, compliance, v0.76.0