AI supply chain security scanner — CVE scanning, blast radius analysis, policy enforcement, and SBOM generation for MCP servers and AI agents

msaad00/agent-bom


agent-bom

AI Bill of Materials generator. CVE scanning for AI agents and MCP servers. Blast radius mapping. Privilege detection. OWASP LLM Top 10 + MITRE ATLAS + NIST AI RMF.

[Image: agent-bom architecture]

[Image: blast radius attack surface]


Why agent-bom?

Grype tells you a package has a CVE. agent-bom tells you which AI agents are compromised, which credentials leak, which tools an attacker reaches, and what the business impact is.

```text
CVE-2025-1234  (CRITICAL · CVSS 9.8 · CISA KEV)
  └─ better-sqlite3@<version>  (npm)
       └─ sqlite-mcp  (MCP Server · unverified · 🛡 root)
            ├─ Cursor IDE  (Agent · 4 servers · 12 tools)
            ├─ ANTHROPIC_KEY, DB_URL, AWS_SECRET  (Credentials exposed)
            └─ query_db, read_file, write_file, run_shell  (Tools at risk)

 Fix: upgrade better-sqlite3 → 11.7.0
```
| Capability | Grype / Syft / Trivy | agent-bom |
|---|---|---|
| Package CVE detection | Yes | Yes — OSV + NVD CVSS v4 + EPSS + CISA KEV |
| SBOM generation | Yes (Syft) | Yes — CycloneDX 1.6, SPDX 3.0, SARIF |
| AI agent discovery | No | 13 MCP clients + Docker Compose auto-discovered |
| Blast radius mapping | No | CVE → package → server → agent → credentials → tools |
| Credential exposure | No | Which secrets leak per vulnerability, per agent |
| MCP tool reachability | No | Which tools an attacker reaches post-exploit |
| Privilege detection | No | runs_as_root, shell_access, container_privileged, per-tool permissions |
| Enterprise remediation | No | Named assets, impact percentages, risk narratives |
| Triple-framework tagging | No | OWASP LLM Top 10 + MITRE ATLAS + NIST AI RMF |
| Policy-as-code | No | Block unverified servers, enforce thresholds in CI/CD |
| 427+ server MCP registry | No | Risk levels, tool inventories, auto-synced weekly |

What it scans:

| Source | How |
|---|---|
| MCP configs | Auto-discover (13 clients + Docker Compose) |
| Docker images | Grype / Syft / Docker CLI fallback |
| Kubernetes | kubectl across namespaces |
| Cloud providers | AWS, Azure, GCP, Databricks, Snowflake, Nebius |
| Terraform / GitHub Actions | AI resources + env vars |
| AI platforms | HuggingFace, W&B, MLflow, OpenAI |
| Jupyter notebooks | AI library imports + model refs |
| Model files | 13 formats (.gguf, .safetensors, .pkl, ...) |
| Skill files | CLAUDE.md, .cursorrules, AGENTS.md |
| Prompt templates | .prompt, .promptfile, prompt.yaml |
| Ollama models | Local inventory via API + manifests |
| Existing SBOMs | CycloneDX / SPDX import |

What it outputs:

Console, HTML dashboard, SARIF, CycloneDX 1.6, SPDX 3.0, Prometheus, OTLP, JSON, REST API

Read-only guarantee: Never writes configs, never runs servers, never stores secrets. All API calls are read-only. See PERMISSIONS.md.

Ecosystem:

| Platform | Link |
|---|---|
| PyPI | `pip install agent-bom` |
| Docker | `docker run agentbom/agent-bom scan` |
| GitHub Action | `uses: msaad00/agent-bom@<release-tag>` |
| MCP Registry | server.json |
| ToolHive | registry entry |
| OpenClaw | SKILL.md |
| Smithery | smithery.yaml |
| Railway | Dockerfile.sse |

Enterprise deployment topology


Get started

pip install agent-bom

agent-bom scan                                     # auto-discover + scan
agent-bom scan --enrich                            # + NVD CVSS + EPSS + CISA KEV
agent-bom scan -f html -o report.html              # HTML dashboard
agent-bom scan --fail-on-severity high -q          # CI gate
agent-bom scan --image myapp:latest                # Docker image scanning
agent-bom scan --k8s --all-namespaces              # K8s cluster
agent-bom scan --aws --snowflake --databricks      # Multi-cloud

Auto-discovers Claude Desktop, Claude Code, Cursor, Windsurf, Cline, VS Code Copilot, Continue, Zed, Cortex Code, OpenClaw, ToolHive, Docker MCP Toolkit, and VS Code native MCP.

Install extras
| Mode | Command |
|---|---|
| Core CLI | `pip install agent-bom` |
| Cloud (all) | `pip install 'agent-bom[cloud]'` |
| AWS | `pip install 'agent-bom[aws]'` |
| Snowflake | `pip install 'agent-bom[snowflake]'` |
| Databricks | `pip install 'agent-bom[databricks]'` |
| Nebius GPU cloud | `pip install 'agent-bom[nebius]'` |
| REST API | `pip install 'agent-bom[api]'` |
| Dashboard | `pip install 'agent-bom[ui]'` |
| AI enrichment | `pip install 'agent-bom[ai-enrich]'` |
| MCP server | `pip install 'agent-bom[mcp-server]'` |
| OpenTelemetry | `pip install 'agent-bom[otel]'` |
| Docker | `docker run --rm -v ~/.config:/root/.config:ro agentbom/agent-bom scan` |

Core capabilities

CVE scanning + blast radius

Every vulnerability is mapped through your AI stack: which agents are affected, which credentials are exposed, which MCP tools an attacker can reach, and what to fix first.

Enrichment sources: OSV batch (primary), NVD CVSS v4, FIRST EPSS exploit probability, CISA KEV active exploitation catalog.
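The CVE → package → server → agent → credentials → tools walk described above, as an added illustration that is not agent-bom's own code. The inventory, the advisory feed and the `CVE-0000-EXAMPLE` id are constructed samples; one vulnerable package is shared by two servers wired into the same agent, so the walk shows de-duplication and the per-agent impact percentage.

```python
# Added illustration of agent-bom's blast-radius walk; not the project's own code.
# Inventory and advisory data are constructed samples with a placeholder CVE id.

# server name -> {packages, env (credential var names), tools}
SERVERS = {
    "sqlite-mcp": {"packages": {"fast-db": "1.2.3"},
                   "env": ["DB_URL", "AWS_SECRET"], "tools": ["query_db", "run_shell"]},
    "fs-mcp": {"packages": {"fast-db": "1.2.3", "left-pad": "1.0.0"},
               "env": ["ANTHROPIC_KEY"], "tools": ["read_file", "write_file"]},
    "time-mcp": {"packages": {"tz-data": "2024.1"}, "env": [], "tools": ["now"]},
}
# agent (MCP client) -> servers wired into it
AGENTS = {"Cursor IDE": ["sqlite-mcp", "fs-mcp", "time-mcp"], "Claude Desktop": ["time-mcp"]}
# package -> advisories (CVE id is a placeholder, not a real identifier)
VULNS = {"fast-db": [{"id": "CVE-0000-EXAMPLE", "affected": {"1.2.3"}, "fixed": "1.2.4"}]}


def blast_radius(vulns, servers, agents):
    """Map each matching CVE to the servers, agents, credentials and tools it reaches."""
    out = {}
    for sname, srv in servers.items():
        for pkg, ver in srv["packages"].items():
            for adv in vulns.get(pkg, []):
                if ver not in adv["affected"]:
                    continue                      # installed version not affected
                r = out.setdefault(adv["id"], {
                    "package": f"{pkg}@{ver}", "fix": adv["fixed"], "servers": set(),
                    "agents": set(), "credentials": set(), "tools": set()})
                r["servers"].add(sname)
                r["credentials"].update(srv["env"])   # secrets an exploited server holds
                r["tools"].update(srv["tools"])       # tools reachable post-exploit
                r["agents"].update(a for a, wired in agents.items() if sname in wired)
    for r in out.values():                            # impact share for the fix narrative
        r["agent_pct"] = round(100 * len(r["agents"]) / len(agents))
    return out


def render(result):
    """Console tree in the style of the README example."""
    lines = []
    for cve, r in result.items():
        lines += [cve, f"  └─ {r['package']}",
                  f"       ├─ {', '.join(sorted(r['servers']))}  (servers)",
                  f"       ├─ {', '.join(sorted(r['agents']))}  ({r['agent_pct']}% of agents)",
                  f"       ├─ {', '.join(sorted(r['credentials']))}  (credentials exposed)",
                  f"       └─ {', '.join(sorted(r['tools']))}  (tools at risk)",
                  f"  Fix: upgrade to {r['fix']}"]
    return "\n".join(lines)
```

Calling `print(render(blast_radius(VULNS, SERVERS, AGENTS)))` prints one tree per matched CVE; a package that is installed but not in the affected set produces no entry.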

Privilege detection

Every MCP server is assessed for privilege escalation risk:

| Signal | Detection |
|---|---|
| runs_as_root | sudo in command/args, Docker Config.User empty/"0"/"root" |
| shell_access | bash/sh/zsh/powershell command, exec/shell tools |
| container_privileged | Docker HostConfig.Privileged, CapAdd/CapDrop |
| tool_permissions | Per-tool read/write/execute/destructive classification |

Privilege levels: critical (privileged container, CAP_SYS_ADMIN) → high (root, shell) → medium (fs write, network) → low (read-only).
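The signal table and level ordering above, as an added heuristic illustration that is not agent-bom's own implementation. It takes a server's command and args, an optional `docker inspect`-style dict (`Config.User`, `HostConfig.Privileged`, `HostConfig.CapAdd`) and an optional tool → permission map; treating any non-empty `CapAdd` as a `container_privileged` signal that ranks high unless it includes `SYS_ADMIN` is an assumption of this example.

```python
# Added illustration of the privilege signals in the table above; not agent-bom's own
# code. Inputs: server command/args, an optional docker-inspect style dict, and an
# optional tool -> permission map (read/write/execute/destructive). Heuristic only.
import os

SHELLS = {"bash", "sh", "zsh", "powershell"}
ROOT_USERS = {"", "0", "root"}           # Docker Config.User values that mean root


def privilege_signals(command, args=(), docker=None, tool_perms=None):
    """Return the set of privilege signals detected for one MCP server entry."""
    names = {os.path.basename(str(a)).lower() for a in (command, *args)}
    tool_perms = tool_perms or {}
    sig = set()
    if "sudo" in names:                        # sudo anywhere in command/args
        sig.add("runs_as_root")
    if names & SHELLS or any("exec" in t or "shell" in t for t in tool_perms):
        sig.add("shell_access")                # shell launcher or exec/shell-named tool
    if docker:                                 # Config.User and HostConfig from inspect
        user = str((docker.get("Config") or {}).get("User") or "").split(":")[0]
        if user in ROOT_USERS:
            sig.add("runs_as_root")
        host = docker.get("HostConfig") or {}
        if host.get("Privileged") or host.get("CapAdd"):
            sig.add("container_privileged")    # assumption: any CapAdd counts
    if any(p in ("write", "destructive") for p in tool_perms.values()):
        sig.add("tool_permissions")            # fs write / destructive tool present
    return sig


def privilege_level(command, args=(), docker=None, tool_perms=None):
    """Rank critical > high > medium > low following the README's ordering."""
    sig = privilege_signals(command, args, docker, tool_perms)
    host = (docker or {}).get("HostConfig") or {}
    caps = {c.upper().removeprefix("CAP_") for c in host.get("CapAdd") or []}
    if host.get("Privileged") or "SYS_ADMIN" in caps:
        return "critical", sig                 # privileged container / CAP_SYS_ADMIN
    if sig & {"runs_as_root", "shell_access", "container_privileged"}:
        return "high", sig                     # root, shell, or extra capabilities
    if "tool_permissions" in sig:
        return "medium", sig                   # fs write
    return "low", sig                          # read-only
```

The basename match is deliberately coarse (an argument that happens to be named `sh` also trips it); a real scanner would pair it with the per-tool classification before reporting.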

Triple-framework threat mapping

Every finding is tagged against three frameworks simultaneously:

  • OWASP LLM Top 10 — LLM01 through LLM10 (6 categories triggered)
  • MITRE ATLAS — AML.T0010, AML.T0043, AML.T0051, etc. (8 techniques mapped)
  • NIST AI RMF 1.0 — Govern, Map, Measure, Manage (12 subcategories mapped)

Enterprise remediation

Each fix tells you exactly what will be protected — named agents, credentials, tools, percentages, threat tags, and risk narratives.

AI-BOM export

agent-bom scan -f cyclonedx -o ai-bom.cdx.json   # CycloneDX 1.6
agent-bom scan -f spdx -o ai-bom.spdx.json       # SPDX 3.0
agent-bom scan -f sarif -o results.sarif           # GitHub Security tab
agent-bom scan -f json -o ai-bom.json             # Full AI-BOM
agent-bom scan -f html -o report.html              # Interactive dashboard

Policy-as-code

agent-bom scan --policy policy.json --fail-on-severity high

Cloud provider discovery

agent-bom scan --aws --aws-region us-east-1       # Bedrock, Lambda, EKS, ECS, SageMaker, EC2
agent-bom scan --snowflake                         # Cortex Agents, MCP Servers, Search, Snowpark
agent-bom scan --databricks                        # Cluster libraries, model serving
agent-bom scan --nebius --nebius-project-id proj   # GPU cloud K8s + containers
agent-bom scan --k8s --context=coreweave-cluster   # CoreWeave / any K8s
Cloud provider details

| Provider | What's discovered | Install |
|---|---|---|
| AWS | Bedrock agents, Lambda, EKS, Step Functions, EC2, ECS, SageMaker | `pip install 'agent-bom[aws]'` |
| Snowflake | Cortex Agents, native MCP Servers, Search, Snowpark, Streamlit, query history | `pip install 'agent-bom[snowflake]'` |
| Databricks | Cluster packages, model serving endpoints | `pip install 'agent-bom[databricks]'` |
| Azure | AI Foundry agents, Container Apps | `pip install 'agent-bom[azure]'` |
| GCP | Vertex AI endpoints, Cloud Run | `pip install 'agent-bom[gcp]'` |
| Nebius | Managed K8s, container services | `pip install 'agent-bom[nebius]'` |
| CoreWeave | K8s-native | `--k8s --context=coreweave-cluster` (core CLI) |
| Ollama | Local model inventory via API + manifests | (core CLI) |

Additional capabilities

MCP runtime introspection

Connect to live servers to discover runtime tools/resources and detect drift from configs. Read-only — only calls tools/list and resources/list.

agent-bom scan --introspect

Skill file scanning + security audit

Scan CLAUDE.md, .cursorrules, AGENTS.md for embedded MCP servers, packages, and credentials. 7 security checks: typosquat detection, shell access, dangerous server names, unverified servers, excessive credentials, external URLs, unknown packages.

agent-bom scan --skill CLAUDE.md    # explicit
agent-bom scan --skill-only         # skills only
agent-bom scan --no-skill           # skip skills

Prompt template scanning

Scan .prompt, .promptfile, system_prompt.*, prompt.yaml/json files for hardcoded secrets, prompt injection patterns, unsafe instructions, and sensitive data exposure.

agent-bom scan --scan-prompts

AI-powered enrichment

LLM-generated risk narratives, executive summaries, and threat chain analysis. Works with local Ollama (free) or 100+ providers via litellm.

agent-bom scan --ai-enrich                              # auto-detect Ollama
agent-bom scan --ai-enrich --ai-model ollama/llama3      # specific model
agent-bom scan --ai-enrich --ai-model openai/gpt-4o-mini # cloud LLM

Jupyter notebook + model file scanning

Detect 29+ AI libraries, pip installs, credentials in notebooks. Scan 13 model file formats with security flags for pickle-based formats.

agent-bom scan --jupyter ./notebooks
agent-bom scan --model-files ./models

Attack flow visualization

CLI attack flow tree, interactive HTML graphs (Cytoscape.js), per-CVE React Flow diagrams via REST API.

agent-bom scan --aws -f graph -o graph.json   # export graph data

Deployment

| Mode | Command | Best for |
|---|---|---|
| CLI | `agent-bom scan` | Local audit |
| Pre-install check | `agent-bom check <package>@<version> -e npm` | Before running MCP servers |
| GitHub Action | `uses: msaad00/agent-bom@<release-tag>` | CI/CD + SARIF |
| Docker | `docker run agentbom/agent-bom scan` | Isolated scans |
| REST API | `agent-bom api` | Dashboards, SIEM |
| MCP Server | `agent-bom mcp-server` | Inside any MCP client |
| Dashboard | `agent-bom serve` | Team UI |
| Prometheus | `--push-gateway` / `--otel-endpoint` | Monitoring |

GitHub Action

- uses: msaad00/agent-bom@<release-tag>
  with:
    severity-threshold: high
    upload-sarif: true
    enrich: true
    fail-on-kev: true

REST API

pip install 'agent-bom[api]'
agent-bom api --api-key $SECRET --rate-limit 30   # http://127.0.0.1:8422/docs

| Endpoint | Description |
|---|---|
| POST /v1/scan | Start async scan |
| GET /v1/scan/{id} | Results + status |
| GET /v1/scan/{id}/attack-flow | Per-CVE blast radius graph |
| GET /v1/registry | 427+ server registry |

MCP Server

pip install 'agent-bom[mcp-server]'
agent-bom mcp-server                    # stdio
agent-bom mcp-server --transport sse    # remote

8 tools: scan, check, blast_radius, policy_check, registry_lookup, generate_sbom, compliance, remediate

Cloud UI

cd ui && npm install && npm run dev   # http://localhost:3000

Security posture dashboard, vulnerability explorer, attack flow diagrams, supply chain graph, registry browser, enterprise scan form.


MCP Server Registry (427+ servers)

Curated registry of 427+ known MCP servers with risk levels, tool inventories, credential env vars, categories, and version pins. Auto-synced weekly from the Official MCP Registry. Unverified servers trigger warnings. Policy rules can block them in CI.

Browse: mcp_registry.json | Expand: python scripts/expand_registry.py


AI supply chain coverage

| Layer | Coverage | Examples |
|---|---|---|
| GPU clouds | `--k8s` | CoreWeave, Lambda Labs, Paperspace |
| AI platforms | Cloud modules | Bedrock, Vertex AI, Snowflake Cortex, Databricks |
| Containers | `--image` | NVIDIA NIM, vLLM, Ollama, any OCI image |
| AI frameworks | Dependency scan | LangChain, LlamaIndex, AutoGen, PyTorch |
| MCP ecosystem | Auto-discovery + registry | 13 clients, 427+ servers |
| LLM providers | API key + SDK detection | OpenAI, Anthropic, Cohere, Mistral |
| IaC + CI/CD | `--tf-dir`, `--gha` | Terraform AI resources, GitHub Actions |

Trust & permissions

  • --dry-run — preview every file and API URL before access
  • PERMISSIONS.md — auditable trust contract
  • Read-only — never writes configs, runs servers, or stores secrets
  • Sigstore signed — releases v0.7.0+ signed via cosign
  • Credential redaction — only env var names in reports

Roadmap

  • CIS AI benchmarks
  • Agent guardrails engine — runtime policy enforcement
  • EU AI Act compliance mapping
  • Multi-language SDK detection (Go, Rust, Java)
  • Workflow engine scanning (n8n, Zapier, Make)
  • License compliance engine

Contributing

git clone https://github.com/msaad00/agent-bom.git && cd agent-bom
pip install -e ".[dev]"
pytest && ruff check src/

See CONTRIBUTING.md | SECURITY.md | Skills


Apache 2.0 — LICENSE
