Security scanner and runtime enforcement proxy for AI infrastructure.
Find CVEs, map blast radius, and detect credential exposure — then sit in the MCP data path and enforce policy in real time.
Traditional scanners tell you a package has a CVE. agent-bom tells you which AI agents are compromised, which credentials leak, which tools an attacker reaches — and then blocks it in real time.
Three capabilities, one tool: scanner (CVEs, blast radius, compliance, supply chain) + proxy (intercepts MCP traffic, enforces policy, detects 7 behavioral attack patterns) + instruction file trust (audits CLAUDE.md, .cursorrules, AGENTS.md, SKILL.md for malicious patterns, typosquatting, and Sigstore provenance). Read-only. Agentless. Open source.
CVE-2025-1234 (CRITICAL . CVSS 9.8 . CISA KEV)
|-- better-sqlite3@9.0.0 (npm)
|-- sqlite-mcp (MCP Server . unverified . root)
|-- Cursor IDE (Agent . 4 servers . 12 tools)
|-- ANTHROPIC_KEY, DB_URL, AWS_SECRET (Credentials exposed)
|-- query_db, read_file, write_file, run_shell (Tools at risk)
Fix: upgrade better-sqlite3 -> 11.7.0
AI agents run on instruction — CLAUDE.md, .cursorrules, AGENTS.md, SKILL.md. A malicious or compromised instruction file is a supply chain attack that executes with full agent permissions. agent-bom audits every instruction file it finds.
agent-bom scan --skill-only
CLAUDE.md → SUSPICIOUS (high confidence)
[CRITICAL] Credential/secret file access
"cat ~/.aws/credentials" detected — reads secret files
[HIGH] Safety confirmation bypass
"--dangerously-skip-permissions" found — disables all guardrails
[HIGH] Typosquatting risk: server name "filessystem" (→ filesystem)
[MEDIUM] External URL in instructions: https://malicious-cdn.com/hook.js
Trust categories
Purpose & Capability WARN — description vs. actual tool mismatch
Instruction Scope FAIL — file reads outside home directory
Install Mechanism FAIL — unverified install source, no Sigstore sig
Credentials WARN — 3 env vars undocumented
Persistence/Privilege PASS — no persistence, no privilege escalation
Five trust categories, 17 behavioral risk patterns, Sigstore signature verification. No network calls — fully local static analysis.
agent-bom scan --skill-only # audit all discovered instruction files
agent-bom scan --skill CLAUDE.md # audit a single specific fileOr via MCP — ask your AI assistant to audit any instruction file before running it:
skill_trust(skill_content="<paste CLAUDE.md content>")
# → { verdict: "suspicious", confidence: "high", findings: [...], categories: [...] }
pip install agent-bom
agent-bom scan # auto-discover + scan
agent-bom scan --enrich # + NVD CVSS + EPSS + CISA KEV
agent-bom scan -f html -o report.html # HTML dashboard
agent-bom scan --enforce # tool poisoning detection
agent-bom scan --fail-on-severity high -q # CI gate
agent-bom scan --image myapp:latest # Docker image scanning
agent-bom scan --k8s --all-namespaces # K8s image scanning (cluster-wide)
agent-bom scan --k8s-mcp # Discover MCP pods + CRDs in Kubernetes
agent-bom scan --include-processes # Scan running host MCP processes (psutil)
agent-bom scan --include-containers # Scan Docker containers for MCP servers
agent-bom scan --health-check # Probe discovered servers for liveness
agent-bom scan --siem splunk --siem-url https://... # Push findings to SIEM
agent-bom scan --aws --snowflake --databricks # Multi-cloud
agent-bom scan --hf-model meta-llama/Llama-3.1-8B # model provenance
agent-bom scan --vector-db-scan # Scan self-hosted + Pinecone cloud vector DBs
agent-bom scan --gpu-scan # Discover GPU containers + K8s nodes, detect unauthenticated DCGM exporters
agent-bom scan --browser-extensions # Scan Chrome/Edge/Brave/Firefox extensions for dangerous permissions
agent-bom scan --skill-only # Audit AI instruction files (CLAUDE.md, .cursorrules, AGENTS.md)
agent-bom graph report.json --format dot # Export dependency graph (DOT/Mermaid/JSON)
agent-bom proxy-configure --apply # Auto-wrap MCP configs with security proxyRuntime enforcement — sit between your MCP client and server, enforce policy in real time:
# Wrap a single server — intercept every tool call
agent-bom proxy --command "uvx mcp-server-filesystem /" --policy policy.yml
# Protect mode — run standalone detector engine
agent-bom protect --mode http
# Watch MCP configs for drift — alert on changes
agent-bom watch --webhook https://hooks.slack.com/...
# Introspect a live MCP server — list tools, detect drift
agent-bom introspect --command "uvx mcp-server-filesystem /"
agent-bom introspect --all # auto-discover all configured servers
agent-bom introspect --all --baseline baseline.json # exit 1 on new/removed tools
# Policy file — 17 conditions, zero code required
# policy.yml:
# blocked_tools: [run_shell, exec_command]
# require_agent_identity: true
# rate_limit: {threshold: 50, window_seconds: 60}Auto-discovers 20 MCP clients: Claude Desktop, Claude Code, Cursor, Windsurf, Cline, VS Code Copilot, Continue, Zed, Cortex Code, Codex CLI, Gemini CLI, Goose, Snowflake CLI, OpenClaw, Roo Code, Amazon Q, ToolHive, Docker MCP Toolkit, JetBrains AI, and Junie.
Install extras
| Mode | Command |
|---|---|
| Core CLI | pip install agent-bom |
| Cloud (all) | pip install 'agent-bom[cloud]' |
| REST API | pip install 'agent-bom[api]' |
| MCP server | pip install 'agent-bom[mcp-server]' |
| OIDC/SSO auth | pip install 'agent-bom[oidc]' |
| Dashboard | pip install 'agent-bom[ui]' |
| Docker | docker run --rm -v ~/.config:/root/.config:ro agentbom/agent-bom scan |
Upgrade / Uninstall
pip install --upgrade agent-bom # upgrade
pip uninstall agent-bom # uninstall
rm -rf ~/.agent-bom # remove local data- Discover -- auto-detect MCP configs, Docker images, K8s pods, cloud resources, model files
- Scan -- send package names + versions to public APIs (OSV.dev, NVD, EPSS, CISA KEV). No secrets leave your machine.
- Analyze -- blast radius mapping, tool poisoning detection, compliance tagging, posture scoring
- Report -- JSON, SARIF, CycloneDX, SPDX, HTML, Mermaid, or console. Alert dispatch to Slack/webhooks.
Read-only guarantee. Never writes configs, never runs servers, never stores secrets. --dry-run previews everything. Every release is Sigstore-signed.
| Traditional scanners | agent-bom | |
|---|---|---|
| Package CVE detection | Yes | Yes (OSV + NVD + EPSS + CISA KEV + GHSA + NVIDIA CSAF) |
| SBOM generation | Yes | Yes (CycloneDX 1.6, SPDX 3.0, SARIF) |
| AI agent discovery | -- | 20 MCP clients + Docker Compose + running processes + containers + K8s pods/CRDs |
| GPU/ML package scanning | -- | NVIDIA CSAF advisories for CUDA, cuDNN, PyTorch, TensorFlow, JAX, vLLM + AMD ROCm via OSV |
| AI supply chain | -- | Model provenance (pickle risk, digest, gating), HuggingFace Hub, Ollama, MLflow, W&B |
| AI cloud inventory | -- | Coreweave, Nebius, Snowflake, Databricks, OpenAI, HuggingFace Hub — config discovery + CVE tagging |
| Blast radius mapping | -- | CVE -> package -> server -> agent -> credentials -> tools |
| Credential exposure | -- | Which secrets leak per vulnerability, per agent |
| Tool poisoning detection | -- | Description injection, capability combos, drift detection |
| Privilege detection | -- | root, shell access, privileged containers, per-tool permissions |
| 11-framework compliance | -- | OWASP LLM + MCP + Agentic + AISVS v1.0, MITRE ATLAS, NIST AI RMF + CSF, EU AI Act, SOC 2, ISO 27001, CIS |
| MITRE ATT&CK mapping | -- | Dynamic technique lookup by tactic phase (no hardcoded T-codes) |
| Posture scorecard | -- | Letter grade (A-F), 6 dimensions, incident correlation (P1-P4) |
| Policy-as-code + Jira | -- | 17 conditions, CI gate, auto-create Jira tickets for violations |
| SIEM push | -- | Splunk HEC, Datadog Logs, Elasticsearch — raw or OCSF format |
| Proxy auto-configure | -- | Wrap every MCP server config with agent-bom proxy in one command |
| Server health checks | -- | Lightweight liveness probe — reachable, tool count, latency, protocol |
| Lateral movement analysis | -- | Agent context graph, shared credentials, BFS attack paths |
| 427+ server MCP registry | -- | Risk levels, tool inventories, auto-synced weekly |
| Cloud vector DB scanning | -- | Pinecone index inventory, risk flags, replica counts via API key |
| Dependency graph export | -- | DOT, Mermaid, JSON — agent → server → package → CVE graph |
| OIDC/SSO authentication | -- | JWT verification (Okta, Google, Azure AD, Auth0) for REST API |
| Instruction file trust | -- | SKILL.md/CLAUDE.md/.cursorrules — 17 behavioral patterns, typosquat detection, Sigstore provenance verification |
| Browser extension scanning | -- | Chrome/Edge/Firefox manifest.json — nativeMessaging, dangerous permissions, AI assistant domain access |
What it scans
| Source | How |
|---|---|
| MCP configs | Auto-discover (20 clients + Docker Compose) |
| Docker images | Grype / Syft / Docker CLI fallback |
| Kubernetes | kubectl across namespaces |
| Cloud providers | AWS, Azure, GCP, Databricks, Snowflake, Coreweave, Nebius |
| AI cloud services | OpenAI, HuggingFace Hub, W&B, MLflow, Ollama |
| GPU/ML packages | PyTorch, TF, JAX, vLLM, CUDA toolkit, cuDNN, TensorRT, ROCm |
| Terraform / GitHub Actions | AI resources + env vars |
| Jupyter notebooks | AI library imports + model refs |
| Model files | 13 formats (.gguf, .safetensors, .pkl, ...) |
| Skill files | CLAUDE.md, .cursorrules, AGENTS.md — behavioral audit, typosquat detection, Sigstore trust verification |
| Browser extensions | Chrome, Brave, Edge, Firefox — dangerous permission detection (nativeMessaging, cookies, AI host access) |
| Existing SBOMs | CycloneDX / SPDX import |
What it outputs
Console, HTML dashboard, SARIF, CycloneDX 1.6, SPDX 3.0, Prometheus, OTLP, JSON, Mermaid, Cytoscape graph JSON, REST API.
agent-bom scan -f cyclonedx -o ai-bom.cdx.json # CycloneDX 1.6
agent-bom scan -f spdx -o ai-bom.spdx.json # SPDX 3.0
agent-bom scan -f sarif -o results.sarif # GitHub Security tab
agent-bom scan -f html -o report.html # Interactive dashboard
agent-bom scan -f graph -o graph.json # Cytoscape-compatible| Mode | Command | Best for |
|---|---|---|
| CLI | agent-bom scan |
Local audit |
| GitHub Action | `uses: msaad00/agent-bom@v0.64.0 | CI/CD + SARIF |
| Docker | docker run agentbom/agent-bom scan |
Isolated scans |
| REST API | agent-bom api |
Dashboards, SIEM |
| MCP Server | agent-bom mcp-server (23 tools) |
Inside any MCP client |
| Dashboard | agent-bom serve · Full deploy guide |
API + Next.js UI (15 pages) · Postgres/Supabase |
| Runtime proxy | agent-bom proxy |
Intercept + enforce MCP traffic in real time |
| Protect engine | agent-bom protect |
7 behavioral detectors (rug pull, injection, exfil, credential leak) |
| Config watcher | agent-bom watch |
Filesystem watch on MCP configs, alert on drift |
| Pre-install guard | agent-bom guard pip install <pkg> |
Block vulnerable installs |
| Snowflake | DEPLOYMENT.md | Snowpark + SiS |
GitHub Action
- uses: msaad00/agent-bom@v0.64.0
with:
severity-threshold: high
upload-sarif: true
enrich: true
fail-on-kev: trueREST API
pip install agent-bom[api]
agent-bom api --api-key $SECRET --rate-limit 30 # http://127.0.0.1:8422/docs| Endpoint | Description |
|---|---|
POST /v1/scan |
Start async scan |
GET /v1/scan/{id} |
Results + status |
GET /v1/scan/{id}/attack-flow |
Per-CVE blast radius graph |
GET /v1/registry |
427+ server registry |
GET /v1/compliance |
Full 11-framework compliance posture |
GET /v1/posture |
Enterprise posture scorecard (A-F) |
GET /v1/posture/credentials |
Credential risk ranking |
GET /v1/posture/incidents |
Incident correlation (P1-P4) |
POST /v1/traces |
OpenTelemetry trace ingestion |
GET /v1/scan/{id}/context-graph |
Lateral movement paths |
GET /v1/malicious/check |
Malicious package check |
GET /v1/proxy/status |
Live proxy metrics (tool calls, blocked, latency p95) |
GET /v1/proxy/alerts |
Runtime behavioral alerts from audit log |
GET /v1/audit |
Query JSONL audit trail (HMAC integrity verified) |
WS /ws/proxy/metrics |
Live metrics push every second (tool_calls, blocked, latency_p95) |
WS /ws/proxy/alerts |
Real-time alert stream — new alerts arrive as they happen |
Pre-install guard
Scan packages against OSV and NVD before they are installed. Blocks installs when critical/high CVEs are found.
agent-bom guard pip install requests flask # scan then install
agent-bom guard npm install express # same for npm
# Shell alias — intercept every install automatically
alias pip='agent-bom guard pip'
alias npm='agent-bom guard npm'Options:
--min-severity— minimum severity to block (critical,high,medium; default:high)--allow-risky— warn but proceed instead of blocking
Cloud providers
| Provider | Depth | Install |
|---|---|---|
| Snowflake | Deep (Cortex, MCP, governance, observability) | pip install 'agent-bom[snowflake]' |
| AWS | Standard (Bedrock, Lambda, EKS, ECS, SageMaker) | pip install 'agent-bom[aws]' |
| Azure | Standard (OpenAI, Functions, AI Foundry, Container Apps) | pip install 'agent-bom[azure]' |
| GCP | Standard (Vertex AI, Cloud Functions, GKE, Cloud Run) | pip install 'agent-bom[gcp]' |
| Databricks | Preview (Cluster packages, model serving) | pip install 'agent-bom[databricks]' |
| Nebius | Preview (Managed K8s, containers) | pip install 'agent-bom[nebius]' |
| CoreWeave | Via K8s | --k8s --context=coreweave-cluster |
| Platform | Link |
|---|---|
| PyPI | pip install agent-bom |
| Docker | docker run agentbom/agent-bom scan |
| GitHub Action | `uses: msaad00/agent-bom@v0.64.0 |
| Glama | glama.ai/mcp/servers/@msaad00/agent-bom |
| MCP Registry | server.json |
| ToolHive | registry entry |
| OpenClaw | SKILL.md |
| Smithery | smithery.yaml |
| Railway | Dockerfile.sse |
Engine internals
See docs/ARCHITECTURE.md for full diagrams: data flow pipeline, blast radius propagation, compliance framework mapping, integration architecture, and deployment topology.
- Read-only -- never writes configs, runs servers, provisions resources, or stores secrets
- Credential redaction -- only env var names in reports; values never read or logged
- No shell injection -- subprocess uses
asyncio.create_subprocess_exec; command + args validated before every spawn - No SSRF -- all outbound URLs hardcoded or validated; DNS rebinding defense blocks private/loopback/cloud-metadata ranges
- No path traversal --
validate_path(restrict_to_home=True)on all user-supplied paths; MCP tool inputs sanitized - No SQL injection -- all database queries use parameterized statements
- Proxy size guard -- messages >10 MB dropped before parsing; protects against DoS
- Audit integrity -- JSONL audit logs stored at
0600, HMAC-signed (SHA-256). SetAGENT_BOM_AUDIT_HMAC_KEYin production for cross-restart verifiability. - API security -- scrypt KDF for API keys, RBAC (admin/analyst/viewer), OIDC/JWT (RS256/ES256,
nonealgorithm rejected), constant-time comparison --dry-run-- preview every file and API URL before access- Sigstore signed -- releases v0.7.0+ signed via cosign OIDC
- OpenSSF Scorecard -- automated supply chain scoring
- OpenSSF Best Practices -- passing badge (100%) — 67/67 criteria
- Continuous fuzzing -- ClusterFuzzLite fuzzes SBOM parsers, policy evaluator, and skill parser
- PERMISSIONS.md -- full auditable trust contract
GPU / AI compute
- GPU container discovery (Docker — NVIDIA images, CUDA labels,
--gpusruntime) - Kubernetes GPU node inventory (nvidia.com/gpu capacity/allocatable, CUDA driver labels)
- Unauthenticated DCGM exporter detection (port 9400 metrics leak)
- Remote Docker host scanning (currently local daemon only)
- NVIDIA GPU CVE feed — CUDA/cuDNN specific advisories beyond OSV
- GPU utilization and memory anomaly detection
AI supply chain
- OSV + GHSA + NVD + EPSS + CISA KEV vulnerability enrichment
- ML model file scanning (.gguf, .safetensors, .onnx) + SHA-256 + Sigstore
- HuggingFace model provenance and dataset card scanning
- Dataset poisoning detection
- Training pipeline scanning (MLflow DAGs, Kubeflow pipelines)
- Model card authenticity verification (beyond hash/sigstore)
Agents / MCP
- 20 MCP client config discovery paths, live introspection, tool drift detection
- Runtime proxy with 7 behavioral detectors (rug pull, injection, credential leak, exfil sequences, response cloaking, vector DB injection, semantic injection scoring)
- Semantic injection scoring — weighted 10-signal model, 0.0–1.0 risk score, MEDIUM/HIGH alerts
- Agent memory / vector store content scanning for injected instructions
- LLM API call tracing (which model was called, with what context)
Identity / access
- OIDC/JWT auth for REST API (Okta, Google Workspace, Azure AD, Auth0, GitHub OIDC)
- Agent-level identity — JWT/opaque token in
_meta.agent_identity, tracked on every audit log entry,require_agent_identitypolicy enforcement - MCP server identity attestation — cryptographic proof of server identity at runtime
- Agent-to-agent permission boundary enforcement
Compliance / standards
- 11 frameworks: OWASP LLM, OWASP MCP, OWASP Agentic, OWASP AISVS v1.0, ATLAS, NIST AI RMF, EU AI Act, NIST CSF, ISO 27001, SOC 2, CIS Controls
- CIS AI benchmarks (pending CIS publication)
- License compliance engine (OSS license risk flagging)
- Workflow engine scanning (n8n, Zapier, Make)
Ecosystem coverage
- Maven / Go ecosystem — test coverage thin (PyPI, npm, cargo, pip best covered)
- Windows container support (currently Linux-focused for Docker GPU discovery)
See the full list of shipped features.
git clone https://github.com/msaad00/agent-bom.git && cd agent-bom
pip install -e ".[dev]"
pytest && ruff check src/See CONTRIBUTING.md | SECURITY.md | CODE_OF_CONDUCT.md
Apache 2.0 -- LICENSE