Open security platform for agentic infrastructure. Broad scanning, blast radius, runtime, and trust.

Your AI agent's dependencies have a CVE. Which credentials leak?

CVE-2025-1234  (CRITICAL · CVSS 9.8 · CISA KEV)
  |── better-sqlite3@9.0.0  (npm)
       |── sqlite-mcp  (MCP Server · unverified · root)
            |── Cursor IDE  (Agent · 4 servers · 12 tools)
            |── ANTHROPIC_KEY, DB_URL, AWS_SECRET  (Credentials exposed)
            |── query_db, read_file, write_file, run_shell  (Tools at risk)

 Fix: upgrade better-sqlite3 → 11.7.0

agent-bom maps the blast radius: CVE → package → MCP server → AI agent → credentials → tools.

Traditional scanners often stop at CVE → package. agent-bom shows which credentials and tools are actually at risk — with CWE-aware impact classification so a DoS vuln doesn't falsely claim credential exposure.

Quick start

pip install agent-bom

agent-bom agents                              # Discover + scan local AI agents and MCP servers
agent-bom agents -p .                         # Scan project manifests plus agent/MCP context
agent-bom mesh --project .                    # Show the live agent / MCP topology
agent-bom skills scan .                       # Scan CLAUDE.md, AGENTS.md, .cursorrules, skills/*
agent-bom check flask@2.0.0 --ecosystem pypi  # Pre-install CVE gate
agent-bom image nginx:latest                  # Container image scan
agent-bom iac Dockerfile k8s/ infra/main.tf   # IaC scan across one or more paths

More commands

agent-bom cloud aws                     # Cloud AI posture + CIS benchmarks
agent-bom agents -f cyclonedx -o bom.json  # AI BOM / SBOM export
agent-bom graph report.json                # Blast radius graph / graph HTML inputs
agent-bom proxy "npx @mcp/server-fs /ws"   # MCP security proxy
agent-bom secrets src/                  # Hardcoded secrets + PII
agent-bom verify requests@2.33.0        # Package integrity verification
agent-bom serve                         # API + Next.js dashboard

---

Use it by environment

Environment	Recommendation
Developer laptop	pip install agent-bom is fine. It is read-only, does not install a daemon, and does not open a network listener by default.
CI/CD	Use the GitHub Action or docker run --rm agentbom/agent-bom. It is isolated by default and easy to gate on exit code or SARIF.
Enterprise fleet	Deploy agent-bom serve in its own container or namespace with OIDC/RBAC and a real backend. Use the CLI or Action on endpoints and repos; use the API for fleet visibility.
Air-gapped / isolated	Pre-sync the local DB, copy the cache, and run with --offline or auto-update-db: false.

Claude, Cortex, and MCP integration

Use agent-bom itself as an MCP tool surface:

agent-bom mcp server

That lets Claude Desktop, Claude Code, Cortex CoCo, Cursor, Windsurf, and other MCP-capable clients call the scanner directly through the MCP server mode.

Claude Code

claude mcp add agent-bom -- uvx agent-bom mcp server

Cortex CoCo

Add to ~/.snowflake/cortex/mcp.json:

{
  "mcpServers": {
    "agent-bom": {
      "command": "uvx",
      "args": ["agent-bom", "mcp", "server"]
    }
  }
}

Runtime monitoring / proxy mode

Wrap a third-party MCP server with the proxy when you want runtime inspection instead of just scanning:

agent-bom proxy "npx @modelcontextprotocol/server-filesystem /workspace"

The proxy inspects MCP JSON-RPC traffic with drift, credential, injection, sequence, and capability-aware detectors before forwarding to the real server.

---

How it works

flowchart LR
    DISCOVER["🔍 Discover\n30 MCP clients\nProjects · Images · Cloud"] --> SCAN["🛡️ Scan\n15 ecosystems\nCVE · Secrets · IaC"]
    SCAN --> ANALYZE["📊 Analyze\nBlast radius\n14 frameworks · CWE impact"]
    ANALYZE --> OUTPUT["📤 Output\nCI/CD gates · SARIF · SBOM\nAPI · Dashboard · MCP tools"]
    DISCOVER -.-> PROTECT["🔒 Protect\nRuntime proxy\nShield SDK · policy"]

    style DISCOVER stroke:#58a6ff,stroke-width:2px
    style SCAN stroke:#f85149,stroke-width:2px
    style ANALYZE stroke:#d29922,stroke-width:2px
    style OUTPUT stroke:#3fb950,stroke-width:2px
    style PROTECT stroke:#f778ba,stroke-width:2px,stroke-dasharray: 5 5

Loading

Blast radius — what makes agent-bom different

flowchart LR
    CVE["🔴 CVE-2025-1234\nCRITICAL · CVSS 9.8\nCISA KEV · EPSS 94%"]
    PKG["📦 better-sqlite3\n@9.0.0"]
    SRV["🔧 sqlite-mcp\nMCP Server"]
    AGT["🤖 Cursor IDE\n4 servers · 12 tools"]
    CRED["🔑 ANTHROPIC_KEY\nDB_URL · AWS_SECRET"]

    CVE --> PKG --> SRV --> AGT --> CRED

    style CVE stroke:#f85149,stroke-width:2px
    style PKG stroke:#d29922,stroke-width:2px
    style SRV stroke:#58a6ff,stroke-width:2px
    style AGT stroke:#3fb950,stroke-width:2px
    style CRED stroke:#f85149,stroke-width:2px

Loading

Blast radius is CWE-aware: an RCE (CWE-94) shows full credential exposure, a DoS (CWE-400) does not. Impact categories: code-execution, credential-access, file-access, injection, ssrf, data-leak, availability, client-side.

---

Coverage at a glance

Agents, MCP, and skills

• 30 MCP client types auto-detected: Claude Desktop, Claude Code, Cursor, Windsurf, VS Code, Codex CLI, Gemini CLI, and more
• MCP servers, tools, transports, trust posture, and capability risk scoring
• Instruction files and skills: CLAUDE.md, AGENTS.md, .cursorrules, .windsurfrules, skills/*
• Deterministic skill bundle identity, trust analysis, and tool-poisoning detection

Supply chain, packages, and SBOM

• 15 ecosystems across language, OS, and agent package surfaces
• OSV, NVD, GHSA, EPSS, and CISA KEV enrichment
• Blast radius mapping: CVE → package → MCP server → agent → credentials → tools
• CycloneDX 1.6 with ML BOM extensions, SPDX 3.0, VEX, SARIF, HTML, graph, JSON, and more

Containers, IaC, cloud, and secrets

• Native OCI parser for images and running containers
• IaC coverage for Dockerfile, Terraform, CloudFormation, Helm, and Kubernetes manifests
• Cloud AI and infra discovery across AWS, Azure, GCP, Databricks, Snowflake, GPU/DCGM probes, and vector data stores
• Secrets and PII scanning across source, config, lockfiles, and environment-adjacent files

Runtime, policy, and trust

• MCP proxy enforcement with 8 behavioral detectors and 112 detection patterns
• Capability-aware risk, drift detection, credential redaction, and kill-switch controls
• 14 compliance frameworks mapped onto findings, including OWASP, MITRE, NIST, ISO, SOC 2, CIS, CMMC, and the EU AI Act

Read-only. Agentless. No secrets leave your machine.

---

Runtime protection

MCP security proxy with 112 detection patterns, 8 detectors, PII redaction, and kill switch:

agent-bom proxy "npx @mcp/server-filesystem /workspace"

Shield SDK — drop-in Python middleware:

from agent_bom.shield import Shield
shield = Shield(deep=True)
alerts = shield.check_tool_call("exec", {"command": "rm -rf /"})
safe = shield.redact(response_text)  # [REDACTED:OpenAI API Key]

---

Compliance (14 frameworks)

Every finding is tagged with mapped framework controls:

Framework	Coverage
OWASP LLM Top 10	10 mapped categories
OWASP MCP Top 10	10 mapped categories
OWASP Agentic Top 10	10 mapped categories
MITRE ATLAS	65 mapped techniques
MITRE ATT&CK Enterprise	Official MITRE catalog via fetched ATT&CK data
NIST AI RMF 1.0	14 mapped subcategories
NIST CSF 2.0	14 mapped categories
NIST 800-53 Rev 5	29 mapped controls
FedRAMP Moderate	25 mapped controls
ISO 27001:2022	9 controls
SOC 2 TSC	9 mapped criteria
CIS Controls v8	10 mapped controls
EU AI Act	6 articles
CMMC 2.0 Level 2	17 practices

---

Install & deploy

pip install agent-bom                        # CLI
docker run --rm agentbom/agent-bom agents    # Docker

Mode	Command	Best for
CLI	agent-bom agents	Local audit + project scan
GitHub Action	uses: msaad00/agent-bom@v0.75.12	CI/CD + SARIF
Docker	docker run agentbom/agent-bom	Isolated scans
MCP Server	agent-bom mcp server	Claude Desktop, Claude Code, Cursor, Codex, Windsurf, Cortex
Runtime proxy	agent-bom proxy	MCP traffic enforcement
Shield SDK	from agent_bom.shield import Shield	In-process protection
API + dashboard	agent-bom serve	Fleet visibility, audit exports, and central review

CI/CD in 60 seconds

Use the GitHub Action when you want Trivy-style adoption: one step, one gate, SARIF in the Security tab, and a clean exit code for CI.

Repo + MCP + instruction files

- uses: msaad00/agent-bom@v0.75.12
  with:
    scan-type: scan
    severity-threshold: high
    upload-sarif: true
    enrich: true
    fail-on-kev: true

Container image gate

- uses: msaad00/agent-bom@v0.75.12
  with:
    scan-type: image
    scan-ref: ghcr.io/acme/agent-runtime:sha-abcdef
    severity-threshold: critical

IaC gate

- uses: msaad00/agent-bom@v0.75.12
  with:
    scan-type: iac
    iac: Dockerfile,k8s/,infra/main.tf
    severity-threshold: high

Air-gapped / pre-synced CI

- uses: msaad00/agent-bom@v0.75.12
  with:
    auto-update-db: false
    enrich: false

GitHub Action

- uses: msaad00/agent-bom@v0.75.12
  with:
    scan-type: scan
    severity-threshold: high
    upload-sarif: true
    enrich: true
    fail-on-kev: true

Enterprise rollout

• Developer endpoints: run agent-bom agents locally or via MDM for workstation inventory and posture.
• CI/CD: use the GitHub Action for PR gates, SARIF upload, image gates, and IaC checks.
• Central security team: deploy agent-bom serve for fleet ingestion, posture, and audit exports.
• Air-gapped / isolated: run the Docker image with --offline and auto-update-db: false using a pre-synced local DB.

See docs/ENTERPRISE_DEPLOYMENT.md for rollout patterns, auth models, and storage backends.

Install extras

Extra	Command
Cloud providers	pip install 'agent-bom[cloud]'
MCP server	pip install 'agent-bom[mcp-server]'
REST API	pip install 'agent-bom[api]'
Dashboard	pip install 'agent-bom[ui]'

Output formats (19)

JSON, SARIF, CycloneDX 1.6 (with ML BOM), SPDX 3.0, HTML, Graph JSON, Graph HTML, GraphML, Neo4j Cypher, JUnit XML, CSV, Markdown, Mermaid, SVG, Prometheus, Badge, OCSF, Attack Flow, plain text.

---

MCP server

36 security tools available inside any MCP-compatible AI assistant:

{
  "mcpServers": {
    "agent-bom": {
      "command": "uvx",
      "args": ["agent-bom", "mcp", "server"]
    }
  }
}

Also on Glama, Smithery, MCP Registry, and OpenClaw.

---

Trust & transparency

When	What's sent	Where	Opt out
Default CVE lookups (agents, scan, check, image)	Package names + versions	OSV API	--offline
Floating version resolution	Package names, requested version/latest lookup	npm, PyPI, Go proxy	--offline
--enrich	CVE IDs	NVD, EPSS; KEV catalog download from CISA	Don't use --enrich
--deps-dev	Package names + versions	deps.dev	Don't use --deps-dev
verify	Package name + version	PyPI or npm integrity endpoints	Don't run verify
Optional push/integrations	Finding summaries or evidence bundles	Slack, Jira, Vanta, Drata	Don't pass those flags

No source code, config contents, or credential values are sent. No telemetry or analytics. Sigstore-signed releases. See SECURITY_ARCHITECTURE.md and PERMISSIONS.md for the full trust model.

---

Contributing

git clone https://github.com/msaad00/agent-bom.git && cd agent-bom
pip install -e ".[dev]"
pytest && ruff check src/

See CONTRIBUTING.md | SECURITY.md | CODE_OF_CONDUCT.md

---

Apache 2.0 — LICENSE