This document answers the security questions enterprise teams ask before adopting agent-bom.
agent-bom sends only the minimum data needed for the feature in use: package names and versions for CVE lookups and version resolution, CVE IDs for enrichment, and finding summaries only for explicitly enabled push integrations. No source code, configuration contents, or credential values leave your machine.
| API | Data Sent | Data Received | When |
|---|---|---|---|
| OSV (Google) | Bulk download (no query) | All vulnerability advisories | db update --source osv |
| GHSA (GitHub) | Ecosystem name, page number | Security advisories | db update --source ghsa |
| NVD (NIST) | CVE IDs | CVSS scores, CWE mappings | --enrich flag |
| EPSS (FIRST) | Bulk download (no query) | Exploit probability scores | db update --source epss |
| KEV (CISA) | Bulk download (no query) | Known-exploited CVE list | db update --source kev |
| deps.dev (Google) | Package name + version | Transitive dependencies | --deps-dev flag |
| npm / PyPI / Go proxy | Package name (+ version/latest lookup) | Package metadata / latest version | Floating version resolution |
| PyPI | Package name | Latest version number | Update check (1x/24h) |
# Pre-sync databases
agent-bom db update --source osv --source ghsa --source epss --source kev
# Scan with zero network calls
agent-bom agents --offlineIn offline mode, zero external API calls are made. All scanning uses the pre-synced local database only.
- All external calls use HTTPS with full TLS certificate verification (
verify=True) http://andfile://URLs are rejected by_validate_sync_url()- API keys (NVD, GitHub) are read from environment variables, never hardcoded
- URL query parameters are redacted from logs to prevent token leakage
The agent-bom proxy is a stdio relay, not a network MITM proxy. It does not:
- Generate certificates
- Intercept TLS connections
- Modify network traffic
- Inject CA bundles
MCP Client (Claude Desktop) → agent-bom proxy → MCP Server (stdio)
The proxy sits between the MCP client and server on the stdio transport layer (stdin/stdout). It:
- Reads JSON-RPC messages from the client
- Inspects message content (tool calls, tool responses)
- Applies policy rules (allow/deny/log)
- Runs 7 inline proxy detectors (tool drift, prompt injection, credential/PII leak, rate-limit abuse, exfiltration sequences, response cloaking, vector DB injection)
- Forwards allowed messages to the server
- Logs all activity to JSONL audit file
For cross-agent correlation and the broader 8-detector protection engine, run agent-bom runtime protect --shield alongside the proxy workflow.
- Message size limit: 10 MB max per JSON-RPC message (DoS mitigation)
- Regex timeout: 0.1s per pattern evaluation (ReDoS mitigation)
- PII detection: Email, SSN, credit card, phone, internal IP
- Secrets detection: API keys, tokens, private keys
- Audit trail: JSONL logging to configurable path (
AGENT_BOM_LOG) - Rate limiting: Per-tool call rate limits (configurable)
| Tool | What It Checks | Frequency |
|---|---|---|
| Bandit | Python SAST (injection, hardcoded secrets, unsafe functions) | Every PR |
| CodeQL | Semantic code analysis (Python + GitHub Actions) | Every PR |
| pip-audit | Python dependency vulnerabilities | Every PR |
| npm audit | npm dependency vulnerabilities (ui/) | Every PR |
| OSV Scanner | Lockfile vulnerability scanning | Every PR |
| Trivy | Filesystem vulnerability scanning (HIGH/CRITICAL) | Every PR |
| ClusterFuzzLite | Fuzz testing (crash/OOM/timeout detection) | Every PR |
| Self-scan | agent-bom scanning its own dependencies | Every release |
| Container rescan | Weekly Trivy scan of Docker images (amd64 + arm64) | Weekly cron |
| Dependency review | License + vulnerability check on new deps | Every PR |
If engaging a third-party auditor, the recommended scope:
- MCP Server API (FastAPI, port 8422): Authentication bypass, injection, IDOR
- Proxy message handling: Malformed JSON-RPC, oversized messages, Unicode edge cases
- Policy engine regex: ReDoS, bypass via encoding, null byte injection
- Database sync: TOCTOU in file writes, symlink attacks, path traversal
- CLI argument handling: Injection via
--command,--argspassthrough - SARIF/HTML output: XSS in generated reports (especially HTML format)
- OWASP ZAP — Automated scan of the FastAPI REST API endpoints
- Nuclei — Template-based API fuzzing
- mitmproxy — Test proxy behavior from the client side
- Semgrep — Rule-based SAST (complement to Bandit)
- A local CLI tool that scans your infrastructure
- An MCP server that exposes scan tools to AI agents
- A runtime proxy that monitors MCP traffic
- Apache 2.0 licensed open source software
- Not a SaaS product (no ATO/FedRAMP required for the tool itself)
- Not a data processor (no customer data stored externally)
- Not SOC 2 certified (no SaaS to certify)
agent-bom maps findings TO compliance controls across 14 frameworks:
OWASP LLM Top 10, OWASP MCP Top 10, OWASP Agentic Top 10, EU AI Act, NIST AI RMF, NIST CSF, ISO 27001, SOC 2, CIS Controls, MITRE ATLAS, CMMC 2.0
This means every finding includes which compliance controls it violates — enabling teams to prioritize by regulatory impact.
Security vulnerabilities should be reported via GitHub Security Advisories (private). See SECURITY.md for the full policy.