policy.json
{
"version": "2",
"name": "my-security-policy",
"rules": [
{
"id": "no-kev",
"description": "CISA Known Exploited Vulnerabilities must be fixed immediately",
"is_kev": true,
"action": "fail"
},
{
"id": "no-critical",
"description": "No critical vulnerabilities allowed",
"severity_gte": "CRITICAL",
"action": "fail"
},
{
"id": "no-ai-creds-high",
"description": "AI framework packages with exposed credentials must not have high+ vulnerabilities",
"ai_risk": true,
"has_credentials": true,
"severity_gte": "HIGH",
"action": "fail"
},
{
"id": "high-epss-with-creds",
"description": "High exploit probability (EPSS score above 0.7) with exposed credentials",
"condition": "epss_score > 0.7 and has_credentials",
"action": "fail"
},
{
"id": "risky-ai-or-kev",
"description": "AI packages that are either KEV or have poor maintainer reputation (scorecard score below 3.0)",
"condition": "ai_risk and (is_kev or scorecard_score < 3.0)",
"action": "fail"
},
{
"id": "warn-high-with-creds",
"description": "High+ vulnerabilities in servers with credentials trigger a warning",
"has_credentials": true,
"severity_gte": "HIGH",
"action": "warn"
},
{
"id": "warn-medium",
"description": "Medium+ vulnerabilities generate advisory warnings",
"severity_gte": "MEDIUM",
"action": "warn"
},
{
"id": "no-unverified-high",
"description": "Unverified MCP servers with high+ vulnerabilities are blocked",
"unverified_server": true,
"severity_gte": "HIGH",
"action": "fail"
},
{
"id": "warn-excessive-agency",
"description": "Servers with >5 tools and any CVE trigger excessive agency warning",
"condition": "tool_count > 5",
"action": "warn"
},
{
"id": "no-high-risk-server-cve",
"description": "High-risk registry servers must not have critical CVEs",
"registry_risk_gte": "high",
"severity_gte": "CRITICAL",
"action": "fail"
},
{
"id": "wide-blast-radius",
"description": "Medium+ vulnerabilities affecting 3+ agents with credentials",
"condition": "agent_count >= 3 and credential_count > 0 and severity >= MEDIUM",
"action": "fail"
}
]
}