AI supply chain security scanner. Scan packages and images for CVEs. Assess config security — credential exposure, tool access, privilege escalation. Map blast radius from vulnerabilities to credentials and tools. Enterprise posture scoring, incident correlation, credential risk ranking. OWASP LLM Top 10 + OWASP MCP Top 10 + MITRE ATLAS + NIST AI RMF + EU AI Act.
Traditional scanners tell you a package has a CVE. agent-bom tells you which AI agents are compromised, which credentials leak, which tools an attacker reaches, and what the business impact is.
CVE-2025-1234 (CRITICAL · CVSS 9.8 · CISA KEV)
└─ better-sqlite3@9.0.0 (npm)
└─ sqlite-mcp (MCP Server · unverified · 🛡 root)
├─ Cursor IDE (Agent · 4 servers · 12 tools)
├─ ANTHROPIC_KEY, DB_URL, AWS_SECRET (Credentials exposed)
└─ query_db, read_file, write_file, run_shell (Tools at risk)
Fix: upgrade better-sqlite3 → 11.7.0
| Grype / Syft / Trivy | agent-bom | |
|---|---|---|
| Package CVE detection | Yes | Yes — OSV + NVD CVSS v4 + EPSS + CISA KEV + GHSA + NVIDIA CSAF |
| SBOM generation | Yes (Syft) | Yes — CycloneDX 1.6, SPDX 3.0, SARIF |
| AI agent discovery | — | 18 MCP clients + Docker Compose auto-discovered |
| Blast radius mapping | — | CVE → package → server → agent → credentials → tools |
| Credential exposure | — | Which secrets leak per vulnerability, per agent |
| MCP tool reachability | — | Which tools an attacker reaches post-exploit |
| Privilege detection | — | runs_as_root, shell_access, container_privileged, per-tool permissions |
| Enterprise remediation | — | Named assets, impact percentages, risk narratives |
| 6-framework compliance | — | OWASP Agentic Top 10 + OWASP LLM Top 10 + OWASP MCP Top 10 + MITRE ATLAS + NIST AI RMF + EU AI Act |
| Malicious package detection | — | OSV MAL- prefix + typosquat heuristics (57 popular packages) |
| OpenSSF Scorecard enrichment | — | Package health scores from api.securityscorecards.dev |
| Tool poisoning detection | — | Description injection, capability combos, CVE exposure, drift |
| Model weight provenance | — | SHA-256 hash, Sigstore file detection, HuggingFace metadata |
| Policy-as-code | — | Block unverified servers, enforce thresholds in CI/CD, EPSS/scorecard conditions |
| Posture scorecard | — | Letter grade (A–F), 6-dimension scoring, weighted enterprise posture |
| Incident correlation | — | Group vulns by agent, P1–P4 priority, SOC-ready incident summaries |
| Credential risk ranking | — | Rank exposed credentials by blast radius severity tier |
| AI framework recognition | — | GPU/ML packages flagged as high-risk in image scans (via Grype/Syft) |
| 427+ server MCP registry | — | Risk levels, tool inventories, auto-synced weekly |
|
What it scans:
|
What it outputs: Console, HTML dashboard, SARIF, CycloneDX 1.6, SPDX 3.0, Prometheus, OTLP, JSON, REST API Read-only guarantee: Never writes configs, never runs servers, never stores secrets. All API calls are read-only. See PERMISSIONS.md. Ecosystem:
|
- Discover — auto-detect MCP configs across 18 clients (Claude Desktop, Cursor, Codex CLI, Gemini CLI, Goose, etc.)
- Extract — pull server names, package names, env var names, and tool lists. Credential values are never read.
- Scan — send only package names + versions to public APIs (OSV.dev, NVD, EPSS, CISA KEV). No hostnames, no secrets, no auth tokens.
- Analyze — CVE blast radius mapping, tool poisoning detection (
--enforce), OWASP/ATLAS/NIST threat models, model provenance (--hf-model) - Score — posture scorecard (grade A–F), credential risk ranking, incident correlation by agent (P1–P4)
- Report — JSON, SARIF, CycloneDX, SPDX, HTML, or console output. Alert dispatch to Slack/webhooks. Nothing stored server-side.
Trust guarantees: Read-only (no file writes, no config changes, no servers started). --dry-run previews all files and API calls then exits. Every release is Sigstore-signed. Run agent-bom verify agent-bom to check integrity. See PERMISSIONS.md for the full auditable trust contract.
Architecture data flow
┌─────────────────────┐
│ Input Sources │
├─────────────────────┤
│ MCP configs (18) │
│ Docker images │
│ K8s clusters │
│ Cloud APIs │
│ SBOMs (CDX/SPDX) │
│ SaaS connectors │
└────────┬────────────┘
│
┌────────────▼────────────┐
│ Discovery Engine │
│ Agents → Servers → │
│ Packages → Tools │
└────────────┬────────────┘
│
┌──────────────────▼──────────────────┐
│ Vulnerability Scanner │
│ OSV batch, NVD, EPSS, KEV, GHSA │
│ OpenSSF Scorecard, NVIDIA CSAF │
└──────────────────┬──────────────────┘
│
┌──────────────────▼──────────────────┐
│ Blast Radius Analysis │
│ CVE → pkg → server → agent → │
│ credentials → tools → risk score │
│ 6-framework threat tagging │
└──────────────────┬──────────────────┘
│
┌───────────────────────▼───────────────────────┐
│ Enterprise Analytics │
│ Posture scorecard (A–F, 6 dimensions) │
│ Incident correlation (P1–P4 by agent) │
│ Credential risk ranking (severity tiers) │
│ Policy evaluation (16 rule conditions) │
└───────────────────────┬───────────────────────┘
│
┌───────────┬───────────┬───▼───┬────────────┬──────────┐
│ Console │ JSON/SBOM │ API │ Alerts │ Fleet │
│ HTML │ CDX/SPDX │ REST │ Slack │ Trust │
│ Graphs │ SARIF │ MCP │ Webhook │ Scoring │
│ Badges │ Prometheus│ SSE │ PagerDuty │ Tenants │
└───────────┴───────────┴───────┴────────────┴──────────┘
pip install agent-bom
agent-bom scan # auto-discover + scan
agent-bom scan --enrich # + NVD CVSS + EPSS + CISA KEV
agent-bom scan -f html -o report.html # HTML dashboard
agent-bom scan --enforce # tool poisoning detection
agent-bom scan --fail-on-severity high -q # CI gate
agent-bom scan --image myapp:latest # Docker image scanning
agent-bom scan --k8s --all-namespaces # K8s cluster
agent-bom scan --aws --snowflake --databricks # Multi-cloud
agent-bom scan --hf-model meta-llama/Llama-3.1-8B # model provenanceAuto-discovers Claude Desktop, Claude Code, Cursor, Windsurf, Cline, VS Code Copilot, Continue, Zed, Cortex Code (CoCo), Codex CLI, Gemini CLI, Goose, Snowflake CLI, OpenClaw, Roo Code, Amazon Q, ToolHive, and Docker MCP Toolkit.
Install extras
| Mode | Command |
|---|---|
| Core CLI | pip install agent-bom |
| Cloud (all) | pip install 'agent-bom[cloud]' |
| AWS | pip install 'agent-bom[aws]' |
| Snowflake | pip install 'agent-bom[snowflake]' |
| Databricks | pip install 'agent-bom[databricks]' |
| Nebius GPU cloud | pip install 'agent-bom[nebius]' |
| REST API | pip install 'agent-bom[api]' |
| Dashboard | pip install 'agent-bom[ui]' |
| AI enrichment | pip install 'agent-bom[ai-enrich]' |
| MCP server | pip install 'agent-bom[mcp-server]' |
| OpenTelemetry | pip install 'agent-bom[otel]' |
| Docker | docker run --rm -v ~/.config:/root/.config:ro agentbom/agent-bom scan |
Every vulnerability is mapped through your AI stack: which agents are affected, which credentials are exposed, which MCP tools an attacker can reach, and what to fix first.
Enrichment sources: OSV batch (primary), NVD CVSS v4, FIRST EPSS exploit probability, CISA KEV active exploitation catalog.
Every MCP server is assessed for privilege escalation risk:
| Signal | Detection |
|---|---|
| runs_as_root | sudo in command/args, Docker Config.User empty/"0"/"root" |
| shell_access | bash/sh/zsh/powershell command, exec/shell tools |
| container_privileged | Docker HostConfig.Privileged, CapAdd/CapDrop |
| tool_permissions | Per-tool read/write/execute/destructive classification |
Privilege levels: critical (privileged container, CAP_SYS_ADMIN) → high (root, shell) → medium (fs write, network) → low (read-only).
Every finding is tagged against six frameworks simultaneously:
- OWASP Agentic Top 10 — ASI01 through ASI10 (agent autonomy, tool misuse, spawn persistence)
- OWASP LLM Top 10 — LLM01 through LLM10 (7 categories triggered)
- OWASP MCP Top 10 — MCP01 through MCP10 (8 categories triggered) — token exposure, tool poisoning, supply chain, shadow servers
- MITRE ATLAS — AML.T0010, AML.T0043, AML.T0051, etc. (9 techniques mapped)
- NIST AI RMF 1.0 — Govern, Map, Measure, Manage (12 subcategories mapped)
- EU AI Act — ART-5 through ART-17 (prohibited practices, high-risk classification, cybersecurity)
Each fix tells you exactly what will be protected — named agents, credentials, tools, percentages, threat tags, and risk narratives.
agent-bom scan -f cyclonedx -o ai-bom.cdx.json # CycloneDX 1.6
agent-bom scan -f spdx -o ai-bom.spdx.json # SPDX 3.0
agent-bom scan -f sarif -o results.sarif # GitHub Security tab
agent-bom scan -f json -o ai-bom.json # Full AI-BOM
agent-bom scan -f html -o report.html # Interactive dashboard
agent-bom scan -f mermaid # Mermaid supply chain diagram
agent-bom scan -f graph -o graph.json # Cytoscape-compatible graph JSONagent-bom scan --policy policy.json --fail-on-severity highSupported policy conditions: severity_gte, is_kev, ai_risk, has_credentials, ecosystem, package_name_contains, min_agents, min_tools, unverified_server, registry_risk_gte, owasp_tag, owasp_mcp_tag, is_malicious, min_scorecard_score, max_epss_score, has_kev_with_no_fix
Posture scorecard — letter grade (A–F), numeric score (0–100), 6-dimension breakdown:
| Dimension | Weight | Measures |
|---|---|---|
| Vulnerability Posture | 30% | Severity distribution, fix availability |
| Credential Hygiene | 20% | Credential exposure footprint |
| Supply Chain Quality | 15% | OpenSSF Scorecard coverage |
| Compliance Coverage | 15% | Threat framework tag mapping |
| Active Exploitation | 10% | KEV, high-EPSS presence |
| Configuration Quality | 10% | Registry verification, tool declarations |
Incident correlation — group vulnerabilities by agent for SOC workflows:
- Priority levels: P1 (KEV/multi-critical) → P2 (critical+creds) → P3 (high) → P4 (monitor)
- Per-agent: unique CVEs, KEV IDs, exposed credentials, affected packages, recommended actions
Credential risk ranking — rank all exposed credentials by blast radius:
- Risk tiers: critical (critical CVE exposure) → high → medium → low
- Aggregated across all agents and servers per credential
agent-bom scan --aws --aws-region us-east-1 # Bedrock, Lambda, EKS, ECS, EC2, Step Functions
agent-bom scan --snowflake # Cortex Agents, MCP Servers, Search, Snowpark
agent-bom scan --databricks # Cluster libraries, model serving
agent-bom scan --nebius --nebius-project-id proj # GPU cloud K8s + containers
agent-bom scan --k8s --context=coreweave-cluster # CoreWeave / any K8sCloud provider details
| Provider | Depth | What's discovered | Install |
|---|---|---|---|
| Snowflake | Deep | Cortex Agents, native MCP Servers, Search, Snowpark, Streamlit, query history, governance, activity, observability | pip install 'agent-bom[snowflake]' |
| AWS | Standard | Bedrock agents, Lambda package extraction, EKS, ECS, Step Functions, EC2, SageMaker | pip install 'agent-bom[aws]' |
| Databricks | Preview | Cluster packages, model serving endpoints | pip install 'agent-bom[databricks]' |
| Azure | Standard | OpenAI deployments, Functions, Container Instances, ML endpoints, AI Foundry workspaces, Container Apps | pip install 'agent-bom[azure]' |
| GCP | Standard | Vertex AI endpoints, Cloud Functions, GKE, Cloud Run | pip install 'agent-bom[gcp]' |
| Nebius | Preview | Managed K8s, container services | pip install 'agent-bom[nebius]' |
| CoreWeave | Via K8s | K8s-native — --k8s --context=coreweave-cluster |
(core CLI) |
| Ollama | Standard | Local model inventory via API + manifests | (core CLI) |
Snowflake is the deepest integration — includes governance audit (access history, privilege grants, data classification), agent activity timeline, and Cortex observability. Other providers have functional discovery at varying depth. PRs welcome.
MCP runtime introspection
Connect to live servers to discover runtime tools/resources and detect drift from configs. Read-only — only calls tools/list and resources/list.
agent-bom scan --introspectSkill file scanning + security audit
Scan CLAUDE.md, .cursorrules, AGENTS.md for embedded MCP servers, packages, and credentials. 7 security checks: typosquat detection, shell access, dangerous server names, unverified servers, excessive credentials, external URLs, unknown packages.
agent-bom scan --skill CLAUDE.md # explicit
agent-bom scan --skill-only # skills only
agent-bom scan --no-skill # skip skillsPrompt template scanning
Scan .prompt, .promptfile, system_prompt.*, prompt.yaml/json files for hardcoded secrets, prompt injection patterns, unsafe instructions, and sensitive data exposure.
agent-bom scan --scan-promptsAI-powered enrichment
LLM-generated risk narratives, executive summaries, and threat chain analysis. Works with local Ollama (free) or 100+ providers via litellm.
agent-bom scan --ai-enrich # auto-detect Ollama
agent-bom scan --ai-enrich --ai-model ollama/llama3 # specific model
agent-bom scan --ai-enrich --ai-model openai/gpt-4o-mini # cloud LLMTool poisoning detection + enforcement
Static analysis of MCP tool descriptions for prompt injection patterns, dangerous capability combinations (EXECUTE + WRITE), CVE exposure in server dependencies, and tool drift detection via introspection.
agent-bom scan --enforce # tool poisoning + enforcement checks
agent-bom scan --enforce --introspect # + drift detection against live serversModel weight provenance
SHA-256 hash verification, Sigstore signature file detection (.sig/.sigstore/.bundle presence — not cryptographic verification), and HuggingFace model metadata (author, license, model card, gated status, download count).
agent-bom scan --model-files ./models --model-provenance # hash + signature checks
agent-bom scan --hf-model meta-llama/Llama-3.1-8B # HuggingFace provenanceJupyter notebook + model file scanning
Detect 29+ AI libraries, pip installs, credentials in notebooks. Scan 13 model file formats with security flags for pickle-based formats.
agent-bom scan --jupyter ./notebooks
agent-bom scan --model-files ./modelsInteractive security graph visualization
The dashboard (agent-bom api) serves interactive React Flow graphs — the same rendering approach used by enterprise security platforms:
- Agent Mesh (
/mesh) — cross-agent topology with vulnerability overlay, shared server detection, credential blast analysis, severity filtering, and search - Attack Flow (
/scan?view=attack-flow) — CVE-centric blast radius graph: CVE → Package → Server → Agent → Credentials → Tools - Supply Chain Lineage (
/graph) — full dependency lineage with hover highlighting and detail panels
All graph views include: dagre auto-layout, hover highlighting (BFS connected nodes), click-to-inspect detail panels, minimap, OWASP LLM Top 10 + OWASP MCP Top 10 + MITRE ATLAS + NIST AI RMF framework tagging on every node.
CLI output formats for CI/CD and automation:
agent-bom scan -f graph -o graph.json # Cytoscape-compatible JSON
agent-bom scan -f html -o report.html # standalone interactive HTML report
agent-bom scan -f mermaid # Mermaid text (for docs/markdown)
agent-bom scan -f sarif -o results.sarif # GitHub Security tab integrationSupplemental advisory enrichment
Beyond OSV.dev, agent-bom checks supplemental sources to catch CVEs not yet indexed:
- GitHub Security Advisories (GHSA) — all ecosystems (PyPI, npm, Go, Maven, Cargo, NuGet)
- NVIDIA CSAF advisories — GPU/ML packages (CUDA, cuDNN, TensorRT, NCCL)
Both sources deduplicate by CVE ID against OSV results. Packages without a pinned version are auto-resolved from npm/PyPI registries before scanning.
| Mode | Command | Best for |
|---|---|---|
| CLI | agent-bom scan |
Local audit |
| Pre-install check | agent-bom check express@4.18.2 -e npm |
Before running MCP servers |
| GitHub Action | uses: msaad00/agent-bom@v0.38.0 |
CI/CD + SARIF |
| Docker | docker run agentbom/agent-bom scan |
Isolated scans |
| REST API | agent-bom api |
Dashboards, SIEM |
| Runtime proxy | agent-bom proxy |
Opt-in MCP traffic audit (per-server) |
| MCP Server | agent-bom mcp-server |
Inside any MCP client |
| Dashboard | agent-bom serve |
API + Next.js dashboard |
| Snowflake | SNOWFLAKE_ACCOUNT=... agent-bom api |
Snowpark + SiS |
| Prometheus | --push-gateway / --otel-endpoint |
Monitoring |
- uses: msaad00/agent-bom@v0.38.0
with:
severity-threshold: high
upload-sarif: true
enrich: true
fail-on-kev: truepip install agent-bom[api]
agent-bom api --api-key $SECRET --rate-limit 30 # http://127.0.0.1:8422/docs| Endpoint | Description |
|---|---|
POST /v1/scan |
Start async scan |
GET /v1/scan/{id} |
Results + status |
GET /v1/scan/{id}/attack-flow |
Per-CVE blast radius graph |
GET /v1/registry |
427+ server registry |
GET /v1/compliance |
Full 6-framework compliance posture |
GET /v1/compliance/{framework} |
Single framework (owasp-llm, owasp-mcp, owasp-agentic, atlas, nist, eu-ai-act) |
GET /v1/posture |
Enterprise posture scorecard (grade A–F, 6 dimensions) |
GET /v1/posture/credentials |
Credential risk ranking by blast radius |
GET /v1/posture/incidents |
Incident correlation by agent (P1–P4) |
POST /v1/traces |
OpenTelemetry trace ingestion + vulnerable tool call flagging |
GET /v1/malicious/check |
Malicious package / typosquat check |
pip install agent-bom[mcp-server]
agent-bom mcp-server # stdio
agent-bom mcp-server --transport sse # remote14 tools: scan, check, blast_radius, policy_check, registry_lookup, generate_sbom, compliance, remediate, verify, where, inventory, diff, skill_trust, marketplace_check
cd ui && npm install && npm run dev # http://localhost:300014-section Next.js dashboard:
| Page | Description |
|---|---|
| Dashboard | Security posture summary + stat cards |
| Scan | Enterprise scan form with cloud options |
| Vulnerabilities | CVE browser with severity/EPSS/KEV filters |
| Agents | Fleet registry + lifecycle state management |
| Compliance | 6-framework compliance posture (OWASP Agentic, OWASP LLM, OWASP MCP, ATLAS, NIST, EU AI Act) |
| Lineage Graph | Interactive supply chain graph — dagre layout, 7 node types, filter panel |
| Agent Mesh | Cross-agent topology — shared server detection, credential blast radius, tool overlap |
| Gateway | Runtime MCP policy rules + audit log |
| Registry | 427+ MCP server browser |
| Fleet | Agent trust scoring + fleet management |
| Activity | Agent activity timeline + AI observability |
| Governance | Snowflake access, privileges, data classification |
| Traces | OpenTelemetry trace ingestion + vulnerable tool call flagging |
| Jobs | Background scan job management |
pip install 'agent-bom[api,snowflake]'| Component | Description |
|---|---|
| Snowflake Table Storage | SnowflakeJobStore, SnowflakeFleetStore, SnowflakePolicyStore — auto-detect key-pair or password auth |
| Snowpark Container Services | Dockerfile.snowpark + snowflake/setup.sql — run the API inside Snowflake |
| Streamlit in Snowflake | snowflake/streamlit_app.py — 6-tab SiS dashboard reading from shared tables |
| Native App | snowflake/native-app/ — Marketplace-distributable package |
Set SNOWFLAKE_ACCOUNT + SNOWFLAKE_USER + auth (SNOWFLAKE_PRIVATE_KEY_PATH or SNOWFLAKE_PASSWORD) and the API auto-switches to Snowflake persistence.
See DEPLOYMENT.md for full Snowflake architecture and setup instructions.
Curated registry of 427+ known MCP servers with risk levels, tool inventories, credential env vars, categories, and version pins. Auto-synced weekly from the Official MCP Registry. Unverified servers trigger warnings. Policy rules can block them in CI.
Browse: mcp_registry.json | Expand: python scripts/expand_registry.py
| Layer | Coverage | Examples |
|---|---|---|
| GPU/ML packages | --image via Grype/Syft |
NVIDIA CUDA, cuDNN, TensorRT, AMD ROCm — flagged by package name matching |
| GPU clouds | --k8s pod discovery |
CoreWeave, Lambda Labs, Nebius, Paperspace — image-level scanning |
| AI platforms | Cloud modules | Bedrock, Vertex AI, Snowflake Cortex, Databricks |
| Containers | --image via Grype/Syft |
NVIDIA NGC, ROCm, vLLM, Triton, Ollama — any OCI image |
| AI frameworks | Dependency scan | LangChain, LlamaIndex, AutoGen, PyTorch, JAX, TensorFlow |
| Inference servers | --image |
vLLM, Triton, TGI, llama.cpp |
| MLOps | Dependency scan | MLflow, W&B, Ray, ClearML |
| MCP ecosystem | Auto-discovery + registry | 18 clients, 427+ servers |
| LLM providers | API key + SDK detection | OpenAI, Anthropic, Cohere, Mistral |
| IaC + CI/CD | --tf-dir, --gha |
Terraform AI resources, GitHub Actions |
See AI Infrastructure Scanning Guide for GPU container scanning examples (NVIDIA + AMD ROCm).
--dry-run— preview every file and API URL before access, then exit without reading anything- PERMISSIONS.md — auditable trust contract with all config paths enumerated
- Read-only — never writes configs, runs servers, provisions resources, or stores secrets
- Credential redaction — only env var names in reports; values, tokens, passwords never read
- Sigstore signed — releases v0.7.0+ signed via cosign OIDC; verify PyPI integrity with
agent-bom verify agent-bom@0.38.0(SHA-256 + SLSA provenance) - No binary needed (MCP) — SSE transport requires zero local install; local CLI available for air-gapped use
- OpenSSF Scorecard — automated supply chain scoring
Shipped:
- Cloud AI inventory — AWS Bedrock, Azure AI Foundry, GCP Vertex, Snowflake Cortex, Databricks, Nebius
- Tool poisoning / prompt injection detection —
--enforcewith description injection, capability combos, CVE exposure, drift - Model weight provenance — SHA-256 hash, Sigstore file detection, HuggingFace metadata (
--model-provenance,--hf-model) - 18 MCP client discovery — Codex CLI, Gemini CLI, Goose, Snowflake CLI, full Cortex Code (CoCo) coverage
- K8s AI workload discovery —
--k8s --all-namespaceswith pod-level scanning - OWASP MCP Top 10 compliance mapping — MCP01–MCP10 risk tagging
- Malicious package detection — OSV MAL- prefix flagging + typosquat heuristics
- OpenSSF Scorecard enrichment —
--scorecardfor package health scoring - AI framework package recognition — GPU/ML packages (CUDA, ROCm, vLLM, JAX, etc.) flagged as high-risk in image scans
- Runtime MCP proxy — opt-in stdio proxy (
agent-bom proxy) wraps individual MCP server commands for traffic interception; requires per-server client reconfiguration - Enterprise integrations — Jira, Slack, Vanta, Drata
- Runtime sidecar Docker container —
Dockerfile.runtime+ Docker Compose for MCP proxy deployment - EU AI Act compliance mapping — ART-5 through ART-17 risk classification
- OWASP Agentic Top 10 — ASI01 through ASI10 agent-specific risk tagging
- Marketplace trust check —
marketplace_checkMCP tool for pre-install validation - OpenTelemetry trace ingestion —
POST /v1/tracesfor vulnerable tool call flagging - CMMC/FedRAMP compliance evidence export —
--compliance-exportZIP bundles - Agent spawn tree visualization — parent-child delegation chains
- RSP v3.0 alignment badge — Anthropic Responsible Scaling Policy compliance indicator
- Claude Code config security scanner — Check Point CVE vector detection
- Over-permission analyzer — mission profile enforcement per agent type
- Alert pipeline — AlertDispatcher with Slack, webhook, and in-memory channels; auto-trigger on scan
- Runtime protection engine — unified 5-detector orchestration with OTel trace ingestion
- Multi-tenant fleet — tenant_id scoping, X-Tenant-ID header, per-tenant stats
- Enterprise posture scorecard — letter grade (A–F), 6-dimension breakdown, auto-computed in scan output
- Incident correlation — per-agent vulnerability grouping with P1–P4 priority for SOC workflows
- Credential risk ranking — blast radius severity ranking for all exposed credentials
- Slack blast radius enrichment — webhook payloads include risk score, agents, credentials, fix versions
- Advanced policy conditions —
min_scorecard_score,max_epss_score,has_kev_with_no_fix - Enterprise hardening — bounded caches, SQLite indexes, stuck job cleanup, Content-Length validation
Planned:
- CIS AI benchmarks
- License compliance engine
- Workflow engine scanning (n8n, Zapier, Make)
git clone https://github.com/msaad00/agent-bom.git && cd agent-bom
pip install -e ".[dev]"
pytest && ruff check src/See CONTRIBUTING.md | SECURITY.md | CODE_OF_CONDUCT.md | Skills
Apache 2.0 — LICENSE