msaad00/agent-bom
agent-bom


Open security scanner and self-hosted control plane for AI/MCP infrastructure.

Headless agent primitives and human cockpit surfaces over the same evidence model.

Docs · First Run · Self-host · GitHub Action · Docker · Changelog

agent-bom scans local and fleet AI infrastructure, builds an AI BOM across agents, MCP servers, tools, packages, credential environment names, cloud, runtime, and skills, then turns that inventory into findings, compliance evidence, and graph-backed exposure paths.

The same evidence is available through CLI/CI, REST API, MCP tools, and a self-hosted dashboard. Runtime proxy/gateway controls are optional and scoped to environments where enforcement is worth the operational cost.

agent-bom blast-radius drilldown — package to finding to MCP server to agent

package
  -> vulnerability finding
  -> MCP server
  -> tools + credential refs
  -> agent

Blast radius is the core idea. A vulnerable package is not just a CVE row; it is linked to the MCP server that loads it, the tools exposed by that server, the credential environment names in reach, and the agents that can call it.
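The chain above can be made concrete with a short graph walk. The following is an added example, not agent-bom's own code or data model: it builds a constructed inventory with the README's shape (package, finding, MCP server, tools, credential environment names, agent), computes the blast radius of one package, enumerates the explainable paths, and orders findings fix-first by how many agents they reach. All identifiers are hypothetical and the advisory ids are placeholders.

```python
# Added example (not agent-bom's own code or data model): a minimal blast-radius
# walk over a constructed inventory shaped like the README's chain
#   package -> vulnerability finding -> MCP server -> tools + credential refs -> agent
# All identifiers below are hypothetical; advisory ids are placeholders.

# Constructed inventory: which agents load which MCP servers, and what each
# server pulls in. Credential *names* are kept; no credential values appear.
INVENTORY = {
    "agents": {
        "desktop-assistant": {"servers": ["github-mcp", "postgres-mcp"]},
        "ide-agent": {"servers": ["github-mcp"]},
        "ci-bot": {"servers": ["chat-mcp"]},
    },
    "servers": {
        "github-mcp": {
            "packages": ["libfoo@1.2.0"],
            "tools": ["create_issue", "list_repos"],
            "credential_env": ["GITHUB_TOKEN"],
        },
        "postgres-mcp": {
            "packages": ["libfoo@1.2.0", "pgdriver@3.0.0"],
            "tools": ["run_query"],
            "credential_env": ["PGPASSWORD"],
        },
        "chat-mcp": {
            "packages": ["chatkit@0.9.0"],
            "tools": ["post_message"],
            "credential_env": ["CHAT_BOT_TOKEN"],
        },
    },
    # Findings keyed by package; the ids stand in for real OSV/GHSA advisories.
    "findings": {
        "libfoo@1.2.0": ["ADVISORY-PLACEHOLDER-1"],
        "chatkit@0.9.0": ["ADVISORY-PLACEHOLDER-2"],
    },
}


def blast_radius(inventory, package):
    """Everything reachable from one package: servers, tools, credential names, agents."""
    servers = sorted(
        name for name, spec in inventory["servers"].items() if package in spec["packages"]
    )
    tools = sorted({t for s in servers for t in inventory["servers"][s]["tools"]})
    creds = sorted({c for s in servers for c in inventory["servers"][s]["credential_env"]})
    agents = sorted(
        name for name, spec in inventory["agents"].items()
        if any(s in spec["servers"] for s in servers)
    )
    return {
        "package": package,
        "findings": list(inventory["findings"].get(package, [])),
        "servers": servers,
        "tools": tools,
        "credential_env": creds,
        "agents": agents,
    }


def exposure_paths(inventory, package):
    """Explainable paths (package, finding, server, agent); empty when no finding exists."""
    paths = []
    for finding in inventory["findings"].get(package, []):
        for server, spec in sorted(inventory["servers"].items()):
            if package not in spec["packages"]:
                continue
            for agent, aspec in sorted(inventory["agents"].items()):
                if server in aspec["servers"]:
                    paths.append((package, finding, server, agent))
    return paths


def fix_first_order(inventory):
    """Rank vulnerable packages by agents reached, then by credential names in reach."""
    ranked = []
    for package in inventory["findings"]:
        radius = blast_radius(inventory, package)
        ranked.append((len(radius["agents"]), len(radius["credential_env"]), package))
    return [pkg for _, _, pkg in sorted(ranked, reverse=True)]


if __name__ == "__main__":
    for path in exposure_paths(INVENTORY, "libfoo@1.2.0"):
        print(" -> ".join(path))
    print("fix first:", fix_first_order(INVENTORY))
```

Note that a package with no finding (pgdriver in the sample) still has a blast radius but yields no exposure path; that distinction is what keeps a graph view from turning every dependency edge into a finding.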

agent-bom control loop from discovery to graph evidence to gateway policy and runtime enforcement

First Run

pip install agent-bom
agent-bom quickstart --dry-run --offline   # print the onboarding plan
agent-bom quickstart --run --offline        # write sample, scan, seed gateway policy, populate the cockpit
agent-bom agents --demo --offline

The demo uses real OSV/GHSA advisories against intentionally vulnerable sample packages and produces graph-ready inventory without touching your source tree. For a real local scan:

agent-bom agents -p . -f html -o agent-bom-report.html

Want an inspectable sample stack first?

agent-bom samples first-run
agent-bom agents --inventory agent-bom-first-run/inventory.json -p agent-bom-first-run --enrich

See docs/FIRST_RUN.md for the guided path from CLI output to the dashboard.

To reproduce the dashboard screenshots from a clean local control-plane store:

make build-ui
uv run agent-bom serve --persist /tmp/agent-bom-demo.db --allow-insecure-no-auth
uv run agent-bom agents --demo --offline --no-auto-update-db -f json -o /tmp/agent-bom-demo.json
curl -sS -H 'content-type: application/json' --data-binary @/tmp/agent-bom-demo.json \
  http://127.0.0.1:8422/v1/results/push

agent-bom terminal demo

Product Proof

The dashboard screenshots below are captured from the packaged UI with bundled demo scan data and seeded control-plane records, not static mockups. The data is synthetic where needed, but the routes are the real scan, graph, fleet, identity, audit, and gateway surfaces. The README keeps the first screen focused; expand the gallery when you want to inspect the control-plane surfaces.

Evidence cockpit and agent mesh

agent-bom risk overview dashboard with posture score, findings, and attack path summary

agent-bom agent mesh graph showing agent, MCP server, package, tool, credential reference, and finding path

Graph views beyond the agent mesh

The graph proof set is intentionally split across modes: fix-first exposure paths, root-centered lineage, lateral context, and package risk distribution. That keeps each view readable instead of forcing every relationship into one sprawling canvas.

agent-bom security graph with attack-path queue, graph evidence export, and remediation handoff

agent-bom lineage graph centered on an agent with bounded paths, filters, and graph evidence export

agent-bom context map showing agent-to-server reachability and lateral movement context

Environment state and identity lifecycle

Fleet and identity views use the same control-plane APIs that operators use for customer-owned deployments. The sample below seeds environment, owner, lifecycle state, and agent identity events so the screenshots show how local scan evidence connects to reviewable governance records.

agent-bom fleet state dashboard showing lifecycle distribution, approved and discovered agents, owner metadata, environment labels, and discovery state

agent-bom audit log filtered to identity lifecycle events with HMAC integrity counters and issue, rotate, revoke rows

Dependency and remediation views

agent-bom dependency map with scan pipeline counts, supply-chain treemap, blast-radius chart, and EPSS by CVSS risk map

agent-bom remediation dashboard with prioritized package fixes and compliance context

Runtime policy and audit posture

agent-bom gateway policy dashboard showing advisory runtime posture, enabled policy count, rule counts, and bound agents

Screenshot capture rules and the full manifest live in docs/CAPTURE.md and docs/images/product-screenshots.json.

Start Here

| Goal | Command | Artifact |
|---|---|---|
| Local agent and MCP inventory | agent-bom agents | findings, AI BOM, graph-ready JSON |
| Guided local onboarding | agent-bom quickstart --dry-run --offline | scan, sample-data, and local API/UI next steps |
| One-command onboarding | agent-bom quickstart --run --offline | writes sample, runs a graph-persisting scan, seeds a baseline gateway policy |
| Repo and lockfile scan | agent-bom agents -p . | package findings, SARIF/SBOM/HTML when requested |
| Pre-install guard | agent-bom check flask@2.0.0 --ecosystem pypi | deterministic allow/warn/block result |
| Container image scan | agent-bom image nginx:latest | image findings and remediation |
| IaC scan | agent-bom iac Dockerfile k8s/ infra/main.tf | IaC findings and policy context |
| Cloud posture check | agent-bom cis-benchmark --provider aws | runtime CIS posture evidence |
| CI gate | uses: msaad00/agent-bom@v0.88.6 | SARIF, PR summary, optional code-scanning upload |
| MCP tools | pip install 'agent-bom[mcp-server]' && agent-bom mcp server | strict-args security tools for MCP clients |
| Local API/UI | pip install 'agent-bom[ui]' && agent-bom serve | API plus bundled dashboard |
| First-run extras | pip install 'agent-bom[all]' | supported onboarding extras; MLflow remains separately installed |
| Self-hosted pilot | docker compose -f docker-compose.pilot.yml up -d | API and dashboard in your environment |

The base wheel is the scanner and CLI path. Optional runtime surfaces fail fast with install hints when their extras are missing.

MCP registry publishing is tracked through the committed Smithery manifest and other registry metadata; install and liveness checks stay in the linked integration docs instead of this front door.

Shipped Surfaces

| Surface | Primary user | Current boundary |
|---|---|---|
| CLI / CI | developers and release gates | local scans, SARIF/SBOM/HTML/JSON, deterministic exit codes |
| REST API | control-plane integrations | scans, bulk findings, dataset versions, evaluation runs, graph evidence, audit, runtime summaries |
| MCP tools | agents and assistants | strict arguments, read-mostly security queries, exposure paths, deploy decisions, audited Shield actions |
| Dashboard | security teams and operators | inventory, findings, graph cockpit, compliance, evidence, runtime posture |
| Runtime proxy/gateway | runtime operators | scoped MCP traffic inspection, policy decisions, redacted audit evidence |
| Python client | services, notebooks, and automation | typed helper for stable REST endpoints in the packaged wheel |
| TypeScript client | services and agent runtimes | typed helper for stable REST endpoints |

MCP server mode advertises 63 MCP tools, 6 resources, and 6 workflow prompts. Most tools are read-only. The three Shield write actions fail closed unless the caller supplies operator_role=admin, operator_scopes=shield:write, and an audit reason.
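The fail-closed rule for the Shield write actions is worth seeing as code. The block below is an added example, not agent-bom's Shield implementation: it takes the three requirements named above (operator_role=admin, operator_scopes=shield:write, an audit reason) and denies on every missing or malformed one, reaching the allow branch only when all three are present. The strict-argument check, the Decision type, the "target" field and the action name are hypothetical; only the three argument names come from the README.

```python
# Added example (not agent-bom's own Shield implementation): a fail-closed guard
# for a write action, modelled on the README's rule that the Shield write
# actions require operator_role=admin, operator_scopes=shield:write, and an
# audit reason. The three argument names follow the README; the allowed-argument
# set, the Decision type and the action names are hypothetical.
from dataclasses import dataclass, field

REQUIRED_ROLE = "admin"
REQUIRED_SCOPE = "shield:write"
# Strict arguments: anything outside this set is rejected rather than ignored.
ALLOWED_ARGS = {"operator_role", "operator_scopes", "reason", "target"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


def _scopes(value):
    """Accept a list or a comma-separated string; anything else yields no scopes."""
    if isinstance(value, str):
        return {s.strip() for s in value.split(",") if s.strip()}
    if isinstance(value, (list, tuple, set)):
        return {s for s in value if isinstance(s, str)}
    return set()


def authorize_write(action, args):
    """Deny on every missing or malformed requirement; allow only when all hold.

    There is no default-allow path: a caller that omits a field, sends the wrong
    role, lacks the scope, or passes an unexpected argument gets a denial with a
    reason, and only a fully formed request produces an audit record.
    """
    unknown = set(args) - ALLOWED_ARGS
    if unknown:
        return Decision(False, f"unexpected arguments: {sorted(unknown)}")
    if args.get("operator_role") != REQUIRED_ROLE:
        return Decision(False, "operator_role must be admin")
    scopes = _scopes(args.get("operator_scopes"))
    if REQUIRED_SCOPE not in scopes:
        return Decision(False, "operator_scopes must include shield:write")
    reason = args.get("reason")
    if not isinstance(reason, str) or not reason.strip():
        return Decision(False, "an audit reason is required")
    audit = {
        "action": action,
        "operator_role": REQUIRED_ROLE,
        "operator_scopes": sorted(scopes),
        "reason": reason.strip(),
        "target": args.get("target"),
    }
    return Decision(True, "ok", audit)


if __name__ == "__main__":
    print(authorize_write("example_write_action", {"operator_role": "admin"}))
    print(authorize_write("example_write_action", {
        "operator_role": "admin",
        "operator_scopes": "shield:write",
        "reason": "ticket TICKET-PLACEHOLDER",
        "target": "github-mcp",
    }))
```

The unknown-argument check is what "strict args" buys you: an extra field such as force=True is a denial, not a silently dropped key, so a caller cannot smuggle behaviour past the schema.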

CLI scan commands run local scan pipelines today. They share lower scanner and discovery libraries with the API, but they are not API wrappers yet.

Runtime enforcement is explicit. Proxy mode either wraps a target MCP server for audit and policy decisions, or runs that server through Docker/Podman isolation when a sandbox image is supplied:

agent-bom proxy --no-isolate --policy policy.json --detect-credentials --block-undeclared -- npx @mcp/server-github
agent-bom proxy --sandbox-image ghcr.io/acme/mcp-runtime@sha256:<digest> \
  --sandbox-image-pin-policy enforce --block-undeclared -- npx @mcp/server-postgres
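What a proxy decision looks like in practice, as an added example rather than agent-bom's proxy code: the block below applies two of the behaviours named by the flags above, blocking a tool call the server never declared (--block-undeclared) and detecting credential values in a call so the persisted audit record carries the credential's name but not its value (--detect-credentials; the same redaction rule the Trust Model section states). The policy shape, the secret-value patterns, the JSON-RPC-style sample messages and the token string are all constructed for illustration.

```python
# Added example (not agent-bom's proxy code): a small policy filter in the spirit
# of `--block-undeclared` and `--detect-credentials`, applied to JSON-RPC-style
# MCP tool calls before they reach the wrapped server. The policy shape, the
# sample messages and the secret patterns are constructed for illustration.
import re

# Constructed policy: the tools the wrapped server declared at startup.
POLICY = {"declared_tools": {"list_repos", "create_issue"}}

# Key names that denote a credential (value redacted regardless of content) and
# value shapes that look like secrets even under an innocuous key.
CREDENTIAL_NAME = re.compile(r"(?i)(token|secret|password|passwd|api_?key|credential)")
SECRET_VALUE = re.compile(r"ghp_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16}")
REDACTED = "[REDACTED]"


def redact(obj, key=None):
    """Copy of obj with credential values replaced; keys (env names) are preserved."""
    if isinstance(obj, dict):
        return {k: redact(v, k) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, key) for v in obj]
    if isinstance(obj, str):
        if key is not None and CREDENTIAL_NAME.search(key):
            return REDACTED
        return SECRET_VALUE.sub(REDACTED, obj)
    return obj


def credential_refs(obj, path=""):
    """Dotted paths of credential-bearing fields: the evidence kept after redaction."""
    refs = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            if isinstance(v, str) and (CREDENTIAL_NAME.search(k) or SECRET_VALUE.search(v)):
                refs.append(here)
            else:
                refs.extend(credential_refs(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            here = f"{path}[{i}]"
            if isinstance(v, str) and SECRET_VALUE.search(v):
                refs.append(here)
            else:
                refs.extend(credential_refs(v, here))
    return refs


def policy_decision(message, policy):
    """Return ("allow" | "block", audit_record) for one client -> server message."""
    method = message.get("method")
    params = message.get("params", {})
    record = {
        "method": method,
        "params": redact(params),                # safe to persist
        "credential_refs": credential_refs(params),
    }
    if method == "tools/call":
        name = params.get("name")
        if name not in policy["declared_tools"]:
            record["decision"] = "block"
            record["reason"] = f"tool {name!r} was not declared by the server"
            return "block", record
    record["decision"] = "allow"
    return "allow", record


# Constructed sample traffic (the token value is not a real credential).
CALL_DECLARED = {
    "jsonrpc": "2.0", "id": 1, "method": "tools/call",
    "params": {
        "name": "create_issue",
        "arguments": {
            "repo": "acme/app",
            "title": "bug",
            "env": {"GITHUB_TOKEN": "ghp_constructedsampletoken0000000000"},
        },
    },
}
CALL_UNDECLARED = {
    "jsonrpc": "2.0", "id": 2, "method": "tools/call",
    "params": {"name": "undeclared_tool", "arguments": {"repo": "acme/app"}},
}

if __name__ == "__main__":
    for msg in (CALL_DECLARED, CALL_UNDECLARED):
        print(policy_decision(msg, POLICY))
```

The audit record is built from the redacted copy, so nothing downstream (dashboard, REST push, evidence bundle) ever sees the value, while credential_refs keeps the GITHUB_TOKEN name as the edge the graph needs to explain exposure.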

Deploy In Your Boundary

agent-bom is designed for customer-controlled deployment: local CLI, Docker, GitHub Action, Helm, EKS, Postgres, and optional runtime proxy/gateway.

curl -fsSL https://raw.githubusercontent.com/msaad00/agent-bom/main/deploy/docker-compose.pilot.yml -o docker-compose.pilot.yml
docker compose -f docker-compose.pilot.yml up -d
# Dashboard -> http://localhost:3000

Production self-hosting starts with the deployment chooser:

There is no managed cloud offering in this repository today. Product lane boundaries are documented in docs/PRODUCT_BOUNDARIES.md.

Trust Model

  • Read-only discovery by default for cloud and local inventory.
  • No mandatory telemetry.
  • Credential values are redacted; credential environment names are preserved as evidence so exposure paths stay explainable.
  • Findings can export as JSON, SARIF, CycloneDX, SPDX, Markdown, HTML, and compliance evidence bundles.
  • API and runtime paths are designed for tenant scope, auth boundaries, and audit evidence.
  • OpenAPI artifacts are committed for SDK and client contract checks.

Security and release references:

Product Views

The docs site carries the deployment-oriented walkthroughs behind those screenshots:

Contributing

Contributions are welcome. Start with:

License: Apache-2.0.