MCP Servers

agent-bom

AI supply chain security scanner for MCP servers and AI agents. 18 tools for CVE scanning, blast radius mapping, CIS benchmarks, SBOM generation, and compliance enforcement across OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, and EU AI Act.

README

AI supply chain security scanner. Scan packages and images for CVEs. Assess config security — credential exposure, tool access, privilege escalation. Map blast radius from vulnerabilities to credentials and tools. Enterprise posture scoring, incident correlation, credential risk ranking. OWASP LLM Top 10 + OWASP MCP Top 10 + MITRE ATLAS + NIST AI RMF + EU AI Act.

Why agent-bom?

Traditional scanners tell you a package has a CVE. agent-bom tells you which AI agents are compromised, which credentials leak, which tools an attacker reaches, and what the business impact is.

CVE-2025-1234  (CRITICAL · CVSS 9.8 · CISA KEV)
  └─ better-sqlite3@9.0.0  (npm)
       └─ sqlite-mcp  (MCP Server · unverified · 🛡 root)
            ├─ Cursor IDE  (Agent · 4 servers · 12 tools)
            ├─ ANTHROPIC_KEY, DB_URL, AWS_SECRET  (Credentials exposed)
            └─ query_db, read_file, write_file, run_shell  (Tools at risk)

 Fix: upgrade better-sqlite3 → 11.7.0

	Grype / Syft / Trivy	agent-bom
Package CVE detection	Yes	Yes — OSV + NVD CVSS v4 + EPSS + CISA KEV + GHSA + NVIDIA CSAF
SBOM generation	Yes (Syft)	Yes — CycloneDX 1.6, SPDX 3.0, SARIF
AI agent discovery	—	18 MCP clients + Docker Compose auto-discovered
Blast radius mapping	—	CVE → package → server → agent → credentials → tools
Credential exposure	—	Which secrets leak per vulnerability, per agent
MCP tool reachability	—	Which tools an attacker reaches post-exploit
Privilege detection	—	runs_as_root, shell_access, container_privileged, per-tool permissions
Enterprise remediation	—	Named assets, impact percentages, risk narratives
6-framework compliance	—	OWASP Agentic Top 10 + OWASP LLM Top 10 + OWASP MCP Top 10 + MITRE ATLAS + NIST AI RMF + EU AI Act
Malicious package detection	—	OSV MAL- prefix + typosquat heuristics (57 popular packages)
OpenSSF Scorecard enrichment	—	Package health scores from api.securityscorecards.dev
Tool poisoning detection	—	Description injection, capability combos, CVE exposure, drift
Model weight provenance	—	SHA-256 hash, Sigstore file detection, HuggingFace metadata
Policy-as-code	—	Block unverified servers, enforce thresholds in CI/CD, EPSS/scorecard conditions
Posture scorecard	—	Letter grade (A–F), 6-dimension scoring, weighted enterprise posture
Incident correlation	—	Group vulns by agent, P1–P4 priority, SOC-ready incident summaries
Credential risk ranking	—	Rank exposed credentials by blast radius severity tier
AI framework recognition	—	GPU/ML packages flagged as high-risk in image scans (via Grype/Syft)
Lateral movement analysis	—	Agent context graph, shared server/credential detection, BFS attack paths
427+ server MCP registry	—	Risk levels, tool inventories, auto-synced weekly

What it scans:

Source	How
MCP configs	Auto-discover (18 clients + Docker Compose)
Docker images	Grype / Syft / Docker CLI fallback
Kubernetes	kubectl across namespaces
Cloud providers	AWS, Azure, GCP, Databricks, Snowflake, Nebius
Terraform / GitHub Actions	AI resources + env vars
AI platforms	HuggingFace, W&B, MLflow, OpenAI
Jupyter notebooks	AI library imports + model refs
Model files	13 formats (.gguf, .safetensors, .pkl, ...)
Skill files	CLAUDE.md, .cursorrules, AGENTS.md
Prompt templates	.prompt, .promptfile, prompt.yaml
Ollama models	Local inventory via API + manifests
Existing SBOMs	CycloneDX / SPDX import

</td> <td width="50%" valign="top">

What it outputs:

Console, HTML dashboard, SARIF, CycloneDX 1.6, SPDX 3.0, Prometheus, OTLP, JSON, REST API

Read-only guarantee: Never writes configs, never runs servers, never stores secrets. All API calls are read-only. See PERMISSIONS.md.

Ecosystem:

Platform	Link
PyPI	`pip install agent-bom`
Docker	`docker run agentbom/agent-bom scan`
GitHub Action	`uses: msaad00/agent-bom@v0.48.0`
MCP Registry	server.json
ToolHive	registry entry
OpenClaw	SKILL.md
Smithery	smithery.yaml
Railway	Dockerfile.sse

</td> </tr> </table>

How it works

Discover — auto-detect MCP configs across 18 clients (Claude Desktop, Cursor, Codex CLI, Gemini CLI, Goose, etc.)
Extract — pull server names, package names, env var names, and tool lists. Credential values are never read.
Scan — send only package names + versions to public APIs (OSV.dev, NVD, EPSS, CISA KEV). No hostnames, no secrets, no auth tokens.
Analyze — CVE blast radius mapping, tool poisoning detection (--enforce), OWASP/ATLAS/NIST threat models, model provenance (--hf-model)
Score — posture scorecard (grade A–F), credential risk ranking, incident correlation by agent (P1–P4)
Report — JSON, SARIF, CycloneDX, SPDX, HTML, or console output. Alert dispatch to Slack/webhooks. Nothing stored server-side.

Trust guarantees: Read-only (no file writes, no config changes, no servers started). --dry-run previews all files and API calls then exits. Every release is Sigstore-signed. Run agent-bom verify agent-bom to check integrity. See PERMISSIONS.md for the full auditable trust contract.

<details> <summary>Architecture data flow</summary>

graph TB
    subgraph Input["Input Sources"]
        MCP["MCP Configs\n18 Clients"]
        Docker["Docker Images"]
        K8s["Kubernetes"]
        Cloud["Cloud APIs\nAWS / Azure / GCP / Snowflake"]
        SBOM["Existing SBOMs\nCycloneDX / SPDX"]
        AI["AI Platforms\nHuggingFace / W&B / MLflow"]
    end

    subgraph Core["Core Engine"]
        Discovery["Discovery Engine"]
        Parser["Package Parser"]
        Scanner["Vulnerability Scanner\nOSV + NVD + EPSS + KEV"]
        Blast["Blast Radius Analyzer"]
        Compliance["Compliance Tagger\n10 Frameworks"]
        Posture["Posture Scorer"]
    end

    subgraph Output["Output Channels"]
        Console["Console / HTML"]
        SBOM_Out["CycloneDX / SPDX / SARIF"]
        API["REST API + MCP Server"]
        Alerts["Slack / Webhook / Jira"]
    end

    MCP --> Discovery
    Docker --> Discovery
    K8s --> Discovery
    Cloud --> Discovery
    SBOM --> Discovery
    AI --> Discovery

    Discovery --> Parser
    Parser --> Scanner
    Scanner --> Blast
    Blast --> Compliance
    Compliance --> Posture

    Posture --> Console
    Posture --> SBOM_Out
    Posture --> API
    Posture --> Alerts

See docs/ARCHITECTURE.md for the full set of architecture diagrams including data flow pipeline, blast radius propagation, compliance framework mapping, and integration architecture.

</details>

Get started

pip install agent-bom

agent-bom scan                                     # auto-discover + scan
agent-bom scan --enrich                            # + NVD CVSS + EPSS + CISA KEV
agent-bom scan -f html -o report.html              # HTML dashboard
agent-bom scan --enforce                           # tool poisoning detection
agent-bom scan --fail-on-severity high -q          # CI gate
agent-bom scan --image myapp:latest                # Docker image scanning
agent-bom scan --k8s --all-namespaces              # K8s cluster
agent-bom scan --aws --snowflake --databricks      # Multi-cloud
agent-bom scan --hf-model meta-llama/Llama-3.1-8B  # model provenance

Auto-discovers Claude Desktop, Claude Code, Cursor, Windsurf, Cline, VS Code Copilot, Continue, Zed, Cortex Code (CoCo), Codex CLI, Gemini CLI, Goose, Snowflake CLI, OpenClaw, Roo Code, Amazon Q, ToolHive, and Docker MCP Toolkit.

<details> <summary>Install extras</summary>

Mode	Command
Core CLI	`pip install agent-bom`
Cloud (all)	`pip install 'agent-bom[cloud]'`
AWS	`pip install 'agent-bom[aws]'`
Snowflake	`pip install 'agent-bom[snowflake]'`
Databricks	`pip install 'agent-bom[databricks]'`
Nebius GPU cloud	`pip install 'agent-bom[nebius]'`
REST API	`pip install 'agent-bom[api]'`
Dashboard	`pip install 'agent-bom[ui]'`
AI enrichment	`pip install 'agent-bom[ai-enrich]'`
MCP server	`pip install 'agent-bom[mcp-server]'`
OpenTelemetry	`pip install 'agent-bom[otel]'`
Docker	`docker run --rm -v ~/.config:/root/.config:ro agentbom/agent-bom scan`

</details>

Core capabilities

CVE scanning + blast radius

Every vulnerability is mapped through your AI stack: which agents are affected, which credentials are exposed, which MCP tools an attacker can reach, and what to fix first.

Enrichment sources: OSV batch (primary), NVD CVSS v4, FIRST EPSS exploit probability, CISA KEV active exploitation catalog.

Privilege detection

Every MCP server is assessed for privilege escalation risk:

Signal	Detection
runs_as_root	`sudo` in command/args, Docker `Config.User` empty/"0"/"root"
shell_access	bash/sh/zsh/powershell command, exec/shell tools
container_privileged	Docker `HostConfig.Privileged`, CapAdd/CapDrop
tool_permissions	Per-tool read/write/execute/destructive classification

Privilege levels: critical (privileged container, CAP_SYS_ADMIN) → high (root, shell) → medium (fs write, network) → low (read-only).

6-framework compliance mapping

Every finding is tagged against six frameworks simultaneously:

OWASP Agentic Top 10 — ASI01 through ASI10 (agent autonomy, tool misuse, spawn persistence)
OWASP LLM Top 10 — LLM01 through LLM10 (7 categories triggered)
OWASP MCP Top 10 — MCP01 through MCP10 (8 categories triggered) — token exposure, tool poisoning, supply chain, shadow servers
MITRE ATLAS — AML.T0010, AML.T0043, AML.T0051, etc. (9 techniques mapped)
NIST AI RMF 1.0 — Govern, Map, Measure, Manage (12 subcategories mapped)
EU AI Act — ART-5 through ART-17 (prohibited practices, high-risk classification, cybersecurity)

Enterprise remediation

Each fix tells you exactly what will be protected — named agents, credentials, tools, percentages, threat tags, and risk narratives.

AI-BOM export

agent-bom scan -f cyclonedx -o ai-bom.cdx.json   # CycloneDX 1.6
agent-bom scan -f spdx -o ai-bom.spdx.json       # SPDX 3.0
agent-bom scan -f sarif -o results.sarif           # GitHub Security tab
agent-bom scan -f json -o ai-bom.json             # Full AI-BOM
agent-bom scan -f html -o report.html              # Interactive dashboard
agent-bom scan -f mermaid                          # Mermaid supply chain diagram
agent-bom scan -f graph -o graph.json              # Cytoscape-compatible graph JSON

Policy-as-code

agent-bom scan --policy policy.json --fail-on-severity high

Supported policy conditions: severity_gte, is_kev, ai_risk, has_credentials, ecosystem, package_name_contains, min_agents, min_tools, unverified_server, registry_risk_gte, owasp_tag, owasp_mcp_tag, is_malicious, min_scorecard_score, max_epss_score, has_kev_with_no_fix

Enterprise security operations

Posture scorecard — letter grade (A–F), numeric score (0–100), 6-dimension breakdown:

Dimension	Weight	Measures
Vulnerability Posture	30%	Severity distribution, fix availability
Credential Hygiene	20%	Credential exposure footprint
Supply Chain Quality	15%	OpenSSF Scorecard coverage
Compliance Coverage	15%	Threat framework tag mapping
Active Exploitation	10%	KEV, high-EPSS presence
Configuration Quality	10%	Registry verification, tool declarations

Incident correlation — group vulnerabilities by agent for SOC workflows:

Priority levels: P1 (KEV/multi-critical) → P2 (critical+creds) → P3 (high) → P4 (monitor)
Per-agent: unique CVEs, KEV IDs, exposed credentials, affected packages, recommended actions

Credential risk ranking — rank all exposed credentials by blast radius:

Risk tiers: critical (critical CVE exposure) → high → medium → low
Aggregated across all agents and servers per credential

Cloud provider discovery

agent-bom scan --aws --aws-region us-east-1       # Bedrock, Lambda, EKS, ECS, EC2, Step Functions
agent-bom scan --snowflake                         # Cortex Agents, MCP Servers, Search, Snowpark
agent-bom scan --databricks                        # Cluster libraries, model serving
agent-bom scan --nebius --nebius-project-id proj   # GPU cloud K8s + containers
agent-bom scan --k8s --context=coreweave-cluster   # CoreWeave / any K8s

<details> <summary>Cloud provider details</summary>

Provider	Depth	What's discovered	Install
Snowflake	Deep	Cortex Agents, native MCP Servers, Search, Snowpark, Streamlit, query history, governance, activity, observability	`pip install 'agent-bom[snowflake]'`
AWS	Standard	Bedrock agents, Lambda package extraction, EKS, ECS, Step Functions, EC2, SageMaker	`pip install 'agent-bom[aws]'`
Databricks	Preview	Cluster packages, model serving endpoints	`pip install 'agent-bom[databricks]'`
Azure	Standard	OpenAI deployments, Functions, Container Instances, ML endpoints, AI Foundry workspaces, Container Apps	`pip install 'agent-bom[azure]'`
GCP	Standard	Vertex AI endpoints, Cloud Functions, GKE, Cloud Run	`pip install 'agent-bom[gcp]'`
Nebius	Preview	Managed K8s, container services	`pip install 'agent-bom[nebius]'`
CoreWeave	Via K8s	K8s-native — `--k8s --context=coreweave-cluster`	(core CLI)
Ollama	Standard	Local model inventory via API + manifests	(core CLI)

Snowflake is the deepest integration — includes governance audit (access history, privilege grants, data classification), agent activity timeline, and Cortex observability. Other providers have functional discovery at varying depth. PRs welcome.

</details>

Additional capabilities

<details> <summary>MCP runtime introspection</summary>

Connect to live servers to discover runtime tools/resources and detect drift from configs. Read-only — only calls tools/list and resources/list.

agent-bom scan --introspect

</details>

<details> <summary>Skill file scanning + security audit</summary>

Scan CLAUDE.md, .cursorrules, AGENTS.md for embedded MCP servers, packages, and credentials. 7 security checks: typosquat detection, shell access, dangerous server names, unverified servers, excessive credentials, external URLs, unknown packages.

agent-bom scan --skill CLAUDE.md    # explicit
agent-bom scan --skill-only         # skills only
agent-bom scan --no-skill           # skip skills

</details>

<details> <summary>Prompt template scanning</summary>

Scan .prompt, .promptfile, system_prompt.*, prompt.yaml/json files for hardcoded secrets, prompt injection patterns, unsafe instructions, and sensitive data exposure.

agent-bom scan --scan-prompts

</details>

<details> <summary>AI-powered enrichment</summary>

LLM-generated risk narratives, executive summaries, and threat chain analysis. Works with local Ollama (free) or 100+ providers via litellm.

agent-bom scan --ai-enrich                              # auto-detect Ollama
agent-bom scan --ai-enrich --ai-model ollama/llama3      # specific model
agent-bom scan --ai-enrich --ai-model openai/gpt-4o-mini # cloud LLM

</details>

<details> <summary>Tool poisoning detection + enforcement</summary>

Static analysis of MCP tool descriptions for prompt injection patterns, dangerous capability combinations (EXECUTE + WRITE), CVE exposure in server dependencies, and tool drift detection via introspection.

agent-bom scan --enforce                       # tool poisoning + enforcement checks
agent-bom scan --enforce --introspect          # + drift detection against live servers

</details>

<details> <summary>Model weight provenance</summary>

SHA-256 hash verification, Sigstore signature file detection (.sig/.sigstore/.bundle presence — not cryptographic verification), and HuggingFace model metadata (author, license, model card, gated status, download count).

agent-bom scan --model-files ./models --model-provenance   # hash + signature checks
agent-bom scan --hf-model meta-llama/Llama-3.1-8B          # HuggingFace provenance

</details>

<details> <summary>Jupyter notebook + model file scanning</summary>

Detect 29+ AI libraries, pip installs, credentials in notebooks. Scan 13 model file formats with security flags for pickle-based formats.

agent-bom scan --jupyter ./notebooks
agent-bom scan --model-files ./models

</details>

<details> <summary>Interactive security graph visualization</summary>

The dashboard (agent-bom api) serves interactive React Flow graphs — the same rendering approach used by enterprise security platforms:

Agent Mesh (/mesh) — cross-agent topology with vulnerability overlay, shared server detection, credential blast analysis, severity filtering, and search
Attack Flow (/scan?view=attack-flow) — CVE-centric blast radius graph: CVE → Package → Server → Agent → Credentials → Tools
Supply Chain Lineage (/graph) — full dependency lineage with hover highlighting and detail panels
Context Graph (/context) — lateral movement analysis: agent-to-agent attack paths via shared servers, credentials, and tools

All graph views include: dagre auto-layout, hover highlighting (BFS connected nodes), click-to-inspect detail panels, minimap, OWASP LLM Top 10 + OWASP MCP Top 10 + MITRE ATLAS + NIST AI RMF framework tagging on every node.

CLI output formats for CI/CD and automation:

agent-bom scan -f graph -o graph.json    # Cytoscape-compatible JSON
agent-bom scan -f html -o report.html    # standalone interactive HTML report
agent-bom scan -f mermaid                # Mermaid text (for docs/markdown)
agent-bom scan -f sarif -o results.sarif # GitHub Security tab integration

</details>

<details> <summary>Supplemental advisory enrichment</summary>

Beyond OSV.dev, agent-bom checks supplemental sources to catch CVEs not yet indexed:

GitHub Security Advisories (GHSA) — all ecosystems (PyPI, npm, Go, Maven, Cargo, NuGet)
NVIDIA CSAF advisories — GPU/ML packages (CUDA, cuDNN, TensorRT, NCCL)

Both sources deduplicate by CVE ID against OSV results. Packages without a pinned version are auto-resolved from npm/PyPI registries before scanning.

</details>

Deployment

Mode	Command	Best for
CLI	`agent-bom scan`	Local audit
Pre-install check	`agent-bom check express@4.18.2 -e npm`	Before running MCP servers
GitHub Action	`uses: msaad00/agent-bom@v0.48.0`	CI/CD + SARIF
Docker	`docker run agentbom/agent-bom scan`	Isolated scans
REST API	`agent-bom api`	Dashboards, SIEM
Runtime proxy	`agent-bom proxy`	Opt-in MCP traffic audit (per-server)
MCP Server	`agent-bom mcp-server`	Inside any MCP client
Dashboard	`agent-bom serve`	API + Next.js dashboard
Snowflake	`SNOWFLAKE_ACCOUNT=... agent-bom api`	Snowpark + SiS
Prometheus	`--push-gateway` / `--otel-endpoint`	Monitoring

GitHub Action

- uses: msaad00/agent-bom@v0.48.0
  with:
    severity-threshold: high
    upload-sarif: true
    enrich: true
    fail-on-kev: true

REST API

pip install agent-bom[api]
agent-bom api --api-key $SECRET --rate-limit 30   # http://127.0.0.1:8422/docs

Endpoint	Description
`POST /v1/scan`	Start async scan
`GET /v1/scan/{id}`	Results + status
`GET /v1/scan/{id}/attack-flow`	Per-CVE blast radius graph
`GET /v1/registry`	427+ server registry
`GET /v1/compliance`	Full 6-framework compliance posture
`GET /v1/compliance/{framework}`	Single framework (owasp-llm, owasp-mcp, owasp-agentic, atlas, nist, eu-ai-act)
`GET /v1/posture`	Enterprise posture scorecard (grade A–F, 6 dimensions)
`GET /v1/posture/credentials`	Credential risk ranking by blast radius
`GET /v1/posture/incidents`	Incident correlation by agent (P1–P4)
`POST /v1/traces`	OpenTelemetry trace ingestion + vulnerable tool call flagging
`GET /v1/scan/{id}/context-graph`	Agent context graph + lateral movement paths
`GET /v1/malicious/check`	Malicious package / typosquat check

MCP Server

pip install agent-bom[mcp-server]
agent-bom mcp-server                    # stdio
agent-bom mcp-server --transport sse    # remote

15 tools: scan, check, blast_radius, policy_check, registry_lookup, generate_sbom, compliance, remediate, verify, where, inventory, diff, skill_trust, marketplace_check, context_graph

Cloud UI

cd ui && npm install && npm run dev   # http://localhost:3000

15-section Next.js dashboard:

Page	Description
Dashboard	Security posture summary + stat cards
Scan	Enterprise scan form with cloud options
Vulnerabilities	CVE browser with severity/EPSS/KEV filters
Agents	Fleet registry + lifecycle state management
Compliance	6-framework compliance posture (OWASP Agentic, OWASP LLM, OWASP MCP, ATLAS, NIST, EU AI Act)
Lineage Graph	Interactive supply chain graph — dagre layout, 7 node types, filter panel
Agent Mesh	Cross-agent topology — shared server detection, credential blast radius, tool overlap
Gateway	Runtime MCP policy rules + audit log
Registry	427+ MCP server browser
Fleet	Agent trust scoring + fleet management
Activity	Agent activity timeline + AI observability
Governance	Snowflake access, privileges, data classification
Traces	OpenTelemetry trace ingestion + vulnerable tool call flagging
Context Graph	Lateral movement analysis — agent-to-agent attack paths, shared credentials, tool overlap
Jobs	Background scan job management

Snowflake Deployment

pip install 'agent-bom[api,snowflake]'

Component	Description
Snowflake Table Storage	`SnowflakeJobStore`, `SnowflakeFleetStore`, `SnowflakePolicyStore` — auto-detect key-pair or password auth
Snowpark Container Services	`Dockerfile.snowpark` + `snowflake/setup.sql` — run the API inside Snowflake
Streamlit in Snowflake	`snowflake/streamlit_app.py` — 6-tab SiS dashboard reading from shared tables
Native App	`snowflake/native-app/` — Marketplace-distributable package

Set SNOWFLAKE_ACCOUNT + SNOWFLAKE_USER + auth (SNOWFLAKE_PRIVATE_KEY_PATH or SNOWFLAKE_PASSWORD) and the API auto-switches to Snowflake persistence.

See DEPLOYMENT.md for full Snowflake architecture and setup instructions.

MCP Server Registry (427+ servers)

Curated registry of 427+ known MCP servers with risk levels, tool inventories, credential env vars, categories, and version pins. Auto-synced weekly from the Official MCP Registry. Unverified servers trigger warnings. Policy rules can block them in CI.

Browse: mcp_registry.json | Expand: python scripts/expand_registry.py

AI supply chain coverage

Layer	Coverage	Examples
GPU/ML packages	`--image` via Grype/Syft	NVIDIA CUDA, cuDNN, TensorRT, AMD ROCm — flagged by package name matching
GPU clouds	`--k8s` pod discovery	CoreWeave, Lambda Labs, Nebius, Paperspace — image-level scanning
AI platforms	Cloud modules	Bedrock, Vertex AI, Snowflake Cortex, Databricks
Containers	`--image` via Grype/Syft	NVIDIA NGC, ROCm, vLLM, Triton, Ollama — any OCI image
AI frameworks	Dependency scan	LangChain, LlamaIndex, AutoGen, PyTorch, JAX, TensorFlow
Inference servers	`--image`	vLLM, Triton, TGI, llama.cpp
MLOps	Dependency scan	MLflow, W&B, Ray, ClearML
MCP ecosystem	Auto-discovery + registry	18 clients, 427+ servers
LLM providers	API key + SDK detection	OpenAI, Anthropic, Cohere, Mistral
IaC + CI/CD	`--tf-dir`, `--gha`	Terraform AI resources, GitHub Actions

See AI Infrastructure Scanning Guide for GPU container scanning examples (NVIDIA + AMD ROCm).

Trust & permissions

--dry-run — preview every file and API URL before access, then exit without reading anything
PERMISSIONS.md — auditable trust contract with all config paths enumerated
Read-only — never writes configs, runs servers, provisions resources, or stores secrets
Credential redaction — only env var names in reports; values, tokens, passwords never read
Sigstore signed — releases v0.7.0+ signed via cosign OIDC; verify PyPI integrity with agent-bom verify agent-bom@0.48.0 (SHA-256 + SLSA provenance)
No binary needed (MCP) — SSE transport requires zero local install; local CLI available for air-gapped use
OpenSSF Scorecard — automated supply chain scoring

Roadmap

Shipped:

[x] Cloud AI inventory — AWS Bedrock, Azure AI Foundry, GCP Vertex, Snowflake Cortex, Databricks, Nebius
[x] Tool poisoning / prompt injection detection — --enforce with description injection, capability combos, CVE exposure, drift
[x] Model weight provenance — SHA-256 hash, Sigstore file detection, HuggingFace metadata (--model-provenance, --hf-model)
[x] 18 MCP client discovery — Codex CLI, Gemini CLI, Goose, Snowflake CLI, full Cortex Code (CoCo) coverage
[x] K8s AI workload discovery — --k8s --all-namespaces with pod-level scanning
[x] OWASP MCP Top 10 compliance mapping — MCP01–MCP10 risk tagging
[x] Malicious package detection — OSV MAL- prefix flagging + typosquat heuristics
[x] OpenSSF Scorecard enrichment — --scorecard for package health scoring
[x] AI framework package recognition — GPU/ML packages (CUDA, ROCm, vLLM, JAX, etc.) flagged as high-risk in image scans
[x] Runtime MCP proxy — opt-in stdio proxy (agent-bom proxy) wraps individual MCP server commands for traffic interception; requires per-server client reconfiguration
[x] Enterprise integrations — Jira, Slack, Vanta, Drata
[x] Runtime sidecar Docker container — Dockerfile.runtime + Docker Compose for MCP proxy deployment
[x] EU AI Act compliance mapping — ART-5 through ART-17 risk classification
[x] OWASP Agentic Top 10 — ASI01 through ASI10 agent-specific risk tagging
[x] Marketplace trust check — marketplace_check MCP tool for pre-install validation
[x] OpenTelemetry trace ingestion — POST /v1/traces for vulnerable tool call flagging
[x] CMMC/FedRAMP compliance evidence export — --compliance-export ZIP bundles
[x] Agent spawn tree visualization — parent-child delegation chains
[x] RSP v3.0 alignment badge — Anthropic Responsible Scaling Policy compliance indicator
[x] Claude Code config security scanner — Check Point CVE vector detection
[x] Over-permission analyzer — mission profile enforcement per agent type
[x] Alert pipeline — AlertDispatcher with Slack, webhook, and in-memory channels; auto-trigger on scan
[x] Runtime protection engine — unified 5-detector orchestration with OTel trace ingestion
[x] Multi-tenant fleet — tenant_id scoping, X-Tenant-ID header, per-tenant stats
[x] Enterprise posture scorecard — letter grade (A–F), 6-dimension breakdown, auto-computed in scan output
[x] Incident correlation — per-agent vulnerability grouping with P1–P4 priority for SOC workflows
[x] Credential risk ranking — blast radius severity ranking for all exposed credentials
[x] Slack blast radius enrichment — webhook payloads include risk score, agents, credentials, fix versions
[x] Advanced policy conditions — min_scorecard_score, max_epss_score, has_kev_with_no_fix
[x] Enterprise hardening — bounded caches, SQLite indexes, stuck job cleanup, Content-Length validation
[x] Agent context graph — lateral movement analysis via shared servers, credentials, and tools; BFS attack path discovery
[x] Enterprise security hardening — per-job thread locks, SSRF protection, error sanitization, RBAC least privilege, path traversal guards

Planned:

[ ] CIS AI benchmarks
[ ] License compliance engine
[ ] Workflow engine scanning (n8n, Zapier, Make)

Contributing

git clone https://github.com/msaad00/agent-bom.git && cd agent-bom
pip install -e ".[dev]"
pytest && ruff check src/

See CONTRIBUTING.md | SECURITY.md | CODE_OF_CONDUCT.md | Skills

Apache 2.0 — LICENSE

Recommended Servers

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official

Featured

TypeScript

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official

Featured

Local

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official

Featured

TypeScript

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official

Featured

Python

E2B

Using MCP to run code via e2b.

Official

Featured

Neon Database

MCP server for interacting with Neon Management API and databases

Official

Featured

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official

Featured

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official

Featured