Open security scanner and self-hosted control plane for AI/MCP infrastructure.
Start with the demo, then choose the entrypoint that matches your first job: repo scan, image scan, cloud posture, fix plan, dashboard, MCP tools, or runtime review.
```text
better-sqlite3@9.0.0 (npm package)
├── OSV/GHSA finding (critical · advisory-backed)
├── sqlite-mcp (MCP Server · unverified · root)
├── Cursor IDE (Agent · 4 servers · 12 tools)
├── ANTHROPIC_KEY, DB_URL, AWS_SECRET (Credential env names visible)
└── query_db, read_file, write_file, run_shell (Reachable tools)
Fix: upgrade better-sqlite3 → 11.7.0
```
Blast radius is the core idea: package -> vulnerability finding -> MCP server (tools + credential env names) -> connected agents. This schematic explains the model; emitted findings are backed by the configured advisory sources.
Scan local agent configs, MCP servers, instruction files, lockfiles, containers, cloud posture, GPU surfaces, and runtime evidence.
Try the built-in demo first:

```sh
agent-bom agents --demo --offline
```

The demo uses a curated sample so the output stays reproducible across releases. For real scans, run `agent-bom agents`, or add `-p .` to fold project manifests and lockfiles into the same result.
If you want an inspectable sample before scanning your own repo:

```sh
agent-bom samples first-run
agent-bom agents --inventory agent-bom-first-run/inventory.json -p agent-bom-first-run --enrich
```

The bundled first-run stack includes agent inventory, MCP server definitions, placeholder credential environment variable names, Python/npm manifests, and a prompt file. See docs/FIRST_RUN.md in the repository for the guided flow.
```sh
pip install agent-bom
agent-bom quickstart --dry-run --offline           # Scan, sample-data, and API/UI next steps
agent-bom agents -p .                              # Repo + MCP + package blast radius
agent-bom samples first-run                        # Inspectable sample AI stack
agent-bom check flask@2.2.0 --ecosystem pypi       # Pre-install package verdict
agent-bom image nginx:latest                       # Container image scan
agent-bom agents -p . --remediate remediation.md   # Fix-first remediation plan
pip install 'agent-bom[ui]'                        # once, if you want the dashboard
agent-bom serve                                    # API + dashboard + graph explorer
```

The base wheel is the scanner/CLI path. Install optional surfaces explicitly: `pip install 'agent-bom[mcp-server]'` for MCP server mode and `pip install 'agent-bom[ui]'` for the local API/dashboard process. Use `pip install 'agent-bom[all]'` for supported first-run extras; MLflow remains separate until its upstream CVE backlog is fixed. If an extra is missing, the command exits with the matching install hint.
Self-hosted pilot:

```sh
curl -fsSL https://raw.githubusercontent.com/msaad00/agent-bom/main/deploy/docker-compose.pilot.yml -o docker-compose.pilot.yml
docker compose -f docker-compose.pilot.yml up -d
# Dashboard -> http://localhost:3000
```

Production chart from a checked-out repo:

```sh
helm upgrade --install agent-bom deploy/helm/agent-bom \
  --namespace agent-bom --create-namespace \
  -f deploy/helm/agent-bom/examples/eks-production-values.yaml
```

- Agents + MCP — MCP clients, servers, tools, transports, trust posture
- Skills + instructions — `CLAUDE.md`, `AGENTS.md`, `.cursorrules`, `.windsurfrules`, `skills/*`
- Package risk — software supply chain scanning with enrichment and blast radius
- Container images + IaC — native OCI parsing plus Dockerfile, Terraform, CloudFormation, Helm, and Kubernetes coverage
- Cloud AI — cloud and AI infrastructure posture across major supported providers
- Secrets + runtime — MCP proxy, Shield SDK, secrets, and redaction surfaces
- Compliance + evidence — mapped governance plus ZIP evidence bundles for auditors
- Blast radius mapping — package → vulnerability finding → MCP server (tools + credential env names) → connected agents
- CWE-aware impact — RCE shows credential exposure, DoS does not
- Portable outputs — SARIF, CycloneDX, SPDX, HTML, graph, JSON, ZIP evidence bundles, and more
- MCP server mode — expose `agent-bom` capabilities directly to MCP clients like Claude, Cursor, Windsurf, and Cortex CoCo / Cortex Code
- Skill bundle identity — stable bundle hashes for skill and instruction file review
- Dependency confusion detection — flags internal naming patterns
- VEX generation — auto-triage with CWE-aware reachability
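The blast-radius walk sketched in the schematic above and the CWE-aware impact rule (RCE exposes credential env names, DoS does not) can be shown together in a small model. This is an added illustration, not agent-bom's own code: the CWE grouping, the second server, the second agent, and the placeholder advisory id are all assumptions.

```python
"""Blast-radius walk: package -> finding -> MCP server -> agents, with CWE-aware impact.
Illustrative example added here; it is not agent-bom's own implementation."""
from dataclasses import dataclass

# Assumed CWE grouping for the example: code-execution classes let an attacker read the
# MCP server's environment, so credential env names are reported; DoS classes do not.
RCE_CWES = {"CWE-78", "CWE-94", "CWE-502"}   # OS command injection, code injection, deserialization


@dataclass
class Finding:
    package: str; version: str; advisory: str; cwe: str; fix_version: str


@dataclass
class McpServer:
    name: str; packages: set; tools: list; credential_envs: list; root: bool = False


@dataclass
class Agent:
    name: str; servers: list   # names of the MCP servers this agent connects to


def blast_radius(finding, servers, agents):
    """One record per MCP server that bundles the vulnerable package."""
    leaks_credentials = finding.cwe in RCE_CWES
    hits = []
    for srv in servers:
        if finding.package not in srv.packages:
            continue
        hits.append({
            "server": srv.name,
            "root": srv.root,
            "reachable_tools": list(srv.tools),
            # a DoS-class finding reaches the server but does not expose its credentials
            "credential_env_names": list(srv.credential_envs) if leaks_credentials else [],
            "agents": sorted(a.name for a in agents if srv.name in a.servers),
            "fix": f"upgrade {finding.package} -> {finding.fix_version}",
        })
    return hits


# Constructed sample mirroring the schematic above; the advisory id is a placeholder.
SERVERS = [
    McpServer("sqlite-mcp", {"better-sqlite3"}, ["query_db", "read_file", "write_file", "run_shell"],
              ["ANTHROPIC_KEY", "DB_URL", "AWS_SECRET"], root=True),
    McpServer("docs-mcp", {"marked"}, ["search_docs"], ["DOCS_TOKEN"]),
]
AGENTS = [Agent("Cursor IDE", ["sqlite-mcp", "docs-mcp"]), Agent("Claude Desktop", ["docs-mcp"])]
RCE_FINDING = Finding("better-sqlite3", "9.0.0", "GHSA-PLACEHOLDER", "CWE-78", "11.7.0")
DOS_FINDING = Finding("better-sqlite3", "9.0.0", "GHSA-PLACEHOLDER", "CWE-400", "11.7.0")
```

Running `blast_radius(RCE_FINDING, SERVERS, AGENTS)` yields the sqlite-mcp record with all three credential env names and Cursor IDE as the reached agent; the same call with `DOS_FINDING` reaches the same server and agent but lists no credential names.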
Read-only. Agentless. No secrets leave your machine unless you explicitly enable an outbound integration.


