Do not open a public GitHub issue for security vulnerabilities.
Report privately via GitHub Security Advisories.
For procurement-facing support boundaries, patch cadence, escalation paths, and release-note security language, see docs/ENTERPRISE_SUPPORT_MODEL.md.
Response SLA:
- Acknowledgement within 48 hours
- Triage and severity assessment within 5 business days
- Fix for critical issues within 7 days of triage
- Fix for high issues within 30 days of triage
| Version | Supported |
|---|---|
| Latest | ✓ Yes |
| < Latest | ✗ No — upgrade to the latest release |
The open-source project supports the latest released tag. Older release lines are not maintained as long-term support branches unless a separate commercial or customer-specific agreement exists.
agent-bom is a read-only scanner. It does not modify agent configurations, execute MCP servers, write credentials, or alter any external system state.
- Local config files (`~/.config/`, `~/.claude/`, etc.) — for agent discovery
- Public APIs: OSV.dev, NVD, EPSS, CISA KEV — for CVE enrichment
- Cloud provider APIs — when explicitly configured with credentials (AWS, GCP, Azure, Snowflake, Databricks)
- Docker daemon socket — when the `--image` flag is used
- Kubernetes API — when the `--k8s` flag is used
- Credentials are never stored by agent-bom
- Credential names/env var keys appear in output as `***REDACTED***`
- Redaction is heuristic-based (regex patterns) and may miss obfuscated or non-standard key names
- Cloud credentials must be pre-configured in the environment (AWS profile, GCP application default, etc.)
- Credential redaction is heuristic — non-standard or obfuscated key names may not be flagged
- External scanner dependency — container image scanning can rely on external binaries; their CVEs apply to those tools
- Network dependency — OSV/NVD/EPSS enrichment requires outbound HTTPS; air-gapped environments see reduced coverage
- MCP server execution — agent-bom does NOT execute MCP servers it discovers; it only reads their configs
- Runtime proxy enforcement — the proxy intercepts MCP traffic using a trust-on-first-use model; pre-existing compromised servers must be identified via scanning before proxy deployment
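An added illustration of the redaction heuristic described above (constructed here, not agent-bom's own redaction code): a key-name regex plus a value-shape regex applied to an MCP-style config, with a constructed config whose obfuscated `DB_PW0RD` entry shows the documented miss. The `mcpServers`/`env` layout, the patterns and every value are assumptions.

```python
import re
from typing import Any

REDACTED = "***REDACTED***"

# Constructed heuristics (not agent-bom's real pattern list): a key-name
# regex, plus a value-shape regex that catches a few well-known token prefixes.
SENSITIVE_KEY_RE = re.compile(r"(?i)(api[_-]?key|secret|token|password|passwd|credential)")
SENSITIVE_VALUE_RE = re.compile(r"^(sk-|ghp_|AKIA)[A-Za-z0-9_-]{8,}$")


def redact_env(env: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Return a copy of env with secret-looking values replaced, plus the keys redacted."""
    out: dict[str, str] = {}
    hits: list[str] = []
    for key, value in env.items():
        if SENSITIVE_KEY_RE.search(key) or SENSITIVE_VALUE_RE.match(value):
            out[key] = REDACTED
            hits.append(key)
        else:
            out[key] = value
    return out, hits


def redact_config(config: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Walk an MCP-style config (mcpServers -> env) and redact every env block."""
    servers: dict[str, Any] = {}
    all_hits: list[str] = []
    for name, server in config.get("mcpServers", {}).items():
        env, hits = redact_env(server.get("env", {}))
        servers[name] = {**server, "env": env}
        all_hits.extend(f"{name}.{k}" for k in hits)
    return {**config, "mcpServers": servers}, all_hits


# Constructed sample config; every value is a placeholder, not a real credential.
SAMPLE_CONFIG: dict[str, Any] = {
    "mcpServers": {
        "github": {"command": "npx", "env": {"GITHUB_TOKEN": "ghp_placeholder0000", "LOG_LEVEL": "info"}},
        # OPENAI_K has a non-standard name; only the value-shape heuristic catches it.
        "llm": {"command": "uvx", "env": {"OPENAI_K": "sk-placeholder12345678"}},
        # DB_PW0RD is obfuscated and its value has no known shape: it leaks through.
        "db": {"command": "uvx", "env": {"DB_PW0RD": "hunter2-placeholder", "PGHOST": "localhost"}},
    }
}

if __name__ == "__main__":
    cleaned, hits = redact_config(SAMPLE_CONFIG)
    print(hits)  # ['github.GITHUB_TOKEN', 'llm.OPENAI_K']
    print(cleaned["mcpServers"]["db"]["env"])  # DB_PW0RD is still visible
```

The leaked `DB_PW0RD` is the case the policy warns about: review scanner output before sharing it outside the trust boundary.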
- Defaults to localhost-only binding (`127.0.0.1:8422`)
- API key auth via the `AGENT_BOM_API_KEY` env var; OIDC/JWT via `AGENT_BOM_OIDC_ISSUER`
- WebSocket endpoints require the same auth when `AGENT_BOM_API_KEY` is set
- JWKS public key caching (1h TTL); RS256/RS384/RS512/ES256/ES384/ES512 supported; `alg: none` rejected
- Dashboard HTML uses a route-specific CSP. The packaged FastAPI-served UI allows `script-src 'self' 'unsafe-inline'` for the Next.js runtime bootstrap; API JSON routes keep the stricter `default-src 'self'` policy.
- The standalone Vercel preview config in `ui/vercel.json` is looser and still includes `unsafe-eval` for that hosting path. Treat it as a preview-only constraint, not the recommended self-hosted control-plane policy.
- Static analysis: ruff + mypy on every PR (required CI checks)
- Dependency scanning: Dependabot weekly (Python + npm)
- Container image scanning: pinned scanner action in CI pipeline
- Pre-commit hooks: ruff, ruff-format, detect-private-key, check-yaml, end-of-file-fixer
- Third-party penetration testing: not completed yet; required before `v1.0` runtime-enforcement GA. Scope and exit criteria are documented in docs/PENTEST_READINESS.md
The independent assessment planned before v1.0 is expected to cover:
- runtime proxy enforcement and audit integrity
- multi-MCP gateway auth, policy evaluation, and upstream relay behavior
- control-plane tenant isolation across API and dashboard surfaces
- reference EKS / Helm deployment hardening
The tracked scope, environment expectations, and v1.0 release criteria live in docs/PENTEST_READINESS.md.
The public verification path is documented:
- docs/RELEASE_VERIFICATION.md — Sigstore bundle verification, SLSA provenance inspection, and self-SBOM review
- docs/SUPPLY_CHAIN.md — dependency bounds, lockfiles, extras audit coverage, fuzz targets, and release trust controls
- Reporter submits via GitHub Security Advisories
- Maintainer acknowledges within 48 hours
- Issue triaged, CVSS severity assigned within 5 business days
- Fix developed on private branch; CVE ID requested if warranted
- Coordinated disclosure: patch released, advisory published simultaneously
- Reporter credited in release notes (unless anonymity requested)
agent-bom follows a 90-day coordinated disclosure model aligned with industry practice (CERT/CC, Project Zero):
- Default embargo: 90 days from the date the maintainer acknowledges the report
- Critical (CVSS ≥ 9.0): 30-day target with possible 14-day extension if a patch is in active review
- High (CVSS 7.0–8.9): 60-day target
- Medium / Low (CVSS < 7.0): 90-day target
- Extension requests are considered case-by-case; the reporter is consulted before any extension
- Early disclosure is permitted if the vulnerability is being actively exploited in the wild, or if the reporter and maintainer mutually agree
- Public CVE / GHSA publication happens at the same moment as the patched release; the reporter is credited unless anonymity is requested
- Private pre-disclosure to downstream packagers (PyPI security, Docker Hub, distros) may occur up to 7 days before public disclosure when the maintainer has reasonable grounds to believe coordinated patching reduces aggregate risk
If the maintainer becomes unresponsive past the embargo deadline without prior coordination, reporters may publish at their own discretion 14 days after a documented final outreach attempt.