Offline AI agent bill of materials and attack surface scanner
Project description
AgentBOM
What AgentBOM Is
AgentBOM is a local-first pre-commit security guard for AI-agent repositories.
AI-agent repos often mix prompts, tool permissions, MCP config, and API keys. AgentBOM gives you a local commit-time check before risky changes enter git.
- Activate once with
agentbom activate. - Commit normally.
- Block likely AI/API key leaks and risky agent capabilities.
- Run offline with deterministic checks and no scanned-code execution.
Quickstart
pip install ai-agentbom
cd my-agent-repo
agentbom activate
git commit
What It Catches
- likely AI/API key leaks, with values redacted
- risky shell or code execution capabilities
- MCP server exposure
- AI provider or model usage outside policy
Demo
Passing commit:
AgentBOM OK
No policy violations found.
Blocked commit:
AgentBOM blocked this commit
CRITICAL Possible OpenAI API key value
.env:1
Value redacted. Remove the key and rotate it.
Secret values are redacted in output.
Recommended Workflow
agentbom activate creates or reuses agentbom.toml and installs a repo-local
pre-commit guard. The default mode is confirm: passing commits print
AgentBOM OK, and AgentBOM asks before committing when policy violations are
found. Activation only affects this local clone and does not overwrite an
existing agentbom.toml unless --force is passed.
agentbom status
agentbom scan . --policy agentbom.toml --html --open
Activation presets:
safe: default, good for normal use.audit: observe without blocking.strict: stronger policy for sensitive repos.
agentbom activate --strict remains available as an alias for
agentbom activate --preset strict.
Policy Review
Policy review is advisory by default:
agentbom scan . --policy agentbom.toml --pretty
Make policy violations fail a scan only when you opt in:
agentbom scan . --policy agentbom.toml --enforce-policy
The HTML report includes a Policy Workbench for generating and refining
agentbom.toml from detected providers, models, frameworks, reachable
capabilities, MCP servers, secret references, and policy gaps.
See policy docs for policy format, rollout, local guard modes, and bypass behavior.
Local Guard
Install a repo-local pre-commit guard:
agentbom activate
Modes:
advisoryallows commits and warns on policy violations.confirmasks before committing when violations exist.enforceblocks commits when violations exist.
The hook is local to the current repository under .git/hooks/pre-commit.
Disable it with:
agentbom deactivate
Troubleshooting prompt or PATH issues: troubleshooting.
What It Finds
| Area | Examples |
|---|---|
| Providers and models | OpenAI, Anthropic, Gemini, Ollama, OpenRouter, GPT/o-series, Claude, Gemini, Llama, Mistral, Qwen, Grok, Cohere, Perplexity |
| Frameworks | LangChain, LangGraph, LlamaIndex, CrewAI, AutoGen/AG2, Semantic Kernel, Pydantic AI, OpenAI Agents SDK, Mastra, Vercel AI SDK, LiteLLM |
| Prompts | AGENTS.md, CLAUDE.md, prompts/*.md, prompt YAML |
| MCP | mcp.json, .mcp.json, claude_desktop_config.json, Cursor/Claude MCP config paths |
| Capabilities | shell, code execution, network, database, cloud, MCP tool invocation |
| Secret references | credential names such as OPENAI_API_KEY, never values |
| Secret leak findings | likely AI/API credential values, always redacted |
| Policy gaps | prompt files, MCP config, shell/cloud access without policy documentation |
Findings include source paths, confidence, reviewer-facing rationale, and mitigation signals where static evidence is available.
Reports
Generate review artifacts:
agentbom scan . --output-dir agentbom-report --html --mermaid --sarif --pretty
Diff-aware scans compare the current report with a baseline JSON report:
agentbom scan . --baseline agentbom-baseline.json --fail-on-new high --sarif --html --pretty
--fail-on-new accepts low, medium, high, or critical.
See the report guide for field definitions and reviewer workflow.
GitHub Action
Use the action in pull requests to publish reports and a workflow job summary.
name: AgentBOM
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run AgentBOM
uses: vlcak27/agentbom@v0.8.0
with:
path: .
fail-on: none
sarif-upload: false
html: true
output-dir: agentbom-report
- name: Upload AgentBOM reports
uses: actions/upload-artifact@v4
with:
name: agentbom-report
path: agentbom-report/
Enable SARIF upload only when you want GitHub code scanning alerts:
permissions:
contents: read
security-events: write
More details: GitHub Action docs.
Security Model
- static analysis only
- does not execute scanned code
- does not import scanned modules
- does not execute MCP servers
- does not contact networks during scanning
- skips files larger than 1 MB
- skips binary-looking files
- does not follow symlink loops
- records secret references by name and likely credential leaks with redacted metadata only, never secret values
- works offline and emits deterministic output for the same input repository
Limitations
- Findings are review signals, not exploit verification.
- Reachability is inferred from nearby static evidence, not runtime traces.
- False positives and missed detections are possible.
- AgentBOM is AI-agent focused. Use SAST for language-specific vulnerability patterns and SBOM tools for package inventory.
- AI/API credential leak checks are focused review signals and are not a replacement for full secret scanners such as Gitleaks or TruffleHog.
- Dependency parsing is deterministic and limited, not a full lockfile solver.
- AgentBOM is not an SBOM, SPDX, or CycloneDX replacement.
Development
pip install -e ".[dev]"
ruff check .
pytest
Or run the project check:
make check
Useful docs:
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ai_agentbom-0.8.0.tar.gz.
File metadata
- Download URL: ai_agentbom-0.8.0.tar.gz
- Upload date:
- Size: 90.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c37411c488c5f225e74a343b895156f087a045bd7e72a49cb38a8380282441d5
|
|
| MD5 |
d28df406a188f4328252304f9df79ec9
|
|
| BLAKE2b-256 |
8cafb3dccccc0cafee5513f0f479116ccc7d877c6f32bc66436b51c1ec065803
|
Provenance
The following attestation bundles were made for ai_agentbom-0.8.0.tar.gz:
Publisher:
release.yml on vlcak27/agentbom
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ai_agentbom-0.8.0.tar.gz -
Subject digest:
c37411c488c5f225e74a343b895156f087a045bd7e72a49cb38a8380282441d5 - Sigstore transparency entry: 1578963731
- Sigstore integration time:
-
Permalink:
vlcak27/agentbom@90ed2c5b2e05938e3da275f82a1d43a5df3536d8 -
Branch / Tag:
refs/tags/v0.8.0 - Owner: https://github.com/vlcak27
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@90ed2c5b2e05938e3da275f82a1d43a5df3536d8 -
Trigger Event:
push
-
Statement type:
File details
Details for the file ai_agentbom-0.8.0-py3-none-any.whl.
File metadata
- Download URL: ai_agentbom-0.8.0-py3-none-any.whl
- Upload date:
- Size: 71.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3acc7fe45732e21d91d5f821421fc4381e8d9455031d7372e161f783022f2736
|
|
| MD5 |
6120f2c11b49c2b7af2209e9eba67ff9
|
|
| BLAKE2b-256 |
b86d7b951b6fa6894a49f59dac9bdc08ca6eff291b65798a696e0637019ee89d
|
Provenance
The following attestation bundles were made for ai_agentbom-0.8.0-py3-none-any.whl:
Publisher:
release.yml on vlcak27/agentbom
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ai_agentbom-0.8.0-py3-none-any.whl -
Subject digest:
3acc7fe45732e21d91d5f821421fc4381e8d9455031d7372e161f783022f2736 - Sigstore transparency entry: 1578963923
- Sigstore integration time:
-
Permalink:
vlcak27/agentbom@90ed2c5b2e05938e3da275f82a1d43a5df3536d8 -
Branch / Tag:
refs/tags/v0.8.0 - Owner: https://github.com/vlcak27
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@90ed2c5b2e05938e3da275f82a1d43a5df3536d8 -
Trigger Event:
push
-
Statement type: