Offline AI agent bill of materials and attack surface scanner
Project description
AgentBOM
AgentBOM is a static security scanner for AI-agent repositories. It detects AI providers, model identifiers, agent frameworks, prompts, MCP servers, secret references, and risky capabilities that appear reachable from an agent.
AgentBOM does not run code. It does not import scanned modules, execute MCP servers, contact networks, or store secret values.
It is different from SAST and SBOM tools because it focuses on AI-agent attack surface: which models, prompts, frameworks, MCP servers, and capabilities appear connected in the repository. Use SAST for language-specific vulnerability patterns and SBOM tools for package inventory. Use AgentBOM to review agent context and statically inferred reachability.
Quickstart
pip install ai-agentbom
agentbom scan . --pretty
Generate review artifacts:
agentbom scan . --output-dir agentbom-report --html --mermaid --sarif --pretty
AgentBOM always writes:
agentbom.json: machine-readable findingsagentbom.md: human-readable review report
Optional outputs:
| Flag | Output | Use |
|---|---|---|
--html |
agentbom.html |
self-contained offline report |
--mermaid |
agentbom.mmd |
capability graph |
--sarif |
agentbom.sarif |
GitHub code scanning and SARIF consumers |
--cyclonedx |
agentbom.cdx.json |
package ecosystem inventory workflows |
What It Finds
| Area | Examples |
|---|---|
| Providers | OpenAI, Anthropic, Gemini, Ollama, DeepSeek, OpenRouter |
| Models | gpt-5.1, gpt-4o-mini, o3-mini, claude-sonnet-4.6, gemini-3.1-pro, deepseek-r1, llama-3.3-70b-instruct, qwen2.5-coder, grok-4, command-r-plus, sonar-pro, OpenRouter and LiteLLM-prefixed model strings |
| Frameworks | LangChain, LangGraph, LlamaIndex, CrewAI, AutoGen/AG2, Semantic Kernel, Pydantic AI, OpenAI Agents SDK, Claude Agent SDK, Mastra, Google ADK, Vercel AI SDK, LiteLLM, Instructor, Haystack, DSPy, LangServe |
| Prompts | AGENTS.md, CLAUDE.md, prompts/*.md, prompt YAML |
| MCP | mcp.json, .mcp.json, claude_desktop_config.json, nested Cursor/Claude MCP config paths |
| MCP server risk | filesystem, shell/process, browser/network, database, cloud, secrets/env, unknown/custom servers |
| Capabilities | shell, code execution, network, database, cloud, MCP tool invocation |
| Secret references | credential names such as OPENAI_API_KEY, never values |
| Dependencies | deterministic AI-relevant dependency extraction from Python, JavaScript, Rust, and Go manifests |
| Policy gaps | prompt files, MCP config, shell/cloud access without policy documentation |
Findings include source paths, confidence, reviewer-facing rationale, and mitigation signals where static evidence is available.
Reports
Start with repository risk, review priorities, reachable capabilities, MCP security analysis, policy findings, and Changes since baseline.
Diff-aware scans compare the current report with a baseline JSON report:
agentbom scan . --baseline agentbom-baseline.json --fail-on-new high --sarif --html --pretty
--fail-on-new accepts low, medium, high, or critical. It evaluates
new providers, capabilities, MCP servers, secret references, and policy findings
introduced since the baseline.
See the report guide for field definitions and reviewer workflow.
GitHub Action
Use the action in pull requests to publish reports and a workflow job summary.
When GITHUB_STEP_SUMMARY is available, AgentBOM summarizes repository risk,
detected AI surface, reachable capabilities, and generated report files directly
in the GitHub Actions run.
name: AgentBOM
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run AgentBOM
uses: vlcak27/agentbom@v0.7.0
with:
path: .
fail-on: none
sarif-upload: false
html: true
output-dir: agentbom-report
- name: Upload AgentBOM reports
uses: actions/upload-artifact@v4
with:
name: agentbom-report
path: agentbom-report/
Enable SARIF upload only when you want GitHub code scanning alerts:
permissions:
contents: read
security-events: write
More details: GitHub Action docs.
Security Model
AgentBOM is designed for safe repository review:
- static analysis only
- does not execute scanned code
- does not import scanned modules
- does not execute MCP servers
- does not contact networks during scanning
- skips files larger than 1 MB
- skips binary-looking files
- does not follow symlink loops
- records secret names only, never secret values
- works offline and emits deterministic output for the same input repository
Limitations
- Findings are review signals, not exploit verification.
- Reachability is inferred from nearby static evidence, not runtime traces.
- False positives and missed detections are possible.
- Detector coverage is intentionally AI-agent focused, not general SAST.
- Dependency parsing is deterministic and limited, not a full lockfile solver.
- AgentBOM is not an SBOM, SPDX, or CycloneDX replacement.
Development
pip install -e ".[dev]"
ruff check .
pytest
Or run the project check:
make check
Useful docs:
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ai_agentbom-0.7.0.tar.gz.
File metadata
- Download URL: ai_agentbom-0.7.0.tar.gz
- Upload date:
- Size: 62.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cf817ebcaf1eb618fce938768a6c46eec001a84bf154a44bb8410625188b2909
|
|
| MD5 |
34c540525301f9cb202d239e1a82c888
|
|
| BLAKE2b-256 |
1263dc393bcca6450d153e56ccaca34d7ca87b45b4f78ee5ad93191018b493b8
|
Provenance
The following attestation bundles were made for ai_agentbom-0.7.0.tar.gz:
Publisher:
release.yml on vlcak27/agentbom
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ai_agentbom-0.7.0.tar.gz -
Subject digest:
cf817ebcaf1eb618fce938768a6c46eec001a84bf154a44bb8410625188b2909 - Sigstore transparency entry: 1562036045
- Sigstore integration time:
-
Permalink:
vlcak27/agentbom@16f013dcb9ad6d28bd743a12421c1f3b74ea4035 -
Branch / Tag:
refs/tags/v0.7.0 - Owner: https://github.com/vlcak27
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@16f013dcb9ad6d28bd743a12421c1f3b74ea4035 -
Trigger Event:
push
-
Statement type:
File details
Details for the file ai_agentbom-0.7.0-py3-none-any.whl.
File metadata
- Download URL: ai_agentbom-0.7.0-py3-none-any.whl
- Upload date:
- Size: 51.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7240ff9cbecb88d1a34aecce9216e3c47d87d668c3bd63d825fda9ebc06d72e6
|
|
| MD5 |
fc579056d2a0e9ce4160cb24ea21a594
|
|
| BLAKE2b-256 |
64f13f652b0765bb9324ac78a95db4e75f6687c5ccaeaefa118771e6418c8b5c
|
Provenance
The following attestation bundles were made for ai_agentbom-0.7.0-py3-none-any.whl:
Publisher:
release.yml on vlcak27/agentbom
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ai_agentbom-0.7.0-py3-none-any.whl -
Subject digest:
7240ff9cbecb88d1a34aecce9216e3c47d87d668c3bd63d825fda9ebc06d72e6 - Sigstore transparency entry: 1562036144
- Sigstore integration time:
-
Permalink:
vlcak27/agentbom@16f013dcb9ad6d28bd743a12421c1f3b74ea4035 -
Branch / Tag:
refs/tags/v0.7.0 - Owner: https://github.com/vlcak27
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@16f013dcb9ad6d28bd743a12421c1f3b74ea4035 -
Trigger Event:
push
-
Statement type: