Skip to main content

Offline AI agent bill of materials and attack surface scanner

Project description

AgentBOM

CI PyPI Python License

AgentBOM is a static security scanner for AI-agent repositories. It detects AI providers, model identifiers, agent frameworks, prompts, MCP servers, secret references, and risky capabilities that appear reachable from an agent.

AgentBOM does not run code. It does not import scanned modules, execute MCP servers, contact networks, or store secret values.

It is different from SAST and SBOM tools because it focuses on AI-agent attack surface: which models, prompts, frameworks, MCP servers, and capabilities appear connected in the repository. Use SAST for language-specific vulnerability patterns and SBOM tools for package inventory. Use AgentBOM to review agent context and statically inferred reachability.

AgentBOM HTML report preview

Quickstart

pip install ai-agentbom
agentbom scan . --pretty

Generate review artifacts:

agentbom scan . --output-dir agentbom-report --html --mermaid --sarif --pretty

AgentBOM always writes:

  • agentbom.json: machine-readable findings
  • agentbom.md: human-readable review report

Optional outputs:

Flag Output Use
--html agentbom.html self-contained offline report
--mermaid agentbom.mmd capability graph
--sarif agentbom.sarif GitHub code scanning and SARIF consumers
--cyclonedx agentbom.cdx.json package ecosystem inventory workflows

What It Finds

Area Examples
Providers OpenAI, Anthropic, Gemini, Ollama, DeepSeek, OpenRouter
Models gpt-5.1, gpt-4o-mini, o3-mini, claude-sonnet-4.6, gemini-3.1-pro, deepseek-r1, llama-3.3-70b-instruct, qwen2.5-coder, grok-4, command-r-plus, sonar-pro, OpenRouter and LiteLLM-prefixed model strings
Frameworks LangChain, LangGraph, LlamaIndex, CrewAI, AutoGen/AG2, Semantic Kernel, Pydantic AI, OpenAI Agents SDK, Claude Agent SDK, Mastra, Google ADK, Vercel AI SDK, LiteLLM, Instructor, Haystack, DSPy, LangServe
Prompts AGENTS.md, CLAUDE.md, prompts/*.md, prompt YAML
MCP mcp.json, .mcp.json, claude_desktop_config.json, nested Cursor/Claude MCP config paths
MCP server risk filesystem, shell/process, browser/network, database, cloud, secrets/env, unknown/custom servers
Capabilities shell, code execution, network, database, cloud, MCP tool invocation
Secret references credential names such as OPENAI_API_KEY, never values
Dependencies deterministic AI-relevant dependency extraction from Python, JavaScript, Rust, and Go manifests
Policy gaps prompt files, MCP config, shell/cloud access without policy documentation

Findings include source paths, confidence, reviewer-facing rationale, and mitigation signals where static evidence is available.

Reports

Start with repository risk, review priorities, reachable capabilities, MCP security analysis, policy findings, and Changes since baseline.

Diff-aware scans compare the current report with a baseline JSON report:

agentbom scan . --baseline agentbom-baseline.json --fail-on-new high --sarif --html --pretty

--fail-on-new accepts low, medium, high, or critical. It evaluates new providers, capabilities, MCP servers, secret references, and policy findings introduced since the baseline.

See the report guide for field definitions and reviewer workflow.

GitHub Action

Use the action in pull requests to publish reports and a workflow job summary. When GITHUB_STEP_SUMMARY is available, AgentBOM summarizes repository risk, detected AI surface, reachable capabilities, and generated report files directly in the GitHub Actions run.

name: AgentBOM

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run AgentBOM
        uses: vlcak27/agentbom@v0.7.0
        with:
          path: .
          fail-on: none
          sarif-upload: false
          html: true
          output-dir: agentbom-report

      - name: Upload AgentBOM reports
        uses: actions/upload-artifact@v4
        with:
          name: agentbom-report
          path: agentbom-report/

Enable SARIF upload only when you want GitHub code scanning alerts:

permissions:
  contents: read
  security-events: write

More details: GitHub Action docs.

Security Model

AgentBOM is designed for safe repository review:

  • static analysis only
  • does not execute scanned code
  • does not import scanned modules
  • does not execute MCP servers
  • does not contact networks during scanning
  • skips files larger than 1 MB
  • skips binary-looking files
  • does not follow symlink loops
  • records secret names only, never secret values
  • works offline and emits deterministic output for the same input repository

Limitations

  • Findings are review signals, not exploit verification.
  • Reachability is inferred from nearby static evidence, not runtime traces.
  • False positives and missed detections are possible.
  • Detector coverage is intentionally AI-agent focused, not general SAST.
  • Dependency parsing is deterministic and limited, not a full lockfile solver.
  • AgentBOM is not an SBOM, SPDX, or CycloneDX replacement.

Development

pip install -e ".[dev]"
ruff check .
pytest

Or run the project check:

make check

Useful docs:

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ai_agentbom-0.7.0.tar.gz (62.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ai_agentbom-0.7.0-py3-none-any.whl (51.1 kB view details)

Uploaded Python 3

File details

Details for the file ai_agentbom-0.7.0.tar.gz.

File metadata

  • Download URL: ai_agentbom-0.7.0.tar.gz
  • Upload date:
  • Size: 62.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ai_agentbom-0.7.0.tar.gz
Algorithm Hash digest
SHA256 cf817ebcaf1eb618fce938768a6c46eec001a84bf154a44bb8410625188b2909
MD5 34c540525301f9cb202d239e1a82c888
BLAKE2b-256 1263dc393bcca6450d153e56ccaca34d7ca87b45b4f78ee5ad93191018b493b8

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_agentbom-0.7.0.tar.gz:

Publisher: release.yml on vlcak27/agentbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ai_agentbom-0.7.0-py3-none-any.whl.

File metadata

  • Download URL: ai_agentbom-0.7.0-py3-none-any.whl
  • Upload date:
  • Size: 51.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ai_agentbom-0.7.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7240ff9cbecb88d1a34aecce9216e3c47d87d668c3bd63d825fda9ebc06d72e6
MD5 fc579056d2a0e9ce4160cb24ea21a594
BLAKE2b-256 64f13f652b0765bb9324ac78a95db4e75f6687c5ccaeaefa118771e6418c8b5c

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_agentbom-0.7.0-py3-none-any.whl:

Publisher: release.yml on vlcak27/agentbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page