Agentic AI Bill of Materials scanner — discover and risk-assess the AI agents, models, tools, and MCP servers in a codebase.

aibom — Agentic AI Bill of Materials scanner

Discover, inventory, and risk-assess the AI agents, models, tools, and MCP servers in a codebase — without running it. aibom produces an AI-BOM (the AI equivalent of an SBOM) plus posture findings mapped to the OWASP LLM Top 10, and gates your CI on new critical/high findings.

Zero dependencies (Python stdlib only). Part of ScopeSafe.

pip install scopesafe-aibom   # installs the `aibom` command

aibom .            # human-readable report, exit 1 on CRITICAL/HIGH
aibom . --json     # raw AI-BOM JSON (SBOM export)

What it finds

  • Agents — LangChain, LangGraph, CrewAI, AutoGen, LlamaIndex constructors and graph idioms (StateGraph().compile(), .bind_tools(), factory functions), with cross-file resolution of imported tools/models
  • Models — client instantiation across frameworks + direct SDKs, including config-default model names (model: str = field(default="provider/model"))
  • Tools — @tool decorators, Tool() constructors, TOOLS = [...] lists, with capability tags (filesystem/exec/network/delete/...)
  • MCP servers — .mcp.json / claude_desktop_config.json, scope classification (broad/scoped/unknown)
  • Posture findings — broadly-scoped MCP servers, exec-capable servers, destructive tools without human-in-the-loop, hardcoded provider keys — each mapped to an OWASP LLM Top 10 category
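
A static check of the kind the MCP servers and posture-findings items describe, added here as an illustration and not aibom's own code: it reads an `mcpServers` config as data and flags broad-scope or shell-launched servers. The sample config, the `BROAD_PATHS` and `SHELLS` heuristics, and all function names are assumptions of this example.

```python
import json

# Constructed sample in the .mcp.json / claude_desktop_config.json layout.
# Server names, paths and the "example-search-mcp" package are made up.
SAMPLE_CONFIG = """{"mcpServers": {
  "files-root": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/"]},
  "files-docs": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/app/docs"]},
  "runner": {"command": "/bin/bash", "args": ["-c", "python tools/run.py"]},
  "search": {"command": "uvx", "args": ["example-search-mcp"]}
}}"""

# Assumed heuristics for this example, not aibom's rule set.
BROAD_PATHS = {"/", "~", "$HOME", "/home", "/Users"}
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}


def classify_server(entry):
    """Return (scope, exec_capable) for one mcpServers entry."""
    command = str(entry.get("command", "")).replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = [a for a in (entry.get("args") or []) if isinstance(a, str)]
    # Arguments that look like filesystem paths are treated as granted roots.
    paths = [a for a in args if a.startswith(("/", "~", "$HOME"))]
    if any(p in BROAD_PATHS or p.rstrip("/") in BROAD_PATHS for p in paths):
        scope = "broad"
    elif paths:
        scope = "scoped"
    else:
        scope = "unknown"  # nothing in the config shows what the server can reach
    return scope, command in SHELLS


def inventory(config_text):
    """Parse the config as data; no server listed in it is started."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {n: classify_server(e) for n, e in servers.items() if isinstance(e, dict)}


def findings(inv):
    """List broad-scope and exec-capable servers, sorted by server name."""
    out = []
    for name, (scope, exec_capable) in sorted(inv.items()):
        if scope == "broad":
            out.append((name, "broadly-scoped MCP server"))
        if exec_capable:
            out.append((name, "exec-capable MCP server"))
    return out


if __name__ == "__main__":
    print(findings(inventory(SAMPLE_CONFIG)))
```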

Continuous monitoring (ScopeSafe platform)

Upload scans to track finding lifecycle (new / recurring / resolved) across your projects and gate PRs:

export AIBOM_TOKEN=aibom_...          # workspace API token from settings
export AIBOM_API_URL=https://api.scopesafe.net

aibom . --upload --project my-repo
# aibom: uploaded scan 3f2a... (project 'my-repo')
#   findings: 1 new, 4 recurring, 2 resolved
#   gate: fail — 1 new high finding(s), e.g. AGENT-001: ...

Exit codes with --upload: 0 gate passed/skipped · 1 gate failed · 2 upload error.

Development

pip install -e ".[dev]"
pytest -q
ruff check src/

License

MIT

Download files

Source Distribution

scopesafe_aibom-0.1.0.tar.gz (19.6 kB)

Built Distribution

scopesafe_aibom-0.1.0-py3-none-any.whl (19.4 kB)

File details

Details for the file scopesafe_aibom-0.1.0.tar.gz.

File metadata

  • Download URL: scopesafe_aibom-0.1.0.tar.gz
  • Upload date:
  • Size: 19.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for scopesafe_aibom-0.1.0.tar.gz
Algorithm Hash digest
SHA256 a4e96183e29ddf0cd3895109988dce5d0697bf6045a9e3e5d4700f764f50b12e
MD5 b3e39b5b8ef5ac20a2305a77162a404a
BLAKE2b-256 fd884593c04ea575bf7760bac10f055454b217e65ae028d69e4a2cc47fc281e2

Provenance

The following attestation bundles were made for scopesafe_aibom-0.1.0.tar.gz:

Publisher: release.yml on sandhipveera/aibom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file scopesafe_aibom-0.1.0-py3-none-any.whl.

File hashes

Hashes for scopesafe_aibom-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a21baf96d47b6032fc279d92a34a4e950eb8137f3ffb82dd01d399f4e42052dc
MD5 11db01c6dab8d6208b9ff9d99c3a8cb9
BLAKE2b-256 6b5266b7d19adcc12253ee0a49ee2e8184b49b470589c5af400cccb120a8495b

Provenance

The following attestation bundles were made for scopesafe_aibom-0.1.0-py3-none-any.whl:

Publisher: release.yml on sandhipveera/aibom
