AI AGENT SKILLS

agent-bom scan

An agent skill for the Security domain. Original description: Open security scanner for agentic infrastructure — agents, MCP, packages, blast radius, runtime, and trust for package CVEs (OSV, NVD, EPSS, KEV), container...

SKILL.md

---
name: agent-bom-scan
description: >-
  Open security scanner for agentic infrastructure — agents, MCP, packages,
  blast radius, runtime, and trust for package CVEs (OSV, NVD, EPSS,
  KEV), container images, provenance, filesystems, and SBOMs. Use
  when: "check package", "scan image", "verify", "is this safe",
  "scan dependencies", "CVE lookup", "blast radius".
version: 0.88.4
license: Apache-2.0
compatibility: >-
  Requires Python 3.11+. Install via pipx or pip. Native container image
  scanning — no external scanner required. No API keys required for basic
  operation.
metadata:
  author: msaad00
  homepage: https://github.com/msaad00/agent-bom
  source: https://github.com/msaad00/agent-bom
  pypi: https://pypi.org/project/agent-bom/
  scorecard: https://securityscorecards.dev/viewer/?uri=github.com/msaad00/agent-bom
  tests: 7239
  install:
    pipx: agent-bom
    pip: agent-bom
    docker: ghcr.io/msaad00/agent-bom:0.88.4
  openclaw:
    requires:
      bins: []
      env: []
    credentials: none
    credential_policy: "Zero credentials required. Optional env vars below increase rate limits. They are never auto-discovered, inferred, or transmitted."
    optional_env: []
    optional_bins:
      - semgrep
      - kubectl
    emoji: "\U0001F6E1"
    homepage: https://github.com/msaad00/agent-bom
    source: https://github.com/msaad00/agent-bom
    license: Apache-2.0
    os:
      - darwin
      - linux
      - windows
    credential_handling: "Env var values are NEVER extracted from config files. sanitize_env_vars() replaces all env values with ***REDACTED*** BEFORE any config data is processed or stored. Only structural data (server names, commands, URLs) passes through. Source: https://github.com/msaad00/agent-bom/blob/main/src/agent_bom/security.py#L159"
    data_flow: "All scanning is local-first. Only public package names and CVE IDs are sent to vulnerability databases (OSV, NVD, EPSS, GitHub Advisories). No credentials, config file contents, or scan results leave the machine."
    file_reads:
      # Claude Desktop
      - "~/Library/Application Support/Claude/claude_desktop_config.json"
      - "~/.config/Claude/claude_desktop_config.json"
      # Claude Code
      - "~/.claude/settings.json"
      - "~/.claude.json"
      # Cursor
      - "~/.cursor/mcp.json"
      - "~/Library/Application Support/Cursor/User/globalStorage/cursor.mcp/mcp.json"
      # Windsurf
      - "~/.windsurf/mcp.json"
      # Cline
      - "~/Library/Application Support/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json"
      # VS Code Copilot
      - "~/Library/Application Support/Code/User/mcp.json"
      # Codex CLI
      - "~/.codex/config.toml"
      # Gemini CLI
      - "~/.gemini/settings.json"
      # Goose
      - "~/.config/goose/config.yaml"
      # Continue
      - "~/.continue/config.json"
      # Zed
      - "~/.config/zed/settings.json"
      # Roo Code
      - "~/Library/Application Support/Code/User/globalStorage/rooveterinaryinc.roo-cline/settings/cline_mcp_settings.json"
      # Amazon Q
      - "~/Library/Application Support/Code/User/globalStorage/amazonwebservices.amazon-q-vscode/mcp.json"
      # JetBrains AI
      - "~/Library/Application Support/JetBrains/*/mcp.json"
      - "~/.config/github-copilot/intellij/mcp.json"
      # Junie
      - "~/.junie/mcp/mcp.json"
      # GitHub Copilot CLI
      - "~/.copilot/mcp-config.json"
      # Tabnine
      - "~/.tabnine/mcp_servers.json"
      # Cortex Code (Snowflake)
      - "~/.snowflake/cortex/mcp.json"
      - "~/.snowflake/cortex/settings.json"
      - "~/.snowflake/cortex/permissions.json"
      - "~/.snowflake/cortex/hooks.json"
      # Snowflake CLI
      - "~/.snowflake/connections.toml"
      - "~/.snowflake/config.toml"
      # Project-level configs
      - ".mcp.json"
      - ".vscode/mcp.json"
      - ".cursor/mcp.json"
      # User-provided files
      - "user-provided SBOM files (CycloneDX/SPDX JSON)"
    file_writes: []
    network_endpoints:
      - url: "https://api.osv.dev/v1"
        purpose: "OSV vulnerability database — batch CVE lookup for packages"
        auth: false
      - url: "https://services.nvd.nist.gov/rest/json/cves/2.0"
        purpose: "NVD CVSS v4 enrichment — optional API key increases rate limit"
        auth: false
      - url: "https://api.first.org/data/v1/epss"
        purpose: "EPSS exploit probability scores"
        auth: false
      - url: "https://api.github.com/advisories"
        purpose: "GitHub Security Advisories — supplemental CVE lookup"
        auth: false
    telemetry: false
    persistence: false
    privilege_escalation: false
    always: false
    autonomous_invocation: restricted
---


agent-bom-scan — AI Supply Chain Vulnerability Scanner

Checks packages for CVEs, scans container images natively, verifies package
provenance via Sigstore, scans filesystems, and generates SBOMs.

Install

pipx install agent-bom
agent-bom agents             # discover agents and scan dependencies
agent-bom check langchain==0.1.0  # check a specific package with version
agent-bom image nginx:1.25   # scan container image (native)
agent-bom fs .               # scan filesystem packages
agent-bom sbom .             # generate SBOM
agent-bom verify agent-bom   # verify Sigstore provenance
agent-bom where              # show all discovery paths

As an MCP Server

{
  "mcpServers": {
    "agent-bom": {
      "command": "uvx",
      "args": ["agent-bom", "mcp", "server"]
    }
  }
}

When to Use

  • "check package" / "is this package safe"
  • "scan image" / "scan container"
  • "verify" / "check provenance"
  • "is this safe" / "CVE lookup"
  • "scan dependencies"
  • "blast radius"
  • "generate SBOM"

Tools (8)

| Tool | Description |
|------|-------------|
| check | Check a package for CVEs (OSV, NVD, EPSS, KEV) |
| scan | Full discovery + vulnerability scan pipeline |
| blast_radius | Map CVE impact chain across agents, servers, credentials |
| remediate | Prioritized remediation plan for vulnerabilities |
| verify | Package integrity + SLSA provenance check |
| diff | Compare two scan reports (new/resolved/persistent) |
| where | Show MCP client config discovery paths |
| inventory | List discovered agents, servers, packages |

Examples

# Check a package before installing
check(package="langchain", version="0.1.0", ecosystem="pypi")

# Map blast radius of a CVE
blast_radius(cve_id="CVE-2024-21538")

# Full scan
scan()

# Verify package provenance
verify(package="agent-bom")

Agentic Workflows

Use tool chains, not isolated calls, when the user asks for a decision:

| User intent | Recommended sequence | Output |
|-------------|----------------------|--------|
| "Is this MCP safe to install?" | registry_lookup -> check -> blast_radius when a package/version is known | concise allow/warn/block recommendation with evidence |
| "Gate this PR" | scan with SARIF output and fail on high/critical findings | SARIF for code scanning plus non-zero gate result |
| "Audit my fleet inventory" | validate inventory -> scan/agents with JSON output -> context_graph | findings plus graph-ready JSON |
| "What changed since last run?" | current scan -> diff against prior JSON | new/resolved/persistent findings |
| "What should I fix first?" | scan -> blast_radius -> remediate plan | prioritized plan only; no file writes |
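The "What changed since last run?" row and the diff tool above both rest on one idea: a finding is identified by package, version and CVE, so two reports can be compared with plain set logic. The following is an added example, not agent-bom's own code; the report layout (a top-level "findings" list with package, version, cve and severity fields) is an assumption made for the example, and the CVE IDs are placeholders, not real advisories. It also flags persistent findings whose severity changed between runs, which the page's three buckets alone would hide.

```python
import json

# Constructed scan reports for this example. The JSON layout is an assumption, not
# agent-bom's real report schema; the CVE IDs are placeholders, not real advisories.
PRIOR_REPORT = json.dumps({"findings": [
    {"package": "langchain", "version": "0.1.0", "cve": "CVE-0000-0001", "severity": "UNKNOWN"},
    {"package": "requests", "version": "2.31.0", "cve": "CVE-0000-0002", "severity": "MEDIUM"},
]})
CURRENT_REPORT = json.dumps({"findings": [
    {"package": "langchain", "version": "0.1.0", "cve": "CVE-0000-0001", "severity": "HIGH"},
    {"package": "pydantic", "version": "1.10.0", "cve": "CVE-0000-0003", "severity": "CRITICAL"},
]})


def finding_key(finding):
    """A finding is identified by the affected package@version and the CVE, never by severity."""
    return (finding["package"], finding["version"], finding["cve"])


def diff_reports(prior_json, current_json):
    """Classify findings as new, resolved or persistent, and list severity changes."""
    prior = {finding_key(f): f for f in json.loads(prior_json)["findings"]}
    current = {finding_key(f): f for f in json.loads(current_json)["findings"]}
    persistent = sorted(k for k in current if k in prior)
    return {
        "new": sorted(k for k in current if k not in prior),
        "resolved": sorted(k for k in prior if k not in current),
        "persistent": persistent,
        # A persistent CVE whose severity moved (e.g. UNKNOWN became HIGH once NVD analysis
        # landed) deserves attention even though it is not "new".
        "severity_changes": [
            (k, prior[k]["severity"], current[k]["severity"])
            for k in persistent if prior[k]["severity"] != current[k]["severity"]
        ],
    }


def render(diff):
    """One line per finding, in the new/resolved/persistent order the page uses."""
    lines = []
    for bucket in ("new", "resolved", "persistent"):
        for package, version, cve in diff[bucket]:
            lines.append(f"{bucket:10} {cve} {package}=={version}")
    for (package, version, cve), old, new in diff["severity_changes"]:
        lines.append(f"changed    {cve} {package}=={version} severity {old} -> {new}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(diff_reports(PRIOR_REPORT, CURRENT_REPORT)))
```

Keying on (package, version, cve) rather than on the CVE alone matters: upgrading a package to a version that is still affected shows up as one finding resolved and one new, which is exactly the signal a reviewer wants.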

Pick output by consumer: SARIF for CI, JSON for automation/graph, HTML or
Markdown for human review, CycloneDX/SPDX for SBOM consumers.

For CLI gates, prefer:

agent-bom agents --format sarif --output agent-bom.sarif --fail-on-severity high

Guardrails

  • Show CVEs even when NVD analysis is pending or severity is unknown — a CVE ID is still a real finding.
  • Treat UNKNOWN severity as unresolved, not benign — it means data is not yet available.
  • Do not modify any files, install packages, or change system configuration.
  • Only public package names and CVE IDs leave the machine for vulnerability database lookups.
  • Ask before scanning paths outside the user's home directory.
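The "Gate this PR" workflow and the CLI gate above produce SARIF and fail on high/critical findings, and the first two guardrails say what the consumer of that SARIF must do with findings whose severity is not yet known. This added example (not agent-bom's code) shows a gate that follows both rules over a constructed SARIF 2.1.0 document. How agent-bom itself encodes severity in SARIF is not shown on this page; the example assumes the "security-severity" rule property that GitHub code scanning reads, with GitHub's score-to-bucket thresholds. CVE-2024-21538 is the ID from the blast_radius example above; CVE-0000-0009 is a placeholder.

```python
import json
import sys

# Constructed SARIF 2.1.0 document standing in for `agent-bom agents --format sarif` output.
# The "security-severity" rule property is an assumption (GitHub code scanning's convention),
# not a documented agent-bom field. CVE-0000-0009 is a placeholder with no score yet.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "agent-bom", "rules": [
            {"id": "CVE-2024-21538", "properties": {"security-severity": "7.5"}},
            {"id": "CVE-0000-0009"},  # NVD analysis pending: no score at all
        ]}},
        "results": [
            {"ruleId": "CVE-2024-21538", "level": "error", "message": {"text": "constructed finding"}},
            {"ruleId": "CVE-0000-0009", "level": "warning", "message": {"text": "constructed finding"}},
        ],
    }],
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def severity_bucket(score):
    """Map a security-severity score to a bucket using GitHub code scanning's thresholds.
    A missing score is reported as "unknown", never silently downgraded to "low"."""
    if score is None:
        return "unknown"
    score = float(score)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def gate_sarif(sarif_text, fail_on="high"):
    """Verdict: "block" if any finding is at or above fail_on; "unresolved" if nothing blocks
    but some finding has no severity yet; "pass" only when every finding is scored and below
    the threshold. Unknown severity therefore never lets a change through on its own."""
    doc = json.loads(sarif_text)
    threshold = SEVERITY_RANK[fail_on]
    counts = {b: 0 for b in ("critical", "high", "medium", "low", "unknown")}
    blocking = []
    for run in doc["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId")
            score = rules.get(rule_id, {}).get("properties", {}).get("security-severity")
            bucket = severity_bucket(score)
            counts[bucket] += 1
            if bucket != "unknown" and SEVERITY_RANK[bucket] >= threshold:
                blocking.append(rule_id)
    if blocking:
        verdict = "block"
    elif counts["unknown"]:
        verdict = "unresolved"
    else:
        verdict = "pass"
    return {"verdict": verdict, "blocking": sorted(blocking), "counts": counts}


if __name__ == "__main__":
    # usage: python gate.py [report.sarif] [low|medium|high|critical]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    outcome = gate_sarif(text, fail_on=sys.argv[2] if len(sys.argv) > 2 else "high")
    print(json.dumps(outcome, indent=2))
    sys.exit(0 if outcome["verdict"] == "pass" else 1)
```

The three-way verdict is the point: a CI job should exit non-zero for both "block" and "unresolved", but report them differently, since the second asks for a re-run once NVD analysis lands rather than a fix.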

Privacy & Data Handling

# Step 1: Install
pip install agent-bom

# Step 2: Review redaction logic BEFORE scanning
# sanitize_env_vars() replaces ALL env var values with ***REDACTED***
# BEFORE any config data is processed or stored:
# https://github.com/msaad00/agent-bom/blob/main/src/agent_bom/security.py#L159

# Step 3: Verify package provenance (Sigstore)
agent-bom verify agent-bom

# Step 4: Only then run scans
agent-bom agents
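Step 2 describes the property to check in the project's sanitize_env_vars(): every env var value is replaced with ***REDACTED*** before any other code sees the config, and only structural data (server names, commands, args) is kept. The following is an added illustration of that contract written for this page, not the project's security.py; the MCP config it parses is constructed in the shape of the "As an MCP Server" snippet above, with a made-up second server and secret value.

```python
import copy
import json

REDACTED = "***REDACTED***"

# Constructed MCP client config. "internal-api", its command and the token value are made up.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "agent-bom": {"command": "uvx", "args": ["agent-bom", "mcp", "server"]},
        "internal-api": {
            "command": "npx",
            "args": ["-y", "example-mcp-server"],
            "env": {"API_TOKEN": "constructed-secret-value", "LOG_LEVEL": "debug"},
        },
    }
})


def sanitize_env_vars(config):
    """Replace every env var value with the redaction marker. Env key names stay (which variables
    a server expects is structural); no value survives, so nothing downstream can log, store or
    transmit a secret. This must run before any other processing of the config."""
    sanitized = copy.deepcopy(config)
    for server in sanitized.get("mcpServers", {}).values():
        env = server.get("env")
        if isinstance(env, dict):
            server["env"] = {name: REDACTED for name in env}
    return sanitized


def load_config(text):
    """Parse and sanitize in one step so the raw dict never escapes this function."""
    return sanitize_env_vars(json.loads(text))


def inventory(config):
    """The structural data a scanner is allowed to keep: names, commands, args, env key names."""
    return [
        {
            "name": name,
            "command": server.get("command"),
            "args": server.get("args", []),
            "env_keys": sorted(server.get("env", {})),
        }
        for name, server in config.get("mcpServers", {}).items()
    ]


def leaks_secret(config, secret):
    """True if the secret appears anywhere in the serialized config (a cheap regression check)."""
    return secret in json.dumps(config)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print(json.dumps(inventory(cfg), indent=2))
    print("secret leaked:", leaks_secret(cfg, "constructed-secret-value"))
```

leaks_secret() is the kind of assertion worth keeping in a test suite for any tool that reads MCP configs: serialize whatever the tool is about to store or emit and confirm a known test secret is absent.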

Verification

  • Source: github.com/msaad00/agent-bom (Apache-2.0)
  • Sigstore signed: agent-bom verify agent-bom@0.88.4
  • 7,100+ tests with CodeQL + OpenSSF Scorecard
  • No telemetry: Zero tracking, zero analytics