# agent-bom — AI Agent Infrastructure Security Scanner
Discovers MCP clients and servers across 22 AI tools, scans for CVEs, maps
blast radius, runs cloud CIS benchmarks, checks OWASP/NIST/MITRE compliance,
generates SBOMs, and assesses AI infrastructure against AISVS v1.0 and MAESTRO
framework layers.
## Install
```bash
pipx install agent-bom
agent-bom agents # auto-discover + scan
agent-bom check langchain==0.1.0 # check a specific package with version
agent-bom fs . # scan filesystem packages
agent-bom image nginx:1.25 # scan container image (native)
agent-bom cloud aws # AWS CIS benchmark
agent-bom iac infra/ # scan Terraform/CloudFormation
agent-bom where # show all discovery paths
```
### As an MCP Server
```json
{
"mcpServers": {
"agent-bom": {
"command": "uvx",
"args": ["agent-bom", "mcp", "server"]
}
}
}
```
## Sub-Skills (8)
| Sub-Skill | Purpose | Triggers |
|-----------|---------|---------|
| [discover](discover/SKILL.md) | Find agents, MCP servers, configurations | "find agents", "what's configured", "mcp inventory" |
| [scan](scan/SKILL.md) | CVE scanning, image scanning, SBOM, provenance | "check package", "scan image", "verify", "blast radius" |
| [scan-infra](scan-infra/SKILL.md) | IaC, cloud config, secrets scanning | "check terraform", "scan kubernetes", "find secrets" |
| [enforce](enforce/SKILL.md) | Runtime policy enforcement, MCP proxy | "block risky calls", "apply policy", "proxy" |
| [compliance](compliance/SKILL.md) | 14-framework compliance, SBOM generation | "compliance report", "NIST", "SOC 2", "OWASP" |
| [monitor](monitor/SKILL.md) | Fleet monitoring, trust scores, lifecycle | "fleet", "watch agents", "trust scores" |
| [analyze](analyze/SKILL.md) | Blast radius, attack paths, context graph | "blast radius", "threat intel", "attack path" |
| [troubleshoot](troubleshoot/SKILL.md) | Diagnostics, doctor, config validation | "doctor", "debug", "why failing", "validate config" |
## Tools
### Vulnerability Scanning
| Tool | Description |
|------|-------------|
| `scan` | Full discovery + vulnerability scan pipeline |
| `check` | Check a package for CVEs (OSV, NVD, EPSS, KEV) |
| `blast_radius` | Map CVE impact chain across agents, servers, credentials |
| `remediate` | Prioritized remediation plan for vulnerabilities |
| `verify` | Package integrity + SLSA provenance check |
| `diff` | Compare two scan reports (new/resolved/persistent) |
| `where` | Show MCP client config discovery paths |
| `inventory` | List discovered agents, servers, packages |
### Compliance & Policy
| Tool | Description |
|------|-------------|
| `compliance` | OWASP LLM/Agentic Top 10, EU AI Act, MITRE ATLAS, NIST AI RMF |
| `policy_check` | Evaluate results against custom security policy (17 conditions) |
| `cis_benchmark` | CIS benchmark checks (AWS, Azure v3.0, GCP v3.0, Snowflake) |
| `generate_sbom` | Generate SBOM (CycloneDX or SPDX format) |
| `aisvs_benchmark` | OWASP AISVS v1.0 compliance — 9 AI security checks |
### Registry & Trust
| Tool | Description |
|------|-------------|
| `registry_lookup` | Look up MCP server in 427+ server security metadata registry |
| `marketplace_check` | Pre-install trust check with registry cross-reference |
| `fleet_scan` | Batch registry lookup + risk scoring for MCP server inventories |
| `skill_scan` | Scan instruction files for package refs, trust, and findings |
| `skill_verify` | Verify Sigstore provenance for instruction files |
| `skill_trust` | Assess skill file trust level (5-category analysis) |
| `code_scan` | SAST scanning via Semgrep with CWE-based compliance mapping |
### Runtime & Analytics
| Tool | Description |
|------|-------------|
| `context_graph` | Agent context graph with lateral movement analysis |
| `analytics_query` | Query vulnerability trends, posture history, and runtime events |
| `runtime_correlate` | Cross-reference proxy audit JSONL with CVE findings, risk amplification |
| `vector_db_scan` | Probe Qdrant/Weaviate/Chroma/Milvus for auth and exposure |
| `gpu_infra_scan` | GPU container and K8s node inventory + unauthenticated DCGM probe (MAESTRO KC6) |
### Specialized Scans
| Tool | Description |
|------|-------------|
| `dataset_card_scan` | Scan dataset cards for bias, licensing, and provenance issues |
| `training_pipeline_scan` | Scan training pipeline configs for security risks |
| `browser_extension_scan` | Scan browser extensions for risky permissions and AI domain access |
| `model_provenance_scan` | Verify model provenance and supply chain integrity |
| `prompt_scan` | Scan prompt templates for injection and data leakage risks |
| `model_file_scan` | Scan model files for unsafe serialization (pickle, etc.) |
| `license_compliance_scan` | Full SPDX license catalog scan with copyleft and network-copyleft detection |
| `ingest_external_scan` | Import external scan results (CycloneDX/SPDX/JSON) and merge into agent-bom findings |
### Resources
| Resource | Description |
|----------|-------------|
| `registry://servers` | Browse 427+ MCP server security metadata registry |
## Example Workflows
```
# Check a package before installing
check(package="@modelcontextprotocol/server-filesystem", ecosystem="npm")
# Map blast radius of a CVE
blast_radius(cve_id="CVE-2024-21538")
# Full agent discovery + scan
agents()
# Run CIS benchmark
cis_benchmark(provider="aws")
# Run AISVS v1.0 compliance
aisvs_benchmark()
# Scan vector databases for auth misconfigurations
vector_db_scan()
# Discover GPU containers, K8s GPU nodes, and unauthenticated DCGM endpoints
gpu_infra_scan()
# Scan instruction files and then inspect trust
skill_scan(path=".")
skill_trust(skill_path="./SKILL.md")
```
## Guardrails
**Always do:**
- Show CVEs even when NVD analysis is pending or severity is `unknown` — a CVE ID with no details is still a real finding. Report what is known; mark severity as `unknown` explicitly.
- Confirm with the user before scanning cloud environments (`cis_benchmark`) — these make live API calls to AWS/Azure/GCP using the user's credentials.
- Treat `UNKNOWN` severity as unresolved, not benign — it means data is not yet available, not that the issue is minor.
**Never do:**
- Do not modify any files, install packages, or change system configuration. This skill is read-only.
- Do not transmit env var values, credentials, or file contents to any external service. Only package names and CVE IDs leave the machine.
- Do not invoke `agents()` autonomously on sensitive environments without user confirmation. The `autonomous_invocation` policy is `restricted`.
**Stop and ask the user when:**
- The user requests a cloud CIS benchmark and no cloud credentials are configured.
- A scan finds `CRITICAL` CVEs — present findings and ask whether to generate a remediation plan.
- The user asks to scan a path outside their home directory.
## Supported Frameworks (14)
- **OWASP LLM Top 10** (2025) — prompt injection, supply chain, data leakage
- **OWASP MCP Top 10** — MCP-specific security risks
- **OWASP Agentic Top 10** — tool poisoning, rug pulls, credential theft
- **OWASP AISVS v1.0** — AI Security Verification Standard (9 checks)
- **MITRE ATLAS** — adversarial ML threat framework
- **NIST AI RMF** — govern, map, measure, manage lifecycle
- **NIST CSF 2.0** — identify, protect, detect, respond, recover
- **NIST 800-53 Rev 5** — federal security controls (CM-8, RA-5, SI-2, SR-3)
- **FedRAMP Moderate** — derived from NIST 800-53 controls
- **EU AI Act** — risk classification, transparency, SBOM requirements
- **ISO 27001:2022** — information security controls (Annex A)
- **SOC 2** — Trust Services Criteria
- **CIS Controls v8** — implementation groups IG1/IG2/IG3
- **CMMC 2.0** — cybersecurity maturity model (Level 1-3)
## Privacy & Data Handling
This skill installs agent-bom from PyPI. **Verify the redaction behavior
before running with any config files:**
```bash
# Step 1: Install
pip install agent-bom
# Step 2: Review redaction logic BEFORE scanning
# sanitize_env_vars() replaces ALL env var values with ***REDACTED***
# BEFORE any config data is processed or stored:
# https://github.com/msaad00/agent-bom/blob/main/src/agent_bom/security.py#L159
# Step 3: Review config parsing — only structural data extracted:
# https://github.com/msaad00/agent-bom/blob/main/src/agent_bom/discovery/__init__.py
# Step 4: Verify package provenance (Sigstore)
agent-bom verify agent-bom
# Step 5: Only then run scans
agent-bom agents
```
**What is extracted**: Server names, commands, args, and URLs from MCP client
config files across 22 AI tools. **What is NOT extracted**: Env var values are
replaced with `***REDACTED***` by `sanitize_env_vars()` before any processing.
Only public package names and CVE IDs are sent to vulnerability databases.
Cloud CIS checks use locally configured credentials and call only the cloud
provider's own APIs.
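To make the redaction claim and the "only package names and CVE IDs leave the machine" claim concrete, and to show what the `blast_radius` mapping in the Tools table is doing conceptually, here is an added example written for this page. It is not agent-bom's own code (the real `sanitize_env_vars()` and discovery parser are in the repository linked above); the function names, the sample MCP client config, the agent-to-server mapping, the package-inference heuristic, and the placeholder vulnerability ID `EXAMPLE-CVE-1` are all constructed assumptions.

```python
"""Illustrative model of discovery -> redaction -> lookup -> blast radius.
Hypothetical example code for this page, not agent-bom's implementation."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass

REDACTED = "***REDACTED***"

# Constructed sample in the shape of a Claude Desktop / Cursor style config.
# The token values are fake and exist only to prove they never leave.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/alice"],
        },
        "github": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-github"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_FAKE_do_not_leak"},
        },
        "remote": {"url": "https://mcp.example.internal/sse",
                   "env": {"API_KEY": "sk-FAKE-do-not-leak"}},
    }
})
# Constructed: which AI client (agent) has which servers configured.
SAMPLE_AGENTS = {"claude-desktop": ["filesystem", "github"], "cursor": ["github", "remote"]}
# Constructed stand-in for an OSV/NVD answer; the ID is a placeholder, not a real CVE.
SAMPLE_VULN_DB = {"EXAMPLE-CVE-1": {("npm", "@modelcontextprotocol/server-github")}}


@dataclass
class Server:
    name: str
    command: str | None
    args: list[str]
    url: str | None
    env: dict[str, str]              # values are always REDACTED, keys are kept
    packages: list[tuple[str, str]]  # (ecosystem, package name) without version


def sanitize_env_vars(env: dict[str, str]) -> dict[str, str]:
    """Keep env var names (needed for credential blast radius), drop every value."""
    return {key: REDACTED for key in env}


def split_spec(spec: str) -> tuple[str, str | None]:
    """'@scope/pkg@1.2.3' -> ('@scope/pkg', '1.2.3'); a leading '@' is a scope."""
    idx = spec.rfind("@")
    if idx <= 0:
        return spec, None
    return spec[:idx], spec[idx + 1:]


def infer_packages(command: str | None, args: list[str]) -> list[tuple[str, str]]:
    """Heuristic: npx/uvx launch the first non-flag argument as a package."""
    ecosystem = {"npx": "npm", "uvx": "pypi"}.get(command or "")
    if ecosystem is None:
        return []
    for arg in args:
        if not arg.startswith("-"):
            return [(ecosystem, split_spec(arg)[0])]
    return []


def parse_mcp_config(text: str) -> list[Server]:
    """Extract structural data only; env values are redacted before being stored."""
    servers = []
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        command, args = spec.get("command"), list(spec.get("args", []))
        servers.append(Server(name, command, args, spec.get("url"),
                              sanitize_env_vars(spec.get("env", {})),
                              infer_packages(command, args)))
    return servers


def leaked_values(servers: list[Server], raw_config: str) -> list[str]:
    """Check: does any original env value survive anywhere in the parsed inventory?"""
    raw = json.loads(raw_config)["mcpServers"].values()
    secrets = {v for spec in raw for v in spec.get("env", {}).values()}
    serialized = json.dumps([asdict(s) for s in servers])
    return sorted(v for v in secrets if v in serialized)


def outbound_query(servers: list[Server]) -> list[str]:
    """The only data that should reach a vulnerability database: ecosystem:package."""
    return sorted({f"{eco}:{pkg}" for s in servers for eco, pkg in s.packages})


def blast_radius(servers, cve_id, agents, vuln_db=SAMPLE_VULN_DB):
    """Walk CVE -> package -> server -> agent; list exposed credential NAMES only."""
    affected = vuln_db.get(cve_id, set())
    hit = [s for s in servers if set(s.packages) & affected]
    hit_names = {s.name for s in hit}
    return {
        "servers": sorted(hit_names),
        "agents": sorted(a for a, names in agents.items() if set(names) & hit_names),
        "credentials": sorted(k for s in hit for k in s.env),
    }


if __name__ == "__main__":
    inventory = parse_mcp_config(SAMPLE_CONFIG)
    assert leaked_values(inventory, SAMPLE_CONFIG) == []
    print(outbound_query(inventory))
    print(blast_radius(inventory, "EXAMPLE-CVE-1", SAMPLE_AGENTS))
```

Running it prints the outbound query (ecosystem and package name only) and the blast-radius result for the placeholder ID. `leaked_values()` is the kind of check worth running against any scanner that claims to redact: serialize everything it stored and search it for the original secret strings, rather than trusting the comment that says they were removed.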
## Verification
- **Source**: [github.com/msaad00/agent-bom](https://github.com/msaad00/agent-bom) (Apache-2.0)
- **Sigstore signed**: `agent-bom verify agent-bom@0.76.4`
- **7,100+ tests** with CodeQL + OpenSSF Scorecard
- **No telemetry**: Zero tracking, zero analytics