Open security scanner for agentic infrastructure — agents, MCP, packages, blast radius, runtime, and trust for package CVEs (OSV, NVD, EPSS, KEV), container...
---
name: agent-bom-scan
description: >-
Open security scanner for agentic infrastructure — agents, MCP, packages,
blast radius, runtime, and trust for package CVEs (OSV, NVD, EPSS,
KEV), container images, provenance, filesystems, and SBOMs. Use
when: "check package", "scan image", "verify", "is this safe",
"scan dependencies", "CVE lookup", "blast radius".
version: 0.94.2
license: Apache-2.0
compatibility: >-
Requires Python 3.11+. Install via pipx or pip. Native container image
scanning — no external scanner required. No API keys required for basic
operation.
metadata:
author: msaad00
homepage: https://github.com/msaad00/agent-bom
source: https://github.com/msaad00/agent-bom
pypi: https://pypi.org/project/agent-bom/
scorecard: https://securityscorecards.dev/viewer/?uri=github.com/msaad00/agent-bom
tests: 7239
install:
pipx: agent-bom
pip: agent-bom
docker: ghcr.io/msaad00/agent-bom:0.94.2
openclaw:
requires:
bins: []
env: []
credentials: none
credential_policy: "Zero credentials required. Optional env vars below increase rate limits. They are never auto-discovered, inferred, or transmitted."
optional_env: []
optional_bins:
- semgrep
- kubectl
emoji: "\U0001F6E1"
homepage: https://github.com/msaad00/agent-bom
source: https://github.com/msaad00/agent-bom
license: Apache-2.0
os:
- darwin
- linux
- windows
credential_handling: "Env var values are NEVER extracted from config files. sanitize_env_vars() replaces all env values with ***REDACTED*** BEFORE any config data is processed or stored. Only structural data (server names, commands, URLs) passes through. Source: https://github.com/msaad00/agent-bom/blob/main/src/agent_bom/security.py#L159"
data_flow: "All scanning is local-first. Only public package names and CVE IDs are sent to vulnerability databases (OSV, NVD, EPSS, GitHub Advisories). No credentials, config file contents, or scan results leave the machine."
file_reads:
# Claude Desktop
- "~/Library/Application Support/Claude/claude_desktop_config.json"
- "~/.config/Claude/claude_desktop_config.json"
# Claude Code
- "~/.claude/settings.json"
- "~/.claude.json"
# Cursor
- "~/.cursor/mcp.json"
- "~/Library/Application Support/Cursor/User/globalStorage/cursor.mcp/mcp.json"
# Windsurf
- "~/.windsurf/mcp.json"
# Cline
- "~/Library/Application Support/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json"
# VS Code Copilot
- "~/Library/Application Support/Code/User/mcp.json"
# Codex CLI
- "~/.codex/config.toml"
# Gemini CLI
- "~/.gemini/settings.json"
# Goose
- "~/.config/goose/config.yaml"
# Continue
- "~/.continue/config.json"
# Zed
- "~/.config/zed/settings.json"
# Roo Code
- "~/Library/Application Support/Code/User/globalStorage/rooveterinaryinc.roo-cline/settings/cline_mcp_settings.json"
# Amazon Q
- "~/Library/Application Support/Code/User/globalStorage/amazonwebservices.amazon-q-vscode/mcp.json"
# JetBrains AI
- "~/Library/Application Support/JetBrains/*/mcp.json"
- "~/.config/github-copilot/intellij/mcp.json"
# Junie
- "~/.junie/mcp/mcp.json"
# GitHub Copilot CLI
- "~/.copilot/mcp-config.json"
# Tabnine
- "~/.tabnine/mcp_servers.json"
# Cortex Code (Snowflake)
- "~/.snowflake/cortex/mcp.json"
- "~/.snowflake/cortex/settings.json"
- "~/.snowflake/cortex/permissions.json"
- "~/.snowflake/cortex/hooks.json"
# Snowflake CLI
- "~/.snowflake/connections.toml"
- "~/.snowflake/config.toml"
# Project-level configs
- ".mcp.json"
- ".vscode/mcp.json"
- ".cursor/mcp.json"
# User-provided files
- "user-provided SBOM files (CycloneDX/SPDX JSON)"
file_writes: []
network_endpoints:
- url: "https://api.osv.dev/v1"
purpose: "OSV vulnerability database — batch CVE lookup for packages"
auth: false
- url: "https://services.nvd.nist.gov/rest/json/cves/2.0"
purpose: "NVD CVSS v4 enrichment — optional API key increases rate limit"
auth: false
- url: "https://api.first.org/data/v1/epss"
purpose: "EPSS exploit probability scores"
auth: false
- url: "https://api.github.com/advisories"
purpose: "GitHub Security Advisories — supplemental CVE lookup"
auth: false
telemetry: false
persistence: false
privilege_escalation: false
always: false
autonomous_invocation: restricted
---
# agent-bom-scan — AI Supply Chain Vulnerability Scanner
Checks packages for CVEs, scans container images natively, verifies package
provenance via Sigstore, scans filesystems, and generates SBOMs.
## Install
```bash
pipx install agent-bom
agent-bom scan # discover agents and scan dependencies
agent-bom check langchain==0.1.0 # check a specific package with version
agent-bom image nginx:1.25 # scan container image (native)
agent-bom fs . # scan filesystem packages
agent-bom sbom . # generate SBOM
agent-bom verify agent-bom # verify Sigstore provenance
agent-bom where # show all discovery paths
```
### As an MCP Server
```json
{
"mcpServers": {
"agent-bom": {
"command": "uvx",
"args": ["agent-bom", "mcp", "server"]
}
}
}
```
## When to Use
- "check package" / "is this package safe"
- "scan image" / "scan container"
- "verify" / "check provenance"
- "is this safe" / "CVE lookup"
- "scan dependencies"
- "blast radius"
- "generate SBOM"
## Tools (8)
| Tool | Description |
|------|-------------|
| `check` | Check a package for CVEs (OSV, NVD, EPSS, KEV) |
| `scan` | Full discovery + vulnerability scan pipeline |
| `blast_radius` | Map CVE impact chain across agents, servers, credentials |
| `remediate` | Prioritized remediation plan for vulnerabilities |
| `verify` | Package integrity + SLSA provenance check |
| `diff` | Compare two scan reports (new/resolved/persistent) |
| `where` | Show MCP client config discovery paths |
| `inventory` | List discovered agents, servers, packages |
## Examples
```
# Check a package before installing
check(package="langchain", version="0.1.0", ecosystem="pypi")
# Map blast radius of a CVE
blast_radius(cve_id="CVE-2024-21538")
# Full scan
scan()
# Verify package provenance
verify(package="agent-bom")
```
## Agentic Workflows
Use tool chains, not isolated calls, when the user asks for a decision:
| User intent | Recommended sequence | Output |
|-------------|----------------------|--------|
| "Is this MCP safe to install?" | `registry_lookup` -> `check` -> `blast_radius` when a package/version is known | concise allow/warn/block recommendation with evidence |
| "Gate this PR" | `scan` with SARIF output and fail on high/critical findings | SARIF for code scanning plus non-zero gate result |
| "Audit my fleet inventory" | validate inventory -> `scan`/`agents` with JSON output -> `context_graph` | findings plus graph-ready JSON |
| "What changed since last run?" | current scan -> `diff` against prior JSON | new/resolved/persistent findings |
| "What should I fix first?" | `scan` -> `blast_radius` -> `remediate` plan | prioritized plan only; no file writes |
Pick output by consumer: SARIF for CI, JSON for automation/graph, HTML or
Markdown for human review, CycloneDX/SPDX for SBOM consumers.
For CLI gates, prefer:
```bash
agent-bom scan --format sarif --output agent-bom.sarif --fail-on-severity high
```
## Guardrails
- Show CVEs even when NVD analysis is pending or severity is `unknown` — a CVE ID is still a real finding.
- Treat `UNKNOWN` severity as unresolved, not benign — it means data is not yet available.
- Do not modify any files, install packages, or change system configuration.
- Only public package names and CVE IDs leave the machine for vulnerability database lookups.
- Ask before scanning paths outside the user's home directory.
## Privacy & Data Handling
```bash
# Step 1: Install
pip install agent-bom
# Step 2: Review redaction logic BEFORE scanning
# sanitize_env_vars() replaces ALL env var values with ***REDACTED***
# BEFORE any config data is processed or stored:
# https://github.com/msaad00/agent-bom/blob/main/src/agent_bom/security.py#L159
# Step 3: Verify package provenance (Sigstore)
agent-bom verify agent-bom
# Step 4: Only then run scans
agent-bom scan
```
## Verification
- **Source**: [github.com/msaad00/agent-bom](https://github.com/msaad00/agent-bom) (Apache-2.0)
- **Sigstore signed**: `agent-bom verify agent-bom@0.94.2`
- **7,100+ tests** with CodeQL + OpenSSF Scorecard
- **No telemetry**: Zero tracking, zero analytics
don't have the plugin yet? install it then click "run inline in claude" again.
restructured original markdown into six required implexa components (intent, inputs, procedure with numbered steps and explicit i/o, decision points with if-else branches for rate limits, network failures, and user queries, output contract specifying data formats and success criteria, outcome signal for verification); added edge cases (rate limits, network timeouts, auth expiry, unknown severity handling); preserved all original scanning capabilities, tools, agentic workflows, and guardrails; documented all config file reads and network endpoints as inputs; kept original author attribution and Apache-2.0 license.
scan packages, container images, MCP configs, and agentic infrastructure for known CVEs, supply chain compromise, and blast radius impact. use this when the user asks to "check package", "scan image", "verify provenance", "is this safe", "scan dependencies", "CVE lookup", "blast radius", or "generate SBOM". runs fully local, requires zero credentials, and never exfiltrates config file contents or scan results.
required
optional binaries (enhance scanning, not required)
external network endpoints (all public, no auth required)
config files read (agentic platform configs, MCP server definitions, no credentials extracted)
no credentials required
install agent-bom (one-time setup)
pipx install agent-bom or pip install agent-bomverify package provenance (optional, recommended before first scan)
agent-bom verify agent-bomdiscover agents and MCP servers in environment
agent-bom agents to auto-discover, or agent-bom where to show all discovery pathscheck a specific package for CVEs
agent-bom check langchain==0.1.0 or agent-bom check langchainscan container image for vulnerabilities
agent-bom image nginx:1.25scan filesystem for package vulnerabilities
agent-bom fs . or agent-bom fs /path/to/scanmap blast radius of a CVE
agent-bom blast_radius CVE-2024-21538 or agent-bom blast_radius (scans environment first)generate or scan SBOM
agent-bom sbom . to generate, or agent-bom check --sbom=/path/to/sbom.json to scan existinggenerate remediation plan
agent-bom remediate (after scan) or agent-bom scan --format json | agent-bom remediatediff two scan reports
agent-bom diff prior.json current.jsongate a CI/CD pipeline
agent-bom agents --format sarif --output agent-bom.sarif --fail-on-severity highoutput in format of choice
--format sarif|json|html|markdown|cyclonedx|spdx flag to any commandif user asks "is this safe to install":
agent-bom check <package> <version> first (does a quick CVE check)blast_radius to check if this package is trusted upstream (no compromise in dependency chain)if user asks "scan my fleet" or "audit all agents":
agent-bom agents first to discover all MCP servers and agents in the environmentagent-bom scan --format json --output inventory.json to scan all discovered dependencies--format json and pass to graphing toolif NVD API returns rate limit error:
if network endpoint is unreachable:
if scan finds UNKNOWN severity CVEs:
if user provides path outside home directory:
if Sigstore verification fails:
if user asks to modify files or install packages:
data format by use case:
file locations:
--output flagsuccess indicators:
user knows it worked if:
user knows something failed if:
--retry-attempts 5 flag--exclude flag--verbose flag