{"id":45569770,"url":"https://github.com/msaad00/agent-bom","last_synced_at":"2026-05-25T02:11:34.235Z","repository":{"id":340035934,"uuid":"1164260249","full_name":"msaad00/agent-bom","owner":"msaad00","description":"Open security scanner for AI supply chain and infrastructure: agents, MCP, containers, cloud, GPU, and runtime with blast-radius analysis.","archived":false,"fork":false,"pushed_at":"2026-04-28T19:31:10.000Z","size":118610,"stargazers_count":16,"open_issues_count":27,"forks_count":6,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-28T19:32:33.670Z","etag":null,"topics":["ai-agents","ai-security","ai-supply-chain","aibom","blast-radius","cloud-security","compliance","container-security","cyclonedx","devsecops","kubernetes","llm-security","mcp","mcp-server","owasp","sarif","sbom","security-scanner","supply-chain-security","vulnerability-scanning"],"latest_commit_sha":null,"homepage":"https://pypi.org/project/agent-bom/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/msaad00.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-22T21:38:37.000Z","updated_at":"2026-04-28T19:21:38.000Z","dependencies_parsed_at":"2026-04-01T19:02:28.463Z","dependency_job_id":null,"html_url":"https://github.com/msaad00/agent-bom","commit_stats":null,"previous_names":["msaad00/agent-bom"],"tags_count":127,"template":false,"te
mplate_full_name":null,"purl":"pkg:github/msaad00/agent-bom","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msaad00%2Fagent-bom","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msaad00%2Fagent-bom/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msaad00%2Fagent-bom/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msaad00%2Fagent-bom/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/msaad00","download_url":"https://codeload.github.com/msaad00/agent-bom/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msaad00%2Fagent-bom/sbom","scorecard":{"id":1243857,"data":{"date":"2026-02-23T05:47:27Z","repo":{"name":"github.com/msaad00/agent-bom","commit":"d74215a3ff432febf34b7a84296f98061850dba1"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":4.6,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. 
Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/27 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:21","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:64","Warn: jobLevel 'contents' permission set to 'write': 
.github/workflows/release.yml:130","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:19","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecard.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy-mcp-sse.yml:13","Warn: topLevel 'contents' permission set to 'write': .github/workflows/mcp-registry-sync.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish-mcp-registry.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish-mcp.yml:9","Warn: topLevel 'packages' permission set to 'write': .github/workflows/publish-mcp.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish-registries.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:10"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project 
has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:169: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:172: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:184: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:195: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:204: update your workflow using 
https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:219: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:222: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:239: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:251: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:30: update your workflow using 
https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/dependency-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/dependency-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/mcp-registry-sync.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/mcp-registry-sync.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-mcp-registry.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/publish-mcp-registry.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-registries.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/publish-registries.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-registries.yml:81: update your workflow using 
https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/publish-registries.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-registries.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/publish-registries.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:132: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not 
pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/scorecard.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/msaad00/agent-bom/scorecard.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating python:3.11-slim to 
python:3.11-slim@sha256:0b23cfb7425d065008b778022a17b1551c82f8b4866ee5a7a200084b7e2eafbf","Warn: containerImage not pinned by hash: Dockerfile.sse:14: pin your Docker image by updating python:3.12-slim to python:3.12-slim@sha256:9e01bf1ae5db7649a236da7be1e94ffbbbdd7a93f867dd0d8d5720d9e1f89fab","Warn: containerImage not pinned by hash: integrations/toolhive/Dockerfile.mcp:1: pin your Docker image by updating python:3.12-slim to python:3.12-slim@sha256:9e01bf1ae5db7649a236da7be1e94ffbbbdd7a93f867dd0d8d5720d9e1f89fab","Warn: pipCommand not pinned by hash: Dockerfile:24","Warn: pipCommand not pinned by hash: Dockerfile.sse:32","Warn: pipCommand not pinned by hash: integrations/toolhive/Dockerfile.mcp:16","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:228","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:229","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:27","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:28","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:59","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:60","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:86","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:87","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:178","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:179","Warn: npmCommand not pinned by hash: .github/workflows/deploy-mcp-sse.yml:24","Warn: pipCommand not pinned by hash: .github/workflows/mcp-registry-sync.yml:22","Warn: npmCommand not pinned by hash: .github/workflows/publish-registries.yml:96","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:25","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:31","Info:   3 out of  42 GitHub-owned GitHubAction dependencies pinned","Info:   5 out of  12 third-party GitHubAction dependencies pinned","Info:   0 out of   3 containerImage dependencies pinned","Info:   0 out of  16 pipCommand 
dependencies pinned","Info:   0 out of   2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (5) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"21 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-68rp-wp8r-4726","Warn: Project is vulnerable to: PYSEC-2023-62 / GHSA-m2qf-hxjv-5gpq","Warn: Project is vulnerable to: GHSA-cpwx-vrp4-4pq7","Warn: Project is vulnerable to: GHSA-gmj6-6f8f-6699","Warn: Project is vulnerable to: GHSA-h5c8-rqwp-cp95","Warn: Project is vulnerable to: GHSA-h75v-3vvj-5mfj","Warn: Project is vulnerable to: GHSA-q2x7-8rv6-6q7h","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2023-74 / GHSA-j8r2-6x86-q33q","Warn: Project is vulnerable to: GHSA-29vq-49wr-vm6x","Warn: Project is vulnerable to: GHSA-2g68-c3qc-8985","Warn: Project is vulnerable to: GHSA-87hc-h4r5-73f7","Warn: Project is vulnerable to: GHSA-f9vj-2wh5-fj8j","Warn: Project is vulnerable to: GHSA-hgf8-39gv-g3f2","Warn: Project is vulnerable to: PYSEC-2023-221 / GHSA-hrfv-mqp8-q5rw","Warn: Project is vulnerable to: PYSEC-2023-57 / GHSA-px8h-6qxv-m22q","Warn: Project is vulnerable to: GHSA-q34m-jh98-gwm2","Warn: Project is vulnerable to: PYSEC-2023-58 / GHSA-xg9f-g7g7-2323","Warn: Project is vulnerable to: GHSA-2g4f-4pwh-qvx6","Warn: Project is vulnerable to: 
GHSA-3ppc-4f35-3m26"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish-mcp.yml:13"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.29.0 not signed: https://api.github.com/repos/msaad00/agent-bom/releases/289265821","Warn: release artifact v0.28.1 not signed: https://api.github.com/repos/msaad00/agent-bom/releases/289214147","Warn: release artifact v0.29.0 does not have provenance: https://api.github.com/repos/msaad00/agent-bom/releases/289265821","Warn: release artifact v0.28.1 does not have provenance: https://api.github.com/repos/msaad00/agent-bom/releases/289214147"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: 
https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"2 out of 2 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}}]},"last_synced_at":"2026-02-23T06:27:05.526Z","repository_id":340035934,"created_at":"2026-02-23T06:27:05.526Z","updated_at":"2026-02-23T06:27:05.526Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32476682,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"ssl_error","status_checked_at":"2026-04-30T13:12:06.837Z","response_time":57,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","ai-security","ai-supply-chain","aibom","blast-radius","cloud-security","compliance","container-security","cyclonedx","devsecops","kubernetes","llm-security","mcp","mcp-server","owasp","sarif","sbom","security-scanner","supply-chain-security","vulnerability-scanning"],"created_at":"2026-02-23T07:53:47.089Z","updated_at":"2026-05-25T02:11:34.227Z","avatar_url":"https://github.com/msaad00.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/logo-dark.svg\"\u003e\n    \u003cimg src=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/logo-light.svg\" alt=\"agent-bom\" width=\"360\" /\u003e\n  \u003c/picture\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/msaad00/agent-bom/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/msaad00/agent-bom/ci.yml?branch=main\u0026style=flat\u0026label=Build\" alt=\"Build\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://pypi.org/project/agent-bom/\"\u003e\u003cimg src=\"https://img.shields.io/pypi/v/agent-bom?style=flat\u0026label=Latest%20version\u0026cacheSeconds=300\" alt=\"PyPI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://hub.docker.com/r/agentbom/agent-bom\"\u003e\u003cimg 
src=\"https://img.shields.io/docker/pulls/agentbom/agent-bom?style=flat\u0026label=Docker%20pulls\" alt=\"Docker\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/msaad00/agent-bom/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-Apache%202.0-blue?style=flat\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://securityscorecards.dev/viewer/?uri=github.com/msaad00/agent-bom\"\u003e\u003cimg src=\"https://img.shields.io/ossf-scorecard/github.com/msaad00/agent-bom?style=flat\u0026label=OpenSSF%20scorecard\" alt=\"OpenSSF Scorecard\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\u003c!-- mcp-name: io.github.msaad00/agent-bom --\u003e\n\n\u003cp align=\"center\"\u003e\u003cb\u003eOpen security scanner and self-hosted control plane for AI/MCP infrastructure.\u003c/b\u003e\u003c/p\u003e\n\u003cp align=\"center\"\u003eHeadless agent primitives and human cockpit surfaces over the same evidence model.\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://msaad00.github.io/agent-bom/\"\u003eDocs\u003c/a\u003e ·\n  \u003ca href=\"docs/FIRST_RUN.md\"\u003eFirst Run\u003c/a\u003e ·\n  \u003ca href=\"site-docs/deployment/overview.md\"\u003eSelf-host\u003c/a\u003e ·\n  \u003ca href=\"https://github.com/marketplace/actions/agent-bom\"\u003eGitHub Action\u003c/a\u003e ·\n  \u003ca href=\"https://hub.docker.com/r/agentbom/agent-bom\"\u003eDocker\u003c/a\u003e ·\n  \u003ca href=\"https://github.com/msaad00/agent-bom/releases\"\u003eChangelog\u003c/a\u003e\n\u003c/p\u003e\n\n`agent-bom` scans local and fleet AI infrastructure, builds an AI BOM across\nagents, MCP servers, tools, packages, credential environment names, cloud,\nruntime, and skills, then turns that inventory into findings, compliance\nevidence, and graph-backed exposure paths.\n\nThe same evidence is available through CLI/CI, REST API, MCP tools, and a\nself-hosted dashboard. 
Runtime proxy/gateway controls are optional and scoped\nto environments where enforcement is worth the operational cost.\n\n\u003cp align=\"center\"\u003e\n  \u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/blast-radius-dark.svg\"\u003e\n    \u003cimg src=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/blast-radius-light.svg\" alt=\"agent-bom blast-radius drilldown — package to finding to MCP server to agent\" width=\"900\" /\u003e\n  \u003c/picture\u003e\n\u003c/p\u003e\n\n```text\npackage -\u003e vulnerability finding -\u003e MCP server -\u003e tools + credential refs -\u003e agent\n```\n\nBlast radius is the core idea. A vulnerable package is not just a CVE row; it\nis linked to the MCP server that loads it, the tools exposed by that server,\nthe credential environment names in reach, and the agents that can call it.\n\n## First Run\n\n```bash\npip install agent-bom\nagent-bom agents --demo --offline\n```\n\nThe demo uses real OSV/GHSA advisories against intentionally vulnerable sample\npackages and produces graph-ready inventory without touching your source tree.\nFor a real local scan:\n\n```bash\nagent-bom agents -p . -f html -o agent-bom-report.html\n```\n\nWant an inspectable sample stack first?\n\n```bash\nagent-bom samples first-run\nagent-bom agents --inventory agent-bom-first-run/inventory.json -p agent-bom-first-run --enrich\n```\n\nSee [docs/FIRST_RUN.md](docs/FIRST_RUN.md) for the guided path from CLI output\nto the dashboard.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/demo-latest.gif\" alt=\"agent-bom terminal demo\" width=\"820\" /\u003e\n\u003c/p\u003e\n\n## Product Proof\n\nThe dashboard screenshots below are captured from the packaged UI with bundled\ndemo data, not mockups. 
The README keeps the first screen focused; expand the\ngallery when you want to inspect the control-plane surfaces.\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u003cb\u003eEvidence cockpit and agent mesh\u003c/b\u003e\u003c/summary\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/dashboard-live.png\" alt=\"agent-bom risk overview dashboard with posture score, findings, and attack path summary\" width=\"900\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/mesh-live.png\" alt=\"agent-bom agent mesh graph showing agent, MCP server, package, tool, credential reference, and finding path\" width=\"900\" /\u003e\n\u003c/p\u003e\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eGraph investigation and remediation views\u003c/b\u003e\u003c/summary\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/security-graph-live.png\" alt=\"agent-bom security graph with attack-path queue, graph evidence export, and remediation handoff\" width=\"900\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/lineage-graph-live.png\" alt=\"agent-bom lineage graph centered on an agent with bounded paths, filters, and graph evidence export\" width=\"900\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/dependency-map-live.png\" alt=\"agent-bom dependency map with scan pipeline counts and package risk distribution\" width=\"900\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/msaad00/agent-bom/main/docs/images/remediation-live.png\" alt=\"agent-bom remediation 
dashboard with prioritized package fixes and compliance context\" width=\"900\" /\u003e\n\u003c/p\u003e\n\n\u003c/details\u003e\n\nScreenshot capture rules and the full manifest live in\n[docs/CAPTURE.md](docs/CAPTURE.md) and\n[docs/images/product-screenshots.json](docs/images/product-screenshots.json).\n\n## Start Here\n\n| Goal | Command | Artifact |\n|---|---|---|\n| Local agent and MCP inventory | `agent-bom agents` | findings, AI BOM, graph-ready JSON |\n| Repo and lockfile scan | `agent-bom agents -p .` | package findings, SARIF/SBOM/HTML when requested |\n| Pre-install guard | `agent-bom check flask@2.0.0 --ecosystem pypi` | deterministic allow/warn/block result |\n| Container image scan | `agent-bom image nginx:latest` | image findings and remediation |\n| IaC scan | `agent-bom iac Dockerfile k8s/ infra/main.tf` | IaC findings and policy context |\n| CI gate | `uses: msaad00/agent-bom@v0.88.3` | SARIF, PR summary, optional code-scanning upload |\n| MCP tools | `pip install 'agent-bom[mcp-server]' \u0026\u0026 agent-bom mcp server` | strict-args security tools for MCP clients |\n| Local API/UI | `pip install 'agent-bom[ui]' \u0026\u0026 agent-bom serve` | API plus bundled dashboard |\n| Self-hosted pilot | `docker compose -f docker-compose.pilot.yml up -d` | API and dashboard in your environment |\n\nThe base wheel is the scanner and CLI path. 
Optional runtime surfaces fail fast\nwith install hints when their extras are missing.\n\nMCP registry publishing is tracked through the committed Smithery manifest and\nother registry metadata; install and liveness checks stay in the linked\nintegration docs instead of this front door.\n\n## Shipped Surfaces\n\n| Surface | Primary user | Current boundary |\n|---|---|---|\n| CLI / CI | developers and release gates | local scans, SARIF/SBOM/HTML/JSON, deterministic exit codes |\n| REST API | control-plane integrations | scans, bulk findings, dataset versions, graph evidence, audit, runtime summaries |\n| MCP tools | agents and assistants | strict arguments, read-mostly security queries, exposure paths, deploy decisions, audited Shield actions |\n| Dashboard | security teams and operators | inventory, findings, graph cockpit, compliance, evidence, runtime posture |\n| Runtime proxy/gateway | runtime operators | scoped MCP traffic inspection, policy decisions, redacted audit evidence |\n| Python client | services, notebooks, and automation | typed helper for stable REST endpoints in the packaged wheel |\n| TypeScript client | services and agent runtimes | typed helper for stable REST endpoints |\n\nMCP server mode advertises 55 MCP tools, 6 resources, and 6 workflow prompts.\nMost tools are read-only. The three Shield write actions fail closed unless\nthe caller supplies `operator_role=admin`, `operator_scopes=shield:write`, and\nan audit reason.\n\nCLI scan commands run local scan pipelines today. 
They share lower-level scanner and\ndiscovery libraries with the API, but they are not API wrappers yet.\n\n## Deploy In Your Boundary\n\n`agent-bom` is designed for customer-controlled deployment: local CLI, Docker,\nGitHub Action, Helm, EKS, Postgres, and optional runtime proxy/gateway.\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/msaad00/agent-bom/main/deploy/docker-compose.pilot.yml -o docker-compose.pilot.yml\ndocker compose -f docker-compose.pilot.yml up -d\n# Dashboard -\u003e http://localhost:3000\n```\n\nProduction self-hosting starts with the deployment chooser:\n\n- [Deployment overview](site-docs/deployment/overview.md)\n- [Helm chart](deploy/helm/agent-bom)\n- [EKS reference installer](scripts/deploy/install-eks-reference.sh)\n- [Docker Hub image](https://hub.docker.com/r/agentbom/agent-bom)\n\nThere is no managed cloud offering in this repository today. Product lane\nboundaries are documented in [docs/PRODUCT_BOUNDARIES.md](docs/PRODUCT_BOUNDARIES.md).\n\n## Trust Model\n\n- Read-only discovery by default for cloud and local inventory.\n- No mandatory telemetry.\n- Credential values are redacted; credential environment names are preserved as\n  evidence so exposure paths stay explainable.\n- Findings can export as JSON, SARIF, CycloneDX, SPDX, Markdown, HTML, and\n  compliance evidence bundles.\n- API and runtime paths are designed for tenant scope, auth boundaries, and\n  audit evidence.\n- OpenAPI artifacts are committed for SDK and client contract checks.\n\nSecurity and release references:\n\n- [Threat model](docs/THREAT_MODEL.md)\n- [Pentest readiness](docs/PENTEST_READINESS.md)\n- [Python API and control-plane client](docs/PYTHON_API.md)\n- [Go control-plane client](sdks/go/README.md)\n- [Product metrics](docs/PRODUCT_METRICS.md)\n- [Release verification](docs/RELEASE_VERIFICATION.md)\n- [GitHub Action](https://github.com/marketplace/actions/agent-bom)\n\n## Product Views\n\nThe docs site carries the deployment-oriented walkthroughs behind 
those\nscreenshots:\n\n- [Dashboard and graph capture protocol](docs/CAPTURE.md)\n- [Documentation site](https://msaad00.github.io/agent-bom/)\n- [Deployment overview](site-docs/deployment/overview.md)\n\n## Contributing\n\nContributions are welcome. Start with:\n\n- [CONTRIBUTING.md](CONTRIBUTING.md)\n- [.agents/AGENTS.md](.agents/AGENTS.md)\n- [Open issues](https://github.com/msaad00/agent-bom/issues)\n\nLicense: Apache-2.0.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmsaad00%2Fagent-bom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmsaad00%2Fagent-bom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmsaad00%2Fagent-bom/lists"}