Enterprise DNA

msaad00/agent-bom

by Various

AI supply-chain security scanner and self-hosted control plane for agents, MCP, SBOM/SARIF, graph findings, runtime enforcement, and compliance evidence.

Added 1 June 2026

#ai-agents #ai-security #ai-supply-chain #aibom #blast-radius #cloud-security #compliance #container-security

Overview

Agent-bom is a self-hosted security scanner and control plane for AI agent supply chains. It generates SBOM and SARIF reports, maps findings in a graph, enforces runtime policies, and collects compliance evidence for MCP-based agent systems.

Best for

Developers building or auditing MCP-based AI agents who need a self-hosted supply chain security and compliance tool.

Use cases

  • Scan AI agent dependencies for known vulnerabilities
  • Enforce runtime security policies on MCP agent interactions
  • Generate compliance evidence for agent supply chain audits

Notes

20 stars on GitHub. Last updated 2026-06-01. Licensed Apache-2.0.

Pros

  • Self-hosted control plane gives full data ownership
  • Combines SBOM, SARIF, and graph analysis in one tool
  • Supports runtime enforcement, not just static scanning

Cons

  • Small community with only 20 GitHub stars
  • Limited documentation and real-world usage examples
  • Requires Python environment and self-hosting setup

Indexed from awesome-mcp-servers-punkpeye and enriched against its public facts.
