
feat: add agent-bom MCP server (v0.54.0 — 18 tools)#784

Open
msaad00 wants to merge 4 commits into stacklok:main from msaad00:feat/add-agent-bom

Conversation


@msaad00 msaad00 commented Feb 23, 2026

Summary

Adds agent-bom to the ToolHive registry — an open-source AI supply chain security scanner for MCP servers and AI agents.

  • Docker image: ghcr.io/msaad00/agent-bom:v0.54.0
  • Transport: stdio
  • 18 MCP tools: scan, check, blast_radius, policy_check, registry_lookup, generate_sbom, compliance, remediate, verify, where, inventory, diff, skill_trust, marketplace_check, code_scan, context_graph, analytics_query, cis_benchmark

What agent-bom does

  • Auto-discovers 20 MCP client configs (Claude Desktop, Cursor, VS Code Copilot, Windsurf, etc.)
  • Scans packages against OSV.dev for CVEs, enriches with NVD CVSS + EPSS + CISA KEV
  • Maps blast radius: CVE → package → MCP server → agent → exposed credentials + tools
  • CIS benchmarks (AWS Foundations v3.0, Snowflake v1.0)
  • 10 compliance frameworks (OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, EU AI Act, ...)
  • Policy-as-code enforcement (18 conditions)
  • CycloneDX 1.6 + SPDX 3.0 SBOM generation
  • Scanning of 13 cloud providers (AWS Bedrock, Azure OpenAI, GCP Vertex, Snowflake Cortex, ...)

Links

Wegz and others added 3 commits March 5, 2026 13:30
AI supply chain security scanner for MCP servers and AI agents.
Provides CVE scanning, blast radius analysis, policy enforcement,
SBOM generation (CycloneDX/SPDX/SARIF), and remediation planning.

Signed-off-by: Mohamed Saad <msaad00@users.noreply.github.com>
Signed-off-by: Wegz <mohamedsaad@Wegzs-MacBook-Pro.local>
- Update image from docker.io/agentbom/agent-bom:0.28.1 to
  ghcr.io/msaad00/agent-bom:v0.31.1
- Fix namespace from io.github.stacklok to io.github.msaad00
- Update version from 1.0.0 to 0.31.1
- Add check tool and npm/PyPI to allowed network hosts
…compliance frameworks

Major update from v0.31.1 (8 tools) to v0.54.0 (18 tools):

New tools: verify, where, inventory, diff, skill_trust,
marketplace_check, code_scan, context_graph, analytics_query,
cis_benchmark

New capabilities:
- CIS benchmarks (AWS Foundations v3.0, Snowflake v1.0)
- 20 MCP client auto-discovery
- Scanning of 13 cloud providers
- 10 compliance frameworks (OWASP LLM, MITRE ATLAS, NIST, EU AI Act, ...)
- Policy-as-code with 18 conditions
- Transitive dependency resolution (npm, PyPI, Go, Cargo, Maven)
@msaad00 msaad00 force-pushed the feat/add-agent-bom branch from 0074c4c to 98d0d4a Compare March 5, 2026 18:40
@msaad00 msaad00 changed the title feat: add agent-bom MCP server feat: add agent-bom MCP server (v0.54.0 — 18 tools) Mar 5, 2026
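The PR description lists the chain agent-bom reports as blast radius: CVE → package → MCP server → agent → exposed credentials + tools. The following is an added example of that mapping, written for this page and not taken from agent-bom or the ToolHive registry. It runs offline over constructed inputs: two hand-written client configs in the `mcpServers` shape that Claude Desktop and Cursor use, and a hand-written advisory list standing in for an OSV.dev query plus NVD/KEV enrichment. Package names, versions, advisory IDs and secrets are all placeholders; the launch-spec parser only understands `npx <pkg>@<ver>` and `uvx <pkg>==<ver>` and deliberately skips servers started any other way.

```python
"""Toy blast-radius mapper for MCP client configs (added example, not agent-bom code).

Chain modelled: advisory -> package@version -> MCP server -> agent (client config)
-> credentials in that server's environment. All inputs below are constructed.
"""
import json
import re

# Constructed client configs, keyed by agent name. Secrets are placeholders.
CLIENT_CONFIGS = {
    "claude-desktop": json.dumps({"mcpServers": {
        "github": {"command": "npx", "args": ["-y", "@example/github-mcp@1.2.3"],
                   "env": {"GITHUB_TOKEN": "ghp_placeholder", "LOG_LEVEL": "info"}},
        "postgres": {"command": "uvx", "args": ["example-postgres-mcp==0.4.0"],
                     "env": {"DATABASE_URL": "postgres://app:s3cret@db/prod"}},
        "filesystem": {"command": "docker", "args": ["run", "-i", "ghcr.io/example/fs"],
                       "env": {"FS_TOKEN": "unreachable-by-this-toy-resolver"}},
    }}),
    "cursor": json.dumps({"mcpServers": {
        "github": {"command": "npx", "args": ["-y", "@example/github-mcp@1.2.3"],
                   "env": {"GITHUB_TOKEN": "ghp_placeholder2"}},
    }}),
}

# Constructed advisories standing in for OSV.dev results enriched with CVSS and KEV.
# IDs are placeholders, not real CVEs. Ranges are toy "<X.Y.Z" upper bounds.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "ecosystem": "npm", "package": "@example/github-mcp",
     "affected": "<1.2.4", "cvss": 8.8, "kev": True},
    {"id": "EXAMPLE-ADV-2", "ecosystem": "PyPI", "package": "example-postgres-mcp",
     "affected": "<0.5.0", "cvss": 6.5, "kev": False},
    {"id": "EXAMPLE-ADV-3", "ecosystem": "PyPI", "package": "example-postgres-mcp",
     "affected": "<0.3.0", "cvss": 9.8, "kev": False},   # installed 0.4.0 is not affected
]

SECRET_KEY_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY)", re.I)
CRED_IN_URL_RE = re.compile(r"://[^/:@\s]+:[^@\s]+@")   # user:pass@ embedded in a URL


def parse_version(v):
    """Toy: numeric dotted versions only (no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))


def resolve_package(spec):
    """Map a server launch spec to (ecosystem, package, version), or None if unknown.

    Recognises `npx [-y] <pkg>@<ver>` and `uvx <pkg>==<ver>`; anything else
    (docker, a local path, an unpinned package) is skipped rather than guessed.
    """
    cmd = spec.get("command")
    args = [a for a in spec.get("args", []) if not a.startswith("-")]
    if not args:
        return None
    target = args[0]
    if cmd == "npx":
        name, sep, ver = target.rpartition("@")   # scoped names start with '@'
        if sep and name:
            return ("npm", name, ver)
    if cmd == "uvx":
        name, sep, ver = target.partition("==")
        if sep:
            return ("PyPI", name, ver)
    return None


def is_affected(version, affected):
    """Toy range check supporting only `<X.Y.Z` upper bounds."""
    if not affected.startswith("<"):
        raise ValueError(f"unsupported range {affected!r}")
    return parse_version(version) < parse_version(affected[1:])


def exposed_credentials(env):
    """Env entries that look like secrets, by key name or by user:pass@ in the value."""
    return sorted(k for k, v in env.items()
                  if SECRET_KEY_RE.search(k) or CRED_IN_URL_RE.search(str(v)))


def blast_radius(client_configs, advisories):
    """Join advisories to the servers (and agents) that run an affected version."""
    findings = []
    for agent, raw in client_configs.items():
        for server, spec in json.loads(raw).get("mcpServers", {}).items():
            resolved = resolve_package(spec)
            if resolved is None:
                continue
            eco, pkg, ver = resolved
            for adv in advisories:
                if (adv["ecosystem"], adv["package"]) != (eco, pkg):
                    continue
                if not is_affected(ver, adv["affected"]):
                    continue
                findings.append({
                    "advisory": adv["id"], "cvss": adv["cvss"], "kev": adv["kev"],
                    "package": f"{pkg}@{ver}", "server": server, "agent": agent,
                    "credentials": exposed_credentials(spec.get("env", {})),
                })
    # Triage order: known-exploited first, then CVSS, then widest credential exposure.
    findings.sort(key=lambda f: (not f["kev"], -f["cvss"], -len(f["credentials"])))
    return findings


if __name__ == "__main__":
    for f in blast_radius(CLIENT_CONFIGS, ADVISORIES):
        flag = ", KEV" if f["kev"] else ""
        print(f"{f['advisory']} ({f['cvss']}{flag}) -> {f['package']} -> "
              f"{f['server']} -> {f['agent']} -> exposes {f['credentials']}")
```

Two things the run makes visible that the bullet list does not: the same advisory surfaces once per agent that wires the affected server, so the credential exposure is counted per client rather than per package; and a secret hidden inside a connection URL (`DATABASE_URL`) is only caught by the value heuristic, not by the key-name check. The docker-launched server is silently skipped, which is the kind of coverage gap a real scanner has to report rather than hide.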