Score breakdown
Popularity is tracked separately. Support, ads, sponsorships, and tips never affect these signals.
Why it matters
Useful for security engineers, platform teams, and AI governance programs who need a real SBOM/SARIF-grade view of an agent fleet, because agent-bom ships an Apache-2.0 Python scanner + self-hosted control plane that produces AIBOM output across agents, MCP servers, tools, packages, and credential env names with runtime enforcement hooks, which means a security team can put AI agents under the sam
Who should use it
Who should skip it
Skip or sandbox it if you cannot review permissions, data access, and failure modes before use.
Risk explanation
It scans agent setups and credential environment names, so confirm the scan boundary before running it against production agents, lock down which credentials are visible to the scanner, and review the runtime enforcement hooks before enabling them in CI. It emits CycloneDX and SARIF artifacts that may include environment names and tool versions, so route the output through your existing secure artifact pipeline before sharing findings externally.