feat: add agent-bom MCP server (v0.68.2 — 30 tools) #784

Open
msaad00 wants to merge 8 commits into stacklok:main from msaad00:feat/add-agent-bom

Conversation

@msaad00

@msaad00 msaad00 commented Feb 23, 2026

agent-bom — Security scanner for AI infrastructure

Adds agent-bom to the ToolHive catalog.

30 MCP tools covering: CVE scanning, blast radius analysis, credential exposure detection, CIS benchmarks, policy enforcement, SBOM generation, compliance across 11 frameworks (OWASP LLM/MCP/Agentic, MITRE ATLAS, NIST AI RMF, EU AI Act, and more).

Server details

| Field | Value |
|---|---|
| Image | ghcr.io/msaad00/agent-bom:v0.68.1 |
| Transport | stdio |
| License | Apache-2.0 |
| Tools | 30 |

Optional environment variables

| Variable | Description |
|---|---|
| NVD_API_KEY | NVD API key for higher rate limits on CVSS enrichment |
| SNYK_TOKEN | Snyk API token for vulnerability enrichment |

Wegz and others added 3 commits March 5, 2026 13:30
AI supply chain security scanner for MCP servers and AI agents.
Provides CVE scanning, blast radius analysis, policy enforcement,
SBOM generation (CycloneDX/SPDX/SARIF), and remediation planning.

Signed-off-by: Mohamed Saad <msaad00@users.noreply.github.com>
Signed-off-by: Wegz <mohamedsaad@Wegzs-MacBook-Pro.local>
- Update image from docker.io/agentbom/agent-bom:0.28.1 to
  ghcr.io/msaad00/agent-bom:v0.31.1
- Fix namespace from io.github.stacklok to io.github.msaad00
- Update version from 1.0.0 to 0.31.1
- Add check tool and npm/PyPI to allowed network hosts
…compliance frameworks

Major update from v0.31.1 (8 tools) to v0.54.0 (18 tools):

New tools: verify, where, inventory, diff, skill_trust,
marketplace_check, code_scan, context_graph, analytics_query,
cis_benchmark

New capabilities:
- CIS benchmarks (AWS Foundations v3.0, Snowflake v1.0)
- 20 MCP client auto-discovery
- 13 cloud provider scanning
- 10 compliance frameworks (OWASP LLM, MITRE ATLAS, NIST, EU AI Act, ...)
- Policy-as-code with 18 conditions
- Transitive dependency resolution (npm, PyPI, Go, Cargo, Maven)
@msaad00 msaad00 force-pushed the feat/add-agent-bom branch from 0074c4c to 98d0d4a Compare March 5, 2026 18:40
@msaad00 msaad00 changed the title feat: add agent-bom MCP server feat: add agent-bom MCP server (v0.54.0 — 18 tools) Mar 5, 2026
msaad00 and others added 2 commits March 5, 2026 14:00
- Version: 0.55.0 → 0.68.1
- Tools: 18 → 30 (added fleet_scan, runtime_correlate, vector_db_scan,
  aisvs_benchmark, gpu_infra_scan, dataset_card_scan, training_pipeline_scan,
  browser_extension_scan, model_provenance_scan, prompt_scan, model_file_scan,
  license_compliance_scan)
- Description: updated to canonical tagline
- Tags: added ai-infrastructure, gpu, runtime-enforcement
- Env vars: added optional SNYK_TOKEN
- Author: corrected to Wagdy Saad

Signed-off-by: Wagdy Saad <andwgdysaad@gmail.com>
@msaad00 msaad00 changed the title feat: add agent-bom MCP server (v0.54.0 — 18 tools) feat: add agent-bom MCP server (v0.68.1 — 30 tools) Mar 10, 2026
Signed-off-by: Wagdy Saad <andwgdysaad@gmail.com>
- Add icon.svg (shield logo) to server directory
- Add icons array to server.json pointing to raw GitHub URL
- Add overview markdown in _meta (capabilities summary)
- Change version from "0.68.1" to "1.0.0" (catalog entry version, not software version)
- Remove SNYK_TOKEN (unnecessary env var)

Signed-off-by: Wagdy Saad <andwgdysaad@gmail.com>
Signed-off-by: Wagdy Saad <andwgdysaad@gmail.com>
@msaad00 msaad00 changed the title feat: add agent-bom MCP server (v0.68.1 — 30 tools) feat: add agent-bom MCP server (v0.68.2 — 30 tools) Mar 10, 2026
@rdimitrov
Member

Hi @msaad00, thanks for your patience on this, it took us a bit longer to get through the review 🍻

Here are the main findings:

  1. The image tag is a bit stale, but that's not much of a problem since our renovate automation would pick it up
  2. SNYK_TOKEN is mentioned in the PR description but missing from server.json, so we should either add it as an env var (with isSecret: true) or remove it from the description 👍
  3. No build provenance/attestation - the Docker publish workflow doesn't include actions/attest-build-provenance, which is something we look for in the registry. Adding that would also let you populate a provenance block in _meta. Let us know if you need help with how to set this up, happy to forward you examples of how to sign and publish the signature using cosign
  4. _meta publisher namespace - this one is a real issue as the entry uses io.github.msaad00 rather than io.github.stacklok

One broader note: the project is very new (~3 weeks) with an extremely high release cadence (~70 versions). That's not a blocker, but it does mean we'd be updating the catalog entry frequently. Something to keep in mind as we think about stability for users.

Let us know if you have questions and thanks for reaching out! 🙏
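Findings 2 through 4 above are all properties of the catalog entry's server.json that a submitter can check before opening the PR. The script below is an added example written for this review thread; it is not part of the agent-bom project or the ToolHive registry tooling. It assumes the MCP registry server.json layout (`packages[].environmentVariables[]` with `isSecret`, and a `_meta` object keyed by publisher namespace); the two sample entries and their values are constructed for illustration, and the expected `_meta` key and `provenance` block name are taken from the review comment.

```python
import json
import re

# Constructed "before" entry: SNYK_TOKEN is only mentioned in the description,
# NVD_API_KEY is declared without isSecret, the _meta namespace is the author's,
# and there is no provenance block. Field names are assumed (MCP registry layout).
STALE_SERVER_JSON = json.dumps({
    "name": "io.github.msaad00/agent-bom",
    "description": "Security scanner for AI infrastructure. Set SNYK_TOKEN for Snyk enrichment.",
    "version": "1.0.0",
    "packages": [{
        "registryType": "oci",
        "identifier": "ghcr.io/example/agent-bom:vX.Y.Z",  # placeholder tag
        "transport": {"type": "stdio"},
        "environmentVariables": [
            {"name": "NVD_API_KEY", "description": "NVD API key",
             "isRequired": False, "isSecret": False},
        ],
    }],
    "_meta": {"io.github.msaad00": {"overview": "constructed"}},
})

# Constructed "after" entry with every review point addressed.
FIXED_SERVER_JSON = json.dumps({
    "name": "io.github.msaad00/agent-bom",
    "description": "Security scanner for AI infrastructure. Set SNYK_TOKEN for Snyk enrichment.",
    "version": "1.0.0",
    "packages": [{
        "registryType": "oci",
        "identifier": "ghcr.io/example/agent-bom:vX.Y.Z",  # placeholder tag
        "transport": {"type": "stdio"},
        "environmentVariables": [
            {"name": "NVD_API_KEY", "description": "NVD API key",
             "isRequired": False, "isSecret": True},
            {"name": "SNYK_TOKEN", "description": "Snyk API token",
             "isRequired": False, "isSecret": True},
        ],
    }],
    "_meta": {"io.github.stacklok": {
        "overview": "constructed",
        # Shape of the provenance block is assumed; only its presence is checked.
        "provenance": {"attestation": "placeholder"},
    }},
})

# SCREAMING_SNAKE_CASE identifiers with at least one underscore, e.g. SNYK_TOKEN.
ENV_VAR_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")
# Names that usually carry a credential and should be marked isSecret.
SECRET_HINT_RE = re.compile(r"TOKEN|KEY|SECRET|PASSWORD", re.I)


def check_entry(raw_json, expected_namespace="io.github.stacklok"):
    """Return a list of human-readable findings for a server.json document."""
    entry = json.loads(raw_json)
    findings = []

    # Collect every declared env var across all packages.
    declared = {}
    for pkg in entry.get("packages", []):
        for var in pkg.get("environmentVariables", []):
            declared[var["name"]] = var

    # Finding 2a: variables described in prose but never declared.
    mentioned = set(ENV_VAR_RE.findall(entry.get("description", "")))
    for name in sorted(mentioned - declared.keys()):
        findings.append(f"env var {name} is described but not declared in packages[].environmentVariables")

    # Finding 2b: credential-looking variables not flagged as secret.
    for name, var in sorted(declared.items()):
        if SECRET_HINT_RE.search(name) and not var.get("isSecret", False):
            findings.append(f"env var {name} looks like a credential but is not marked isSecret: true")

    # Finding 4: publisher namespace under _meta.
    meta = entry.get("_meta", {})
    if expected_namespace not in meta:
        findings.append(f"_meta publisher namespace should be {expected_namespace}, found {sorted(meta) or 'none'}")

    # Finding 3: provenance block present under the expected namespace.
    if "provenance" not in meta.get(expected_namespace, {}):
        findings.append("no provenance block in _meta; the publish workflow should attest the image")

    return findings


if __name__ == "__main__":
    for label, doc in (("stale", STALE_SERVER_JSON), ("fixed", FIXED_SERVER_JSON)):
        print(f"[{label}]", check_entry(doc) or "no findings")
```

The description scan is deliberately crude (any SCREAMING_SNAKE_CASE token counts as a variable name), which is the right trade-off for a pre-submission check: a false positive costs a glance, while a credential that reaches the catalog without `isSecret: true` ends up in plain configuration.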
