Quick Start¶
Install¶
Scan your local AI environment¶
This auto-discovers local MCP clients and AI agent configs, extracts configured servers and packages, and scans for CVEs.
Scan a project plus local agent context¶
Use this when you want one scan to cover both: - project manifests and lockfiles in the current repo - local MCP / agent context on your machine
Scan instruction and skill files¶
This covers CLAUDE.md, AGENTS.md, .cursorrules, and supported skills/*
instruction surfaces.
Check a specific package before installing¶
agent-bom check langchain@0.2.17 --ecosystem pypi
agent-bom check express@4.18.2 --ecosystem npm
agent-bom check tensorflow@2.17.0 --ecosystem pypi
Export machine-readable output¶
agent-bom agents -f json -o report.json
agent-bom agents -f sarif -o findings.sarif
agent-bom agents -f cyclonedx -o bom.json
Run compliance mapping¶
agent-bom agents --compliance owasp-llm
agent-bom agents --compliance eu-ai-act
agent-bom agents --compliance all
Scan a container image¶
Scan infrastructure as code¶
iac accepts one or more paths in a single run, so the example above scans:
- a Dockerfile
- a Kubernetes directory
- a Terraform file
Inspect discovery paths¶
agent-bom mcp where still works when you want the grouped MCP subcommand form.
Output formats¶
agent-bom agents -f table # terminal table (default)
agent-bom agents -f json # JSON report
agent-bom agents -f html # HTML dashboard
agent-bom agents -f sarif # SARIF for GitHub Code Scanning
agent-bom agents -f csv # CSV export
agent-bom check requests@2.33.0 -e pypi -f json # single-package JSON verdict
agent-bom report history -f json # saved scan metadata for CI