agent-bom and mcp-audit
These are complementary tools—agent-bom provides runtime security monitoring and enforcement across infrastructure, while mcp-audit performs static configuration scanning and inventory—together covering both preventive and detective security postures for MCP deployments.
About agent-bom
msaad00/agent-bom
Security scanner for AI infrastructure — CVEs, blast radius, credential exposure, runtime enforcement across MCP servers, containers, cloud, and GPU.
Performs AST analysis on 14 AI frameworks to extract system prompts and tool signatures, then maps CVE→package→MCP server→agent→credentials→tools blast radius. Built around MCP client discovery (30 types), runtime protection via proxy with 112 detection patterns, and AI BOM generation with CycloneDX extensions—integrating package ecosystems (15), container/IaC scanning, cloud AI infrastructure, and the Shield SDK for agent-level enforcement.
About mcp-audit
apisec-inc/mcp-audit
See what your AI agents can access. Scan MCP configs for exposed secrets, shadow APIs, and AI models. Generate AI-BOMs for compliance.
Performs static analysis of MCP configuration files across development tools (Claude Desktop, Cursor, VS Code, Windsurf, Zed) and GitHub repositories, using pattern matching to detect 25+ secret types and mapping findings to OWASP LLM Top 10 (2025). Exports results in multiple formats (JSON, CycloneDX AI-BOM, SARIF, CSV) for CI/CD integration and compliance workflows, with a browser-based GitHub scanner and local CLI tool that scans MCP configs without telemetry or network transmission.
Related comparisons
Scores updated daily from GitHub, PyPI, and npm data. How scores work