Do not open a public GitHub issue for security vulnerabilities.
Report privately via GitHub Security Advisories.
Response SLA:
- Acknowledgement within 48 hours
- Triage and severity assessment within 5 business days
- Fix for critical issues within 7 days of triage
- Fix for high issues within 30 days of triage
| Version | Supported |
|---|---|
| Latest | ✓ Yes |
| < Latest | ✗ No — upgrade to the latest release |
agent-bom is a read-only scanner. It does not modify agent configurations, execute MCP servers, write credentials, or alter any external system state.
- Local config files (`~/.config/`, `~/.claude/`, etc.) — for agent discovery
- Public APIs: OSV.dev, NVD, EPSS, CISA KEV — for CVE enrichment
- Cloud provider APIs — when explicitly configured with credentials (AWS, GCP, Azure, Snowflake, Databricks)
- Docker daemon socket — when the `--image` flag is used
- Kubernetes API — when the `--k8s` flag is used
- Credentials are never stored by agent-bom
- Credential names/env var keys appear in output as `***REDACTED***`
- Redaction is heuristic-based (regex patterns) and may miss obfuscated or non-standard key names
- Cloud credentials must be pre-configured in the environment (AWS profile, GCP application default, etc.)
- Credential redaction is heuristic — non-standard or obfuscated key names may not be flagged
- Grype/Syft dependency — container image scanning relies on external binaries; vulnerabilities in Grype or Syft are tracked and fixed by those projects, not under this policy
- Network dependency — OSV/NVD/EPSS enrichment requires outbound HTTPS; air-gapped environments see reduced coverage
- MCP server execution — agent-bom does NOT execute MCP servers it discovers; it only reads their configs
- Runtime proxy enforcement — the proxy intercepts MCP traffic using a trust-on-first-use model; pre-existing compromised servers must be identified via scanning before proxy deployment
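The two redaction bullets above (values shown as `***REDACTED***`; heuristic regex matching that can miss non-standard key names) are easiest to understand with a concrete redactor. The following is an added example written for this page, not agent-bom's own code; the key-name and value-shape patterns, the `SAMPLE_ENV` block and all of its values are constructed for illustration and are not real credentials. It shows a name-based rule, a value-shape rule that rescues some secrets stored under uninformative names, and one entry that slips past both, which is exactly the limitation the page states.

```python
from __future__ import annotations

import re

REDACTED = "***REDACTED***"

# Name-based heuristic: key names that conventionally carry secrets (assumed patterns).
NAME_PATTERN = re.compile(
    r"api[_-]?key|secret|token|passw(?:or)?d|private[_-]?key|credential",
    re.IGNORECASE,
)

# Value-based heuristics: well-known token prefixes and shapes (assumed patterns).
# These catch some secrets stored under uninformative names, but only for the
# formats listed here.
VALUE_PATTERNS = (
    re.compile(r"^sk-[A-Za-z0-9_-]{16,}$"),                                # OpenAI-style key
    re.compile(r"^gh[pousr]_[A-Za-z0-9]{16,}$"),                           # GitHub token
    re.compile(r"^AKIA[0-9A-Z]{16}$"),                                     # AWS access key ID
    re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$"),    # JWT
)


def is_sensitive(name: str, value: str) -> bool:
    """True if either the key name or the value shape looks like a credential."""
    if NAME_PATTERN.search(name):
        return True
    return any(p.match(value) for p in VALUE_PATTERNS)


def redact_env(env: dict[str, str]) -> dict[str, str]:
    """Return a copy of an MCP server's env block with secret values replaced."""
    return {k: (REDACTED if is_sensitive(k, v) else v) for k, v in env.items()}


def leaked_keys(env: dict[str, str], expected_secret_keys: set[str]) -> list[str]:
    """Keys an operator knows to be secret that the heuristics left in clear text.
    Useful as a regression check when adding patterns."""
    redacted = redact_env(env)
    return sorted(k for k in expected_secret_keys if redacted.get(k) != REDACTED)


# Constructed sample env block (illustrative names and values, not real credentials).
SAMPLE_ENV = {
    "OPENAI_API_KEY": "sk-live-0123456789abcdef0123",
    "DB_PASSWORD": "hunter2",
    "GITHUB_TOKEN": "ghp_0123456789abcdef0123",
    "LOG_LEVEL": "debug",
    "MCP_TIMEOUT": "30",
    # Uninformative name, but the value has a recognisable JWT shape: caught by a value rule.
    "SVC_A1": "eyJhbGciOiJSUzI1NiJ9.e30.c2ln",
    # Obfuscated name and an unstructured value: neither heuristic fires, so the
    # secret is emitted in clear text. This is the "may miss obfuscated or
    # non-standard key names" limitation.
    "S3CR3T_THING": "9f8e7d6c5b4a3f2e",
}

if __name__ == "__main__":
    for key, val in redact_env(SAMPLE_ENV).items():
        print(f"{key}={val}")
    known_secrets = {"OPENAI_API_KEY", "DB_PASSWORD", "GITHUB_TOKEN", "SVC_A1", "S3CR3T_THING"}
    print("missed:", leaked_keys(SAMPLE_ENV, known_secrets))
```

The practical consequence for operators: before sharing agent-bom output, grep it for values you know to be secret rather than trusting the redaction alone, and prefer conventional key names (`*_API_KEY`, `*_TOKEN`, `*_SECRET`) in MCP server configs so the name-based rule fires.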
- Defaults to localhost-only binding (`127.0.0.1:8422`)
- API key auth via the `AGENT_BOM_API_KEY` env var; OIDC/JWT via `AGENT_BOM_OIDC_ISSUER`
- WebSocket endpoints require the same auth when `AGENT_BOM_API_KEY` is set
- JWKS public key caching (1h TTL); RS256/RS384/RS512/ES256/ES384/ES512 supported; `alg: none` rejected
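The last bullet packs three separate controls into one line: an algorithm allowlist, an explicit `alg: none` rejection, and a time-limited JWKS cache. The example below is an added illustration of how those controls fit together; it is not agent-bom's code, and it stops at the point where a JWT library would verify the signature with the selected key (that step is deliberately not shown, since hand-rolling RSA/ECDSA verification is the wrong way to do it). `CONSTRUCTED_JWKS`, `FakeClock`, `make_unsigned_token` and the `min_refresh` rotation rule are assumptions made for the example; the allowlist is the one the page lists.

```python
from __future__ import annotations

import base64
import json
import time

# Asymmetric algorithms only, as listed on the page. HS* is excluded on purpose so a
# public JWK can never be repurposed as an HMAC secret (classic key-confusion bug).
ALLOWED_ALGS = frozenset({"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"})
KTY_FOR_ALG = {"RS": "RSA", "ES": "EC"}   # JWK key type each alg family requires


class TokenRejected(Exception):
    pass


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("token must have three segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:            # base64, UTF-8 and JSON errors all subclass ValueError
        raise TokenRejected("unparseable header") from exc
    if not isinstance(header, dict):
        raise TokenRejected("header is not a JSON object")
    return header


def check_header(header: dict, allowed: frozenset = ALLOWED_ALGS) -> tuple[str, str]:
    alg = header.get("alg")
    # Reject alg none in any capitalisation before anything else is considered.
    if not isinstance(alg, str) or alg.lower() == "none":
        raise TokenRejected("alg none is not permitted")
    if alg not in allowed:
        raise TokenRejected(f"alg {alg!r} not in allowlist")
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise TokenRejected("missing kid")
    return alg, kid


class JwksCache:
    """Caches the issuer's JWKS for ttl seconds (1h on the page). Refreshes on expiry,
    and at most once per min_refresh seconds when an unknown kid appears (key rotation),
    so an attacker cannot force a fetch per request by sending random kids."""

    def __init__(self, fetch, ttl: float = 3600, min_refresh: float = 60, clock=time.monotonic):
        self._fetch, self._ttl, self._min_refresh, self._clock = fetch, ttl, min_refresh, clock
        self._keys: dict[str, dict] = {}
        self._fetched_at: float | None = None
        self.fetches = 0

    def _refresh(self) -> None:
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if isinstance(k, dict) and "kid" in k}
        self._fetched_at = self._clock()
        self.fetches += 1

    def get(self, kid: str) -> dict:
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= self._ttl:
            self._refresh()
        if kid not in self._keys and now - self._fetched_at >= self._min_refresh:
            self._refresh()
        try:
            return self._keys[kid]
        except KeyError:
            raise TokenRejected(f"unknown kid {kid!r}") from None


def resolve_signing_key(token: str, cache: JwksCache) -> tuple[str, dict]:
    """Header gate plus key lookup. Pass the returned alg and JWK, and nothing else,
    to the JWT library's verify call so the token cannot choose its own algorithm."""
    alg, kid = check_header(parse_header(token))
    jwk = cache.get(kid)
    if jwk.get("kty") != KTY_FOR_ALG[alg[:2]]:
        raise TokenRejected(f"key {kid!r} has kty {jwk.get('kty')!r}, not usable with {alg}")
    return alg, jwk


def rejects(token: str, cache: JwksCache) -> bool:
    try:
        resolve_signing_key(token, cache)
    except TokenRejected:
        return True
    return False


# --- constructed fixtures for a stand-alone run (placeholder key material, not real keys) ---
CONSTRUCTED_JWKS = {"keys": [
    {"kty": "RSA", "kid": "k1", "n": "AQAB", "e": "AQAB"},
    {"kty": "EC", "kid": "k2", "crv": "P-256", "x": "AA", "y": "AA"},
]}


def fetch_constructed_jwks() -> dict:
    return CONSTRUCTED_JWKS


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t


def make_unsigned_token(header: dict) -> str:
    """Test-only token: real header, empty payload, placeholder signature segment."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{h}.e30.c2ln"
```

The kty check is the piece most hand-written verifiers omit: `alg` and `kid` are both attacker-controlled, so the selected key's type must be confirmed against the algorithm family rather than trusted from the header.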
- Static analysis: ruff + mypy on every PR (required CI checks)
- Dependency scanning: Dependabot weekly (Python + npm)
- Container image scanning: Trivy in CI pipeline
- Pre-commit hooks: ruff, ruff-format, detect-private-key, check-yaml, end-of-file-fixer
- No third-party penetration testing yet (planned for v1.0)
The public verification path is documented:
- docs/RELEASE_VERIFICATION.md — Sigstore bundle verification, SLSA provenance inspection, and self-SBOM review
- docs/SUPPLY_CHAIN.md — dependency bounds, lockfiles, extras audit coverage, fuzz targets, and release trust controls
- Reporter submits via GitHub Security Advisories
- Maintainer acknowledges within 48 hours
- Issue triaged, CVSS severity assigned within 5 business days
- Fix developed on private branch; CVE ID requested if warranted
- Coordinated disclosure: patch released, advisory published simultaneously
- Reporter credited in release notes (unless anonymity requested)
agent-bom follows a 90-day coordinated disclosure model aligned with industry practice (CERT/CC, Project Zero):
- Default embargo: 90 days from the date the maintainer acknowledges the report
- Critical (CVSS ≥ 9.0): 30-day target with possible 14-day extension if a patch is in active review
- High (CVSS 7.0–8.9): 60-day target
- Medium / Low (CVSS < 7.0): 90-day target
- Extension requests are considered case-by-case; the reporter is consulted before any extension
- Early disclosure is permitted if the vulnerability is being actively exploited in the wild, or if the reporter and maintainer mutually agree
- Public CVE / GHSA publication happens at the same moment as the patched release; the reporter is credited unless anonymity is requested
- Private pre-disclosure to downstream packagers (PyPI security, Docker Hub, distros) may occur up to 7 days before public disclosure when the maintainer has reasonable grounds to believe coordinated patching reduces aggregate risk
If the maintainer becomes unresponsive past the embargo deadline without prior coordination, reporters may publish at their own discretion 14 days after a documented final outreach attempt.