Problem or use case
Enterprise compliance teams increasingly require software bills of materials (SBOMs). For AI agents, this means cataloging every skill, MCP server, model, tool, and dependency the agent touches. Cisco DefenseClaw and SkillFortify both generate agent SBOMs (ASBOMs) in CycloneDX 1.6 format.
agentsec already collects all the data needed during scanning. It just needs a structured output format.
Proposed solution
Add an --output asbom format option:
agentsec scan -o asbom -f agent-sbom.json
The output is a CycloneDX 1.6 document including:
- Agent type and version
- All configured MCP servers (name, transport, endpoint)
- All installed skills (name, version, source)
- All credential types detected (not values)
- OWASP ASI mapping per component
Also add agentsec sbom as a standalone command that generates the ASBOM without running the full security scan.
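As an added illustration (not agentsec's own code; the scan-result field names, sample values and ASI labels are assumptions), a minimal generator that emits the CycloneDX 1.6 structure this request describes: skills as components, MCP servers as services, credential types as properties with no values, and an OWASP ASI label per component.

```python
import json

# Constructed sample scan result; field names are assumptions, not agentsec's real data model.
SAMPLE_SCAN = {
    "agent": {"name": "example-agent", "type": "example-framework", "version": "1.2.0"},
    "mcp_servers": [{"name": "github", "transport": "sse",
                     "endpoint": "https://mcp.example.invalid/github"}],
    "skills": [{"name": "web-search", "version": "0.3.1",
                "source": "https://skills.example.invalid/web-search"}],
    # Only the credential type and where it was found; the secret value is never recorded.
    "credentials": [{"type": "OPENAI_API_KEY", "location": "~/.config/agent/.env"}],
    # Per-component OWASP ASI labels (sample values, not an official mapping).
    "asi_mapping": {"mcp:github": "ASI03", "skill:web-search": "ASI05"},
}

def _props(**kv):
    """CycloneDX `properties` entries, namespaced so they don't clash with other tools."""
    return [{"name": f"agentsec:{k}", "value": v} for k, v in kv.items()]

def build_asbom(scan):
    """Render a scan result as a CycloneDX 1.6 agent SBOM (JSON-serialisable dict)."""
    asi = scan.get("asi_mapping", {})
    skills = [{"type": "library", "name": s["name"], "version": s["version"],
               "bom-ref": f"skill:{s['name']}",
               "externalReferences": [{"type": "distribution", "url": s["source"]}],
               "properties": _props(kind="skill",
                                    owasp_asi=asi.get(f"skill:{s['name']}", "unmapped"))}
              for s in scan["skills"]]
    # MCP servers are things the agent talks to, so they belong in CycloneDX `services`.
    servers = [{"name": m["name"], "bom-ref": f"mcp:{m['name']}",
                "endpoints": [m["endpoint"]],
                "properties": _props(kind="mcp-server", transport=m["transport"],
                                     owasp_asi=asi.get(f"mcp:{m['name']}", "unmapped"))}
               for m in scan["mcp_servers"]]
    # Credential types become properties on the root component; values are absent by design.
    creds = _props(**{f"credential_{i}": f"{c['type']} ({c['location']})"
                      for i, c in enumerate(scan["credentials"])})
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "metadata": {"component": {"type": "application", "bom-ref": "agent:root",
                                       "name": scan["agent"]["name"],
                                       "version": scan["agent"]["version"],
                                       "properties": _props(agent_type=scan["agent"]["type"]) + creds}},
            "components": skills, "services": servers,
            "dependencies": [{"ref": "agent:root",
                              "dependsOn": [x["bom-ref"] for x in skills + servers]}]}

if __name__ == "__main__":
    print(json.dumps(build_asbom(SAMPLE_SCAN), indent=2))
```

A standalone `agentsec sbom` command would call the same builder on the collected inventory without running the finding checks.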
Area
Reporting / compliance