Built by a security architect

SBOM and AI-BOM,
built by a security architect.

Not a dev tool that pretends compliance is your problem. Most scanners hand you a dependency list and a JSON file and call it done. SBOMix inventories what you actually ship: your dependencies, your AI models, and the agents holding your keys. Then it maps that to what an auditor or regulator actually asks for, showing what you can prove, naming what you can't, and never faking a pass.

$ npx sbomix .

Where other SBOM tools stop

A dependency graph is the easy 80%. The part that decides an audit is the part most tools skip.

A typical SBOM scanner
Enumerates your top-level dependencies and stops.
Ignores your AI/ML supply chain entirely.
Has no idea an agent, an MCP server, or a signing key is in the repo.
Prints a green pass on a zero-CVE count.
Leaves the regulation as your homework, then implies it certifies you.
SBOMix
Enumerates the full resolved tree across 10+ ecosystems.
Treats models, providers, and datasets as first-class components with their own threat profile.
Surfaces every MCP server and prompt an agent can reach, with its authority scope.
Refuses to. "No known CVEs" is not "no exploitable vulnerabilities," and it says so.
Maps observable evidence to CRA, EU AI Act, and ISO 42001, quoted verbatim. Evidence and gaps, never a verdict.

Built around the questions
a security architect gets asked

Not a checkbox. Each report answers something a customer, an auditor, or an investor has actually asked.

sbomix cra-check

EU Cyber Resilience Act readiness

The evidence an auditor wants, what you have, and what's missing, sorted into what a scan can prove, what needs review, and what only you can evidence. Citations are verbatim from Regulation (EU) 2024/2847. It never green-lights Annex I (2)(a) from a CVE count, and it never assigns your product a CRA class. That call belongs to a human.

sbomix ai-bom

Your AI supply chain as components

Models, external API providers, frameworks, and datasets, inventoried like any other dependency. Then the part no other SBOM tool surfaces: every MCP server and system-prompt file your agent can reach, each with its authority scope (shell, filesystem, unpinned source) and a Least Agency Score.

sbomix --profile crypto-agent

What's in the agent holding your keys

For teams shipping autonomous agents near signing keys or money. One report answers the exchange questionnaire and the investor's diligence question: what can this agent call, what can it sign, and where is the blast radius. Presence detection, not a code audit, and it tells you which is which.

$ sbomix ai-bom .

  AI-BOM — your-agent

  MODELS & PROVIDERS
    • Anthropic  ·  external API dependency  ·  sdk: anthropic
    • OpenAI     ·  external API dependency  ·  sdk: openai

  FRAMEWORKS & RUNTIMES
    • LangChain@0.3.7
    • PyTorch@2.4.1

  MCP SERVERS / AGENT TOOLS (3)  —  what your agent can call
    • filesystem  ·  stdio  ·  no auth  ·  ⚠ broad-filesystem, unpinned-source
        from .cursor/mcp.json
    • shell       ·  stdio  ·  no auth  ·  ⚠ shell-exec, unpinned-source
        from .cursor/mcp.json
    • github      ·  stdio  ·  auth required
        from .cursor/mcp.json

  Least Agency Score: 55/100  (higher = tighter agent authority)
  AI supply-chain threats: 4  (0 critical, 1 high)
    [HIGH] AI-009 Excessive agency (broad tool authority)  ·  mcp:filesystem

  Presence detection and static inventory — not a code audit or a security rating.

The honesty is the point

A tool that prints a green checkmark on your compliance obligation is selling you risk. SBOMix is built the other way around. Every report draws an explicit line between what a scan can observe and what a human still has to prove.

Quoted regulation is verbatim. A gap is called a gap. Nothing here is a certification, a declaration of conformity, or legal advice, and the tool says so on every report it prints. You get evidence you can hand to an auditor, and a clear list of what that evidence does not cover.

Built by David Cooper, CCIE #14019, with 25 years in infrastructure and security, because the tools that were supposed to answer these questions kept answering the wrong ones.

See what you're
actually shipping

Free on the CLI, forever. No account, no Docker, no agent to install.

Get started free →

Or run npx sbomix ai-bom . right now