Not a dev tool that pretends compliance is your problem. Most scanners hand you a dependency list and a JSON file and call it done. SBOMix inventories what you actually ship: your dependencies, your AI models, and the agents holding your keys. Then it maps that to what an auditor or regulator actually asks for, showing what you can prove, naming what you can't, and never faking a pass.
A dependency graph is the easy 80%. The part that decides an audit is the part most tools skip.
Not a checkbox. Each report answers something a customer, an auditor, or an investor has actually asked.
The evidence an auditor wants, what you have, and what's missing, sorted into what a scan can prove, what needs review, and what only you can evidence. Citations are verbatim from Regulation (EU) 2024/2847. It never green-lights Annex I (2)(a) from a CVE count, and it never assigns your product a CRA class. That call belongs to a human.
Models, external API providers, frameworks, and datasets, inventoried like any other dependency. Then the part no other SBOM tool surfaces: every MCP server and system-prompt file your agent can reach, each with its authority scope (shell, filesystem, unpinned source) and a Least Agency Score.
For teams shipping autonomous agents near signing keys or money. One report answers the exchange questionnaire and the investor's diligence question: what can this agent call, what can it sign, and where is the blast radius. Presence detection, not a code audit, and it tells you which is which.
$ sbomix ai-bom . AI-BOM — your-agent MODELS & PROVIDERS • Anthropic · external API dependency · sdk: anthropic • OpenAI · external API dependency · sdk: openai FRAMEWORKS & RUNTIMES • LangChain@0.3.7 • PyTorch@2.4.1 MCP SERVERS / AGENT TOOLS (3) — what your agent can call • filesystem · stdio · no auth · ⚠ broad-filesystem, unpinned-source from .cursor/mcp.json • shell · stdio · no auth · ⚠ shell-exec, unpinned-source from .cursor/mcp.json • github · stdio · auth required from .cursor/mcp.json Least Agency Score: 55/100 (higher = tighter agent authority) AI supply-chain threats: 4 (0 critical, 1 high) [HIGH] AI-009 Excessive agency (broad tool authority) · mcp:filesystem Presence detection and static inventory — not a code audit or a security rating.
A tool that prints a green checkmark on your compliance obligation is selling you risk. SBOMix is built the other way around. Every report draws an explicit line between what a scan can observe and what a human still has to prove.
Quoted regulation is verbatim. A gap is called a gap. Nothing here is a certification, a declaration of conformity, or legal advice, and the tool says so on every report it prints. You get evidence you can hand to an auditor, and a clear list of what that evidence does not cover.
Free on the CLI, forever. No account, no Docker, no agent to install.
Get started free →Or run npx sbomix ai-bom . right now