概述

agent-bom-compliance — AI Compliance & Policy Engine

Evaluate AI infrastructure scan results against 14 security and regulatory

frameworks. Enforce policy-as-code rules. Generate SBOMs in standard formats.

Run AISVS v1.0 and CIS benchmark checks.

Install

pipx install agent-bom
agent-bom agents --compliance --compliance-export nist-ai-rmf
agent-bom agents -f cyclonedx -o sbom.json

When to Use

"compliance report" / "run compliance"
"NIST" / "NIST AI RMF" / "NIST CSF" / "NIST 800-53"
"SOC 2" / "SOC2"
"ISO 27001"
"OWASP" / "OWASP LLM Top 10" / "OWASP Agentic Top 10"
"EU AI Act"
"AISVS" / "AI Security Verification Standard"
"CMMC" / "FedRAMP"
"generate SBOM" / "CycloneDX" / "SPDX"
"policy check" / "policy enforcement"

Tools (5)

Tool	Description
------	-------------
`compliance`	OWASP LLM/Agentic Top 10, EU AI Act, MITRE ATLAS, NIST AI RMF
`policy_check`	Evaluate results against custom security policy (17 conditions)
`cis_benchmark`	Run CIS benchmark checks against cloud accounts
`generate_sbom`	Generate SBOM (CycloneDX or SPDX format)
`aisvs_benchmark`	OWASP AISVS v1.0 compliance — 9 AI security checks

Supported Frameworks (15)

OWASP LLM Top 10 (2025) — prompt injection, supply chain, data leakage
OWASP MCP Top 10 — MCP-specific security risks
OWASP Agentic Top 10 — tool poisoning, rug pulls, credential theft
MITRE ATLAS — adversarial ML threat framework
MITRE ATT&CK Enterprise — adversary techniques tagged via CWE → CAPEC → ATT&CK on every blast-radius finding
NIST AI RMF — govern, map, measure, manage lifecycle
NIST CSF 2.0 — identify, protect, detect, respond, recover
NIST 800-53 Rev 5 — federal security controls (CM-8, RA-5, SI-2, SR-3)
FedRAMP Moderate — derived from NIST 800-53 controls
EU AI Act — risk classification, transparency, SBOM requirements
ISO 27001:2022 — information security controls (Annex A)
SOC 2 — Trust Services Criteria
CIS Controls v8 — implementation groups IG1/IG2/IG3
CMMC 2.0 — cybersecurity maturity model (Level 1-3)
PCI DSS v4.0 — payment-card data security requirements

OWASP AISVS v1.0 ships as a benchmark surface alongside the tag-mapped frameworks (9 verification checks).

Examples

# Run compliance check against multiple frameworks
compliance(frameworks=["owasp_llm", "eu_ai_act", "nist_ai_rmf"])

# Enforce custom policy
policy_check(policy={"max_critical": 0, "max_high": 5})

# Generate SBOM
generate_sbom(format="cyclonedx")

# Run AISVS v1.0 compliance
aisvs_benchmark()

# Run AWS CIS benchmark
cis_benchmark(provider="aws")

Privacy & Data Handling

**OWASP, NIST, EU AI Act, MITRE ATLAS, AISVS, SBOM generation, and policy

checks** run entirely locally on scan data already in memory. No network calls,

no credentials needed for these features.

CIS benchmark checks (optional, user-initiated) call cloud provider APIs

using your locally configured credentials. These are read-only API calls to

AWS, Azure, GCP, or Snowflake. You must explicitly run cis_benchmark(provider=...)

and confirm before any cloud API calls are made.

Verification

Source: github.com/msaad00/agent-bom (Apache-2.0)
7,100+ tests with CodeQL + OpenSSF Scorecard
No telemetry: Zero tracking, zero analytics

版本历史

共 11 个版本

v0.88.5 当前

2026-06-01 20:14
v0.88.4

2026-05-26 22:36
v0.88.1

2026-05-23 15:38 安全安全
v0.87.1

2026-05-19 10:24 安全安全
v0.86.2

2026-05-08 12:16 安全安全
v0.86.1

2026-05-07 03:19 安全安全
v0.84.6

2026-05-03 02:55 安全安全
v0.83.3

2026-04-30 22:08 安全安全
v0.75.8

2026-03-29 10:22
v0.71.0

2026-03-18 21:53
v0.70.6

2026-03-14 03:54

agent-bom compliance

概述

agent-bom-compliance — AI Compliance & Policy Engine

Install

When to Use

Tools (5)

Supported Frameworks (15)

Examples

Privacy & Data Handling

Verification

版本历史

安全检测

腾讯云安全 (Keen)

腾讯云安全 (Sanbu)

🔗 相关推荐

MoltGuard - Security & Antivirus & Guardrails

agent-bom vulnerability intel

OpenClaw Backup