Data sources and operating surfaces
The product should support three honest modes: launch direct scans, connect to a read-only source, or ingest evidence that the customer already centralizes elsewhere. This page makes those boundaries explicit and also shows where runtime, fleet, graph, and policy surfaces fit once the data is in the system.
Direct scans
Agentless or local scan jobs that agent-bom launches directly.
Local inventory and MCP discovery
Scan local MCP configs, Python agent projects, GitHub Actions, inventories, container images, and Terraform from the New Scan flow.
Kubernetes and image analysis
Use the same scan flow for cluster inventory and container/image package analysis where you can point agent-bom at the runtime or artifact directly.
Connected sources
Read-only sources where the customer points us at a cloud or SaaS system that already contains the data.
Governance and cloud activity
Snowflake-backed governance, access history, and activity pages already consume cloud-side telemetry without forcing everything through the local scan form.
Connector-backed discovery
The backend exposes connector and SIEM connector routes today. The product still needs a first-class setup wizard in the UI.
Ingested evidence
Evidence pushed into agent-bom from an existing collector, exporter, or security data lake workflow.
OTLP traces and runtime events
The traces surface and POST /v1/traces route accept OTLP JSON so teams can correlate runtime calls against known vulnerable assets.
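The correlation described above, sketched as an added example (not agent-bom's own code): it walks an OTLP JSON export and flags spans that reference an asset already known to be vulnerable. The attribute key mcp.server.name, the helper names, and all sample data are assumptions made for illustration.

```python
import json

# Constructed OTLP/JSON export (sample data, not a real capture).
# "mcp.server.name" is a hypothetical attribute key chosen for this example.
SAMPLE_OTLP = json.dumps({"resourceSpans": [{
    "resource": {"attributes": [
        {"key": "service.name", "value": {"stringValue": "support-agent"}}]},
    "scopeSpans": [{"spans": [
        {"traceId": "5b8efff798038103d269b633813fc60c", "spanId": "eee19b7ec3c1b174",
         "name": "tools/call read_file", "attributes": [
            {"key": "mcp.server.name", "value": {"stringValue": "filesystem-server"}}]},
        {"traceId": "5b8efff798038103d269b633813fc60c", "spanId": "eee19b7ec3c1b175",
         "name": "tools/call search", "attributes": [
            {"key": "mcp.server.name", "value": {"stringValue": "search-server"}}]},
    ]}],
}]})

# Constructed inventory from an earlier scan: asset name -> advisory placeholders.
VULNERABLE_ASSETS = {"filesystem-server": ["ADVISORY-PLACEHOLDER-1"]}

def _attrs(kv_list):
    """Flatten an OTLP KeyValue list into a plain dict."""
    out = {}
    for kv in kv_list or []:
        # An OTLP AnyValue carries one typed field (stringValue, intValue, ...).
        value = kv.get("value") or {}
        out[kv.get("key")] = next(iter(value.values()), None)
    return out

def correlate(otlp_json, vulnerable_assets, asset_key="mcp.server.name"):
    """Return one finding per span whose asset attribute names a vulnerable asset."""
    findings = []
    for rs in json.loads(otlp_json).get("resourceSpans", []):
        resource = _attrs(rs.get("resource", {}).get("attributes"))
        for ss in rs.get("scopeSpans", []):
            for span in ss.get("spans", []):
                asset = _attrs(span.get("attributes")).get(asset_key)
                if isinstance(asset, str) and asset in vulnerable_assets:
                    findings.append({
                        "service": resource.get("service.name"),
                        "span": span.get("name"),
                        "trace_id": span.get("traceId"),
                        "asset": asset,
                        "advisories": vulnerable_assets[asset],
                    })
    return findings
```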
Security lake and warehouse feeds
If customers already centralize evidence in Snowflake or another data platform, agent-bom should consume that source of truth instead of duplicating collection.
Imported artifacts
Customer-exported files that agent-bom can analyze without managing the source system.
Operating surfaces after ingest
Discovery and ingest are only the front door. Agent-bom also needs clear surfaces for runtime review, fleet operations, policy enforcement, and graph analysis after the data lands.
Security graph and path analysis
Persisted graph snapshots, attack-path focus, and blast-radius analysis across agents, servers, packages, tools, and credentials.
Fleet management
Persisted agent inventory, lifecycle state, trust score, and operational review state for the agent fleet.
Runtime proxy and alerts
Live runtime enforcement, detector alerts, drift protection, and audit review for MCP and tool-call activity.
Gateway and policy enforcement
Policy evaluation, review, and enforcement surfaces for controlling high-impact tool usage and approval workflows.
Guardrail principle
Prefer agentless read-only discovery when the product can safely gather the data itself. When the customer already owns the collection path, use imported artifacts or pushed ingest instead of rebuilding their telemetry pipeline inside agent-bom.