Snyk AI-BOM - See AI supply chains with graph of clients, servers, tools

Why we built the Snyk AI-BOM CLI

AI components like models, and external services are the new dependencies, and they are moving into production faster than we can track them. Engineering and security leaders kept asking us: "Which models are we actually using?" and "Are we compliant?" The answer was almost always, "We think it's these, but we have no central inventory." When an AI model is deprecated, a service changes its API, or developers adopt out-of-policy models, you need to know which of your apps is affected instantly. Waiting for a security audit to find out felt far too slow and way too risky.

What we're solving

1. Eliminating the AI Blind Spot: Snyk provides a comprehensive AI Bill of Materials (AIBOM) that goes beyond just pip dependencies to map the entire AI supply chain, including LLMs, datasets, MCP servers, and external API calls.

2. Governing the "Hidden" Connections: We specifically built in the ability to detect and map connections made via the MCP open standard, creating a clear dependency graph for services that your AI application relies on but often go unrecorded.

3. Answering Critical Questions Instantly: Instead of manual tracking or hunting through code, you can use the CLI to audit usage across your organization for specific frameworks, LLM providers, or potentially vulnerable AI components.

How we got here
The traditional Software Bill of Materials (SBOM) is crucial, but it was not designed for the complexities of modern AI applications. We realized that governance had to start with visibility. We prototyped a simple scanner to identify models and datasets, and quickly saw the need to map the services and tools they connect to. The core of this is the Snyk AI-BOM API, and we built it into the Snyk CLI to make that power accessible for any developer or security practitioner to run scans locally or integrate them easily into their CI/CD process. The goal is to make AI component tracking as routine and simple as tracking your open-source libraries.

What to try today:

• Run the CLI in one of your Python projects that uses an LLM or an AI framework (e.g., PyTorch, LangChain).

• See the resulting AIBOM and check the dependency chain. Look specifically for how it maps the external LLM provider or any MCP connections you might have.

• Use the ai-bom-scan functionality (https://github.com/snyk-labs/ai-...) to find repositories in your organization that mention a specific model like deepseek or an API provider like anthropic.
  

We'd love your feedback on the clarity of the AIBOM output, how easily it fits into your existing security/governance workflow, and which AI frameworks you'd like to see better support for next.

Thanks for checking out Snyk AI-BOM CLI, excited to help you get control over your AI supply chain!

Can I integrate @Snyk with existing IDEs and Github Workflows ?

I recall asking someone just a year ago if they thought AI-BOMs would actually become a thing... Since then, I have been increasingly hearing from members of our community asking how they can determine what's running behind the scenes when they use third-party models. Great feature!