Product Announcement · 30 June 2026

AI Bill of Materials is Live

The Vulnetix Code Scanner now discovers every AI coding agent, SDK and model touching a project — from environment, filesystem, source and commit-history evidence — and emits a CycloneDX AI Bill of Materials. On-device. Environment-variable values are never read, so no secret can leak into the BOM.

See the AI features

You cannot govern AI you cannot see. Assistants, SDKs and autonomous agents spread through codebases faster than any policy tracks by hand. "Which assistants, which SDKs, which models touch our code?" is now a customer-questionnaire question — and vulnetix aibom answers it with evidence.

Four evidence passes

Environment

Known AI tool and provider env-var NAMES only — values are never read, so no secret leaks into the BOM.

Filesystem

Config and instruction files — CLAUDE.md, AGENTS.md, .cursorrules — plus skills, hooks, plugins and prompts.

Source code

AI SDK usage per language and the model-name literals passed to them, captured even for unknown models.

Commit history

AI agent authorship via Co-Authored-By trailers, session markers and bot authors like Devin, Jules and Copilot.

Standards-native output

The output is a CycloneDX 1.7 document: AI coding agents become application components, SDKs become libraries, and each model becomes a machine-learning-model component with a modelCard. All evidence — method, file, line and snippet — rides on properties under the vulnetix:ai namespace. The builtin catalog (version 2026.06.4) recognises 84 AI coding agents, 73 AI provider services, two conventions and 102 AI SDKs.

Catches the AI that left no files

The hard part of an AI inventory is the autonomous agent that opened a pull request and left only a commit trailer, or the SDK call invoking an undocumented model. Four independent passes mean a tool must evade all of them to stay hidden. A note on scope: AI-BOM today inventories AI tooling and usage — agents, SDKs and the model names they invoke — not model weights or training datasets.

No new workflow

AI-BOM runs inside vulnetix scan (disable with --no-aibom) and uploads to the AI Inventory console at /vdb-ai-inventory, alongside the SBOM, CBOM, VEX and SARIF the same scan produces.

Get a free API key →