# firmis bom — Generate Agent Bill of Materials
You can’t pass a SOC 2 audit for an AI system you haven’t inventoried. firmis bom generates a CycloneDX 1.7 Agent Bill of Materials — a complete, structured record of every component, dependency, tool, and model reference in your agent stack.
SOC 2 auditors will love you. Your security team will too.
## When to use this

- Compliance prep: Your SOC 2, EU AI Act, or GDPR audit requires evidence of what AI components you’re running. BOM gives you that artifact in a standard format auditors recognize.
- Supply chain review: Before shipping an agent to production, generate a BOM to confirm exactly what’s in it — versions, dependencies, model references.
- Incident response: After a security event, a pre-incident BOM tells you what was running and when.
- Change tracking: Generate BOMs before and after a dependency update to diff what changed in your agent stack.
For a full security scan of what’s in the BOM, follow up with firmis scan. For a full CI pipeline that generates the BOM and scans in one pass, use firmis ci.
```sh
firmis bom [path] [options]
```

## What’s in the BOM

The Agent BOM follows the CycloneDX 1.7 specification — the same standard used for software supply chain security across the industry. It includes:
- Components — each AI agent tool, skill, or plugin listed as a named component with type, version, and file location
- Dependencies — npm/pip packages with exact version numbers, allowing vulnerability checks against the OSV database
- Models — detected AI model references (model IDs, quantization, config paths)
- Metadata — scan timestamp, Firmis version, project name, and component count
## Example output

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "version": 1,
  "metadata": {
    "timestamp": "2026-03-05T10:32:00Z",
    "tools": [{ "name": "firmis", "version": "1.4.0" }],
    "component": { "name": "my-agent-project", "type": "application" }
  },
  "components": [
    {
      "type": "library",
      "name": "fetch-tool",
      "purl": "pkg:npm/%40myorg/fetch-tool@1.0.0",
      "description": "Claude skill: fetch-tool",
      "properties": [
        { "name": "firmis:platform", "value": "claude" },
        { "name": "firmis:file", "value": ".claude/tools/fetch.ts" }
      ]
    },
    ...
  ]
}
```
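The change-tracking use case above (generate a BOM before and after a dependency update, then diff them) can be scripted against the JSON shape shown. The following is an added example, not part of the firmis project or this page; the two BOMs are constructed samples trimmed to the fields the script reads, and components are keyed by their `name` field, which assumes names are unique within one BOM.

```python
import json
from typing import Dict

# Constructed sample BOMs in the CycloneDX 1.7 shape that firmis bom emits,
# trimmed to the fields this script reads (not real firmis output).
BOM_BEFORE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.7", "version": 1,
    "components": [
        {"type": "library", "name": "fetch-tool",
         "purl": "pkg:npm/%40myorg/fetch-tool@1.0.0",
         "properties": [{"name": "firmis:platform", "value": "claude"},
                        {"name": "firmis:file", "value": ".claude/tools/fetch.ts"}]},
        {"type": "library", "name": "requests", "purl": "pkg:pypi/requests@2.31.0"},
    ],
})
BOM_AFTER = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.7", "version": 1,
    "components": [
        {"type": "library", "name": "fetch-tool",
         "purl": "pkg:npm/%40myorg/fetch-tool@1.1.0",
         "properties": [{"name": "firmis:platform", "value": "claude"},
                        {"name": "firmis:file", "value": ".claude/tools/fetch.ts"}]},
        {"type": "library", "name": "pyyaml", "purl": "pkg:pypi/pyyaml@6.0.1"},
    ],
})


def load_bom(text: str) -> dict:
    """Parse a BOM and refuse anything that is not a CycloneDX 1.x document."""
    bom = json.loads(text)
    spec = str(bom.get("specVersion", ""))
    if bom.get("bomFormat") != "CycloneDX" or not spec.startswith("1."):
        raise ValueError("not a CycloneDX 1.x BOM")
    return bom


def index_components(bom: dict) -> Dict[str, str]:
    """Map component name -> purl; the version is the part of the purl after '@'."""
    return {c["name"]: c.get("purl", "") for c in bom.get("components", [])}


def diff_boms(before: str, after: str) -> dict:
    """Report components added, removed, or re-versioned between two BOMs."""
    old, new = index_components(load_bom(before)), index_components(load_bom(after))
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {n: (old[n], new[n]) for n in set(old) & set(new) if old[n] != new[n]},
    }


if __name__ == "__main__":
    print(json.dumps(diff_boms(BOM_BEFORE, BOM_AFTER), indent=2))
```

Run it against two saved `agent-bom.json` files by replacing the constructed strings with the file contents; a non-empty `changed` or `added` list is the signal to re-run `firmis scan` before release.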
## Options

| Flag | Type | Default | Description |
|---|---|---|---|
| `--platform <name>` | string | auto-detect | Generate BOM for a specific platform only — useful when scoping to one part of a larger monorepo |
| `--output <file>` | string | stdout | Save the BOM to a file. Use `agent-bom.json` as a convention for CI artifact storage. |
| `--verbose` | boolean | false | Show detailed logging during BOM generation |
## Examples

### Generate BOM for current directory

```sh
npx firmis bom
```

### Save BOM to file for audit submission

```sh
npx firmis bom --output agent-bom.json
```

### Generate BOM for MCP servers only

```sh
npx firmis bom --platform mcp --output mcp-bom.json
```

### Generate BOM as part of a release workflow

```sh
npx firmis bom --output artifacts/agent-bom-$(date +%Y%m%d).json
```

## Related

- Agent BOM concept — what Agent BOMs are, why they matter, and how they differ from a standard SBOM
- CycloneDX BOM spec — full output format reference
- CI pipeline — generate the BOM automatically as part of your CI security pipeline