agent-bom-compliance

AI compliance and policy engine — evaluate scan results against OWASP, NIST, SOC 2, ISO 27001, CMMC, EU AI Act, AISVS v1.0, and related frameworks. Generate SBOMs and compliance reports. Use when: "compliance report", "NIST", "SOC 2", "ISO 27001", "OWASP", "EU AI Act", "AISVS", "generate SBOM", "policy check".

10 stars

Best use case

agent-bom-compliance is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

AI compliance and policy engine — evaluate scan results against OWASP, NIST, SOC 2, ISO 27001, CMMC, EU AI Act, AISVS v1.0, and related frameworks. Generate SBOMs and compliance reports. Use when: "compliance report", "NIST", "SOC 2", "ISO 27001", "OWASP", "EU AI Act", "AISVS", "generate SBOM", "policy check".

Teams using agent-bom-compliance should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/compliance/SKILL.md --create-dirs "https://raw.githubusercontent.com/msaad00/agent-bom/main/integrations/openclaw/compliance/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/compliance/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How agent-bom-compliance Compares

Feature / Agentagent-bom-complianceStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

AI compliance and policy engine — evaluate scan results against OWASP, NIST, SOC 2, ISO 27001, CMMC, EU AI Act, AISVS v1.0, and related frameworks. Generate SBOMs and compliance reports. Use when: "compliance report", "NIST", "SOC 2", "ISO 27001", "OWASP", "EU AI Act", "AISVS", "generate SBOM", "policy check".

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# agent-bom-compliance — AI Compliance & Policy Engine

Evaluate AI infrastructure scan results against 14 security and regulatory
frameworks. Enforce policy-as-code rules. Generate SBOMs in standard formats.
Run AISVS v1.0 and CIS benchmark checks.

## Install

```bash
pipx install agent-bom
agent-bom agents --compliance --compliance-export nist-ai-rmf
agent-bom agents -f cyclonedx -o sbom.json
```

## When to Use

- "compliance report" / "run compliance"
- "NIST" / "NIST AI RMF" / "NIST CSF" / "NIST 800-53"
- "SOC 2" / "SOC2"
- "ISO 27001"
- "OWASP" / "OWASP LLM Top 10" / "OWASP Agentic Top 10"
- "EU AI Act"
- "AISVS" / "AI Security Verification Standard"
- "CMMC" / "FedRAMP"
- "generate SBOM" / "CycloneDX" / "SPDX"
- "policy check" / "policy enforcement"

## Tools (5)

| Tool | Description |
|------|-------------|
| `compliance` | OWASP LLM/Agentic Top 10, EU AI Act, MITRE ATLAS, NIST AI RMF |
| `policy_check` | Evaluate results against custom security policy (17 conditions) |
| `cis_benchmark` | Run CIS benchmark checks against cloud accounts |
| `generate_sbom` | Generate SBOM (CycloneDX or SPDX format) |
| `aisvs_benchmark` | OWASP AISVS v1.0 compliance — 9 AI security checks |

## Supported Frameworks (15)

- **OWASP LLM Top 10** (2025) — prompt injection, supply chain, data leakage
- **OWASP MCP Top 10** — MCP-specific security risks
- **OWASP Agentic Top 10** — tool poisoning, rug pulls, credential theft
- **MITRE ATLAS** — adversarial ML threat framework
- **MITRE ATT&CK Enterprise** — adversary techniques tagged via CWE → CAPEC → ATT&CK on every blast-radius finding
- **NIST AI RMF** — govern, map, measure, manage lifecycle
- **NIST CSF 2.0** — identify, protect, detect, respond, recover
- **NIST 800-53 Rev 5** — federal security controls (CM-8, RA-5, SI-2, SR-3)
- **FedRAMP Moderate** — derived from NIST 800-53 controls
- **EU AI Act** — risk classification, transparency, SBOM requirements
- **ISO 27001:2022** — information security controls (Annex A)
- **SOC 2** — Trust Services Criteria
- **CIS Controls v8** — implementation groups IG1/IG2/IG3
- **CMMC 2.0** — cybersecurity maturity model (Level 1-3)
- **PCI DSS v4.0** — payment-card data security requirements

OWASP AISVS v1.0 ships as a **benchmark surface** alongside the tag-mapped frameworks (9 verification checks).

## Examples

```
# Run compliance check against multiple frameworks
compliance(frameworks=["owasp_llm", "eu_ai_act", "nist_ai_rmf"])

# Enforce custom policy
policy_check(policy={"max_critical": 0, "max_high": 5})

# Generate SBOM
generate_sbom(format="cyclonedx")

# Run AISVS v1.0 compliance
aisvs_benchmark()

# Run AWS CIS benchmark
cis_benchmark(provider="aws")
```

## Privacy & Data Handling

**OWASP, NIST, EU AI Act, MITRE ATLAS, AISVS, SBOM generation, and policy
checks** run entirely locally on scan data already in memory. No network calls,
no credentials needed for these features.

**CIS benchmark checks** (optional, user-initiated) call cloud provider APIs
using your locally configured credentials. These are read-only API calls to
AWS, Azure, GCP, or Snowflake. You must explicitly run `cis_benchmark(provider=...)`
and confirm before any cloud API calls are made.

## Verification

- **Source**: [github.com/msaad00/agent-bom](https://github.com/msaad00/agent-bom) (Apache-2.0)
- **7,100+ tests** with CodeQL + OpenSSF Scorecard
- **No telemetry**: Zero tracking, zero analytics

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.