Documentation

AIBOM

Discover AI coding agents and AI usage, and emit a CycloneDX AI Bill of Materials.

The vulnetix aibom command discovers evidence of AI coding agents/assistants and AI usage in a project and produces an AI Bill of Materials (AIBOM) in CycloneDX 1.7 format.

This page is generated from the detection catalog (internal/aibom/catalog/*.json). Run just gen-aibom after editing the catalog.

What it detects

Three passes, all driven by a maintainable catalog:

Environment — known AI tool / provider environment-variable names. Values are never read or emitted, so secrets never leak into the AIBOM.
Filesystem — tool config directories, instruction files, ignore files, skills, hooks, plugins, steering, memory, prompts, agents, commands and marketplace manifests.
Source code — AI SDK/framework usage per language, and the model-name literals passed to them. Model names are extracted by anchoring on the SDK parameter (model=, modelId=, deployment_name=), so future / unknown model names are still captured.
Commit history — commits authored by an AI agent, identified by Co-Authored-By trailers, session markers (e.g. Claude-Session:), agent bot authors, or “Generated with ” lines. Catches agent use that left no file/env/source trace.

The builtin catalog (version 2026.06.4) covers 84 AI coding agents, 73 AI provider services, 2 conventions, and 102 AI SDKs across many languages.

Supported Agents

Every AI coding tool & provider the catalog detects.

AI SDKs

SDKs detected and the model parameters extracted.

Catalog Format

Extend or override detection with –catalog.

Command Reference

vulnetix aibom flags and examples.

Supported Agents & Providers

Every AI coding agent, provider service and convention the AIBOM detector recognises.

AI SDKs & Frameworks

AI SDKs detected by the source-code pass and the model-name parameters extracted from each.

Catalog Format

The detection catalog schema, and how to extend or override it with --catalog.