`drako bom`

drako bom extracts a complete inventory of your AI agent project without evaluating any governance rules or producing a score. It is a pure discovery tool useful for audits, dependency tracking, and understanding the attack surface of your agents. All analysis runs via Python AST. No network calls are made.

Usage

drako bom [PATH] [OPTIONS]

PATH defaults to . (current directory).

Options

--format

text | json | markdown

default:"text"

Output format.

text — human-readable plain-text summary
json — structured JSON object with full BOM data
markdown — Markdown table output suitable for embedding in reports

--output

string

Write output to a file instead of stdout. When set, a confirmation message is printed to stdout and the BOM content goes to the specified file.

What is extracted

The BOM covers every component that Drako can detect from source code and config files:

Category	What is detected
Agents	Agent class definitions and constructor calls (`Agent()`, `AssistantAgent()`, etc.) from Python and TypeScript files; CrewAI YAML configs (`agents.yaml`)
Tools	Functions decorated with `@tool` and `Tool()` constructor calls
Models	LLM model name strings (GPT-4, Claude, Gemini, Llama, Mistral, etc.)
Prompts	System prompt strings assigned to `system_prompt`, `instructions`, `SystemMessage()`, and similar patterns
MCP servers	Entries in `mcp.json` and `mcp://` URIs found in source code
Permissions	Inferred from tool bodies: `filesystem`, `network`, `code_execution`, `database`
Frameworks	Detected from imports and project structure
Dependencies	Package versions from `requirements.txt`, `pyproject.toml`, `package.json`

Example output

text
json
markdown

Agent BOM — my-agent-project
Generated in 142 ms

FRAMEWORKS
  crewai 0.55.0

AGENTS (2)
  researcher      crewai    crew/agents.py:12
  writer          crewai    crew/agents.py:34

TOOLS (3)
  search_web      network   tools/search.py:8
  read_file       write     tools/files.py:15
  run_code        execute   tools/code.py:22

MODELS (1)
  gpt-4o          crew/agents.py:13

PERMISSIONS
  code_execution, filesystem, network

MCP SERVERS
  none detected

{
  "agents": [
    {
      "name": "researcher",
      "framework": "crewai",
      "file_path": "crew/agents.py",
      "line_number": 12,
      "tools": ["search_web"],
      "model": "gpt-4o"
    }
  ],
  "tools": [
    {
      "name": "search_web",
      "file_path": "tools/search.py",
      "line_number": 8,
      "has_network_access": true,
      "has_filesystem_access": false,
      "has_code_execution": false
    }
  ],
  "models": [{ "name": "gpt-4o", "file_path": "crew/agents.py" }],
  "permissions": ["network"],
  "mcp_servers": [],
  "frameworks": [{ "name": "crewai", "version": "0.55.0" }],
  "dependencies": { "crewai": "0.55.0", "openai": "1.30.0" }
}

drako bom . --format markdown

Produces Markdown tables for agents, tools, models, and permissions — ready to paste into a README or audit report.

Examples

# Print BOM for the current directory
drako bom .

# Output as JSON
drako bom . --format json

# Save Markdown BOM to a file
drako bom . --format markdown --output AGENT_BOM.md

# Scan a subdirectory
drako bom src/agents/

# Pipe JSON to jq
drako bom . --format json | jq '.agents[].name'

drako bom is also implicitly run during drako scan. If you only need the inventory without the governance evaluation, drako bom is faster and produces no findings or score.

CLI Reference

Python SDK

Rules & Advisories

Usage

Options

What is extracted

Example output

Examples

Build docs developers (and LLMs) love

CLI Reference

Python SDK

Rules & Advisories

​Usage

​Options

​What is extracted

​Example output

​Examples

Build docs developers (and LLMs) love

Usage

Options

What is extracted

Example output

Examples