
firmis bom - Generate Agent Bill of Materials

firmis bom [path] [options]

You cannot pass a compliance audit for an AI system you have not inventoried. firmis bom generates a CycloneDX 1.7 Agent Bill of Materials - a complete, structured record of every component, dependency, tool, and model reference in your agent stack.

The BOM follows the CycloneDX 1.7 specification, the same standard used for software supply chain security across the industry. It includes each AI agent tool, skill, or plugin listed as a named component; npm and pip packages with exact version numbers; detected model files and model references; and metadata including scan timestamp, Firmis version, and project name.

By default the BOM is written to stdout as JSON. Use --output to save to a file. When --output is provided, a human-readable summary is printed to the terminal alongside the saved file.
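Once the BOM has been saved with --output, a CI job can check it before archiving. The following Python is an added example, not firmis code: it verifies the CycloneDX header, counts components per type, and reports components that carry no version. SAMPLE_BOM is a constructed document in the CycloneDX 1.7 shape using only standard fields; it is not real firmis output, and the component names are made up.

```python
"""Gate a CycloneDX Agent BOM in CI. Added example, not firmis code; it reads
the JSON that `firmis bom --output` writes. SAMPLE_BOM is constructed."""
import json
from collections import Counter

# Constructed sample document (not real firmis output); CycloneDX-standard fields only.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.7",
    "version": 1,
    "metadata": {"timestamp": "2025-01-01T00:00:00Z",
                 "component": {"type": "application", "name": "example-agent"}},
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "example-plugin"},  # no version recorded
        {"type": "machine-learning-model", "name": "example-model", "version": "v1"},
    ],
})

def load_bom(text):
    """Parse the document and reject anything that is not a CycloneDX 1.7 BOM."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if bom.get("specVersion") != "1.7":
        raise ValueError(f"unexpected specVersion {bom.get('specVersion')!r}")
    return bom

def inventory(bom):
    """Count components per CycloneDX component type."""
    return Counter(c.get("type", "unknown") for c in bom.get("components", []))

def unpinned(bom):
    """Components without a version: they cannot be matched against advisories."""
    return sorted(c["name"] for c in bom.get("components", []) if not c.get("version"))

def gate(text, allow_unpinned=False):
    """Return (ok, report); ok is False when unpinned components are present."""
    bom = load_bom(text)
    missing = unpinned(bom)
    ok = allow_unpinned or not missing
    return ok, {"components": dict(inventory(bom)), "unpinned": missing, "ok": ok}

if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_BOM)[1], indent=2))
```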

firmis bom is read-only. It does not modify any files. For immediate security findings on the same components, use firmis scan. For a full CI pipeline that generates the BOM and scans in one pass, use firmis ci.

npx firmis bom

npx firmis bom --output agent-bom.json

npx firmis bom --platform mcp --output mcp-bom.json

Generate a timestamped BOM as part of a release workflow

npx firmis bom --output "artifacts/agent-bom-$(date +%Y%m%d).json"
npx firmis bom --verbose --output agent-bom.json
| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --platform <name> | string | all platforms | Generate BOM for a specific platform only. Useful when scoping to one part of a larger monorepo. |
| --output <file> | string | stdout | Save the BOM JSON to a file. When provided, a summary is printed to the terminal. |
| --verbose | boolean | false | Enable verbose logging during BOM generation. |

| Code | Meaning |
| --- | --- |
| 0 | BOM generated successfully. |
| 1 | BOM generation failed with an error. |
  • Agent BOM concept - what Agent BOMs are, why they matter, and how they differ from a standard SBOM
  • CycloneDX BOM spec - full output format reference
  • discover - human-readable component inventory without the CycloneDX structure
  • CI pipeline - generate the BOM automatically as part of your CI security pipeline