Open Agent Composition Analysis

Your dependency scanner can't see your agent stack. Agents pull in MCP servers, plugins, and skills that SCA tools don't parse. OpenACA inventories them into an Agent BOM — and matches each against known security records: CVE/GHSA/OSV, enriched with agent-native context.

Install
curl -fsSL https://openaca.dev/scan | sh

See your agent's composition

Map the components your agents compose — MCP servers, plugins, skills, hooks, frameworks — into an Agent BOM, for any repo or endpoint. The inventory SCA tools can't produce.

Find vulnerabilities and posture gaps

Match each component against upstream CVE/GHSA/OSV advisories and posture findings, layered with agent-native context: OWASP Agentic Top 10, OWASP MCP Top 10, MITRE ATLAS, evidence level, and malicious-package flags.

Scan the agents you use — and the ones you build

From a developer's coding agent to a custom agent in production: scan repo runs as a CI check, and scan endpoint audits an installed machine. OSV-compatible output flows into the tools you already run.
