[Dashboard charts: product upvotes vs the next 3; product comments vs the next 3; product upvote speed vs the next 3; product upvotes and comments; product vs the next 3]

Snyk AI-BOM

See AI supply chains with graph of clients, servers, tools

The Snyk AI-BOM CLI maps the critical AI components powering your application, including AI models, datasets, and external services. It extends the traditional SBOM to create a clear inventory of everything your AI code relies on. Use Snyk AI-BOM to detect and map dependencies created via the MCP open standard, providing security and engineering leaders with the governance insights they need. Audit AI usage, track LLM providers, and ensure compliance with one command.

Top comment

Why we built the Snyk AI-BOM CLI

AI components like models and external services are the new dependencies, and they are moving into production faster than we can track them. Engineering and security leaders kept asking us: "Which models are we actually using?" and "Are we compliant?" The answer was almost always, "We think it's these, but we have no central inventory." When an AI model is deprecated, a service changes its API, or developers adopt out-of-policy models, you need to know which of your apps is affected instantly. Waiting for a security audit to find out felt far too slow and way too risky.

What we're solving

  1. Eliminating the AI Blind Spot: Snyk provides a comprehensive AI Bill of Materials (AIBOM) that goes beyond just pip dependencies to map the entire AI supply chain, including LLMs, datasets, MCP servers, and external API calls.

  2. Governing the "Hidden" Connections: We specifically built in the ability to detect and map connections made via the MCP open standard, creating a clear dependency graph for services that your AI application relies on but often go unrecorded.

  3. Answering Critical Questions Instantly: Instead of manual tracking or hunting through code, you can use the CLI to audit usage across your organization for specific frameworks, LLM providers, or potentially vulnerable AI components.

How we got here

The traditional Software Bill of Materials (SBOM) is crucial, but it was not designed for the complexities of modern AI applications. We realized that governance had to start with visibility. We prototyped a simple scanner to identify models and datasets, and quickly saw the need to map the services and tools they connect to. The core of this is the Snyk AI-BOM API, and we built it into the Snyk CLI to make that power accessible for any developer or security practitioner to run scans locally or integrate them easily into their CI/CD process. The goal is to make AI component tracking as routine and simple as tracking your open-source libraries.

What to try today:

  • Run the CLI in one of your Python projects that uses an LLM or an AI framework (e.g., PyTorch, LangChain).

  • See the resulting AIBOM and check the dependency chain. Look specifically for how it maps the external LLM provider or any MCP connections you might have.

  • Use the ai-bom-scan functionality (https://github.com/snyk-labs/ai-...) to find repositories in your organization that mention a specific model like deepseek or an API provider like anthropic.

We'd love your feedback on the clarity of the AIBOM output, how easily it fits into your existing security/governance workflow, and which AI frameworks you'd like to see better support for next.

Thanks for checking out Snyk AI-BOM CLI, excited to help you get control over your AI supply chain!

About Snyk AI-BOM on Product Hunt

Snyk AI-BOM launched on Product Hunt on December 4th, 2025 and earned 99 upvotes and 11 comments, placing #19 on the daily leaderboard.

On the analytics side, Snyk AI-BOM competes within Developer Tools, Artificial Intelligence and Security — topics that collectively have 983.6k followers on Product Hunt. The dashboard above tracks how Snyk AI-BOM performed against the three products that launched closest to it on the same day.

Who hunted Snyk AI-BOM?

Snyk AI-BOM was hunted by fmerian. A “hunter” on Product Hunt is the community member who submits a product to the platform — uploading the images, the link, and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community. See the full all-time top hunters leaderboard to discover who is shaping the Product Hunt ecosystem.

Reviews

Snyk AI-BOM has received 1 review on Product Hunt with an average rating of 5.00/5. Read all reviews on Product Hunt.

For a complete overview of Snyk AI-BOM including community comment highlights and product details, visit the product overview.