README.md
Browse Online · Documentation · Contributing · License
</div>We built AI-BOM because we scanned our own 4,343 workflows and found hardcoded API keys, unauthenticated AI agents, and MCP clients connecting to unknown servers — all invisible to existing security tools.
AI-BOM is the first and only tool that scans n8n workflows for AI security risks.
pip install ai-bom
ai-bom scan ./workflows/
One command finds every AI Agent node, LLM integration, MCP client, hardcoded credential, and dangerous tool combination — then gives you a risk score and a compliance-ready report.
EU AI Act deadline: August 2025. You need an AI inventory.
<a href="https://github.com/Trusera/ai-bom"><strong>Get AI-BOM (free & open source) →</strong></a>
</td> <td width="35%" align="center"> <a href="https://github.com/Trusera/ai-bom"> </a><sub><strong>AI-BOM</strong> by <a href="https://trusera.dev">Trusera</a></sub>
<sub>Securing the Agentic Service Mesh</sub>
</td> </tr> </table> <details> <summary><strong>What does AI-BOM detect in n8n workflows? (click to expand)</strong></summary>| Risk | Severity | What it finds |
|---|---|---|
| AI Agent nodes | CRITICAL | Agents connected to LLMs with tool access — can execute code |
| Hardcoded credentials | CRITICAL | API keys in workflow JSON instead of credential store |
| Dangerous tool combos | CRITICAL | Agents with Code Execution + HTTP Request = RCE risk |
| MCP clients | HIGH | Model Context Protocol connections to external servers |
| Unauthenticated webhooks | HIGH | Webhook triggers exposed to the internet without auth |
| Agent chains | HIGH | Execute Workflow linking agents without input validation |
Beyond n8n, AI-BOM also scans source code (Python, JS, TS, Java, Go, Rust, Ruby), Docker configs, cloud infrastructure (Terraform, CloudFormation), and network endpoints — 21+ AI SDKs detected across 7 languages.
Output formats: CycloneDX SBOM | SARIF (GitHub Code Scanning) | HTML Dashboard | Markdown | JSON
</details>Visit zie619.github.io/n8n-workflows for instant access to:
# Clone the repository
git clone https://github.com/Zie619/n8n-workflows.git
cd n8n-workflows
# Install dependencies
pip install -r requirements.txt
# Start the server
python run.py
# Open in browser
# http://localhost:8000
# Using Docker Hub
docker run -p 8000:8000 zie619/n8n-workflows:latest
# Or build locally
docker build -t n8n-workflows .
docker run -p 8000:8000 n8n-workflows
| Endpoint | Method | Description |
|---|---|---|
/ | GET | Web interface |
/api/search | GET | Search workflows |
/api/stats | GET | Repository statistics |
/api/workflow/{id} | GET | Get workflow JSON |
/api/categories | GET | List all categories |
/api/export | GET | Export workflows |
graph LR
A[User] --> B[Web Interface]
B --> C[FastAPI Server]
C --> D[SQLite FTS5]
D --> E[Workflow Database]
C --> F[Static Files]
F --> G[Workflow JSONs]
n8n-workflows/
├── workflows/ # 4,343 workflow JSON files
│ └── [category]/ # Organized by integration
├── docs/ # GitHub Pages site
├── src/ # Python source code
├── scripts/ # Utility scripts
├── api_server.py # FastAPI application
├── run.py # Server launcher
├── workflow_db.py # Database manager
└── requirements.txt # Python dependencies
We love contributions! Here's how you can help:
# Fork and clone
git clone https://github.com/YOUR_USERNAME/n8n-workflows.git
# Create branch
git checkout -b feature/amazing-feature
# Make changes and test
python run.py --debug
# Commit and push
git add .
git commit -m "feat: add amazing feature"
git push origin feature/amazing-feature
# Open PR
Please report security vulnerabilities to the maintainers via Security Advisory.
This project is licensed under the MIT License - see the LICENSE file for details.
If you find this project helpful, please consider:
<div align="center"> </div></div>
Star us on GitHub — it motivates us a lot!
Made with care by Zie619 and contributors
<a href="https://github.com/Trusera/ai-bom"> </a>AI-BOM — Discover every AI agent, model, and API hiding in your infrastructure.
Open source by Trusera — Securing the Agentic Service Mesh.
</div>