When a supply chain alert lands, the first question is always the same: are we affected? Finding the answer meant someone on our Security Architecture (SecArch) team within IT & Security manually checking repositories until they were reasonably sure nothing was missed. It was slow, it was incomplete, and it was exactly the kind of work our own platform was built to eliminate.
So we built an agent to do it instead. It takes a question like "Which of our repositories use the plugin-syntax-async-generators dependency?" and returns a complete, reliable answer in seconds.
The Treasure AI (TAI) GitHub organization has hundreds of repositories. When a compromised dependency surfaces, every one of them is potentially in scope. Before this project, the response looked like this: receive the alert, start searching, work through repositories one at a time, compile whatever you found, and hope nothing slipped through. There was no structured way to know when you were done.
It's a common failure mode. Supply chain incidents move fast and the investigation tooling rarely keeps up. We wanted to close that gap using the same AI platform we offer to customers.
The SBOM2TD Agent answers dependency questions in plain English through the Foundry Workspace interface. An engineer opens the interface, types a question, and gets back a list of affected repositories. No SQL, no GitHub searches, no waiting on someone with repository access to run a manual sweep.
To align with strict enterprise security standards, the AI inherits comprehensive Role-Based Access Controls (RBAC), ensuring only authorized personnel can query the workspace. While the agent eliminates the manual toil, human-in-the-loop accountability is maintained; security engineers remain fully responsible for remediation and final decision-making.
The agent's knowledge comes from a continuously refreshed inventory of every dependency across every repository in our GitHub organization, stored securely in our Intelligent CDP. That inventory is what makes the answers complete rather than best-effort.
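The lookup such an inventory supports can be sketched as follows. This is an added example, not the SBOM2TD implementation: the SPDX-style JSON layout, the repository names, and the in-memory index standing in for the CDP table are all assumptions. It also reports repositories that have no SBOM in the inventory, since an answer is only complete for repositories that were actually inventoried.

```python
from collections import defaultdict

# Constructed sample inventory: one SPDX-style SBOM per repository. Format and
# repository names are assumptions; the post does not describe its schema.
SBOMS = {
    "web-frontend": {"packages": [
        {"name": "@babel/plugin-syntax-async-generators", "versionInfo": "7.8.4"},
        {"name": "react", "versionInfo": "18.2.0"}]},
    "billing-api": {"packages": [
        {"name": "requests", "versionInfo": "2.31.0"}]},
    "docs-site": {"packages": [
        {"name": "@babel/plugin-syntax-async-generators", "versionInfo": "7.8.4"},
        {"name": "async", "versionInfo": "3.2.5"}]},
}
# Constructed list of every repository in the organization; "legacy-batch"
# has no SBOM in the inventory.
ALL_REPOS = ["web-frontend", "billing-api", "docs-site", "legacy-batch"]


def normalize(name):
    """Return (full, bare) lower-cased names; '@scope/pkg' has bare name 'pkg'."""
    full = name.strip().lower()
    bare = full.split("/", 1)[1] if full.startswith("@") and "/" in full else full
    return full, bare


def build_index(sboms):
    """Invert repo -> packages into package name -> {repo: {versions}}."""
    index = defaultdict(lambda: defaultdict(set))
    for repo, doc in sboms.items():
        for pkg in doc.get("packages", []):
            # Index under both names so a question that omits the npm scope
            # still finds the scoped package.
            for key in set(normalize(pkg["name"])):
                index[key][repo].add(pkg.get("versionInfo", "unknown"))
    return index


def affected(index, sboms, all_repos, name):
    """Return (repos using `name` with versions, repos with no SBOM)."""
    full, _ = normalize(name)
    # Exact key lookup: asking about "async" must not match "...-async-...".
    hits = {repo: sorted(vers) for repo, vers in index.get(full, {}).items()}
    # Repositories missing from the inventory are unknown, not clean.
    unknown = sorted(set(all_repos) - set(sboms))
    return hits, unknown


INDEX = build_index(SBOMS)
if __name__ == "__main__":
    print(affected(INDEX, SBOMS, ALL_REPOS, "plugin-syntax-async-generators"))
```

A bare-name query returns every scope that publishes a package with that name, which errs on the side of over-reporting during triage.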
The architecture has four parts, all running on our own Customer Data Platform (CDP).
The operational difference shows up most clearly during an active incident. Before, a security engineer spent hours manually combing through repositories with no guarantee they'd caught everything. Now they open the Foundry Workspace, ask the question, and have a complete answer before they've finished their coffee. This enhanced productivity effectively reduces our Mean Time to Respond (MTTR) by up to 90%.
Outside of incidents, the same agent handles dependency audits, license reviews, and upgrade planning. The knowledge base is already there. The questions just change.
Working through AI Agent Foundry, TAI CDP, and the Foundry Workspace end-to-end gave the team a much clearer picture of how these components actually fit together in production. That kind of hands-on understanding is hard to get any other way.
Supply chain security is a problem every engineering organization is dealing with. If you're thinking about something similar, we hope this gives you a starting point.
Ready to build trustworthy AI agents that eliminate manual toil for your own teams? Discover how you can leverage Treasure AI Agent Foundry today.