> ## Documentation Index
> Fetch the complete documentation index at: https://docs.safedep.io/llms.txt
> Use this file to discover all available pages before exploring further.

# AI Tools Discovery

> Discover AI coding agents, MCP servers, CLI tools, IDE extensions, and agent skills across developer machines and project repositories

`vet ai discover` is an alias for `vet endpoint scan --kind ai-tool --kind agent-skill`. It scans the local system and project directory to inventory AI tool usage signals: coding agents, MCP servers, CLI tools, IDE extensions, project configuration files, and agent skills. When SafeDep credentials are configured, discovered items sync to SafeDep Cloud's Endpoint Hub automatically. See [Inventory](/governance/cloud/endpoint-hub/inventory).

## Prerequisites

* `vet` [installed](/governance/vet/quickstart)

## Usage

Discover all AI tool usage signals on the current system and project:

```bash theme={null}
vet ai discover
```

### Scope Filtering

Limit discovery to system-level or project-level signals:

```bash theme={null}
# Only system-level signals (global configs, CLI binaries, IDE extensions)
vet ai discover --scope system

# Only project-level signals for a specific repository
vet ai discover --scope project -D /path/to/repo
```

### JSON Output

Write a structured JSON inventory for downstream processing:

```bash theme={null}
vet ai discover --report-json inventory.json

# JSON only, suppress table output
vet ai discover --report-json inventory.json --silent
```

## What Gets Discovered

`vet ai discover` reports **usage signals**, not unique tools. The same tool may appear multiple times because it can be configured at different scopes. Each row represents a distinct configuration entry.

For example, Claude Code might produce:

| Type             | Name        | Scope   | Why                                     |
| ---------------- | ----------- | ------- | --------------------------------------- |
| `coding_agent`   | Claude Code | system  | `~/.claude/settings.json` exists        |
| `project_config` | Claude Code | project | Project has a `CLAUDE.md`               |
| `mcp_server`     | my-server   | system  | Configured in `~/.claude/settings.json` |
| `mcp_server`     | my-server   | project | Also configured in `.mcp.json`          |

### Signal Types

The `--kind` flag on `vet endpoint scan` controls which signal types are collected. `vet ai discover` always collects all of them.

| Type                | Kind          | Description                                                                                                    |
| ------------------- | ------------- | -------------------------------------------------------------------------------------------------------------- |
| **coding\_agent**   | `ai-tool`     | AI coding assistant installed on the system, detected via system-level config directories                      |
| **mcp\_server**     | `ai-tool`     | Model Context Protocol server configured for an application                                                    |
| **cli\_tool**       | `ai-tool`     | Standalone AI CLI binary found on `$PATH`, verified by executing with a version flag                           |
| **ai\_extension**   | `ai-tool`     | AI-related IDE extension detected from installed extension manifests                                           |
| **project\_config** | `ai-tool`     | AI tool configuration or instruction file found in a project repository                                        |
| **agent\_skill**    | `agent-skill` | Agent skill directory discovered in a supported agent's skill path (e.g. `.claude/skills/`, `.agents/skills/`) |

### Scope

* **system** refers to user-global config (e.g. `~/.claude/settings.json`, `~/.cursor/mcp.json`)
* **project** refers to repo-scoped config (e.g. `.mcp.json`, `.cursorrules`, `CLAUDE.md`)

## What Gets Scanned

**App configuration** is read from well-known system and project-level config paths for each supported application. System-level configs indicate the tool is installed; project-level configs indicate the project is set up for a tool.

**CLI binaries** are discovered by searching `$PATH` for known binary names. Each candidate is executed with a version flag and the output verified against known patterns.

**IDE extensions** are discovered by reading extension manifests from supported IDE distributions and matching against a curated list of known AI extension identifiers.

**Agent skill directories** are discovered by scanning known per-agent skill paths at system and project scope.

## Security

Discovery makes no network calls. All scanning reads the local filesystem and `$PATH`. Environment variable and header values are never captured; only key names are recorded. CLI arguments matching secret patterns (`--token=`, `--api-key=`, `--password=`, etc.) are redacted. Sync to SafeDep Cloud is a separate step that runs only when credentials are configured.

<CardGroup cols={2}>
  <Card title="Inventory" icon="cloud" href="/governance/cloud/endpoint-hub/inventory">
    Sync discovered AI tools and skills to SafeDep Cloud's Endpoint Hub
  </Card>

  <Card title="Shadow AI in Code" icon="brain" href="/governance/shadow-ai-detection">
    Detect AI SDK usage in source code and generate AI-enriched SBOMs
  </Card>

  <Card title="xBOM Concepts" icon="cube" href="/governance/xbom/overview">
    Learn about extended Bill of Materials and signature-based detection
  </Card>
</CardGroup>