aibom-inspector 0.1.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (72) hide show
  1. aibom_inspector-0.1.0/LICENSE +201 -0
  2. aibom_inspector-0.1.0/PKG-INFO +396 -0
  3. aibom_inspector-0.1.0/README.md +357 -0
  4. aibom_inspector-0.1.0/pyproject.toml +78 -0
  5. aibom_inspector-0.1.0/setup.cfg +4 -0
  6. aibom_inspector-0.1.0/src/aibom_inspector/__init__.py +7 -0
  7. aibom_inspector-0.1.0/src/aibom_inspector/__main__.py +7 -0
  8. aibom_inspector-0.1.0/src/aibom_inspector/attestation.py +88 -0
  9. aibom_inspector-0.1.0/src/aibom_inspector/audit_log.py +124 -0
  10. aibom_inspector-0.1.0/src/aibom_inspector/bidi_guard.py +74 -0
  11. aibom_inspector-0.1.0/src/aibom_inspector/cli.py +7 -0
  12. aibom_inspector-0.1.0/src/aibom_inspector/cli_shim.py +1210 -0
  13. aibom_inspector-0.1.0/src/aibom_inspector/control_plane.py +90 -0
  14. aibom_inspector-0.1.0/src/aibom_inspector/data/__init__.py +1 -0
  15. aibom_inspector-0.1.0/src/aibom_inspector/data/ai_threat_taxonomy.json +55 -0
  16. aibom_inspector-0.1.0/src/aibom_inspector/data/license_risk_db.json +20 -0
  17. aibom_inspector-0.1.0/src/aibom_inspector/data/model_hash_reputation.json +5 -0
  18. aibom_inspector-0.1.0/src/aibom_inspector/data/model_vulnerability_db.json +5 -0
  19. aibom_inspector-0.1.0/src/aibom_inspector/data/training_source_fingerprints.json +29 -0
  20. aibom_inspector-0.1.0/src/aibom_inspector/data_loader.py +28 -0
  21. aibom_inspector-0.1.0/src/aibom_inspector/dependency_scanner.py +737 -0
  22. aibom_inspector-0.1.0/src/aibom_inspector/evidence_export.py +55 -0
  23. aibom_inspector-0.1.0/src/aibom_inspector/feedback.py +60 -0
  24. aibom_inspector-0.1.0/src/aibom_inspector/framework_mapping.py +214 -0
  25. aibom_inspector-0.1.0/src/aibom_inspector/integrity.py +98 -0
  26. aibom_inspector-0.1.0/src/aibom_inspector/ip_protection.py +108 -0
  27. aibom_inspector-0.1.0/src/aibom_inspector/model_inspector.py +626 -0
  28. aibom_inspector-0.1.0/src/aibom_inspector/model_risk_db.py +78 -0
  29. aibom_inspector-0.1.0/src/aibom_inspector/network.py +63 -0
  30. aibom_inspector-0.1.0/src/aibom_inspector/parsers.py +292 -0
  31. aibom_inspector-0.1.0/src/aibom_inspector/pickle_inspector.py +129 -0
  32. aibom_inspector-0.1.0/src/aibom_inspector/policy.py +410 -0
  33. aibom_inspector-0.1.0/src/aibom_inspector/policy_graph.py +171 -0
  34. aibom_inspector-0.1.0/src/aibom_inspector/renderers.py +82 -0
  35. aibom_inspector-0.1.0/src/aibom_inspector/report_enrichment.py +271 -0
  36. aibom_inspector-0.1.0/src/aibom_inspector/report_loader.py +142 -0
  37. aibom_inspector-0.1.0/src/aibom_inspector/reporting.py +877 -0
  38. aibom_inspector-0.1.0/src/aibom_inspector/risk_engine.py +590 -0
  39. aibom_inspector-0.1.0/src/aibom_inspector/runtime_trace.py +143 -0
  40. aibom_inspector-0.1.0/src/aibom_inspector/scoring_models.py +229 -0
  41. aibom_inspector-0.1.0/src/aibom_inspector/stack_discovery.py +398 -0
  42. aibom_inspector-0.1.0/src/aibom_inspector/tensor_fuzz.py +253 -0
  43. aibom_inspector-0.1.0/src/aibom_inspector/trust_enforcement.py +64 -0
  44. aibom_inspector-0.1.0/src/aibom_inspector/trust_root.py +109 -0
  45. aibom_inspector-0.1.0/src/aibom_inspector/types.py +37 -0
  46. aibom_inspector-0.1.0/src/aibom_inspector/types_dependencies.py +69 -0
  47. aibom_inspector-0.1.0/src/aibom_inspector/types_models.py +58 -0
  48. aibom_inspector-0.1.0/src/aibom_inspector/types_report.py +140 -0
  49. aibom_inspector-0.1.0/src/aibom_inspector/types_risk.py +143 -0
  50. aibom_inspector-0.1.0/src/aibom_inspector.egg-info/PKG-INFO +396 -0
  51. aibom_inspector-0.1.0/src/aibom_inspector.egg-info/SOURCES.txt +70 -0
  52. aibom_inspector-0.1.0/src/aibom_inspector.egg-info/dependency_links.txt +1 -0
  53. aibom_inspector-0.1.0/src/aibom_inspector.egg-info/entry_points.txt +2 -0
  54. aibom_inspector-0.1.0/src/aibom_inspector.egg-info/requires.txt +19 -0
  55. aibom_inspector-0.1.0/src/aibom_inspector.egg-info/top_level.txt +1 -0
  56. aibom_inspector-0.1.0/tests/test_bidi_guard.py +22 -0
  57. aibom_inspector-0.1.0/tests/test_cli.py +209 -0
  58. aibom_inspector-0.1.0/tests/test_dependency_scanner.py +201 -0
  59. aibom_inspector-0.1.0/tests/test_evidence_manifest.py +39 -0
  60. aibom_inspector-0.1.0/tests/test_evidence_signing.py +45 -0
  61. aibom_inspector-0.1.0/tests/test_model_inspector.py +48 -0
  62. aibom_inspector-0.1.0/tests/test_parsers.py +79 -0
  63. aibom_inspector-0.1.0/tests/test_pickle_inspector.py +30 -0
  64. aibom_inspector-0.1.0/tests/test_policy_enforcement_graph.py +21 -0
  65. aibom_inspector-0.1.0/tests/test_policy_graph.py +75 -0
  66. aibom_inspector-0.1.0/tests/test_policy_simulation.py +56 -0
  67. aibom_inspector-0.1.0/tests/test_policy_workflow.py +126 -0
  68. aibom_inspector-0.1.0/tests/test_reporting.py +64 -0
  69. aibom_inspector-0.1.0/tests/test_risk_engine.py +86 -0
  70. aibom_inspector-0.1.0/tests/test_scoring_models.py +47 -0
  71. aibom_inspector-0.1.0/tests/test_stack_discovery.py +36 -0
  72. aibom_inspector-0.1.0/tests/test_tensor_fuzz.py +120 -0
@@ -0,0 +1,201 @@
1
+ Apache License
2
+ Version 2.0, January 2004
3
+ http://www.apache.org/licenses/
4
+
5
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6
+
7
+ 1. Definitions.
8
+
9
+ "License" shall mean the terms and conditions for use, reproduction,
10
+ and distribution as defined by Sections 1 through 9 of this document.
11
+
12
+ "Licensor" shall mean the copyright owner or entity authorized by
13
+ the copyright owner that is granting the License.
14
+
15
+ "Legal Entity" shall mean the union of the acting entity and all
16
+ other entities that control, are controlled by, or are under common
17
+ control with that entity. For the purposes of this definition,
18
+ "control" means (i) the power, direct or indirect, to cause the
19
+ direction or management of such entity, whether by contract or
20
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
21
+ outstanding shares, or (iii) beneficial ownership of such entity.
22
+
23
+ "You" (or "Your") shall mean an individual or Legal Entity
24
+ exercising permissions granted by this License.
25
+
26
+ "Source" form shall mean the preferred form for making modifications,
27
+ including but not limited to software source code, documentation
28
+ source, and configuration files.
29
+
30
+ "Object" form shall mean any form resulting from mechanical
31
+ transformation or translation of a Source form, including but
32
+ not limited to compiled object code, generated documentation,
33
+ and conversions to other media types.
34
+
35
+ "Work" shall mean the work of authorship, whether in Source or
36
+ Object form, made available under the License, as indicated by a
37
+ copyright notice that is included in or attached to the work
38
+ (an example is provided in the Appendix below).
39
+
40
+ "Derivative Works" shall mean any work, whether in Source or Object
41
+ form, that is based on (or derived from) the Work and for which the
42
+ editorial revisions, annotations, elaborations, or other modifications
43
+ represent, as a whole, an original work of authorship. For the purposes
44
+ of this License, Derivative Works shall not include works that remain
45
+ separable from, or merely link (or bind by name) to the interfaces of,
46
+ the Work and Derivative Works thereof.
47
+
48
+ "Contribution" shall mean any work of authorship, including
49
+ the original version of the Work and any modifications or additions
50
+ to that Work or Derivative Works thereof, that is intentionally
51
+ submitted to Licensor for inclusion in the Work by the copyright owner
52
+ or by an individual or Legal Entity authorized to submit on behalf of
53
+ the copyright owner. For the purposes of this definition, "submitted"
54
+ means any form of electronic, verbal, or written communication sent
55
+ to the Licensor or its representatives, including but not limited to
56
+ communication on electronic mailing lists, source code control systems,
57
+ and issue tracking systems that are managed by, or on behalf of, the
58
+ Licensor for the purpose of discussing and improving the Work, but
59
+ excluding communication that is conspicuously marked or otherwise
60
+ designated in writing by the copyright owner as "Not a Contribution."
61
+
62
+ "Contributor" shall mean Licensor and any individual or Legal Entity
63
+ on behalf of whom a Contribution has been received by Licensor and
64
+ subsequently incorporated within the Work.
65
+
66
+ 2. Grant of Copyright License. Subject to the terms and conditions of
67
+ this License, each Contributor hereby grants to You a perpetual,
68
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69
+ copyright license to reproduce, prepare Derivative Works of,
70
+ publicly display, publicly perform, sublicense, and distribute the
71
+ Work and such Derivative Works in Source or Object form.
72
+
73
+ 3. Grant of Patent License. Subject to the terms and conditions of
74
+ this License, each Contributor hereby grants to You a perpetual,
75
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76
+ (except as stated in this section) patent license to make, have made,
77
+ use, offer to sell, sell, import, and otherwise transfer the Work,
78
+ where such license applies only to those patent claims licensable
79
+ by such Contributor that are necessarily infringed by their
80
+ Contribution(s) alone or by combination of their Contribution(s)
81
+ with the Work to which such Contribution(s) was submitted. If You
82
+ institute patent litigation against any entity (including a
83
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
84
+ or a Contribution incorporated within the Work constitutes direct
85
+ or contributory patent infringement, then any patent licenses
86
+ granted to You under this License for that Work shall terminate
87
+ as of the date such litigation is filed.
88
+
89
+ 4. Redistribution. You may reproduce and distribute copies of the
90
+ Work or Derivative Works thereof in any medium, with or without
91
+ modifications, and in Source or Object form, provided that You
92
+ meet the following conditions:
93
+
94
+ (a) You must give any other recipients of the Work or
95
+ Derivative Works a copy of this License; and
96
+
97
+ (b) You must cause any modified files to carry prominent notices
98
+ stating that You changed the files; and
99
+
100
+ (c) You must retain, in the Source form of any Derivative Works
101
+ that You distribute, all copyright, patent, trademark, and
102
+ attribution notices from the Source form of the Work,
103
+ excluding those notices that do not pertain to any part of
104
+ the Derivative Works; and
105
+
106
+ (d) If the Work includes a "NOTICE" text file as part of its
107
+ distribution, then any Derivative Works that You distribute must
108
+ include a readable copy of the attribution notices contained
109
+ within such NOTICE file, excluding those notices that do not
110
+ pertain to any part of the Derivative Works, in at least one
111
+ of the following places: within a NOTICE text file distributed
112
+ as part of the Derivative Works; within the Source form or
113
+ documentation, if provided along with the Derivative Works; or,
114
+ within a display generated by the Derivative Works, if and
115
+ wherever such third-party notices normally appear. The contents
116
+ of the NOTICE file are for informational purposes only and
117
+ do not modify the License. You may add Your own attribution
118
+ notices within Derivative Works that You distribute, alongside
119
+ or as an addendum to the NOTICE text from the Work, provided
120
+ that such additional attribution notices cannot be construed
121
+ as modifying the License.
122
+
123
+ You may add Your own copyright statement to Your modifications and
124
+ may provide additional or different license terms and conditions
125
+ for use, reproduction, or distribution of Your modifications, or
126
+ for any such Derivative Works as a whole, provided Your use,
127
+ reproduction, and distribution of the Work otherwise complies with
128
+ the conditions stated in this License.
129
+
130
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
131
+ any Contribution intentionally submitted for inclusion in the Work
132
+ by You to the Licensor shall be under the terms and conditions of
133
+ this License, without any additional terms or conditions.
134
+ Notwithstanding the above, nothing herein shall supersede or modify
135
+ the terms of any separate license agreement you may have executed
136
+ with Licensor regarding such Contributions.
137
+
138
+ 6. Trademarks. This License does not grant permission to use the trade
139
+ names, trademarks, service marks, or product names of the Licensor,
140
+ except as required for reasonable and customary use in describing the
141
+ origin of the Work and reproducing the content of the NOTICE file.
142
+
143
+ 7. Disclaimer of Warranty. Unless required by applicable law or
144
+ agreed to in writing, Licensor provides the Work (and each
145
+ Contributor provides its Contributions) on an "AS IS" BASIS,
146
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147
+ implied, including, without limitation, any warranties or conditions
148
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149
+ PARTICULAR PURPOSE. You are solely responsible for determining the
150
+ appropriateness of using or redistributing the Work and assume any
151
+ risks associated with Your exercise of permissions under this License.
152
+
153
+ 8. Limitation of Liability. In no event and under no legal theory,
154
+ whether in tort (including negligence), contract, or otherwise,
155
+ unless required by applicable law (such as deliberate and grossly
156
+ negligent acts) or agreed to in writing, shall any Contributor be
157
+ liable to You for damages, including any direct, indirect, special,
158
+ incidental, or consequential damages of any character arising as a
159
+ result of this License or out of the use or inability to use the
160
+ Work (including but not limited to damages for loss of goodwill,
161
+ work stoppage, computer failure or malfunction, or any and all
162
+ other commercial damages or losses), even if such Contributor
163
+ has been advised of the possibility of such damages.
164
+
165
+ 9. Accepting Warranty or Additional Liability. While redistributing
166
+ the Work or Derivative Works thereof, You may choose to offer,
167
+ and charge a fee for, acceptance of support, warranty, indemnity,
168
+ or other liability obligations and/or rights consistent with this
169
+ License. However, in accepting such obligations, You may act only
170
+ on Your own behalf and on Your sole responsibility, not on behalf
171
+ of any other Contributor, and only if You agree to indemnify,
172
+ defend, and hold each Contributor harmless for any liability
173
+ incurred by, or claims asserted against, such Contributor by reason
174
+ of your accepting any such warranty or additional liability.
175
+
176
+ END OF TERMS AND CONDITIONS
177
+
178
+ APPENDIX: How to apply the Apache License to your work.
179
+
180
+ To apply the Apache License to your work, attach the following
181
+ boilerplate notice, with the fields enclosed by brackets "[]"
182
+ replaced with your own identifying information. (Don't include
183
+ the brackets!) The text should be enclosed in the appropriate
184
+ comment syntax for the file format. We also recommend that a
185
+ file or class name and description of purpose be included on the
186
+ same "printed page" as the copyright notice for easier
187
+ identification within third-party archives.
188
+
189
+ Copyright [yyyy] [name of copyright owner]
190
+
191
+ Licensed under the Apache License, Version 2.0 (the "License");
192
+ you may not use this file except in compliance with the License.
193
+ You may obtain a copy of the License at
194
+
195
+ http://www.apache.org/licenses/LICENSE-2.0
196
+
197
+ Unless required by applicable law or agreed to in writing, software
198
+ distributed under the License is distributed on an "AS IS" BASIS,
199
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200
+ See the License for the specific language governing permissions and
201
+ limitations under the License.
@@ -0,0 +1,396 @@
1
+ Metadata-Version: 2.4
2
+ Name: aibom-inspector
3
+ Version: 0.1.0
4
+ Summary: Security and risk analysis tool for AI projects (AI-BOM).
5
+ Author-email: Jordan Desjarlais <jordandesjarlais.2022@gmail.com>
6
+ Project-URL: Homepage, https://github.com/aibom-inspector/AI-BOM-Inspector
7
+ Project-URL: Repository, https://github.com/aibom-inspector/AI-BOM-Inspector
8
+ Project-URL: Bug Tracker, https://github.com/aibom-inspector/AI-BOM-Inspector/issues
9
+ Keywords: ai,security,supply-chain,bom,risk
10
+ Classifier: Development Status :: 5 - Production/Stable
11
+ Classifier: Intended Audience :: Developers
12
+ Classifier: License :: OSI Approved :: MIT License
13
+ Classifier: Programming Language :: Python
14
+ Classifier: Programming Language :: Python :: 3
15
+ Classifier: Programming Language :: Python :: 3.10
16
+ Classifier: Programming Language :: Python :: 3.11
17
+ Classifier: Programming Language :: Python :: 3.12
18
+ Classifier: Topic :: Security
19
+ Classifier: Topic :: Software Development :: Build Tools
20
+ Requires-Python: >=3.10
21
+ Description-Content-Type: text/markdown
22
+ License-File: LICENSE
23
+ Requires-Dist: click>=8.1.0
24
+ Requires-Dist: jinja2>=3.1.0
25
+ Requires-Dist: pydantic>=2.6.0
26
+ Requires-Dist: requests>=2.31.0
27
+ Requires-Dist: packaging>=23.0
28
+ Requires-Dist: PyYAML>=6.0.0
29
+ Requires-Dist: tomli>=2.0.1; python_version < "3.11"
30
+ Provides-Extra: huggingface
31
+ Requires-Dist: huggingface_hub>=0.26.0; extra == "huggingface"
32
+ Provides-Extra: dev
33
+ Requires-Dist: build>=1.2.1; extra == "dev"
34
+ Requires-Dist: pytest>=8.0.0; extra == "dev"
35
+ Requires-Dist: ruff>=0.6.0; extra == "dev"
36
+ Requires-Dist: mypy>=1.10.0; extra == "dev"
37
+ Requires-Dist: types-requests>=2.32.0.20240622; extra == "dev"
38
+ Dynamic: license-file
39
+
40
+ # AI-BOM Inspector
41
+
42
+ ![AI-BOM Inspector CI](https://img.shields.io/badge/AI--BOM%20Inspector-Scan%20your%20AI%20stack%20in%20CI-blue)
43
+
44
+ Offline-first SBOM + AI supply-chain risk and license scanner. Privacy posture: default is `--offline` (no network calls) unless you opt into `--online`. Local-first; optional enrichment (OSV/HF/Shadow-UEFI) can be enabled explicitly. Fully offline supported. The "AI" is transparent rules + heuristics with a deterministic executive summary that runs offline; teams can still layer in their own LLM if desired.
45
+
46
+ ## Architecture at a glance
47
+
48
+ ```mermaid
49
+ graph TD
50
+ A["CLI / API"] --> B["Manifest & SBOM parsers"]
51
+ A --> C["Model metadata loaders"]
52
+ B --> D["Risk engine"]
53
+ C --> D
54
+ D --> E["Report renderers<br/>(JSON, Markdown, HTML, CycloneDX, SPDX)"]
55
+ E --> F["CI gates<br/>(fail-on-score, diff)"]
56
+ ```
57
+
58
+ The scanner defaults to local-only analysis: it ingests manifests/SBOMs, can layer in optional OSV/Hugging Face lookups, and emits reports that CI can enforce. Network enrichment (OSV, Hugging Face, Shadow-UEFI-Intel metadata) only occurs when you deliberately pass `--online` and enable the relevant feature flag.
59
+
60
+ ## Repository layout
61
+
62
+ ```
63
+ ai-bom-inspector/
64
+ crates/
65
+ core/ # parsing, normalization, scoring (Rust extension)
66
+ licenses/ # license rules, SPDX mapping
67
+ advisories/ # CVE ingestion adapters (OSV/NVD/etc)
68
+ report/ # JSON/MD/SARIF outputs + diff support
69
+ src/ # Python package (aibom_inspector)
70
+ policies/
71
+ examples/
72
+ default.yml
73
+ strict.yml
74
+ oss-friendly.yml
75
+ schemas/
76
+ policy.schema.json
77
+ report.schema.json
78
+ integrations/
79
+ github-action/ # composite action wrapper for CI
80
+ pre-commit/ # reusable hook definition
81
+ docs/
82
+ QUICKSTART.md
83
+ POLICY.md
84
+ SCORING.md
85
+ FAQ.md
86
+ .github/
87
+ workflows/
88
+ ci.yml
89
+ scan-pr.yml # runs on PR and posts summary
90
+ tests/
91
+ README.md
92
+ ```
93
+
94
+ ## What it does
95
+ - Parse dependency manifests across Python (`requirements.txt`, `pyproject.toml`), JavaScript (`package.json` / `package-lock.json`), Go (`go.mod`), and Java (`pom.xml`)
96
+ - Ingest existing SBOMs (`--sbom-file`) and export CycloneDX or SPDX alongside AI-BOM extensions
97
+ - Gather AI model metadata from JSON or explicit Hugging Face IDs and auto-discover model references (OpenAI/Anthropic calls, `from_pretrained` loads, pipeline configs) directly from your repo
98
+ - Apply heuristics for pins, stale models, license posture (permissive vs copyleft vs proprietary vs unknown), and optional CVE lookups via OSV
99
+ - Surface AI model lineage, training data provenance, license ambiguity, and model risk profiles so AI-BOM metadata is front-and-center for governance reviews
100
+ - Inspect model artifacts (safetensors/pickle checkpoints) for poisoned weights or unsafe globals and compute hashes for reputation checks
101
+ - Cross-check models against local vulnerability/advisory feeds, training source fingerprints, and map findings to STRIDE + MITRE ATLAS categories
102
+ - Emit JSON, Markdown, HTML, CycloneDX, or SPDX reports with risk breakdowns driven by explainable heuristics plus a deterministic, offline AI summary (optionally replaceable by your own LLM if desired)
103
+ - Optionally pull firmware research context from [Shadow-UEFI-Intel](https://github.com/MellyFinnese/Shadow-UEFI-Intel) when `--online --enable-shadow-uefi-intel` is used
104
+ - Maintain evidence chain-of-custody with attestations, audit logs, and integrity checks so governance teams can trace decisions end-to-end
105
+ - Provide score explainability artifacts (policy version, intel versions, weight breakdowns, temporal multipliers) to make risk outcomes audit-ready
106
+ - Require org context (asset criticality, data sensitivity, environment) so scores cannot be generated without enterprise context
107
+
108
+ The default reports only use deterministic heuristics; the "AI summary" field is generated offline from the scan findings so teams get an executive-ready summary without hosted inference.
109
+
110
+ ## Network behavior
111
+ - Global posture: `--offline` is the default and hard-blocks every remote call. Expect `[OFFLINE_MODE]` / `[CVE_LOOKUP_SKIPPED]` annotations in reports when enrichment is skipped.
112
+ - Opt-in enrichment: add `--online` to allow outbound calls, then enable specific feeds (e.g., `--with-cves`, `--model-id`, `--enable-shadow-uefi-intel`) to choose what actually dials out.
113
+ - Local-only hardening: pass `--local-only` (or keep `--safe-mode` enabled) to enforce zero outbound fetches even if `--online` is set.
114
+ - Endpoints and payloads:
115
+
116
+ | Endpoint | When it fires | Data sent | How to disable |
117
+ | --- | --- | --- | --- |
118
+ | `https://api.osv.dev/v1/query` (or `OSV_API_URL`) | `--online` **and** `--with-cves` | JSON body containing `package.name`, `package.ecosystem`, and `version` for each dependency | Default offline; omit `--with-cves`; keep `--offline`; or point `OSV_API_URL` to an internal mirror |
119
+ | `https://huggingface.co/api/models/<id>` (or `huggingface_hub` SDK) | `--online` with `--model-id` or models whose `source` is `huggingface` | Model identifier only; response cached locally | Default offline; avoid `--online`; or provide a fully populated `models.json` |
120
+ | GitHub API for [Shadow-UEFI-Intel](https://github.com/MellyFinnese/Shadow-UEFI-Intel) | `--online` **and** `--enable-shadow-uefi-intel` | Repository metadata fetch; no project data sent | Default is disabled; leave `--enable-shadow-uefi-intel` off or keep `--offline` enabled |
121
+ | Local model advisory/hash databases (`model_vulnerability_db.json`, `model_hash_reputation.json`) | Always local unless you point to a custom URL | None (local JSON only) | Use defaults or pass `--model-advisory-db` / `--model-hash-db` |
122
+ | Future feeds | Any new integrations (documented as added) | Varies by feed | Default offline; disable the specific feature flag; or run with `--offline` |
123
+
124
+ Timeouts can be tuned via `--osv-timeout`, `--shadow-uefi-timeout`, or the `OSV_API_TIMEOUT` / `SHADOW_UEFI_INTEL_TIMEOUT` environment variables.
125
+
126
+ ## Installation
127
+ - **Pinned release from GitHub (current canonical path):**
128
+ ```bash
129
+ pip install "aibom-inspector @ git+https://github.com/aibom-inspector/AI-BOM-Inspector.git@main"
130
+ # Prefer a tagged release for CI:
131
+ pip install "aibom-inspector @ git+https://github.com/aibom-inspector/AI-BOM-Inspector.git@v0.1.0"
132
+ ```
133
+ - **Editable dev install:**
134
+ ```bash
135
+ pip install -e .[dev]
136
+ ```
137
+ - **Wheels:** the Rust extension ships as a wheel when you build from source—`python -m build` will produce a `.whl` under `dist/` for airgapped installs.
138
+ - **PyPI readiness:** packaging metadata and wheels are production-ready for internal or public registries; use GitHub release pins above for stable CI installs or build a wheel locally for airgapped environments.
139
+
140
+ ## Build + SBOM generation
141
+ - Build a wheel for offline installs:
142
+ ```bash
143
+ python -m build
144
+ ```
145
+ - Generate a CycloneDX SBOM for this tool:
146
+ ```bash
147
+ pip install cyclonedx-bom
148
+ cyclonedx-py -o aibom-inspector-sbom.json
149
+ ```
150
+
151
+ ## Getting started
152
+ 1. Create a `models.json` file if you want to include model metadata (auto-discovery will still pull model IDs out of your code/configs when this is omitted). A ready-to-use sample lives in `examples/models.sample.json`:
153
+ ```json
154
+ [
155
+ {"id": "gpt2", "source": "huggingface", "license": "mit", "last_updated": "2024-01-01"},
156
+ {"id": "custom-embedder", "source": "private"}
157
+ ]
158
+ ```
159
+ 2. Run the scanner (auto-detects dependency files when present):
160
+ ```bash
161
+ aibom scan --models-file models.json --format html --output report.html
162
+ ```
163
+ Run `aibom scan --help` for the full list of options and supported formats.
164
+
165
+ Network calls are off by default; add `--online` (plus flags like `--with-cves` or `--model-id`) if you want remote enrichment.
166
+
167
+ ### Who is this for?
168
+ - AppSec and security engineers who want CI/CD-friendly AI-BOMs without shipping code to a third party
169
+ - MLOps/platform teams who need model metadata (license, freshness, advisories) next to dependencies
170
+ - Builders who want tweakable, explainable rules instead of black-box scanners
171
+
172
+ ### Why this vs. Snyk & friends?
173
+ - **Small, OSS, local-first**: zero data leaves your laptop or CI box.
174
+ - **AI-stack aware**: treats models as first-class assets instead of opaque blobs.
175
+ - **Customizable rules**: heuristics are readable Python, not black-box policies.
176
+ - **Offline gates + allowlists + model-as-asset scoring**: enforce allowlisted model sources, run fully offline by default, and score models/dependencies together—capabilities that hosted scanners often treat as optional add-ons.
177
+
178
+ ## Examples
179
+ - **End-to-end demo** (`examples/demo/`): tiny app with `requirements.txt`, `pyproject.toml`, `package-lock.json`, `go.mod`, `models.json`, and generated `aibom-report.json/md/html`.
180
+ - HTML report snapshot: open `examples/demo/aibom-report.html`
181
+ - Markdown rendering snapshot: see `examples/demo/aibom-report.md`
182
+ - Before/after hygiene comparison: `docs/screenshots/before-after.html`
183
+
184
+ Small JSON excerpt (full file in `examples/demo/aibom-report.json`):
185
+ ```json
186
+ {
187
+ "stack_risk_score": 30,
188
+ "risk_breakdown": {"unpinned_deps": 3, "unverified_sources": 0, "unknown_licenses": 1, "stale_models": 1},
189
+ "dependencies": [{"name": "urllib3", "issues": ["[KNOWN_VULN] CVE-2019-11324: CRLF injection when retrieving HTTP headers"]}],
190
+ "models": [{"id": "gpt2", "issues": ["[STALE_MODEL] Model metadata is stale", "[MODEL_VULNERABILITY] Advisory feed match (model_vulnerability_db.json)"]}]
191
+ }
192
+ ```
193
+ - **Screenshots:**
194
+ - HTML report: open `examples/demo/aibom-report.html`
195
+ - Markdown rendering: view `examples/demo/aibom-report.md`
196
+ - Before vs. after: open `docs/screenshots/before-after.html`
197
+ - **Sample models file:** `examples/models.sample.json`
198
+ - **Sample Markdown report:** `examples/report.sample.md`
199
+ - **Example commands:**
200
+ - Only dependency scan with autodetection: `aibom scan --format json`
201
+ - Include models from a file: `aibom scan --models-file examples/models.sample.json --format markdown --output report.md`
202
+ - Specify models inline: `aibom scan --online --model-id gpt2 --model-id meta-llama/Llama-3-8B --format html`
203
+ - Enrich CVEs during the scan: `aibom scan --online --with-cves --format json`
204
+ - Use local model advisory and hash feeds: `aibom scan --models-file models.json --model-advisory-db feeds/model_vulnerability_db.json --model-hash-db feeds/model_hash_reputation.json`
205
+ - Apply training source fingerprints: `aibom scan --models-file models.json --training-source-db feeds/training_source_fingerprints.json`
206
+ - Include non-Python manifests: `aibom scan --manifest package-lock.json --manifest go.mod --format json`
207
+ - Import an SBOM: `aibom scan --sbom-file path/to/cyclonedx.json --format html --output merged-report.html`
208
+ - Run fully offline (no OSV/HF calls): `aibom scan --format markdown`
209
+ - Require inputs or fail fast: `aibom scan --require-input`
210
+ - Export CycloneDX: `aibom scan --format cyclonedx --sbom-output aibom-cyclonedx.json`
211
+ - Fail CI if health score < 70: `aibom scan --fail-on-score 70 --format html`
212
+ - Inspect model weights directly (detect NaNs/LSB steganography): `aibom weights my_model.safetensors --json`
213
+ - Quick comparison of two runs: `aibom diff aibom-report-old.json aibom-report-new.json`
214
+
215
+ ## Highest-impact capabilities
216
+ See [docs/HIGHEST_IMPACT_NEXT_MOVES.md](docs/HIGHEST_IMPACT_NEXT_MOVES.md) for the capabilities that enable the end-to-end `discover → enforce` loop, policy-as-code UX, and GitHub-native SARIF outputs.
217
+
218
+ ## Enterprise trust baseline
219
+ See [docs/ENTERPRISE_TRUST_BASELINE.md](docs/ENTERPRISE_TRUST_BASELINE.md) for the deal-maker controls around provenance/signing, artifact integrity, and dependency trust enforcement that enterprises expect in CI/CD rollouts.
220
+
221
+ ## Enterprise control plane
222
+ - [Enterprise Control Plane](docs/ENTERPRISE_CONTROL_PLANE.md): multi-tenant governance, evidence storage, and CI/CD enforcement.
223
+ - [Enterprise roadmap](docs/ENTERPRISE_ROADMAP.md): central policy server, org audit features, dashboards, and web UI milestones.
224
+ - [Open-core boundary](docs/OPEN_CORE_BOUNDARY.md): commercial vs OSS separation and packaging.
225
+ - [AI supply chain threat model](docs/AI_SUPPLY_CHAIN_THREAT_MODEL.md): sales-ready threat taxonomy and control mapping.
226
+ - [Deployment reference](docs/DEPLOYMENT_REFERENCE.md): SaaS/on-prem parity and isolation model.
227
+ - [Policy engine deep dive](docs/POLICY_ENGINE_DEEP_DIVE.md): deterministic enforcement and explainability.
228
+
229
+ ### 30-second sample report (before vs. after)
230
+ - **Input SBOM**: lightweight CycloneDX with a few Python and npm components plus a Hugging Face model ID.
231
+ - **Before (messy state)**:
232
+ - Command: `aibom scan --sbom-file examples/demo/aibom-report.json --format markdown --output before.md --fail-on-score 70`
233
+ - Top findings: `MISSING_PIN` for multiple deps, `UNKNOWN_LICENSE` on the model, `STALE_MODEL`, demo `KNOWN_VULN` entry, and `UNVERIFIED_SOURCE`.
234
+ - Outcome: `stack_risk_score` ≈ 50 and exit code **1** because it failed the `--fail-on-score 70` gate.
235
+ - **After (hardened state)**:
236
+ - Command: `aibom scan --sbom-file examples/demo/aibom-report.json --models-file examples/models.sample.json --format markdown --output after.md --fail-on-score 70 --online --with-cves`
237
+ - Top findings: `CVE` hits (if any) plus minor governance nits; pins and licenses quiet down once manifests and model metadata are cleaned up.
238
+ - Outcome: `stack_risk_score` in the high 80s and exit code **0**, making it CI-safe.
239
+
240
+ ### AI-BOM extensions
241
+
242
+ CycloneDX and SPDX exports include AI-BOM extension data (e.g., `aibom:source`, license category, risk score, and issues) alongside the standard SBOM fields. See `docs/ai-bom-extensions.md` for the JSON schema and how each extension maps into CycloneDX properties and SPDX summaries.
243
+
244
+ ### Standards alignment
245
+ - **AI-BOM schema mapping**: `schemas/report.schema.json` tracks the AI-BOM JSON conventions and is structured to align with the TAIBOM-style trust/attestation fields emerging in the community (e.g., explicit model source, license, provenance, and risk signals).
246
+ - **CycloneDX/SPDX bridges**: the CycloneDX/SPDX exporters project `aibom:*` properties into vendor-neutral fields so the output can slot into existing SBOM pipelines without custom parsers.
247
+ - **Reference-first posture**: schema updates aim to follow the AI-BOM working drafts; additions are scoped so teams can diff their SBOMs against the schema and treat this project as a reference implementation rather than a one-off tool.
248
+ - **Credibility pack**: `docs/credibility-pack/` ships SBOM slices, a repo list, and a scoreboard you can rerun to validate detection heuristics and false-positive rates.
249
+
250
+ ### Output formats at a glance
251
+ See `docs/OUTPUTS.md` for a side-by-side JSON, SARIF, and CycloneDX example plus guidance on when to use each.
252
+
253
+ ### Adoption defaults
254
+ - **Gates to start with**: fail CI on `--fail-on-score 70`, require allowlisted model sources (`--require-input` plus allowlist rules in `policies/examples/*`), and keep `--offline` as the default posture.
255
+ - **CI vs. local**: run `aibom scan --format json --output aibom-report.json --fail-on-score 70` in CI, then publish CycloneDX/SPDX via `--format cyclonedx` or `--format spdx` for downstream compliance jobs. Locally, add `--format html` or `--format markdown` for readability and iterate with `--diff` against previous runs.
256
+ - **Policy cookbook**: see `docs/POLICY_COOKBOOK.md` for OSS-friendly, enterprise-strict, and regulated defaults that can be copied into your own policy file (HIPAA, SOC 2, ISO/IEC 42001 packs are in `policies/examples/`).
257
+
258
+ Configuration tips:
259
+
260
+ - OSV enrichment uses the public API by default; override with `--osv-url` or `OSV_API_URL` and adjust the HTTP timeout via `--osv-timeout` or `OSV_API_TIMEOUT`.
261
+ - Model risk databases can be swapped via `--model-advisory-db`, `--model-hash-db`, `--license-risk-db`, and `--training-source-db` when you want to point at internal mirrors or curated feeds.
262
+
263
+ ## Heuristics & Risk Signals
264
+ AI-BOM Inspector ships with lightweight, explainable checks that map to common AI supply-chain issues:
265
+
266
+ | Code | What it means | Severity |
267
+ | --- | --- | --- |
268
+ | `MISSING_PIN` | Dependency version not pinned with `==`/`~=` | High |
269
+ | `LOOSE_PIN` | Dependency uses a range (`>=`, `<=`, etc.) | Medium |
270
+ | `UNSTABLE_VERSION` | Pre-1.0 releases that may churn | Medium |
271
+ | `KNOWN_VULN` / `CVE` | Known vulnerable versions (built-in heuristics + optional OSV lookup; recommends safer versions when known) | High |
272
+ | `LICENSE_RISK` | Copyleft / reciprocal terms detected for a model | Medium |
273
+ | `MODEL_LICENSE_RESTRICTED` | Restricted or custom model license detected (OpenRAIL, research-only, etc.) | Medium |
274
+ | `PROPRIETARY_AI_RISK` | Proprietary model license may limit auditability or reuse | Medium |
275
+ | `UNKNOWN_LICENSE` | Model or SBOM component lacks license metadata | High |
276
+ | `STALE_MODEL` | Model metadata older than ~9 months | Medium |
277
+ | `UNVERIFIED_SOURCE` | Non-standard model source value | Medium |
278
+ | `MODEL_VULNERABILITY` | Model flagged by a vulnerability/advisory feed | High |
279
+ | `MODEL_HASH_MALICIOUS` | Model hash matches a malicious fingerprint | High |
280
+ | `MODEL_WEIGHT_ANOMALY` | Safetensors inspection detected poisoned/steganographic weights | High |
281
+ | `PICKLE_DANGEROUS_GLOBALS` | Pickle checkpoint references dangerous globals | High |
282
+ | `MODEL_LINEAGE_RISK` | Base model lineage contains license or vulnerability risk | Medium |
283
+ | `MODEL_LINEAGE_UNKNOWN` | Base model lineage not present in scan context | Medium |
284
+ | `FINE_TUNE_INHERITANCE_RISK` | Fine-tune inherits high-risk findings from base model | High |
285
+ | `DATASET_CONTAMINATION_RISK` | Training sources suggest contamination or policy exposure | High |
286
+ | `TRAINING_SOURCE_RISK` | Training source requires additional governance review | Medium |
287
+ | `SUPPLY_CHAIN_ANOMALY` | Model hash mismatch or artifact integrity anomaly detected | High |
288
+ | `MODEL_HASH_INVALID` | Declared model hash is not a valid SHA256 fingerprint | Medium |
289
+ | `MODEL_HASH_MISSING` | Model artifacts present without declared hashes | Medium |
290
+ | `OFFLINE_MODE` / `CVE_LOOKUP_SKIPPED` | Scan ran offline or without network dependencies; no remote enrichment performed | Low |
291
+ | `METADATA_UNAVAILABLE` | Model registry/API could not be reached; metadata reused from cache with a warning | Low |
292
+ | `INVALID_SBOM` | SBOM could not be parsed; flagged as an issue instead of crashing the scan | Medium |
293
+
294
+ The report shows a `stack_risk_score` (0–100, higher is healthier) and a `risk_breakdown` capturing unpinned deps, unverified sources, unknown licenses, stale models, and CVE hits. Tune the scoring with `--risk-max-score`, per-severity `--risk-penalty-*` flags, and governance/CVE penalties so teams can calibrate what “red” means for them. Conceptually, this is a health score: penalties are subtracted from the maximum, so `--fail-on-score 70` means “fail if health drops below 70/100.”
295
+
296
+ ### How the risk score is computed
297
+ - Start from `risk_settings.max_score` (default 100) and subtract penalties instead of adding danger points.
298
+ - Every dependency/model issue subtracts `risk_settings.penalty_for(severity)` (default high=8, medium=4, low=2).
299
+ - Governance penalties subtract an extra `governance_penalty` for each unpinned dependency and unverified model source; CVE hits subtract `cve_penalty` to emphasize known exploit paths.
300
+ - Active exploitation flags override baseline scoring with `active_exploitation_penalty`, ensuring live exploitation signals dominate baseline severity math.
301
+ - The resulting value is clamped between 0–`max_score`, giving you a “health score” you can fail CI on via `--fail-on-score`.
302
+
303
+ ### Recommended scoring policy
304
+ - **Start conservative**: gate on `--fail-on-score 70` while teams pilot the tool; after triage, ratchet up to **80** once noisy signals are addressed.
305
+ - **Respond by signal type**:
306
+ - `MISSING_PIN` / `LOOSE_PIN`: add explicit `==` pins (or `~=` if you must) and commit lockfiles.
307
+ - `UNKNOWN_LICENSE` / `LICENSE_RISK`: annotate licenses in `models.json` and prefer permissive alternatives when available.
308
+ - `STALE_MODEL`: update to a fresher model release or document a waiver in `models.json`.
309
+ - `KNOWN_VULN` / `CVE`: upgrade to the suggested safe version; if blocked, add a comment in your SBOM or pin to a patched fork.
310
+ - `UNVERIFIED_SOURCE`: source models from trusted registries (Hugging Face, internal artifactory) and record provenance.
311
+ - `OFFLINE_MODE` / `CVE_LOOKUP_SKIPPED`: rerun with network access before shipping to ensure enrichment isn’t missing critical advisories.
312
+
313
+ ### Assumptions and known limitations
314
+ - **Offline mode trades fidelity for privacy:** metadata/CVE lookups are skipped; issues are marked with `OFFLINE_MODE` / `CVE_LOOKUP_SKIPPED` so reviewers know enrichment was suppressed.
315
+ - **SBOM trust but verify:** malformed SBOMs are surfaced as `INVALID_SBOM` issues and ignored otherwise; well-formed CycloneDX/SPDX inputs are merged into the dependency set.
316
+ - **Model metadata freshness depends on registries:** network failures are tolerated and recorded as `METADATA_UNAVAILABLE`, but license/freshness signals may be stale until the registry is reachable again.
317
+ - **Weight inspection is heuristic:** the safetensors scanner samples bits and looks for NaNs/Inf/LSB bias; unusual dtypes or truncated files raise clear errors instead of silently passing.
318
+
319
+ ### Threat taxonomy + MITRE ATLAS mapping
320
+ AI-BOM Inspector attaches explicit AI threat categories and STRIDE classifications to model findings. Mappings are surfaced in the report framework section and can be tailored via a local taxonomy file:
321
+ - Default taxonomy: `src/aibom_inspector/data/ai_threat_taxonomy.json`
322
+ - Override: `aibom scan --threat-taxonomy-db path/to/ai_threat_taxonomy.json`
323
+ - MITRE ATLAS controls appear alongside NIST AI RMF, ISO/IEC 42001, OWASP LLM Top 10, SOC 2, and EU AI Act mappings.
324
+ See `docs/THREAT_TAXONOMY.md` for the default taxonomy and extension guidance.
325
+
326
+ ### Model risk databases
327
+ Model risk intelligence is local-first. You can ship curated JSON feeds in-repo or pull them from internal mirrors:
328
+ - **Model vulnerability DB:** `model_vulnerability_db.json` (use `--model-advisory-db` to override)
329
+ - **Model hash reputation DB:** `model_hash_reputation.json` (use `--model-hash-db` to override)
330
+ - **License risk DB:** `license_risk_db.json` (use `--license-risk-db` to override)
331
+ - **Training source fingerprints:** `training_source_fingerprints.json` (use `--training-source-db` to override)
332
+
333
+ ### Before vs. after hardening
334
+
335
+ | Scenario | Risk score | Signals |
336
+ | --- | --- | --- |
337
+ | **Messy AI stack** | 48/100 | Unpinned `package-lock.json`, unknown model license, stale model metadata |
338
+ | **Hardened AI stack** | 88/100 | All deps pinned, permissive licenses, fresh model metadata, no advisories |
339
+
340
+ ### Example: scanning a real project
341
+ ```bash
342
+ aibom scan --requirements requirements.txt --models-file models.json --with-cves --format html --output report.html \
343
+ --risk-penalty-high 10 --risk-penalty-medium 5 --risk-penalty-low 2
344
+ ```
345
+ Pair it with `aibom diff report-old.json report-new.json` to highlight PR drift, or run in CI with `--fail-on-score 70`.
346
+
347
+ ## Performance & scale signals
348
+ Baseline timings below were captured on the included demo project to give teams a starting point. Re-run in your own CI to capture local baselines:
349
+
350
+ | Scenario | Command | Result |
351
+ | --- | --- | --- |
352
+ | Demo project scan | `PYTHONPATH=src python -m aibom_inspector.cli scan --requirements examples/demo/requirements.txt --pyproject examples/demo/pyproject.toml --manifest examples/demo/package-lock.json --manifest examples/demo/go.mod --models-file examples/demo/models.json --format json --output /tmp/aibom-report.json` | 2.16s real (container, Python 3.10.19) |
353
+
354
+ Use `/usr/bin/time -p` or your CI timing metrics to capture project-specific numbers (dependency count, model count, and total runtime).
355
+
356
+
357
+ ## Testing and CI
358
+ - Run unit tests: `pytest`
359
+ - GitHub Action: `.github/workflows/scan-pr.yml` uses the bundled composite action to scan PRs and post a risk comment.
360
+ - One-command SARIF + Markdown upload (offline by default; pair with `--online --with-cves` when you want CVEs):
361
+ ```yaml
362
+ name: AI-BOM Inspector
363
+ on: [pull_request]
364
+ jobs:
365
+ scan:
366
+ runs-on: ubuntu-latest
367
+ steps:
368
+ - uses: actions/checkout@v4
369
+ - name: Install AI-BOM Inspector
370
+ run: pip install aibom-inspector
371
+ - name: Scan AI stack and emit SARIF + Markdown
372
+ run: >-
373
+ aibom scan --format sarif --output aibom-report.sarif --markdown-output aibom-report.md
374
+ --fail-on-score 75 --require-input
375
+ - name: Upload SARIF to GitHub Security
376
+ uses: github/codeql-action/upload-sarif@v3
377
+ with:
378
+ sarif_file: aibom-report.sarif
379
+ - name: Upload Markdown artifact
380
+ uses: actions/upload-artifact@v4
381
+ with:
382
+ name: aibom-report
383
+ path: aibom-report.md
384
+ ```
385
+ - CI guardrails: keep `--offline` unless you need enrichments; when allowed, add `--online --with-cves` to the scan step and adjust allowlists accordingly.
386
+
387
+ ## Releases and distribution
388
+ - **Tagged releases**: we cut signed Git tags for CLI milestones; package metadata lives in `pyproject.toml` and tracks the changelog.
389
+ - **PyPI**: publishing is planned under the `aibom-inspector` name; until then, install from source (`pip install -e .[dev]`) or lock to a tag tarball.
390
+ - **Versioning**: semantic-ish—patch releases for heuristics/docs, minor bumps when report schemas or exit codes change.
391
+
392
+ ## Security, governance, and contributions
393
+ - See `SECURITY.md` for how to report vulnerabilities.
394
+ - See `CODE_OF_CONDUCT.md` for community standards.
395
+ - See `CONTRIBUTING.md` for development conventions and how to propose changes.
396
+ - `CHANGELOG.md` tracks notable updates.