aisbom-cli 1.1.0__tar.gz → 1.2.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,3 +1,28 @@
1
+ Metadata-Version: 2.4
2
+ Name: aisbom-cli
3
+ Version: 1.2.0
4
+ Summary: An AI Supply Chain security tool that that detects Pickle bombs and generates CycloneDX SBOMs for Machine Learning models.
5
+ License-File: LICENSE
6
+ Author: Ajoy L
7
+ Author-email: lab700xdev@gmail.com
8
+ Requires-Python: >=3.11,<4.0
9
+ Classifier: Programming Language :: Python :: 3
10
+ Classifier: Programming Language :: Python :: 3.11
11
+ Classifier: Programming Language :: Python :: 3.12
12
+ Classifier: Programming Language :: Python :: 3.13
13
+ Classifier: Programming Language :: Python :: 3.14
14
+ Requires-Dist: click (<8.5.0)
15
+ Requires-Dist: cyclonedx-python-lib (>=8.5,<12.0)
16
+ Requires-Dist: packaging (>=24,<27)
17
+ Requires-Dist: pip-requirements-parser (>=32.0.1,<33.0.0)
18
+ Requires-Dist: requests (>=2.32.3,<3.0.0)
19
+ Requires-Dist: rich (>=13.7.1,<16.0.0)
20
+ Requires-Dist: spdx-tools (>=0.8.3,<0.9.0)
21
+ Requires-Dist: typer[all] (>=0.12.5,<0.27.0)
22
+ Project-URL: Homepage, https://www.aisbom.io/
23
+ Project-URL: Repository, https://github.com/Lab700xOrg/aisbom
24
+ Description-Content-Type: text/markdown
25
+
1
26
  # AIsbom: The Supply Chain for Artificial Intelligence
2
27
 
3
28
  [![PyPI version](https://img.shields.io/pypi/v/aisbom-cli.svg)](https://pypi.org/project/aisbom-cli/)
@@ -236,6 +261,23 @@ When the scan is clean, the comment collapses to a one-line ✅:
236
261
 
237
262
  Re-runs update the same comment in place via a hidden `<!-- aisbom-action -->` marker — you'll never see stacked AIsbom comments on the same PR.
238
263
 
264
+ ### Hosted dashboard (optional)
265
+
266
+ The PR comment shows you each scan; the hosted dashboard at [app.aisbom.io](https://app.aisbom.io) keeps the history. Set the optional `token` input and every scan's SBOM is posted to your inventory dashboard, where you can browse artifacts across repos and branches, track drift over time, and share an executive view with compliance stakeholders:
267
+
268
+ ```yaml
269
+ - uses: Lab700xOrg/aisbom@v1
270
+ with:
271
+ directory: models/
272
+ token: ${{ secrets.AISBOM_TOKEN }}
273
+ ```
274
+
275
+ Get a per-repo token at <https://app.aisbom.io/connect> (sign in with GitHub). Leave `token` unset and the Action stays purely local — nothing is sent to the dashboard.
276
+
277
+ #### Data flow & privacy
278
+
279
+ When (and only when) `token` is set, the Action POSTs the generated CycloneDX SBOM JSON to `https://app.aisbom.io/v1/scan-result`, along with the branch/tag name (`GITHUB_REF_NAME`) so the dashboard can attribute results to the right ref. That's the entire payload: the SBOM describes the *structure and findings* of your model files (names, hashes, licenses, risk levels) — never the weights or file contents, which don't leave the GitHub runner. Data is stored in the EU (Cloudflare R2/D1, EU jurisdiction). Every upload is announced in a loud log group in your CI output, so your logs always show when a network call happened and where the data went. To stop uploading, remove the `token` input — there is no background or implicit sending.
280
+
239
281
  See [`action/README_ACTION.md`](action/README_ACTION.md) for the full inputs/outputs reference, permissions block, and troubleshooting.
240
282
 
241
283
  ---
@@ -350,3 +392,4 @@ As of **0.9.1**, telemetry is **on by default**. `AISBOM_NO_TELEMETRY=1` is the
350
392
  ---
351
393
 
352
394
  *Built with ❤️ in Austin.*
395
+
@@ -1,28 +1,3 @@
1
- Metadata-Version: 2.4
2
- Name: aisbom-cli
3
- Version: 1.1.0
4
- Summary: An AI Supply Chain security tool that that detects Pickle bombs and generates CycloneDX SBOMs for Machine Learning models.
5
- License-File: LICENSE
6
- Author: Ajoy L
7
- Author-email: lab700xdev@gmail.com
8
- Requires-Python: >=3.11,<4.0
9
- Classifier: Programming Language :: Python :: 3
10
- Classifier: Programming Language :: Python :: 3.11
11
- Classifier: Programming Language :: Python :: 3.12
12
- Classifier: Programming Language :: Python :: 3.13
13
- Classifier: Programming Language :: Python :: 3.14
14
- Requires-Dist: click (<8.4.0)
15
- Requires-Dist: cyclonedx-python-lib (>=8.5,<12.0)
16
- Requires-Dist: packaging (>=24,<27)
17
- Requires-Dist: pip-requirements-parser (>=32.0.1,<33.0.0)
18
- Requires-Dist: requests (>=2.32.3,<3.0.0)
19
- Requires-Dist: rich (>=13.7.1,<15.0.0)
20
- Requires-Dist: spdx-tools (>=0.8.3,<0.9.0)
21
- Requires-Dist: typer[all] (>=0.12.5,<0.26.0)
22
- Project-URL: Homepage, https://www.aisbom.io/
23
- Project-URL: Repository, https://github.com/Lab700xOrg/aisbom
24
- Description-Content-Type: text/markdown
25
-
26
1
  # AIsbom: The Supply Chain for Artificial Intelligence
27
2
 
28
3
  [![PyPI version](https://img.shields.io/pypi/v/aisbom-cli.svg)](https://pypi.org/project/aisbom-cli/)
@@ -261,6 +236,23 @@ When the scan is clean, the comment collapses to a one-line ✅:
261
236
 
262
237
  Re-runs update the same comment in place via a hidden `<!-- aisbom-action -->` marker — you'll never see stacked AIsbom comments on the same PR.
263
238
 
239
+ ### Hosted dashboard (optional)
240
+
241
+ The PR comment shows you each scan; the hosted dashboard at [app.aisbom.io](https://app.aisbom.io) keeps the history. Set the optional `token` input and every scan's SBOM is posted to your inventory dashboard, where you can browse artifacts across repos and branches, track drift over time, and share an executive view with compliance stakeholders:
242
+
243
+ ```yaml
244
+ - uses: Lab700xOrg/aisbom@v1
245
+ with:
246
+ directory: models/
247
+ token: ${{ secrets.AISBOM_TOKEN }}
248
+ ```
249
+
250
+ Get a per-repo token at <https://app.aisbom.io/connect> (sign in with GitHub). Leave `token` unset and the Action stays purely local — nothing is sent to the dashboard.
251
+
252
+ #### Data flow & privacy
253
+
254
+ When (and only when) `token` is set, the Action POSTs the generated CycloneDX SBOM JSON to `https://app.aisbom.io/v1/scan-result`, along with the branch/tag name (`GITHUB_REF_NAME`) so the dashboard can attribute results to the right ref. That's the entire payload: the SBOM describes the *structure and findings* of your model files (names, hashes, licenses, risk levels) — never the weights or file contents, which don't leave the GitHub runner. Data is stored in the EU (Cloudflare R2/D1, EU jurisdiction). Every upload is announced in a loud log group in your CI output, so your logs always show when a network call happened and where the data went. To stop uploading, remove the `token` input — there is no background or implicit sending.
255
+
264
256
  See [`action/README_ACTION.md`](action/README_ACTION.md) for the full inputs/outputs reference, permissions block, and troubleshooting.
265
257
 
266
258
  ---
@@ -375,4 +367,3 @@ As of **0.9.1**, telemetry is **on by default**. `AISBOM_NO_TELEMETRY=1` is the
375
367
  ---
376
368
 
377
369
  *Built with ❤️ in Austin.*
378
-
@@ -1,6 +1,6 @@
1
1
  [tool.poetry]
2
2
  name = "aisbom-cli"
3
- version = "1.1.0"
3
+ version = "1.2.0"
4
4
  description = "An AI Supply Chain security tool that that detects Pickle bombs and generates CycloneDX SBOMs for Machine Learning models."
5
5
  authors = ["Ajoy L <lab700xdev@gmail.com>"]
6
6
  readme = "README.md"
@@ -9,11 +9,11 @@ repository = "https://github.com/Lab700xOrg/aisbom"
9
9
  urls = { "Homepage" = "https://www.aisbom.io/" }
10
10
  [tool.poetry.dependencies]
11
11
  python = "^3.11"
12
- typer = {extras = ["all"], version = ">=0.12.5,<0.26.0"}
13
- rich = ">=13.7.1,<15.0.0"
12
+ typer = {extras = ["all"], version = ">=0.12.5,<0.27.0"}
13
+ rich = ">=13.7.1,<16.0.0"
14
14
  cyclonedx-python-lib = ">=8.5,<12.0"
15
15
  pip-requirements-parser = "^32.0.1"
16
- click = "<8.4.0"
16
+ click = "<8.5.0"
17
17
  spdx-tools = "^0.8.3"
18
18
  packaging = ">=24,<27"
19
19
 
File without changes
File without changes
File without changes
File without changes
File without changes
File without changes
File without changes