aisbom-cli 1.1.0__tar.gz → 1.2.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- aisbom_cli-1.1.0/README.md → aisbom_cli-1.2.0/PKG-INFO +43 -0
- aisbom_cli-1.1.0/PKG-INFO → aisbom_cli-1.2.0/README.md +17 -26
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/pyproject.toml +4 -4
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/LICENSE +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/__init__.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/cli.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/diff.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/linter.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/mock_generator.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/properties.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/remote.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/safety.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/scanner.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/spdx_gen.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/telemetry.py +0 -0
- {aisbom_cli-1.1.0 → aisbom_cli-1.2.0}/aisbom/version_check.py +0 -0
|
@@ -1,3 +1,28 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: aisbom-cli
|
|
3
|
+
Version: 1.2.0
|
|
4
|
+
Summary: An AI Supply Chain security tool that that detects Pickle bombs and generates CycloneDX SBOMs for Machine Learning models.
|
|
5
|
+
License-File: LICENSE
|
|
6
|
+
Author: Ajoy L
|
|
7
|
+
Author-email: lab700xdev@gmail.com
|
|
8
|
+
Requires-Python: >=3.11,<4.0
|
|
9
|
+
Classifier: Programming Language :: Python :: 3
|
|
10
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
11
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
12
|
+
Classifier: Programming Language :: Python :: 3.13
|
|
13
|
+
Classifier: Programming Language :: Python :: 3.14
|
|
14
|
+
Requires-Dist: click (<8.5.0)
|
|
15
|
+
Requires-Dist: cyclonedx-python-lib (>=8.5,<12.0)
|
|
16
|
+
Requires-Dist: packaging (>=24,<27)
|
|
17
|
+
Requires-Dist: pip-requirements-parser (>=32.0.1,<33.0.0)
|
|
18
|
+
Requires-Dist: requests (>=2.32.3,<3.0.0)
|
|
19
|
+
Requires-Dist: rich (>=13.7.1,<16.0.0)
|
|
20
|
+
Requires-Dist: spdx-tools (>=0.8.3,<0.9.0)
|
|
21
|
+
Requires-Dist: typer[all] (>=0.12.5,<0.27.0)
|
|
22
|
+
Project-URL: Homepage, https://www.aisbom.io/
|
|
23
|
+
Project-URL: Repository, https://github.com/Lab700xOrg/aisbom
|
|
24
|
+
Description-Content-Type: text/markdown
|
|
25
|
+
|
|
1
26
|
# AIsbom: The Supply Chain for Artificial Intelligence
|
|
2
27
|
|
|
3
28
|
[](https://pypi.org/project/aisbom-cli/)
|
|
@@ -236,6 +261,23 @@ When the scan is clean, the comment collapses to a one-line ✅:
|
|
|
236
261
|
|
|
237
262
|
Re-runs update the same comment in place via a hidden `<!-- aisbom-action -->` marker — you'll never see stacked AIsbom comments on the same PR.
|
|
238
263
|
|
|
264
|
+
### Hosted dashboard (optional)
|
|
265
|
+
|
|
266
|
+
The PR comment shows you each scan; the hosted dashboard at [app.aisbom.io](https://app.aisbom.io) keeps the history. Set the optional `token` input and every scan's SBOM is posted to your inventory dashboard, where you can browse artifacts across repos and branches, track drift over time, and share an executive view with compliance stakeholders:
|
|
267
|
+
|
|
268
|
+
```yaml
|
|
269
|
+
- uses: Lab700xOrg/aisbom@v1
|
|
270
|
+
with:
|
|
271
|
+
directory: models/
|
|
272
|
+
token: ${{ secrets.AISBOM_TOKEN }}
|
|
273
|
+
```
|
|
274
|
+
|
|
275
|
+
Get a per-repo token at <https://app.aisbom.io/connect> (sign in with GitHub). Leave `token` unset and the Action stays purely local — nothing is sent to the dashboard.
|
|
276
|
+
|
|
277
|
+
#### Data flow & privacy
|
|
278
|
+
|
|
279
|
+
When (and only when) `token` is set, the Action POSTs the generated CycloneDX SBOM JSON to `https://app.aisbom.io/v1/scan-result`, along with the branch/tag name (`GITHUB_REF_NAME`) so the dashboard can attribute results to the right ref. That's the entire payload: the SBOM describes the *structure and findings* of your model files (names, hashes, licenses, risk levels) — never the weights or file contents, which don't leave the GitHub runner. Data is stored in the EU (Cloudflare R2/D1, EU jurisdiction). Every upload is announced in a loud log group in your CI output, so your logs always show when a network call happened and where the data went. To stop uploading, remove the `token` input — there is no background or implicit sending.
|
|
280
|
+
|
|
239
281
|
See [`action/README_ACTION.md`](action/README_ACTION.md) for the full inputs/outputs reference, permissions block, and troubleshooting.
|
|
240
282
|
|
|
241
283
|
---
|
|
@@ -350,3 +392,4 @@ As of **0.9.1**, telemetry is **on by default**. `AISBOM_NO_TELEMETRY=1` is the
|
|
|
350
392
|
---
|
|
351
393
|
|
|
352
394
|
*Built with ❤️ in Austin.*
|
|
395
|
+
|
|
@@ -1,28 +1,3 @@
|
|
|
1
|
-
Metadata-Version: 2.4
|
|
2
|
-
Name: aisbom-cli
|
|
3
|
-
Version: 1.1.0
|
|
4
|
-
Summary: An AI Supply Chain security tool that that detects Pickle bombs and generates CycloneDX SBOMs for Machine Learning models.
|
|
5
|
-
License-File: LICENSE
|
|
6
|
-
Author: Ajoy L
|
|
7
|
-
Author-email: lab700xdev@gmail.com
|
|
8
|
-
Requires-Python: >=3.11,<4.0
|
|
9
|
-
Classifier: Programming Language :: Python :: 3
|
|
10
|
-
Classifier: Programming Language :: Python :: 3.11
|
|
11
|
-
Classifier: Programming Language :: Python :: 3.12
|
|
12
|
-
Classifier: Programming Language :: Python :: 3.13
|
|
13
|
-
Classifier: Programming Language :: Python :: 3.14
|
|
14
|
-
Requires-Dist: click (<8.4.0)
|
|
15
|
-
Requires-Dist: cyclonedx-python-lib (>=8.5,<12.0)
|
|
16
|
-
Requires-Dist: packaging (>=24,<27)
|
|
17
|
-
Requires-Dist: pip-requirements-parser (>=32.0.1,<33.0.0)
|
|
18
|
-
Requires-Dist: requests (>=2.32.3,<3.0.0)
|
|
19
|
-
Requires-Dist: rich (>=13.7.1,<15.0.0)
|
|
20
|
-
Requires-Dist: spdx-tools (>=0.8.3,<0.9.0)
|
|
21
|
-
Requires-Dist: typer[all] (>=0.12.5,<0.26.0)
|
|
22
|
-
Project-URL: Homepage, https://www.aisbom.io/
|
|
23
|
-
Project-URL: Repository, https://github.com/Lab700xOrg/aisbom
|
|
24
|
-
Description-Content-Type: text/markdown
|
|
25
|
-
|
|
26
1
|
# AIsbom: The Supply Chain for Artificial Intelligence
|
|
27
2
|
|
|
28
3
|
[](https://pypi.org/project/aisbom-cli/)
|
|
@@ -261,6 +236,23 @@ When the scan is clean, the comment collapses to a one-line ✅:
|
|
|
261
236
|
|
|
262
237
|
Re-runs update the same comment in place via a hidden `<!-- aisbom-action -->` marker — you'll never see stacked AIsbom comments on the same PR.
|
|
263
238
|
|
|
239
|
+
### Hosted dashboard (optional)
|
|
240
|
+
|
|
241
|
+
The PR comment shows you each scan; the hosted dashboard at [app.aisbom.io](https://app.aisbom.io) keeps the history. Set the optional `token` input and every scan's SBOM is posted to your inventory dashboard, where you can browse artifacts across repos and branches, track drift over time, and share an executive view with compliance stakeholders:
|
|
242
|
+
|
|
243
|
+
```yaml
|
|
244
|
+
- uses: Lab700xOrg/aisbom@v1
|
|
245
|
+
with:
|
|
246
|
+
directory: models/
|
|
247
|
+
token: ${{ secrets.AISBOM_TOKEN }}
|
|
248
|
+
```
|
|
249
|
+
|
|
250
|
+
Get a per-repo token at <https://app.aisbom.io/connect> (sign in with GitHub). Leave `token` unset and the Action stays purely local — nothing is sent to the dashboard.
|
|
251
|
+
|
|
252
|
+
#### Data flow & privacy
|
|
253
|
+
|
|
254
|
+
When (and only when) `token` is set, the Action POSTs the generated CycloneDX SBOM JSON to `https://app.aisbom.io/v1/scan-result`, along with the branch/tag name (`GITHUB_REF_NAME`) so the dashboard can attribute results to the right ref. That's the entire payload: the SBOM describes the *structure and findings* of your model files (names, hashes, licenses, risk levels) — never the weights or file contents, which don't leave the GitHub runner. Data is stored in the EU (Cloudflare R2/D1, EU jurisdiction). Every upload is announced in a loud log group in your CI output, so your logs always show when a network call happened and where the data went. To stop uploading, remove the `token` input — there is no background or implicit sending.
|
|
255
|
+
|
|
264
256
|
See [`action/README_ACTION.md`](action/README_ACTION.md) for the full inputs/outputs reference, permissions block, and troubleshooting.
|
|
265
257
|
|
|
266
258
|
---
|
|
@@ -375,4 +367,3 @@ As of **0.9.1**, telemetry is **on by default**. `AISBOM_NO_TELEMETRY=1` is the
|
|
|
375
367
|
---
|
|
376
368
|
|
|
377
369
|
*Built with ❤️ in Austin.*
|
|
378
|
-
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
[tool.poetry]
|
|
2
2
|
name = "aisbom-cli"
|
|
3
|
-
version = "1.
|
|
3
|
+
version = "1.2.0"
|
|
4
4
|
description = "An AI Supply Chain security tool that that detects Pickle bombs and generates CycloneDX SBOMs for Machine Learning models."
|
|
5
5
|
authors = ["Ajoy L <lab700xdev@gmail.com>"]
|
|
6
6
|
readme = "README.md"
|
|
@@ -9,11 +9,11 @@ repository = "https://github.com/Lab700xOrg/aisbom"
|
|
|
9
9
|
urls = { "Homepage" = "https://www.aisbom.io/" }
|
|
10
10
|
[tool.poetry.dependencies]
|
|
11
11
|
python = "^3.11"
|
|
12
|
-
typer = {extras = ["all"], version = ">=0.12.5,<0.
|
|
13
|
-
rich = ">=13.7.1,<
|
|
12
|
+
typer = {extras = ["all"], version = ">=0.12.5,<0.27.0"}
|
|
13
|
+
rich = ">=13.7.1,<16.0.0"
|
|
14
14
|
cyclonedx-python-lib = ">=8.5,<12.0"
|
|
15
15
|
pip-requirements-parser = "^32.0.1"
|
|
16
|
-
click = "<8.
|
|
16
|
+
click = "<8.5.0"
|
|
17
17
|
spdx-tools = "^0.8.3"
|
|
18
18
|
packaging = ">=24,<27"
|
|
19
19
|
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|