modelaudit 0.2.40__tar.gz → 0.2.41__tar.gz

{modelaudit-0.2.40 → modelaudit-0.2.41}/.github/markdown-link-check-config.json

@@ -3,6 +3,9 @@
     {
       "pattern": "^https://github.com/.*/(pull|issues)/[0-9]+$"
     },
+    {
+      "pattern": "^https://github.com/promptfoo/modelaudit/(commit|compare|releases/tag)/"
+    },
     {
       "pattern": "^https://claude.ai"
     }

modelaudit-0.2.41/.release-please-manifest.json

@@ -0,0 +1,4 @@
+{
+  ".": "0.2.41",
+  "packages/modelaudit-picklescan": "0.1.3"
+}

{modelaudit-0.2.40 → modelaudit-0.2.41}/AGENTS.md

@@ -9,6 +9,17 @@ This is the single source of truth for all AI coding agents (Claude, Gemini, oth
 - Keep instructions universal and minimal; lean on deterministic tools (ruff, mypy, pytest, prettier) rather than embedding style rules.
 - When unsure, ask or fetch targeted context instead of expanding instructions.
 
+### Monorepo at a glance
+
+This repo publishes **two PyPI packages with independent versions**:
+
+| PyPI name               | Path                              | Version file                    | CHANGELOG                                     |
+| ----------------------- | --------------------------------- | ------------------------------- | --------------------------------------------- |
+| `modelaudit`            | `./` (root)                       | `pyproject.toml` + `uv.lock`    | `CHANGELOG.md`                                |
+| `modelaudit-picklescan` | `packages/modelaudit-picklescan/` | `pyproject.toml` + `Cargo.toml` | `packages/modelaudit-picklescan/CHANGELOG.md` |
+
+Root `modelaudit` hard-requires `modelaudit-picklescan>=0.1.0,<0.2.0` — when the sibling crosses `0.2.0`, bump the constraint in the same PR or the next `modelaudit` release is uninstallable. Both packages are driven by a single `release-please` workflow (`.github/workflows/release-please.yml`) with components defined in `release-please-config.json` and current versions in `.release-please-manifest.json`. Full publishing details — trusted publishing, manual `workflow_dispatch` recovery (`root_version` / `picklescan_version`), and yank procedure — are in [`docs/agents/release-process.md`](docs/agents/release-process.md). For work inside the picklescan package, start from [`packages/modelaudit-picklescan/AGENTS.md`](packages/modelaudit-picklescan/AGENTS.md).
+
 ## Mission & Principles
 
 - **Security first:** Never weaken detections or bypass safeguards.
@@ -184,7 +195,7 @@ modelaudit/
 └── CHANGELOG.md          # Keep a Changelog format
 ```
 
-Key docs: `docs/agents/architecture.md`, `docs/agents/dependencies.md`, `docs/agents/release-process.md`, `docs/agents/new-scanner-quickstart.md`.
+Key docs: `docs/agents/architecture.md`, `docs/agents/dependencies.md`, `docs/agents/release-process.md`, `docs/agents/new-scanner-quickstart.md`, `docs/agents/picklescan-package-split.md`, `packages/modelaudit-picklescan/AGENTS.md`.
 
 ## README.md Content Guidelines
 

{modelaudit-0.2.40 → modelaudit-0.2.41}/CHANGELOG.md

@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.41](https://github.com/promptfoo/modelaudit/compare/v0.2.40...v0.2.41) (2026-04-27)
+
+### Bug Fixes
+
+- **ci:** skip POSIX proof cases on Windows ([#1072](https://github.com/promptfoo/modelaudit/issues/1072)) ([bfa17a3](https://github.com/promptfoo/modelaudit/commit/bfa17a3e152cd178c5d1fdbfec55dd3f124778ef))
+- **docker:** add apt-get clean and pinned pip constraints to Dockerfile.tensorflow ([#1079](https://github.com/promptfoo/modelaudit/issues/1079)) ([8d9f9b7](https://github.com/promptfoo/modelaudit/commit/8d9f9b7c628ae05cdccf5d8eb480eea89f551e8d))
+- harden picklescan call graph RCE detection ([#1061](https://github.com/promptfoo/modelaudit/issues/1061)) ([19c4fc4](https://github.com/promptfoo/modelaudit/commit/19c4fc487b4758462ac2107a3f3e59463e5d888b))
+- harden picklescan stdlib callable detection ([f0f57b4](https://github.com/promptfoo/modelaudit/commit/f0f57b47f3355bea008a48779dbd856e6f550ec7))
+- improve test isolation, reduce duplication, and fix command injection risk in test suite ([#1078](https://github.com/promptfoo/modelaudit/issues/1078)) ([3867c83](https://github.com/promptfoo/modelaudit/commit/3867c83b2dd0d5ab6a83b650c28d64122a675dea))
+- **picklescan:** avoid call-graph false positives for PyTorch storage IDs ([#1069](https://github.com/promptfoo/modelaudit/issues/1069)) ([e75ed24](https://github.com/promptfoo/modelaudit/commit/e75ed249948558864d8f56882a02f1327323205d))
+- silence stale CodeQL generated import alerts ([#1080](https://github.com/promptfoo/modelaudit/issues/1080)) ([9530740](https://github.com/promptfoo/modelaudit/commit/9530740312725d051a41f7f2a405280ee2be4c62))
+- **telemetry:** stabilize modelaudit identity ([#1071](https://github.com/promptfoo/modelaudit/issues/1071)) ([592a656](https://github.com/promptfoo/modelaudit/commit/592a65672ac58e0b89eb50a54614e736b60c6741))
+
+### Documentation
+
+- improve PyPI READMEs ([#1057](https://github.com/promptfoo/modelaudit/issues/1057)) ([1cfb27d](https://github.com/promptfoo/modelaudit/commit/1cfb27de814125470d1e1a38eec03a83d79ff3d9))
+
 ## [0.2.40](https://github.com/promptfoo/modelaudit/compare/v0.2.39...v0.2.40) (2026-04-17)
 
 ### Bug Fixes
@@ -74,6 +91,169 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- **security:** detect `mailcap.findmatch` pickle call targets that can execute
+  attacker-controlled mailcap `test` commands on Python versions that still
+  provide `mailcap`
+- **security:** detect `setuptools._distutils.spawn.spawn` pickle call targets
+  that can execute attacker-controlled subprocess command lists when
+  `setuptools` is installed
+- **security:** detect `pipes.Template` pickle call targets that can execute
+  attacker-controlled shell pipelines on Python versions that still provide
+  `pipes`
+- **security:** resolve module-level bound-method aliases and same-module
+  constructor call paths in pickle call-graph analysis so process-dispatch
+  wrappers are blocked
+- **security:** resolve dangerous `six.moves` compatibility aliases, including
+  vendored `six` copies, in pickle call-graph analysis so subprocess, pickle
+  deserializer, and builtin execution wrappers are blocked
+- **security:** resolve constructor-default sink aliases assigned to instance
+  attributes in pickle call-graph analysis so wrappers like Botocore credential
+  process providers are blocked
+- **security:** resolve sink defaults forwarded through `super().__init__` in
+  pickle call-graph analysis so async credential process wrappers are blocked
+- **security:** resolve parameter-fed function-local class instance aliases in
+  pickle call-graph analysis so wrapper functions like `click.edit` are blocked
+- **security:** resolve function-local import aliases in pickle call-graph
+  analysis so wrappers that import RCE sinks inside function bodies are blocked
+- **security:** preserve callable invocation aliases when import-reference
+  metadata is crowded, while ignoring uninvoked nested function and lambda
+  bodies during pickle call-graph analysis
+- **security:** detect `typing._eval_type` pickle call targets that can
+  evaluate attacker-controlled `ForwardRef` expressions
+- **security:** detect `dataclasses._create_fn` pickle call targets that can
+  execute attacker-controlled generated Python source
+- **security:** detect `typing.get_type_hints` pickle call targets that can
+  evaluate attacker-controlled annotation strings
+- **security:** detect public `operator.call` pickle call targets that can
+  invoke attacker-controlled callables
+- **security:** detect `builtins.map` pickle call targets that can lazily
+  invoke attacker-controlled callables when iterated
+- **security:** detect `itertools.starmap` pickle call targets that can lazily
+  invoke attacker-controlled callables when iterated
+- **security:** detect `builtins.filter` pickle call targets that can lazily
+  invoke attacker-controlled callables when iterated
+- **security:** detect `types.MethodType` pickle call targets that can
+  synthesize attacker-controlled bound methods for later invocation
+- **security:** detect `types.DynamicClassAttribute.__get__` pickle call
+  targets that can invoke attacker-controlled descriptor getters
+- **security:** detect `functools.cached_property.__get__` pickle call targets
+  that can invoke attacker-controlled cached-property getters
+- **security:** detect `functools.cmp_to_key` pickle call targets that can
+  invoke attacker-controlled comparators during rich comparison
+- **security:** detect `logging.Filterer.filter` pickle call targets that can
+  invoke attacker-controlled logging filter callbacks
+- **security:** detect `inspect.getmembers` pickle call targets that can
+  invoke attacker-controlled descriptors during introspection
+- **security:** detect `builtins.hasattr` pickle call targets that can invoke
+  attacker-controlled descriptors during attribute-existence checks
+- **security:** detect `__del__` finalizer string seeds that can execute
+  attacker-controlled methods when pickle-built objects are dropped
+- **security:** detect `__eq__` rich-comparison string seeds that can execute
+  attacker-controlled methods during equality checks
+- **security:** detect `__lt__`, `__le__`, `__gt__`, `__ge__`, and `__ne__`
+  rich-comparison string seeds that can execute attacker-controlled methods
+  during ordering checks
+- **security:** detect `__contains__` membership string seeds that can execute
+  attacker-controlled methods during containment checks
+- **security:** detect `__setitem__` item-assignment string seeds that can
+  execute attacker-controlled methods during item mutation
+- **security:** detect `__getitem__` and `__delitem__` item-protocol string
+  seeds that can execute attacker-controlled methods during item access
+- **security:** detect binary arithmetic and bitwise dunder string seeds that
+  can execute attacker-controlled methods during operator dispatch
+- **security:** detect reflected and in-place binary operator dunder string
+  seeds that can execute attacker-controlled methods during operator dispatch
+- **security:** detect unary operator dunder string seeds that can execute
+  attacker-controlled methods during operator dispatch
+- **security:** detect context-manager entry dunder string seeds and
+  `contextlib.ExitStack.enter_context` pickle call targets that can invoke
+  attacker-controlled `__enter__` methods
+- **security:** detect iteration protocol dunder string seeds that can execute
+  attacker-controlled methods during builtin iteration dispatch
+- **security:** detect numeric rounding protocol dunder string seeds that can
+  execute attacker-controlled methods during rounding helper dispatch
+- **security:** detect descriptor setup and numeric coercion dunder string
+  seeds that can execute attacker-controlled methods during class creation
+- **security:** detect presentation and size protocol dunder string seeds that
+  can execute attacker-controlled methods during common builtin dispatch
+- **security:** detect PathLike `__fspath__` dunder string seeds that can
+  route attacker-controlled paths into file APIs during pickle loading
+- **security:** detect direct pickle calls to stdlib file-write sinks such as
+  `pathlib.Path.write_text`, `io.open`, and `_io.FileIO`
+- **security:** detect pickle calls to logging file handlers and emit/handle
+  dispatch methods that can write attacker-controlled startup hooks
+- **security:** detect pickle calls to `argparse.FileType` and high-level
+  logging stream dispatch methods that can write attacker-controlled startup
+  hooks
+- **security:** detect pickle calls to NumPy text writers that can write
+  attacker-controlled startup hooks
+- **security:** detect pickle calls to `python-dotenv` key writers that can
+  write attacker-controlled startup hooks
+- **security:** detect pickle globals whose Python call graph reaches known
+  RCE-capable source primitives such as `os.execvpe`
+- **security:** detect pickle globals whose Python call graph pairs file-open
+  and file-write wrappers that can create executable startup hooks
+- **security:** resolve pickle-imported Python class globals through bounded
+  constructor and object-method call graph entrypoints
+- **security:** detect public `io.FileIO` and `io.TextIOWrapper.write` aliases
+  for blocked `_io` file-writing primitives
+- **security:** detect builtin namespace dictionary access that can recover
+  blocked primitives through mapping lookups
+- **security:** detect dotted pickle global aliases that resolve to blocked
+  source primitives such as `os.system`
+- **security:** detect concrete `pathlib` path writer aliases and module
+  namespace dictionary recovery for modules with blocked globals
+- **security:** detect module namespace and `__builtins__` access used for
+  dynamic builtin recovery
+- **security:** detect `string.Formatter.get_field` pickle call targets that
+  can traverse attacker-controlled field expressions into callable objects
+- **security:** detect `unittest.mock._get_target` pickle call targets that
+  can manufacture delayed `pkgutil.resolve_name` resolver partials
+- **security:** detect descriptor getter pickle call targets that can bind
+  recovered function descriptors and expose builtin namespaces
+- **security:** detect wrapper and method descriptor getter pickle call targets
+  that can bind recovered slot wrappers for dynamic attribute access
+- **security:** detect global references to attribute-access and function
+  namespace source methods used for dynamic builtin recovery
+- **security:** detect object subclass enumeration globals that can recover
+  loaded process capabilities without direct imports
+- **security:** detect garbage collector object-graph globals that can recover
+  hidden namespaces and loaded process capabilities
+- **security:** detect frame-introspection globals and frame namespace
+  descriptor getters used for dynamic builtin recovery
+- **security:** detect callable `__call__` aliases of blocked pickle globals
+  used to invoke hidden RCE source primitives
+- **security:** detect wrapper `__get__` and `__self__` aliases of blocked
+  pickle globals used to recover hidden RCE source primitives
+- **security:** detect attribute aliases under blocked pickle global prefixes
+  used to recover hidden RCE source primitives
+- **security:** detect pickle calls to PyYAML unsafe loaders that can execute
+  attacker-controlled Python constructors
+- **security:** detect pickle calls to `codecs.open` and codec stream writes
+  that can write attacker-controlled startup hooks
+- **security:** detect pickle calls to durable tempfile creation and CSV
+  `DictWriter` row dispatch that can write attacker-controlled startup hooks
+- **security:** detect pickle calls to mailbox single-file `add` dispatch
+  methods that can write attacker-controlled startup hooks
+- **security:** detect pickle calls to `_tkinter` Tcl interpreter dispatch
+  methods that can execute local commands
+- **security:** detect high-level `tkinter.Misc` pickle call targets that can
+  forward attacker-controlled commands into Tcl interpreter dispatch
+- **security:** detect pickle calls to `_xxsubinterpreters.run_string` that
+  can execute attacker-controlled Python source
+- **security:** detect `builtins.staticmethod` pickle call targets that can
+  synthesize callable descriptors for later invocation
+- **security:** detect `builtins.property.__get__` pickle call targets that
+  can invoke attacker-controlled property getters during descriptor access
+- **security:** detect `builtins.classmethod.__get__` pickle call targets that
+  can synthesize attacker-controlled bound methods during descriptor access
+- **security:** detect `_functools.partial` pickle call targets that can
+  synthesize private-alias partial callables for later invocation
+- **security:** detect `_functools.reduce` pickle call targets that can invoke
+  attacker-controlled reducer callables through the private CPython alias
+- **security:** detect `functools.cache`, `functools.lru_cache`, and
+  `functools.singledispatch` pickle call targets that can synthesize callable
+  wrappers around attacker-controlled functions for later invocation
 - **cli:** add scanner selection with `--scanners`, `--exclude-scanner`, and `--list-scanners` wired into core routing, nested dispatch, remote prefilters, and scan metadata; selection-suppressed preferred scanners emit a stderr warning and populate `scanner_selection.suppressed_preferred_scanner_ids`, and unknown scanner names suggest the closest match
 - **pickle:** replace the standalone pickle scanner's package-engine selector with the Rust-only runtime and explicit native-extension errors
 - **pickle:** scan PyTorch ZIP checkpoint pickle members directly in the standalone pickle scanner
@@ -86,6 +266,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- **telemetry:** persist ModelAudit distinct IDs in Promptfoo's global config
+  format (creating `~/.promptfoo/promptfoo.yaml` if absent and migrating any
+  legacy `~/.modelaudit/user_config.json` ID) and include `isRunningInCi` on
+  analytics payloads, with presence-based detection for marker-style providers
+  (TeamCity, CodeBuild, Bitbucket, Jenkins)
 - **docs:** align public README and compatibility guidance with supported Python 3.10-3.13, TensorFlow extra requirements, supported formats, and telemetry sanitization behavior
 - **security:** credit @mosebit for privately reporting a TensorRT native-code detection gap that helped harden native-code scanner coverage
 - **security-policy:** clarify when low-impact scanner coverage gaps may be closed without publishing a public advisory while still crediting reporters
@@ -102,6 +287,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- **pickle:** detect stdlib filesystem probe and process-state callables such as `pathlib` metadata methods, `decimal.setcontext`, and `gc.disable` during pickle scans, while keeping local container mutations clean and covering public `operator.setitem` registry poisoning plus target-aware `operator.imul` warning-filter mutation.
+- **pickle:** detect public `operator.setitem` pickle calls, keep callable
+  invocation aliases ahead of import-reference budget exhaustion, dedupe repeated
+  invocation metadata before the reporting cap, preserve literal mapping-key
+  shadowing through `ChainMap`, block deeply wrapped `defaultdict` factories,
+  and avoid outer-function call-graph false positives from nested function and
+  lambda bodies.
 - **security:** prevent HuggingFace whitelist provenance from downgrading active payload, CVE, traversal, executable, operational-error, or incomplete-coverage findings. Exemptions now cover S1xx code-execution primitives (`S101`–`S115`) and HIGH-severity S3xx network primitives (`S301`/`S304`/`S305`/`S310`), and the keyword fallback uses word-boundary matching so substrings like "executable" inside "ExecuTorch" no longer over-suppress legitimate downgrades.
 - **security:** scan generic ZIP/TAR/NPZ Python members and ZIP/TAR/NPZ executable members, including wildcard imports and callable rebindings while failing closed on malformed Python source. Findings carry accurate rule codes per risk category (`S101` for `os.system`/`os.popen`, `S103` for `subprocess.*`, `S104` for `eval`/`exec`, `S106` for `__import__`, `S107` for `importlib.import_module`, `S213` for `pickle.load`/`pickle.loads`) instead of a single catch-all, the ZIP path now honors `max_mar_python_analysis_bytes` for non-MAR Python members, and source bytes are parsed directly so PEP 263 encoding declarations are respected.
 - **security:** bound PyTorch ZIP JIT/network member reads (default 32 MiB per-member cap, configurable via `max_jit_scan_member_bytes`) and mark oversized or unreadable member coverage inconclusive. Oversize and read-failure events are aggregated into a single summary INFO check per kind (with per-member detail in `details["entries"]`) so adversarial archives cannot flood the checks list, duplicate-name entries are de-duplicated by `ZipInfo` identity rather than filename so the second of two same-name members is still analyzed, directory entries are skipped explicitly, and pickle members continue through the bounded JIT/network pass so padded payloads remain covered beyond the pickle scanner raw window.

{modelaudit-0.2.40 → modelaudit-0.2.41}/Dockerfile

@@ -1,4 +1,4 @@
-ARG PYTHON_IMAGE=python:3.13-slim@sha256:d168b8d9eb761f4d3fe305ebd04aeb7e7f2de0297cec5fb2f8f6403244621664
+ARG PYTHON_IMAGE=python:3.13-slim@sha256:a0779d7c12fc20be6ec6b4ddc901a4fd7657b8a6bc9def9d3fde89ed5efe0a3d
 # Keep the major/minor version in sync with packages/modelaudit-picklescan/Cargo.toml rust-version.
 ARG PICKLESCAN_RUST_TOOLCHAIN=1.83.0
 

{modelaudit-0.2.40 → modelaudit-0.2.41}/Dockerfile.full

@@ -1,4 +1,4 @@
-ARG PYTHON_IMAGE=python:3.13-slim@sha256:d168b8d9eb761f4d3fe305ebd04aeb7e7f2de0297cec5fb2f8f6403244621664
+ARG PYTHON_IMAGE=python:3.13-slim@sha256:a0779d7c12fc20be6ec6b4ddc901a4fd7657b8a6bc9def9d3fde89ed5efe0a3d
 # Keep the major/minor version in sync with packages/modelaudit-picklescan/Cargo.toml rust-version.
 ARG PICKLESCAN_RUST_TOOLCHAIN=1.83.0
 

{modelaudit-0.2.40 → modelaudit-0.2.41}/Dockerfile.tensorflow

@@ -1,18 +1,20 @@
-FROM python:3.13-slim@sha256:d168b8d9eb761f4d3fe305ebd04aeb7e7f2de0297cec5fb2f8f6403244621664
+FROM python:3.12-slim@sha256:46cb7cc2877e60fbd5e21a9ae6115c30ace7a077b9f8772da879e4590c18c2e3
 
 WORKDIR /app
 
 # Pull in current Debian security fixes from the configured apt sources.
 RUN apt-get update \
     && apt-get install --yes --no-install-recommends --only-upgrade libc-bin libc6 \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy only necessary files for installation
 COPY pyproject.toml README.md ./
+COPY requirements-tensorflow.txt ./
 COPY modelaudit ./modelaudit
 
-# Install the application with TensorFlow extras
-RUN pip install --no-cache-dir ".[tensorflow]"
+# Install the application with TensorFlow extras using pinned constraints
+RUN pip install --no-cache-dir -c requirements-tensorflow.txt ".[tensorflow]"
 
 # Create a non-root user
 ARG UID=10001

{modelaudit-0.2.40 → modelaudit-0.2.41}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: modelaudit
-Version: 0.2.40
+Version: 0.2.41
 Summary: Static scanning library for detecting malicious code, potential backdoor indicators, and other security risks in ML model files
 Project-URL: Repository, https://github.com/promptfoo/modelaudit
 Project-URL: Homepage, https://github.com/promptfoo/modelaudit
@@ -130,11 +130,23 @@ Description-Content-Type: text/markdown
 [![Python versions](https://img.shields.io/pypi/pyversions/modelaudit.svg)](https://pypi.org/project/modelaudit/)
 [![Code Style: ruff](https://img.shields.io/badge/code%20style-ruff-005cd7.svg)](https://github.com/astral-sh/ruff)
 [![License](https://img.shields.io/github/license/promptfoo/modelaudit)](https://github.com/promptfoo/modelaudit/blob/main/LICENSE)
+[![Security policy](https://img.shields.io/badge/security-policy-brightgreen.svg)](https://github.com/promptfoo/modelaudit/security/policy)
 
 <img width="989" alt="ModelAudit scan results" src="https://www.promptfoo.dev/img/docs/modelaudit/modelaudit-result.png" />
 
 **[Full Documentation](https://www.promptfoo.dev/docs/model-audit/)** | **[Usage Examples](https://www.promptfoo.dev/docs/model-audit/usage/)** | **[Supported Formats](https://www.promptfoo.dev/docs/model-audit/scanners/)**
 
+## Why ModelAudit
+
+Models download from untrusted registries, pass through CI, and end up running in production. Traditional SAST tools do not look at pickle opcodes, HDF5 group layouts, ONNX proto graphs, or TensorFlow SavedModel signatures — ModelAudit does:
+
+- **Scan statically.** No model is ever loaded, unpickled, or executed.
+- **Cover the formats you actually ship.** 40+ scanners spanning pickle, PyTorch, SafeTensors, ONNX, TensorFlow, Keras, GGUF, archives, and configs.
+- **Fit into CI.** Machine-readable output (JSON, SARIF), strict mode, exit codes, and [selectable scanners](https://github.com/promptfoo/modelaudit/blob/main/docs/user/scanner-selection.md).
+- **Fail closed.** Truncated reads, exhausted budgets, and unsupported formats are reported as coverage gaps, not silent passes.
+
+Comparable tools: [`picklescan`](https://github.com/mmaitre314/picklescan) (pickle only, Python-based), [`fickling`](https://github.com/trailofbits/fickling) (pickle only, AST-based), [`modelscan`](https://github.com/protectai/modelscan) (pickle + TensorFlow + Keras subset). ModelAudit is broader in coverage and ships a native Rust pickle engine via its companion package [`modelaudit-picklescan`](https://pypi.org/project/modelaudit-picklescan/).
+
 ## Quick Start
 
 **Requires Python 3.10-3.13**
@@ -356,7 +368,8 @@ ModelAudit includes telemetry for product reliability and usage analytics.
 - Collected metadata can include command usage, scan timing, scanner/file-type usage, issue severity/type aggregates, sanitized model names/references, and coarse metadata like file extension/domain.
 - URL telemetry strips userinfo, query strings, and fragments from model references. Avoid putting credentials in model names, file names, or artifact paths when telemetry is enabled.
 - Model files are scanned locally and ModelAudit does not upload model binary contents as telemetry events.
-- Telemetry is disabled automatically in CI/test environments and in editable development installs by default.
+- Telemetry is disabled automatically when `CI=true` is set or `IS_TESTING=true` is set, and in editable development installs by default. Events that are sent from other CI providers (TeamCity, CodeBuild, Bitbucket Pipelines, Jenkins) are tagged with `isRunningInCi=true` so they can be filtered downstream.
+- The anonymous user identifier is stored in `~/.promptfoo/promptfoo.yaml` for cross-tool correlation with [Promptfoo](https://www.promptfoo.dev/). Existing IDs from `~/.modelaudit/user_config.json` are migrated on first run after upgrade.
 
 Opt out explicitly with either environment variable:
 
@@ -405,6 +418,18 @@ modelaudit model.pkl --format sarif --output results.sarif
 - **[Offline/air-gapped guide](https://github.com/promptfoo/modelaudit/blob/main/docs/user/offline-air-gapped.md)** — secure operation without internet access
 - **Troubleshooting** — run `modelaudit doctor --show-failed` to check scanner availability
 
+## Related Packages
+
+- **[`modelaudit-picklescan`](https://pypi.org/project/modelaudit-picklescan/)** — the standalone Rust-backed pickle scanner used by ModelAudit's pickle, PyTorch, ExecuTorch, and PyTorch-ZIP scanners. Install it directly if you only need pickle analysis (as a library, not a CLI) and do not want the full scanner bundle.
+
+## Reporting Vulnerabilities
+
+Do not open public issues for suspected vulnerabilities. See [SECURITY.md](https://github.com/promptfoo/modelaudit/blob/main/SECURITY.md) for coordinated disclosure.
+
+## Contributing
+
+Issues, feature requests, and PRs are welcome. See [CONTRIBUTING.md](https://github.com/promptfoo/modelaudit/blob/main/CONTRIBUTING.md).
+
 ## License
 
 MIT License — see [LICENSE](https://github.com/promptfoo/modelaudit/blob/main/LICENSE) for details.

{modelaudit-0.2.40 → modelaudit-0.2.41}/README.md

@@ -6,11 +6,23 @@
 [![Python versions](https://img.shields.io/pypi/pyversions/modelaudit.svg)](https://pypi.org/project/modelaudit/)
 [![Code Style: ruff](https://img.shields.io/badge/code%20style-ruff-005cd7.svg)](https://github.com/astral-sh/ruff)
 [![License](https://img.shields.io/github/license/promptfoo/modelaudit)](https://github.com/promptfoo/modelaudit/blob/main/LICENSE)
+[![Security policy](https://img.shields.io/badge/security-policy-brightgreen.svg)](https://github.com/promptfoo/modelaudit/security/policy)
 
 <img width="989" alt="ModelAudit scan results" src="https://www.promptfoo.dev/img/docs/modelaudit/modelaudit-result.png" />
 
 **[Full Documentation](https://www.promptfoo.dev/docs/model-audit/)** | **[Usage Examples](https://www.promptfoo.dev/docs/model-audit/usage/)** | **[Supported Formats](https://www.promptfoo.dev/docs/model-audit/scanners/)**
 
+## Why ModelAudit
+
+Models download from untrusted registries, pass through CI, and end up running in production. Traditional SAST tools do not look at pickle opcodes, HDF5 group layouts, ONNX proto graphs, or TensorFlow SavedModel signatures — ModelAudit does:
+
+- **Scan statically.** No model is ever loaded, unpickled, or executed.
+- **Cover the formats you actually ship.** 40+ scanners spanning pickle, PyTorch, SafeTensors, ONNX, TensorFlow, Keras, GGUF, archives, and configs.
+- **Fit into CI.** Machine-readable output (JSON, SARIF), strict mode, exit codes, and [selectable scanners](https://github.com/promptfoo/modelaudit/blob/main/docs/user/scanner-selection.md).
+- **Fail closed.** Truncated reads, exhausted budgets, and unsupported formats are reported as coverage gaps, not silent passes.
+
+Comparable tools: [`picklescan`](https://github.com/mmaitre314/picklescan) (pickle only, Python-based), [`fickling`](https://github.com/trailofbits/fickling) (pickle only, AST-based), [`modelscan`](https://github.com/protectai/modelscan) (pickle + TensorFlow + Keras subset). ModelAudit is broader in coverage and ships a native Rust pickle engine via its companion package [`modelaudit-picklescan`](https://pypi.org/project/modelaudit-picklescan/).
+
 ## Quick Start
 
 **Requires Python 3.10-3.13**
@@ -232,7 +244,8 @@ ModelAudit includes telemetry for product reliability and usage analytics.
 - Collected metadata can include command usage, scan timing, scanner/file-type usage, issue severity/type aggregates, sanitized model names/references, and coarse metadata like file extension/domain.
 - URL telemetry strips userinfo, query strings, and fragments from model references. Avoid putting credentials in model names, file names, or artifact paths when telemetry is enabled.
 - Model files are scanned locally and ModelAudit does not upload model binary contents as telemetry events.
-- Telemetry is disabled automatically in CI/test environments and in editable development installs by default.
+- Telemetry is disabled automatically when `CI=true` is set or `IS_TESTING=true` is set, and in editable development installs by default. Events that are sent from other CI providers (TeamCity, CodeBuild, Bitbucket Pipelines, Jenkins) are tagged with `isRunningInCi=true` so they can be filtered downstream.
+- The anonymous user identifier is stored in `~/.promptfoo/promptfoo.yaml` for cross-tool correlation with [Promptfoo](https://www.promptfoo.dev/). Existing IDs from `~/.modelaudit/user_config.json` are migrated on first run after upgrade.
 
 Opt out explicitly with either environment variable:
 
@@ -281,6 +294,18 @@ modelaudit model.pkl --format sarif --output results.sarif
 - **[Offline/air-gapped guide](https://github.com/promptfoo/modelaudit/blob/main/docs/user/offline-air-gapped.md)** — secure operation without internet access
 - **Troubleshooting** — run `modelaudit doctor --show-failed` to check scanner availability
 
+## Related Packages
+
+- **[`modelaudit-picklescan`](https://pypi.org/project/modelaudit-picklescan/)** — the standalone Rust-backed pickle scanner used by ModelAudit's pickle, PyTorch, ExecuTorch, and PyTorch-ZIP scanners. Install it directly if you only need pickle analysis (as a library, not a CLI) and do not want the full scanner bundle.
+
+## Reporting Vulnerabilities
+
+Do not open public issues for suspected vulnerabilities. See [SECURITY.md](https://github.com/promptfoo/modelaudit/blob/main/SECURITY.md) for coordinated disclosure.
+
+## Contributing
+
+Issues, feature requests, and PRs are welcome. See [CONTRIBUTING.md](https://github.com/promptfoo/modelaudit/blob/main/CONTRIBUTING.md).
+
 ## License
 
 MIT License — see [LICENSE](https://github.com/promptfoo/modelaudit/blob/main/LICENSE) for details.

{modelaudit-0.2.40 → modelaudit-0.2.41}/SECURITY.md

@@ -94,7 +94,7 @@ If a fix requires longer than the default window, we will negotiate an extension
 
 ## When we issue CVEs
 
-We request CVE IDs through [GitHub's CVE Numbering Authority (CNA)](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-github-security-advisories-for-repositories) program. Not every security fix warrants a CVE.
+We request CVE IDs through [GitHub's CVE Numbering Authority (CNA)](https://docs.github.com/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories) program. Not every security fix warrants a CVE.
 
 **CVE issued:**
 
@@ -123,6 +123,7 @@ When in doubt, we err toward issuing a CVE.
 **In scope:**
 
 - The `modelaudit` Python package published on [PyPI](https://pypi.org/project/modelaudit/).
+- The `modelaudit-picklescan` Python package published on [PyPI](https://pypi.org/project/modelaudit-picklescan/), including its bundled Rust pickle engine.
 - The official Docker images.
 - The GitHub Actions CI/CD workflows in the [modelaudit repository](https://github.com/promptfoo/modelaudit).
 

{modelaudit-0.2.40 → modelaudit-0.2.41}/THIRD_PARTY_NOTICES.md

@@ -53,7 +53,7 @@ These are installed only when the corresponding extra is requested.
 | onnx            | `onnx`        | Apache-2.0   | <https://onnx.ai/>                           |
 | py7zr           | `sevenzip`    | LGPL-2.1+    | <https://github.com/miurahr/py7zr>           |
 | pybcj           | `sevenzip`    | LGPL-2.1+    | <https://github.com/miurahr/pybcj>           |
-| py-ubjson       | `xgboost`     | Apache-2.0   | <https://github.com/Iber/py-ubjson>          |
+| py-ubjson       | `xgboost`     | Apache-2.0   | <https://github.com/Iotic-Labs/py-ubjson>    |
 | pyppmd          | `sevenzip`    | LGPL-2.1+    | <https://github.com/miurahr/pyppmd>          |
 | safetensors     | `safetensors` | Apache-2.0   | <https://github.com/huggingface/safetensors> |
 | scikit-learn    | `joblib`      | BSD-3-Clause | <https://scikit-learn.org/>                  |

modelaudit-0.2.41/docs/agents/release-process.md

@@ -0,0 +1,151 @@
+# Release Process
+
+This repo is a monorepo with **two independently versioned PyPI packages**:
+
+| PyPI name               | Path                              | Version source                  | Git tag format                   |
+| ----------------------- | --------------------------------- | ------------------------------- | -------------------------------- |
+| `modelaudit`            | `./` (root)                       | `pyproject.toml` + `uv.lock`    | `v{X.Y.Z}`                       |
+| `modelaudit-picklescan` | `packages/modelaudit-picklescan/` | `pyproject.toml` + `Cargo.toml` | `modelaudit-picklescan-v{X.Y.Z}` |
+
+Both packages are driven by a single [release-please](https://github.com/googleapis/release-please) workflow (`.github/workflows/release-please.yml`) with two components declared in `release-please-config.json` and current versions pinned in `.release-please-manifest.json`.
+
+The root `modelaudit` wheel declares a **hard dependency** on `modelaudit-picklescan>=0.1.0,<0.2.0` in `pyproject.toml`. When the sibling version crosses `0.2.0`, the constraint must be bumped in the same PR.
+
+## Normal flow
+
+1. **Write Conventional Commits** — `feat:`, `fix:`, `docs:`, etc. Release-please uses these to compute the next version and the changelog entry.
+2. **Merge to `main`** — release-please creates or updates a "Release PR" per changed component. Commits that only touch `packages/modelaudit-picklescan/` feed the picklescan component; everything else feeds the root component.
+3. **Review and merge the Release PR** — release-please tags the release and the workflow runs the matching publish jobs:
+   - **For `modelaudit`** — `build` produces sdist+wheel → `publish-pypi` uploads via OIDC → `provenance` attests and uploads SBOM.
+   - **For `modelaudit-picklescan`** — `build-picklescan-package` matrix builds 5 native wheels (Linux x86_64, Linux aarch64, macOS arm64, macOS x86_64, Windows x64) + sdist → `publish-picklescan-pypi` uploads → `picklescan-provenance` attests.
+
+## Version scheme (0ver)
+
+Both packages follow [0ver](https://0ver.org/) — we stay in `0.x.y` indefinitely:
+
+- `fix:` commits bump **patch**
+- `feat:` commits bump **patch**
+- `feat!:` or `BREAKING CHANGE:` bumps **minor**
+
+The two components bump independently: a picklescan-only `fix:` bumps only `modelaudit-picklescan`.
+
+## Manual version override
+
+To force a specific version on the release PR:
+
+```
+feat: major new feature
+
+Release-As: 1.0.0
+```
+
+## Manual recovery path (workflow_dispatch)
+
+The release-please workflow accepts inputs to re-run the publish step for an already-tagged release without cutting a new tag. Use when:
+
+- A prior release tagged successfully but the publish job failed (e.g. transient PyPI outage, runner misconfiguration).
+- You need to re-publish an existing version to a package that was registered on PyPI after the fact.
+
+```bash
+# Re-publish modelaudit at an already-tagged version
+gh workflow run release-please.yml -f root_version=<X.Y.Z>
+
+# Re-publish modelaudit-picklescan at an already-tagged version
+gh workflow run release-please.yml -f picklescan_version=<X.Y.Z>
+```
+
+The workflow's `Resolve manual release inputs` step flips `manual_release=true`, skips the release-please action, ensures the GitHub release exists (creating it if not), then feeds `release_created=true` / `picklescan_release_created=true` into the publish jobs. `uv build` always reads from `pyproject.toml` at the current `HEAD`, so the tagged commit must already contain the target version; dispatching a version that does not match what's in `HEAD` will fail the PyPI upload.
+
+## PyPI trusted publishing (first-time setup)
+
+Both packages publish via PyPI [Trusted Publishing](https://docs.pypi.org/trusted-publishers/). The `publish-pypi` and `publish-picklescan-pypi` jobs both use environment `pypi` and `id-token: write` permissions. PyPI is configured with an **active trusted publisher** on each project, scoped to owner `promptfoo`, repository `modelaudit`, workflow `release-please.yml`, environment `pypi`.
+
+### Adding a new PyPI package
+
+When you introduce a new PyPI package in this repo, register a **pending trusted publisher** on PyPI _before_ the first publish attempt, or the workflow will fail with `400 Non-user identities cannot create new projects`.
+
+Steps:
+
+1. Log in to PyPI → Your account → Publishing → **Add a new pending publisher**.
+2. Fields: PyPI Project Name (hyphenated — PyPI normalizes), Owner (`promptfoo`), Repository (`modelaudit`), Workflow filename (`release-please.yml`), Environment (`pypi`).
+3. The pending publisher is automatically promoted to an active one after the first successful publish.
+
+## Commit conventions
+
+- **NEVER commit directly to `main` branch** — always create a feature branch and PR.
+- Use Conventional Commit format for ALL commit messages.
+- Add user-visible entries to `CHANGELOG.md` (root) or `packages/modelaudit-picklescan/CHANGELOG.md` under `## [Unreleased]` during feature work. Release-please promotes unreleased entries to a version-tagged section when the Release PR is merged.
+- PR titles must follow Conventional Commits (validated by CI).
+
+Examples:
+
+```
+feat: add scanner for XYZ format
+fix: handle corrupt pickle files gracefully
+fix(modelaudit-picklescan): bound nested pickle expansion
+```
+
+## Pre-release checklist (maintainers)
+
+Before merging a Release PR:
+
+1. Release PR version and changelog content look correct for every component bumped.
+2. Required checks green: `CI Success`, `Docker CI Success`, docs checks, CodeQL, and — for picklescan bumps — `Standalone Pickle Package (3.10/3.11/3.12/3.13)`.
+3. Release-build validation green:
+   - `twine check dist/*`
+   - exactly one wheel + one sdist for `modelaudit`
+   - 5 wheels + one sdist for `modelaudit-picklescan`, each matching the release version
+   - clean-room install smoke tests from wheel and sdist
+   - project URL metadata checks (`Bug Tracker`, `Changelog`)
+   - standalone Rust gates: `cargo fmt --check`, `cargo check`, `cargo clippy -D warnings`, `cargo test`, wheel build, clean-room wheel smoke test
+4. No unreviewed high-severity security findings outstanding.
+5. After merging, verify GitHub Release exists and PyPI publish completed for each bumped component:
+
+   ```bash
+   # modelaudit
+   curl -s https://pypi.org/pypi/modelaudit/json | jq .info.version
+
+   # modelaudit-picklescan (simple index surfaces yank flags)
+   curl -sH "Accept: application/vnd.pypi.simple.v1+json" \
+     https://pypi.org/simple/modelaudit-picklescan/ | jq '.files[-1].filename'
+   ```
+
+## Rollback / recovery procedures
+
+Use the least disruptive path.
+
+### Release PR unmerged
+
+- Close or update the Release PR and regenerate with new commits.
+
+### GitHub release exists but PyPI publish failed
+
+- Fix workflow / secrets issues, then **re-run the failed publish job** (`gh run rerun <run-id> --failed`) OR dispatch the manual recovery path:
+
+  ```bash
+  gh workflow run release-please.yml -f root_version=<X.Y.Z>
+  gh workflow run release-please.yml -f picklescan_version=<X.Y.Z>
+  ```
+
+### A published version is broken (e.g. unresolvable deps)
+
+- **Yank** the affected version on PyPI. PyPI has no CLI/API for yanks — it must be done in the web UI:
+  1. Open the PyPI releases page for the affected package, such as
+     <https://pypi.org/manage/project/modelaudit/releases/> or
+     <https://pypi.org/manage/project/modelaudit-picklescan/releases/>.
+  2. Click the version → Options → **Yank**
+  3. Provide a short reason (shown in the PyPI simple index).
+  - Yanked versions remain installable if a user pins the exact version, but pip/uv resolvers skip them by default. Prefer yank + follow-up patch over deletion.
+- Ship a follow-up patch release (`X.Y.Z+1`) with a clear changelog note explaining the yank.
+
+### Broken monorepo version coupling
+
+If `modelaudit` is published with a dependency on a `modelaudit-picklescan` version that is not on PyPI, **every dependent `modelaudit` release is unusable** — pip will either silently downgrade to an older `modelaudit` or fail resolution. Recovery:
+
+1. Publish the missing `modelaudit-picklescan` version first (via the manual recovery path above).
+2. Yank the affected `modelaudit` versions.
+3. Cut a new `modelaudit` patch release pointing at the now-resolvable sibling.
+
+### Release metadata / tagging incorrect
+
+- Prefer a corrective follow-up release over rewriting public history. Do not force-push tags.

{modelaudit-0.2.40 → modelaudit-0.2.41}/modelaudit/protos/tensorflow/core/framework/api_def_pb2.py

@@ -24,6 +24,8 @@ _runtime_version.ValidateProtobufRuntimeVersion(
 from tensorflow.core.framework import attr_value_pb2 as tensorflow_dot_core_dot_framework_dot_attr__value__pb2
 
 # Keep generated dependency imports for descriptor registration side effects.
+# Reference aliases so static analysis preserves these side-effect imports.
+id(tensorflow_dot_core_dot_framework_dot_attr__value__pb2)
 del tensorflow_dot_core_dot_framework_dot_attr__value__pb2
 DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\'tensorflow/core/framework/api_def.proto\x12\ntensorflow\x1a*tensorflow/core/framework/attr_value.proto\"\xe1\x05\n\x06\x41piDef\x12\x15\n\rgraph_op_name\x18\x01 \x01(\t\x12\x1b\n\x13\x64\x65precation_message\x18\x0c \x01(\t\x12\x1b\n\x13\x64\x65precation_version\x18\r \x01(\x05\x12\x31\n\nvisibility\x18\x02 \x01(\x0e\x32\x1d.tensorflow.ApiDef.Visibility\x12-\n\x08\x65ndpoint\x18\x03 \x03(\x0b\x32\x1b.tensorflow.ApiDef.Endpoint\x12&\n\x06in_arg\x18\x04 \x03(\x0b\x32\x16.tensorflow.ApiDef.Arg\x12\'\n\x07out_arg\x18\x05 \x03(\x0b\x32\x16.tensorflow.ApiDef.Arg\x12\x11\n\targ_order\x18\x0b \x03(\t\x12%\n\x04\x61ttr\x18\x06 \x03(\x0b\x32\x17.tensorflow.ApiDef.Attr\x12\x0f\n\x07summary\x18\x07 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x08 \x01(\t\x12\x1a\n\x12\x64\x65scription_prefix\x18\t \x01(\t\x12\x1a\n\x12\x64\x65scription_suffix\x18\n \x01(\t\x1aI\n\x08\x45ndpoint\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x12\n\ndeprecated\x18\x03 \x01(\x08\x12\x1b\n\x13\x64\x65precation_version\x18\x04 \x01(\x05\x1a;\n\x03\x41rg\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\trename_to\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\x1aj\n\x04\x41ttr\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\trename_to\x18\x02 \x01(\t\x12,\n\rdefault_value\x18\x03 \x01(\x0b\x32\x15.tensorflow.AttrValue\x12\x13\n\x0b\x64\x65scription\x18\x04 \x01(\t\"G\n\nVisibility\x12\x16\n\x12\x44\x45\x46\x41ULT_VISIBILITY\x10\x00\x12\x0b\n\x07VISIBLE\x10\x01\x12\x08\n\x04SKIP\x10\x02\x12\n\n\x06HIDDEN\x10\x03\")\n\x07\x41piDefs\x12\x1e\n\x02op\x18\x01 \x03(\x0b\x32\x12.tensorflow.ApiDefB}\n\x18org.tensorflow.frameworkB\x0c\x41piDefProtosP\x01ZNgithub.com/tensorflow/tensorflow/tensorflow/go/core/framework/api_def_go_proto\xf8\x01\x01\x62\x06proto3')
 

{modelaudit-0.2.40 → modelaudit-0.2.41}/modelaudit/protos/tensorflow/core/framework/attr_value_pb2.py

@@ -26,6 +26,10 @@ from tensorflow.core.framework import tensor_shape_pb2 as tensorflow_dot_core_do
 from tensorflow.core.framework import types_pb2 as tensorflow_dot_core_dot_framework_dot_types__pb2
 
 # Keep generated dependency imports for descriptor registration side effects.
+# Reference aliases so static analysis preserves these side-effect imports.
+id(tensorflow_dot_core_dot_framework_dot_tensor__pb2)
+id(tensorflow_dot_core_dot_framework_dot_tensor__shape__pb2)
+id(tensorflow_dot_core_dot_framework_dot_types__pb2)
 del tensorflow_dot_core_dot_framework_dot_tensor__pb2
 del tensorflow_dot_core_dot_framework_dot_tensor__shape__pb2
 del tensorflow_dot_core_dot_framework_dot_types__pb2