AIsbom is a specialized security and compliance scanner for Machine Learning artifacts.
- SPDX 2.3: Standard SBOM format for industry compliance.
- CycloneDX: Supported (Default output format).
Install via Pip or download our standalone, air-gapped binary for USB/offline audits.
Unlike generic SBOM tools that only parse requirements.txt, AIsbom performs Deep Binary Introspection on model files (.pt, .pkl, .safetensors, .gguf) to detect malware risks and legal license violations hidden inside the serialized weights.
Install directly from PyPI. No cloning required.
pip install aisbom-cliNote: The package name is aisbom-cli, but the command you run is aisbom.
For environments where installing Python is not possible, download the single-file executable from our Releases page.
Available Binaries:
aisbom-linux-amd64(Linux x86_64)aisbom-macos-amd64(macOS Intel)aisbom-macos-arm64(macOS Silicon M1/M2/M3)
Due to Apple's strict security policies for unsigned binaries, you must explicitly allow the application to run.
# 1. Make the binary executable
chmod +x aisbom-macos-*
# 2. Remove the "Quarantine" attribute (Fixes "Unidentified Developer" error)
xattr -d com.apple.quarantine aisbom-macos-*
# 3. Run it
./aisbom-macos-arm64 --helpWhy is xattr needed?
macOS tags downloaded files with a "quarantine" attribute. Since our open-source binary is not code-signed with an Apple Developer ID, Gatekeeper will block it by default. The xattr -d command removes this tag, allowing the binary to execute on your machine.
- Zero Dependencies: Everything is bundled.
- Portable: Runs on bare metal servers.
Point it at any directory containing your ML project. It scans recursively for requirements files AND binary model artifacts.
aisbom scan ./my-project-folderYou will see a combined Security & Legal risk assessment in your terminal:
π§ AI Model Artifacts Found
βββββββββββββββββββββββ³ββββββββββββββ³βββββββββββββββββββββββ³ββββββββββββββββββββββββββββββ
β Filename β Framework β Security Risk β Legal Risk β
β‘βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ©
β bert_finetune.pt β PyTorch β CRITICAL (RCE Found) β UNKNOWN β
β safe_model.st β SafeTensors β LOW β UNKNOWN β
β restricted_model.st β SafeTensors β LOW β LEGAL RISK (cc-by-nc-4.0) β
β llama-3-quant.gguf β GGUF β LOW β LEGAL RISK (cc-by-nc-sa) β
βββββββββββββββββββββββ΄ββββββββββββββ΄βββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββ
A compliant sbom.json (CycloneDX v1.6) including SHA256 hashes and license data will be generated in your current directory.
Scan models directly on Hugging Face without downloading terabytes of weights. We use HTTP Range requests to inspect headers over the wire.
aisbom scan hf://google-bert/bert-base-uncased- Speed: Scans in seconds, not minutes.
- Storage: Zero disk usage.
- Security: Verify "SafeTensors" compliance before you even
git clone.
Detect "Silent Regressions" in your AI Supply Chain. The diff command compares your current SBOM against a known baseline JSON.
aisbom diff baseline_sbom.json new_sbom.jsonDrift Analysis Output:
βββββββββββββββββ³βββββββββββ³ββββββββββ³βββββββββββββββββ³ββββββββββββββββββ³βββββββββββββββββ
β Component β Type β Change β Security Risk β Legal Risk β Details β
β‘βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ©
β drift-risk.pt β Modified β DRIFT β LOW -> β - β β
β β β β CRITICAL β β β
β drift-license β Modified β DRIFT β - β UNKNOWN -> β Lic: MIT -> β
β β β β β LEGAL RISK β CC-BY-NC β
β drift-hash.pt β Modified β DRIFT β INTEGRITY FAIL β - β Hash: ... β
βββββββββββββββββ΄βββββββββββ΄ββββββββββ΄βββββββββββββββββ΄ββββββββββββββββββ΄βββββββββββββββββ
It enforces Quality Gates by exiting with code 1 if:
- A new CRITICAL risk is introduced.
- A Component's risk level escalates (e.g., LOW -> CRITICAL).
- Hash Drift: A verified file has been tampered with (Marked as INTEGRITY FAIL).
For high-security environments, switch from "Blocklisting" (looking for malware) to "Allowlisting" (blocking everything unknown).
aisbom scan model.pkl --strictThis will report any import that is not in the safe-list.
Allowed Libraries: torch (and submodules), numpy, collections, typing, datetime, re, pathlib, copy, functools, dataclasses, uuid.
Allowed Builtins: dict, list, set, tuple, int, float, str, bytes, etc., etc.).
- Flags any unknown global import as
CRITICAL.
Prepare your models for the upcoming PyTorch security defaults. PyTorch 2.6+ will default to weights_only=True, which breaks many legacy models.
aisbom scan model.pt --lintThe --lint flag activates the Migration Linter, which statically simulates the unpickling stack to predict runtime failures without executing code.
AIsbom advocates for a two-layer security approach:
- Layer 1 (Pre-Execution): Use
aisbom scan --lintto statically analyze the file structure. This catches 99% of obvious malware and incompatible globals without ever loading the file. - Layer 2 (Runtime Isolation): If you must load a model that uses
REDUCEor unsafe globals (common in legacy files), do not run it on bare metal.- Recommendation: Use Sandboxed Execution (e.g.,
uvx+amazing-sandbox) to contain any potential RCE.
- Recommendation: Use Sandboxed Execution (e.g.,
Tip
Why both? Static analysis is fast but can be tricked by complex obfuscation. Runtime sandboxing is secure but slow. Together, they provide speed and safety.
It detects:
- Custom Class Imports: Objects that are not in the PyTorch default allowlist.
- Unsafe Globals: Usage of
posix.systemor other unsafe modules.
Output:
π‘οΈ Migration Readiness (weights_only=True)
ββββββββββββββββββ³ββββββββββββββββββββββββββββββββ³βββββββββββββββββββββββββββββββββββββββββ
β File β Issue β Recommendation β
β‘ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ©
β mock_broken.pt β Custom Class Import Detected: β Module 'aisbom' is not in PyTorch β
β β aisbom.mock.Layer β default allowlist. Use β
β β β `torch.serialization.add_safe_globals` β
β β β . β
ββββββββββββββββββ΄ββββββββββββββββββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββββββ
Generate a GitHub-flavored Markdown report suitable for Pull Request comments.
aisbom scan . --format markdown --output report.mdGenerate SPDX 2.3 Software Bill of Materials.
aisbom scan . --format spdx --output sbom.spdx.jsonAdd AIsbom to your GitHub Actions pipeline.
Behavior: The scanner returns exit code 1 if Critical risks are found, automatically blocking the build/merge.
name: AI Security Scan
on: [pull_request]
jobs:
aisbom-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Scan AI Models
uses: Lab700xOrg/aisbom@v0
with:
directory: '.'Don't like reading JSON? You can visualize your security posture using our offline viewer.
- Run the scan to generate
sbom.json. - Go to aisbom.io/viewer.html.
- Drag and drop your JSON file.
- Get an instant dashboard of risks, license issues, and compliance stats.
Note: The viewer is client-side only. Your SBOM data never leaves your browser.
AI models are not just text files; they are executable programs and IP assets.
- The Security Risk: PyTorch (
.pt) files are Zip archives containing Pickle bytecode. A malicious model can execute arbitrary code (RCE) instantly when loaded. - The Legal Risk: A developer might download a "Non-Commercial" model (CC-BY-NC) and deploy it to production. Since the license is hidden inside the binary header, standard tools miss it.
- The Solution: We look inside. We decompile bytecode and parse internal metadata headers without loading the heavy weights into RAM.
Security tools require trust. We do not distribute malicious binaries.
However, AIsbom includes a built-in generator so you can create safe "mock artifacts" to verify the scanner works.
1. Install:
pip install aisbom-cli2. Generate Test Artifacts: Run this command to create a mock "Pickle Bomb" and a "Restricted License" model in your current folder.
aisbom generate-test-artifactsResult: Files named mock_malware.pt, mock_restricted.safetensors, mock_restricted.gguf, and mock_broken.pt are created.
3. Scan them:
aisbom scan .Result: You will see mock_malware.pt flagged as CRITICAL, legal risks flagged, and if you run with --lint, mock_broken.pt will appear in the Migration Readiness table.
AIsbom uses a static analysis engine to disassemble Python Pickle opcodes. It looks for specific GLOBAL and STACK_GLOBAL instructions that reference dangerous modules:
os/posix(System calls)subprocess(Shell execution)builtins.eval/exec(Dynamic code execution)socket(Network reverse shells)
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}