modelscan by protectai

Model scanner for detecting malicious code in ML models

created 2 years ago
535 stars

Top 60.1% on sourcepulse

Project Summary

ModelScan addresses model serialization attacks, in which malicious code is embedded in a model file and executes when the file is deserialized, so that machine learning workflows are protected before a tampered model is ever loaded. It is designed for ML engineers, data scientists, and MLOps professionals who need to secure their model supply chain.

How It Works

ModelScan statically analyzes model files, walking the serialized byte stream and matching it against known unsafe code signatures without executing or deserializing the model. Because the model is never loaded, the scan itself cannot trigger an embedded payload, and it can run before the file reaches a training or inference environment. Detected risks are categorized from CRITICAL down to LOW so that a policy decision about the model can be made from the report.
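To make the static approach concrete, here is an added example (not ModelScan's own code) that walks a pickle's opcode stream with pickletools.genops and flags denylisted imports without ever calling pickle.loads. The denylist, the severity labels, the two constructed payloads and the function names are illustrative assumptions for this page, not ModelScan's configuration or scanner.

```python
"""Static pickle scanning in the spirit of ModelScan (added example, not ModelScan's code)."""
import pickle
import pickletools
import subprocess

# Assumed, illustrative denylist: (module, name) pairs whose appearance in a
# GLOBAL/STACK_GLOBAL opcode means the unpickler will import and, via REDUCE,
# call that object while loading. ModelScan ships its own, larger list.
UNSAFE_GLOBALS = {
    ("os", "system"): "CRITICAL",
    ("posix", "system"): "CRITICAL",   # how os.system pickles on Linux
    ("nt", "system"): "CRITICAL",      # ... and on Windows
    ("subprocess", "Popen"): "CRITICAL",
    ("builtins", "eval"): "CRITICAL",
    ("builtins", "exec"): "CRITICAL",
    ("builtins", "getattr"): "HIGH",   # common gadget for indirect lookups
    ("webbrowser", "open"): "HIGH",
}
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Opcodes that push a string constant; STACK_GLOBAL (protocol 4+) reads its
# module and attribute name from the two most recently pushed strings.
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING",
                  "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle(data: bytes) -> list[dict]:
    """Walk the opcode stream without deserializing anything.

    Returns one finding per denylisted (module, name) import, with the byte
    offset of the opcode that introduces it. Nothing in the file is executed.
    """
    findings = []
    recent_strings = []  # string constants seen so far, feeds STACK_GLOBAL
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
            continue
        if opcode.name == "GLOBAL":          # protocol 0-3: "module name" literal
            module, name = arg.split(" ", 1)
        elif opcode.name == "STACK_GLOBAL":  # protocol 4+: module, name from stack
            if len(recent_strings) < 2:
                continue
            module, name = recent_strings[-2], recent_strings[-1]
            # A full scanner would also simulate the memo so that BINGET
            # references to earlier strings resolve; omitted for brevity.
        else:
            continue
        severity = UNSAFE_GLOBALS.get((module, name))
        if severity:
            findings.append({"severity": severity, "module": module,
                             "name": name, "offset": pos})
    return findings


def verdict(data: bytes) -> str:
    """Summarise a scan as the highest severity found, or "CLEAN"."""
    findings = scan_pickle(data)
    if not findings:
        return "CLEAN"
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index)


# Constructed sample 1: a hand-written protocol 0 pickle that would run
# os.system("echo pwned") on load (GLOBAL os.system, MARK, STRING, TUPLE, REDUCE, STOP).
LEGACY_PAYLOAD = b"cos\nsystem\n(S'echo pwned'\ntR."


class _Payload:
    """Constructed malicious object: its __reduce__ tells the unpickler to call
    subprocess.Popen(["echo", "pwned"]) when the file is loaded."""
    def __reduce__(self):
        return (subprocess.Popen, (["echo", "pwned"],))


# pickle.dumps only serializes; Popen is not called here. Protocol 4 emits STACK_GLOBAL.
MODERN_PAYLOAD = pickle.dumps(_Payload(), protocol=4)

# Constructed benign sample: plain weights and metadata, no imports at all.
BENIGN = pickle.dumps({"layer1.weight": [0.1, -0.2, 0.3], "epoch": 3}, protocol=4)

if __name__ == "__main__":
    for label, blob in [("legacy", LEGACY_PAYLOAD), ("modern", MODERN_PAYLOAD), ("benign", BENIGN)]:
        print(f"{label}: {verdict(blob)} {scan_pickle(blob)}")
```

The scan never touches pickle.loads, so the sample payloads are inspected rather than run; the same design choice is what lets a scanner of this kind sit safely in a CI job. It also shows the inherent limit of signature matching: an import that is not on the denylist produces no finding, so a clean result means "nothing known was found", not "safe".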

Quick Start & Requirements

  • Install via pip: pip install modelscan
  • For TensorFlow or H5 support: pip install 'modelscan[tensorflow, h5py]'
  • Supported Python versions: 3.9 to 3.12.
  • Official documentation: https://github.com/protectai/modelscan

Highlighted Details

  • Supports H5, Pickle, and SavedModel formats.
  • Integrates with PyTorch, TensorFlow, Keras, Sklearn, XGBoost, and more.
  • CLI for ad-hoc scanning and integration into CI/CD pipelines.
  • Flags embedded code that, once the model is loaded, could be used for credential theft, data theft, or model poisoning.

Maintenance & Community

  • Developed by Protect AI.
  • Open to contributions; details available on the Contribution page.

Licensing & Compatibility

  • Licensed under the Apache License, Version 2.0.
  • Permissive license suitable for commercial use and integration into closed-source projects.

Limitations & Caveats

ModelScan is inspired by and extends PickleScan, and it shares the limits of signature-based static analysis: it reports only the unsafe patterns it knows, so a novel or obfuscated payload can pass undetected, and a clean scan is evidence, not proof, that a model is safe to load. Support for new ML frameworks and serialization formats is added over time, so check the current list of supported formats before relying on it for a given artifact type.

Health Check

  • Last commit: 2 weeks ago
  • Responsiveness: 1 week
  • Pull Requests (30d): 8
  • Issues (30d): 1
  • Star History: 59 stars in the last 90 days
