ai-bom  by Trusera

Discover and inventory AI components across your infrastructure

Created 5 months ago
281 stars

Top 92.5% on SourcePulse

GitHubView on GitHub
Project Summary

Summary

AI-BOM addresses the critical need for discovering and inventorying AI components within software infrastructure, driven by regulations like the EU AI Act and the prevalence of "Shadow AI." It provides developers and security teams with a comprehensive, standards-compliant AI Bill of Materials (SBOM) for security reviews and compliance.

How It Works

A single command (ai-bom scan .) triggers 13 specialized scanners to detect LLM providers, agent frameworks, model references, API keys, AI containers, and cloud AI services across source code, Docker, network, and cloud IaC. Outputs include CycloneDX SBOMs, SARIF, HTML dashboards, and terminal tables. The engine prioritizes speed and cross-language support via regex-based detection and auto-registering scanners.

Quick Start & Requirements

  • Installation: Recommended: pipx install ai-bom. Alternatives: Python venv or Docker (docker run --rm -v $(pwd):/scan ghcr.io/trusera/ai-bom scan /scan).
  • Prerequisites: Python 3.x. pipx or venv advised for modern OS environments to bypass system-level pip restrictions. Docker requires a running daemon. Cloud scanning (ai-bom[aws]) needs extra dependencies and permissions.
  • Links: Official documentation is available within the repository's docs/ directory. CI/CD examples are provided in .github/workflows/ and templates/gitlab-ci-ai-bom.yml.

Highlighted Details

  • AI Component Detection: Identifies over 25 AI SDKs across major languages (Python, JS, etc.), including LLM providers, agent frameworks, model references, API keys, AI containers, cloud AI services, n8n AI nodes, and MCP servers.
  • Standards-Compliant Output: Generates CycloneDX 1.6 and SPDX 3.0 SBOMs, SARIF 2.1.0 for security scanning, and provides shareable HTML dashboards.
  • LLM Enrichment & Callable Models: Supports optional LLM enrichment for detailed model identification and can transform scan results into callable Python objects for red-teaming and evaluation tools like Giskard.
  • CI/CD & Policy Enforcement: Offers seamless integration with GitHub Actions and GitLab CI, with options for policy enforcement via CLI flags (--fail-on) or fine-grained Cedar policies.
  • Developer Tooling: Includes a VS Code extension for inline diagnostics and an n8n Community Node for direct workflow scanning within n8n.
  • Standalone SDK Mode: SDKs function without a Trusera account, enabling local policy enforcement and event logging.

Maintenance & Community

Developed by Trusera as the open-source foundation for their commercial platform. Active development is indicated by tagged releases and contribution guidelines. Specific community channels (e.g., Discord, Slack) or individual contributor details are not explicitly listed in the README.

Licensing & Compatibility

AI-BOM is released under the permissive Apache License 2.0. This license allows for broad compatibility with commercial use and integration into closed-source projects without significant copyleft restrictions.

Limitations & Caveats

Deeper scanning capabilities (Docker, network, cloud infrastructure, live cloud services) require additional installations, cloud credentials, and permissions. LLM enrichment necessitates API keys for external services or local model setups. The standalone SDK mode lacks the centralized dashboard, collaboration features, and advanced analytics found in the Trusera platform. Performance benchmarks and potential bus factors are not detailed in the README.

Health Check
Last Commit

1 month ago

Responsiveness

Inactive

Pull Requests (30d)
0
Issues (30d)
0
Star History
27 stars in the last 30 days

Explore Similar Projects

Starred by John Mullan John Mullan(MTS at xAI; Cofounder of Hotshot AI), Thomas Wolf Thomas Wolf(Cofounder of Hugging Face), and
24 more.

n8n by n8n-io

0.5%
196k
AI agent and workflow automation platform
Created 7 years ago
Updated 1 day ago
Feedback? Help us improve.