Merge branch 'main' into feat/add-qwen-grok-deepseek-support

Author: Joy-In-Code

.github/workflows/ai-bom-scan.yml

@@ -0,0 +1,137 @@
+name: AI-BOM Scan (PR)
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  ai-bom:
+    runs-on: ubuntu-latest
+
+    env:
+      AIBOM_JSON: aibom.json
+      SUMMARY_JSON: aibom-summary.json
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      # Use the official AI-BOM GitHub Action (faster than pip install)
+      - name: Run AI-BOM scan (AIBOM JSON)
+        id: scan
+        uses: trusera/ai-bom@v3
+        continue-on-error: true
+        with:
+          path: "."
+          format: "aibom"
+          output: "${{ env.AIBOM_JSON }}"
+          # Native policy gate (requested by reviewer)
+          fail-on: "high"
+
+      # Python only for building summary + PR comment
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Build summary (pass/fail + counts)
+        run: |
+          python - <<'PY'
+          import json, os
+
+          aibom_path = os.environ["AIBOM_JSON"]
+          out_path = os.environ["SUMMARY_JSON"]
+          scan_status = os.environ.get("SCAN_STATUS", "PASS")
+
+          components = []
+
+          try:
+            with open(aibom_path, "r", encoding="utf-8") as f:
+              data = json.load(f)
+
+            # Best-effort component extraction across likely schemas
+            if isinstance(data, dict):
+              components = data.get("components") or data.get("aiComponents") or []
+              if not isinstance(components, list):
+                components = []
+              if not components and isinstance(data.get("results"), dict):
+                components = data["results"].get("components") or data["results"].get("aiComponents") or []
+                if not isinstance(components, list):
+                  components = []
+
+          except FileNotFoundError:
+            # Scan step may fail before producing output.
+            components = []
+
+          summary = {
+            "status": scan_status,
+            "components_found": len(components),
+            "policy_gate": "fail-on: high",
+            "artifact_generated": os.path.exists(aibom_path),
+          }
+
+          with open(out_path, "w", encoding="utf-8") as f:
+            json.dump(summary, f, indent=2)
+
+          print(json.dumps(summary, indent=2))
+          PY
+        env:
+          SCAN_STATUS: ${{ steps.scan.outcome == 'success' && 'PASS' || 'FAIL' }}
+
+      - name: Upload AIBOM JSON artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ai-bom-results
+          path: |
+            ${{ env.AIBOM_JSON }}
+            ${{ env.SUMMARY_JSON }}
+          if-no-files-found: warn
+
+      - name: Create PR comment body
+        id: comment
+        run: |
+          python - <<'PY'
+          import json, os
+
+          with open(os.environ["SUMMARY_JSON"], "r", encoding="utf-8") as f:
+            s = json.load(f)
+
+          status = s["status"]
+          emoji = "✅" if status == "PASS" else "❌"
+
+          if s.get("artifact_generated"):
+            artifact_note = f"Artifact uploaded: `{os.environ['AIBOM_JSON']}`"
+          else:
+            artifact_note = "Artifact not generated (scan may have failed before producing output)."
+
+          body = f"""### {emoji} AI-BOM Scan Result: **{status}**
+
+          - **Components found:** {s["components_found"]}
+          - **Policy gate:** {s["policy_gate"]}
+
+          {artifact_note}
+          """
+
+          with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as f:
+            f.write("body<<EOF\n")
+            f.write(body)
+            f.write("\nEOF\n")
+          PY
+
+      - name: Post PR comment
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body: ${{ steps.comment.outputs.body }}
+          edit-mode: replace
+
+      # Enforce failure after comment + artifacts (so reviewers still see output)
+      - name: Fail if policy gate failed
+        if: steps.scan.outcome != 'success'
+        run: |
+          echo "AI-BOM policy gate failed (fail-on: high)."
+          exit 1
+          

.github/workflows/auto-release.yml

@@ -239,7 +239,7 @@ jobs:
           eval "$BUMP_SCRIPT"
           bump_version 'trusera-sdk-go/v*' 'trusera-sdk-go/v' 'trusera-sdk-go/'
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         if: steps.bump.outputs.skip != 'true'
         with: { go-version: "1.21" }
 

README.md

@@ -1,4 +1,7 @@
 <div align="center">
+<a href="https://github.com/trusera/ai-bom/actions/workflows/ai-bom-scan.yml">
+  <img src="https://github.com/trusera/ai-bom/actions/workflows/ai-bom-scan.yml/badge.svg" alt="AI-BOM Scan" />
+</a>
   <img src="https://raw.githubusercontent.com/Trusera/ai-bom/main/assets/logo.png" alt="AI-BOM Logo" width="120" />
   <br /><br />
   <h1>AI-BOM</h1>
@@ -17,7 +20,7 @@
   <a href="#agent-sdks">SDKs</a>&ensp;&middot;&ensp;
   <a href="#n8n-community-node">n8n Node</a>&ensp;&middot;&ensp;
   <a href="#cicd-integration">CI/CD</a>&ensp;&middot;&ensp;
-  <a href="#comparison">Compare</a>&ensp;&middot;&ensp;
+  <a href="docs/comparison.md">Compare</a>&ensp;&middot;&ensp;
   <a href="#architecture">Docs</a>
 </div>
 
@@ -59,8 +62,6 @@ ai-bom scan . -f sarif -o results.sarif
 # Fail CI on critical findings
 ai-bom scan . --fail-on critical --quiet
 
-
-
 <details>
 <summary>Alternative: Install in a virtual environment</summary>
 
@@ -284,8 +285,6 @@ Scan all your n8n workflows for AI security risks — directly inside n8n. One n
 3. Activate the workflow
 4. Visit `http://your-n8n-url/webhook/trusera`
 
-
-
 That's it. The node fetches all workflows, scans them, and serves an interactive HTML dashboard.
 
 ### Included Nodes
@@ -309,6 +308,7 @@ That's it. The node fetches all workflows, scans them, and serves an interactive
 - Optional password protection (AES-256-GCM encrypted, client-side decryption)
 
 ---
+> Looking for AI-BOM ecosystem comparisons? See [AI-BOM Tool Comparison](docs/comparison.md).
 
 ## Comparison
 

docs/comparison.md

@@ -0,0 +1,51 @@
+# AI-BOM Tool Comparison
+
+This document compares **ai-bom** with other AI Bill of Materials tools currently available in the ecosystem.
+
+The goal is to help users understand feature differences and choose the right tool for their workflow.
+
+---
+
+## Feature Comparison
+
+| Feature | ai-bom | Cisco AIBOM | Snyk AIBOM |
+|--------|--------|-------------|-----------|
+| License | Apache 2.0 | Apache 2.0 | Proprietary |
+| Open Source | Yes | Yes | No |
+| Scanners | 13+ (code, cloud, Docker, GitHub Actions, Jupyter, MCP, n8n, etc.) | 1 (Python-focused) | Unknown |
+| Output Formats | 9 (Table, JSON, SARIF, SPDX, CycloneDX, CSV, HTML, Markdown, JUnit) | JSON, CSV | Unknown |
+| CI/CD Integration | GitHub Action, GitLab CI | No | Yes |
+| LLM Enrichment | No | Yes | Early access / limited preview |
+| n8n Scanning | Yes | No | No |
+| MCP / A2A Detection | Yes | No | No |
+| Agent Framework Detection | LangChain, CrewAI, AutoGen, LlamaIndex, Semantic Kernel | Limited | Unknown |
+| Binary Model Detection | Yes (.onnx, .pt, .safetensors, etc.) | No | Unknown |
+| Policy Enforcement | Cedar policy gate | No | Yes |
+| Best For | Multi-framework projects needing multiple formats | Python projects needing LLM enrichment | Existing Snyk customers |
+
+---
+
+## Notes
+
+### ai-bom
+
+- Open-source AI Bill of Materials scanner focused on discovering AI/LLM usage across codebases and infrastructure.
+- Supports multiple scanners, formats, and compliance mappings (OWASP Agentic Top 10, EU AI Act).
+- Designed for developer workflows with CLI, CI/CD, and dashboard support.
+
+### Cisco AIBOM
+
+- Open-source tool focused primarily on Python projects.
+- Uses LLM-based enrichment to extract model usage.
+- Limited scanner coverage and output formats compared to ai-bom.
+
+### Snyk AIBOM
+
+- Proprietary feature integrated into the Snyk platform.
+- Currently in early access / limited preview.
+- Provides CI/CD integration.
+- Public documentation on supported scanners and formats is limited.
+
+---
+
+_Last updated: 2026_