Releases: Trusera/ai-bom

AI-BOM v3.1.0 — JSON Flag, CycloneDX Summary, Docker Docs

12 Feb 18:28

What's New

Features

  • --json / -j CLI flag — shorthand for --format json for easy piping to jq (#6)
  • CycloneDX scan summary — metadata.properties now includes total_components, severity counts, and scan_duration_seconds (#8)
  • Docker usage in README — run ai-bom via ghcr.io/trusera/ai-bom container (#9)

Bug Fixes

  • CI/CD policy gate — scoped to src/ to avoid false positives from demo/test API keys
  • CodeQL action — upgraded from v3 to v4 (v3 deprecated Dec 2026)

Already Implemented (closed)

  • Anthropic Claude API key detection (sk-ant-*) — was already in v3.0.0 (#5)
  • Google Gemini & Cohere model detection — was already in v3.0.0 (#7)
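An added example (not ai-bom's own code) of the scoping idea behind the policy-gate fix: key-shaped strings are found everywhere, but only those under src/ block the build. The prefixes come from these release notes; the function names, the key body lengths and character classes, and the sample repository are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Prefixes are the ones named in these release notes; the body length and
# character class after each prefix are assumptions made for this example.
KEY_PATTERNS = {
    "anthropic": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "groq": re.compile(r"\bgsk_[A-Za-z0-9]{20,}"),
    "perplexity": re.compile(r"\bpplx-[A-Za-z0-9]{20,}"),
}

def find_keys(files):
    """Return (path, line_no, provider) for every key-shaped string."""
    hits = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for provider, pattern in KEY_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path, line_no, provider))
    return hits

def in_scope(path, root="src"):
    """True when the path lies under the gated directory.

    Compares the first path component, so "srcdocs/" is not treated as "src/".
    """
    parts = PurePosixPath(path).parts
    return bool(parts) and parts[0] == root

def policy_gate(files, root="src"):
    """Split findings into gate-blocking ones and those reported only."""
    hits = find_keys(files)
    blocking = [h for h in hits if in_scope(h[0], root)]
    reported = [h for h in hits if not in_scope(h[0], root)]
    return blocking, reported

# Constructed repository contents; every key below is a fake placeholder.
SAMPLE_REPO = {
    "src/app/client.py": 'import os\nKEY = "sk-ant-EXAMPLEONLY0000000000000000"\n',
    "src/app/safe.py": 'KEY = os.environ["ANTHROPIC_API_KEY"]\n',
    "demo/quickstart.py": 'key = "gsk_EXAMPLEONLY000000000000000"\n',
    "tests/fixtures/env.txt": "PPLX=pplx-EXAMPLEONLY000000000000000\n",
    "srcdocs/notes.md": "sk-ant-EXAMPLEONLY0000000000000000\n",
}

if __name__ == "__main__":
    blocking, reported = policy_gate(SAMPLE_REPO)
    print("blocking:", blocking)
    print("reported only:", reported)
```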

Full Changelog: v3.0.0...v3.1.0

AI-BOM v3.0.0 — 13 Scanners, Compliance, Parallel Scanning

10 Feb 13:09

What's New in v3.0.0

Major upgrade from v2.0 → v3.0 with 8,400+ new lines, 69 files changed, and 523 tests.

New Scanners (4)

  • GitHub Actions Scanner — detects AI-powered actions, Copilot integrations, and API keys in workflow files
  • Jupyter Notebook Scanner — parses .ipynb code cells for AI imports, model loading, and API usage
  • Model File Scanner — detects binary model files (.onnx, .pt, .safetensors, .gguf, .tflite, etc.)
  • MCP Config Scanner — scans MCP server configurations (mcp.json, claude_desktop_config.json, .cursor/mcp.json)

New Reporters (3)

  • CSV Reporter — flat tabular output for spreadsheets and data pipelines
  • JUnit XML Reporter — test-suite format for CI/CD integration (Jenkins, GitLab, etc.)
  • Diff Reporter — compare two scans to show new/removed components and risk changes

Compliance Modules (3)

  • OWASP Agentic Top 10 — maps findings to OWASP ASI risk categories (A01–A10)
  • EU AI Act Checker — flags high-risk AI systems per Annex III, checks Article 52/53 transparency
  • License Compliance — detects restrictive model licenses (CC-BY-NC, GPL on commercial projects)

Performance & DX

  • Parallel scanning: --workers N runs scanners concurrently via ThreadPoolExecutor
  • Incremental cache: --cache only re-scans changed files (SHA-256 hashing)
  • .ai-bomignore — gitignore-style pattern file to exclude paths from scanning
  • Watch mode: ai-bom watch . monitors filesystem for changes and re-scans automatically
  • Scan reliability — UTF-8/latin-1 fallback, symlink cycle detection, binary file detection, 10MB file guard

New CLI Commands

  • ai-bom list-scanners — show all registered scanners
  • ai-bom diff scan1.json scan2.json — compare two scan results
  • ai-bom serve --port 8080 — start FastAPI REST API server
  • ai-bom watch . — file watch mode with live re-scanning

Expanded Detection

  • 6 new dependency parsers: Cargo.toml, go.mod, Gemfile, pom.xml, build.gradle, .csproj
  • New API key patterns: Groq (gsk_), Fireworks (fw_), Perplexity (pplx-), Together AI, Mistral
  • 12 new AI packages across Ruby, .NET, Java, and Go ecosystems

Infrastructure

  • Dockerfile — multi-stage build, published to ghcr.io/trusera/ai-bom
  • MkDocs Material documentation site with 14 pages
  • Makefile with 14 build targets
  • Pre-commit hooks — ruff, trailing whitespace, YAML/JSON/TOML validation
  • Issue & PR templates — bug reports, feature requests, detection pattern submissions
  • ARCHITECTURE.md — scanner registry pattern, data flow, risk scoring docs

Install / Upgrade

pip install ai-bom==3.0.0

# With all optional features
pip install "ai-bom[all]==3.0.0"

# Docker
docker pull ghcr.io/trusera/ai-bom:3.0.0

Stats

Metric                  v2.0   v3.0
Scanners                9      13
Output formats          7      9
Tests                   313    523
Detection patterns      ~60    ~100
Compliance frameworks   0      3

Full Changelog: v0.1.0...v3.0.0

AI-BOM v0.1.0 — AI Bill of Materials Scanner

08 Feb 19:56

AI-BOM v0.1.0

Discover every AI agent, model, and API hiding in your infrastructure.

AI-BOM is a CLI tool and GitHub Action that automatically inventories AI/LLM components across your codebase, containers, cloud resources, and workflow automation platforms.

Highlights

  • 5 Scanners: Code, Docker, Network, Cloud (AWS/Azure/GCP), n8n Workflows
  • AI SDK Detection: OpenAI, Anthropic, Google Gemini, Mistral, LangChain, CrewAI, AutoGen, and 20+ more
  • 5 Output Formats: Table, JSON/CycloneDX 1.6, HTML, Markdown, SARIF
  • Risk Scoring Engine: Multi-factor assessment with severity levels
  • Shadow AI Detection: Finds hardcoded API keys, unmanaged models, and webhook-exposed agents
  • GitHub Action: One-line integration with SARIF upload to Code Scanning

Install

pip install ai-bom

Quick Start

# Scan current directory
ai-bom scan .

# Try the built-in demo
ai-bom demo

# Output as CycloneDX SBOM
ai-bom scan . --format cyclonedx -o ai-bom.cdx.json

GitHub Action

- uses: Trusera/ai-bom@v0.1.0

Results appear in the Security → Code Scanning tab.

Stats

- 124 tests passing across Python 3.10–3.13
- 0 lint errors (ruff E/F/I/W)
- CycloneDX 1.6 spec compliant
- SARIF 2.1.0 spec compliant