A community wiki for all things AI/ML bill of materials (MLBOM, AIBOM) and transparency into AI/ML models.

Generate xBOMs enriched with AI, SaaS, Crypto and more using Static Code Analysis

Scan codebases for AI SDK usage and map compliance risks to NIST AI RMF, ISO 42001, and EU AI Act

Open security scanner for AI supply chain and infrastructure: agents, MCP, containers, cloud, GPU, and runtime with blast-radius analysis.

Open-source EU AI Act compliance scanner. 51 checks across Articles 9-15. Drop-in trust layers for LangChain, CrewAI, AutoGen, OpenAI. Local-first, no data leaves your machine.

Data and schema powering the worlds largest collection of SBOM/xBOM products, projects, and services

The industry-standard Agentic Identity & Inventory Scanner. Automatically inventory autonomous agents (LangChain, AutoGen, CrewAI, PydanticAI) using static analysis, network heuristics, and eBPF. Foundational tool for AIBOM compliance and AgentOps governance.

An AI-BOM visual viewer

Go CLI tool that scans a repository for Hugging Face model usage and emits a CycloneDX AI/ML Bill of Materials.

Policy-as-Code guardrails for ML and LLM systems: OPA/Kyverno policies, compliance mappings, signed bundles, evidence trails, and plugin index.

AI Agent Scanner - A standalone AI Agent scanner that can discover agent repos, configuration, system prompts, classify risk and produce compliance-ready reports

THIS IS H A K C I N G Q U A L I T Y

Automated transparency, woven from the ground up. SBOM generation for Python & AI projects. Extract metadata from GGUF, ONNX, PyTorch, and Safetensors models with native Hatchling build-hook support.

Example Template created from https://github.com/haKC-ai/hakcai_secure_repo_template_creator

AIBOM policy-as-code engine — deny risky combinations of models, tools, and data. OPA-style policy rules for AI supply chain governance. Enforce model pinning, tool approvals, and provider restrictions.

Runtime AIBOM emitter — generate AI Bills of Materials from what actually ran. Combines static inventory with runtime OTel trace evidence: models, tools, endpoints, versions. CycloneDX-compatible output.

An AI-BOM goof project for Snyk AI-BOM cli

Tamper-evident policy files for AI agent governance and regulatory compliance. Hash-chained Ed25519 signatures, K-of-N multisig, post-quantum hybrid (ML-DSA-65), SLSA provenance, OCI packaging. The gate your AI agent can't bypass.

AI-BOM emitter — sign and verify SPDX-AI provenance for AI-assisted code