Your comprehensive inventory for AI agents, models, and APIs.
Pitch

AI-BOM streamlines AI component inventory management by scanning for every AI agent, model, and API in your infrastructure. With one command, it provides a risk-scored inventory, ensuring compliance with regulations like the EU AI Act and addressing the challenges of undocumented AI usage.

Description

AI-BOM: Your Comprehensive AI Bill of Materials

Overview

AI-BOM is a powerful tool designed to identify every AI agent, model, and API present within your infrastructure, addressing the growing necessity for comprehensive AI documentation. In light of EU AI Act (Article 53) mandates and the alarming fact that over 60% of AI usage remains undocumented, AI-BOM plays a crucial role in unveiling hidden AI components, thereby enhancing compliance and security.

Key Features

  • Single Command Setup: Execute a scan with just one command. The tool uses 13 dedicated scanners to generate a risk-scored inventory of AI components, available in multiple output formats.
  • Standards-Compliant: Generates an AI Bill of Materials that meets industry standards, ensuring that every AI component is accounted for.
  • Robust Scanning Capabilities: Detects various AI elements including LLM providers, agent frameworks, AI containers, cloud AI services, and more.

Quick Usage Example

To scan your project for AI components, simply run:

```bash
ai-bom scan .
```

This command will produce a detailed report listing all identified AI components.

Sample Commands

  • Generate a CycloneDX SBOM:

```bash
ai-bom scan . -f cyclonedx -o ai-bom.cdx.json
```

  • Validate JSON output:

```bash
ai-bom scan . -f cyclonedx --validate
```

  • Perform a scan and fail CI on critical findings:

```bash
ai-bom scan . --fail-on critical --quiet
```
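
One way to act on the CycloneDX file written by the first command is to compare its components against an approved inventory and flag anything undocumented. This is an added example, not AI-BOM's own code; it assumes the output is standard CycloneDX JSON with a top-level `components` array, and the sample BOM and the `APPROVED` set are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like a minimal CycloneDX JSON document (not real ai-bom output).
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "langchain", "version": "0.3.0"},
    {"type": "machine-learning-model", "name": "gpt-4o"},
    {"type": "application", "name": "ollama",
     "components": [{"type": "machine-learning-model", "name": "llama3"}]}
  ]
}
""")

# Hypothetical approved inventory as (type, lowercase name) pairs.
APPROVED = {("library", "langchain"), ("machine-learning-model", "gpt-4o"),
            ("application", "ollama")}


def iter_components(components):
    """Yield every component, including ones nested under a parent."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))


def unapproved_components(bom, approved):
    """Return sorted (type, name) pairs present in the BOM but not approved."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    seen = {(c.get("type", ""), c.get("name", "").lower())
            for c in iter_components(bom.get("components"))}
    return sorted(seen - approved)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            bom = json.load(fh)
    else:
        bom = SAMPLE_BOM
    drift = unapproved_components(bom, APPROVED)
    for ctype, name in drift:
        print(f"unapproved AI component: {name} ({ctype})")
    sys.exit(1 if drift else 0)
```

Run with a file path as the only argument to check a real BOM; the exit status is non-zero when any component is missing from the approved set.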


What It Finds

AI-BOM covers a range of categories, finding components such as:

  • LLM Providers (e.g., OpenAI, Anthropic)
  • Agent Frameworks (e.g., LangChain, CrewAI)
  • Model References (e.g., gpt-4o, claude-3-5-sonnet)
  • API Keys (e.g., OpenAI, HuggingFace)
  • AI Containers (e.g., Ollama, NVIDIA Triton)
  • Cloud AI Services (e.g., AWS Bedrock, Azure OpenAI)
  • Jupyter Notebook dependencies

Feedback and Integration

The tool seamlessly integrates with continuous integration/continuous deployment (CI/CD) environments, ensuring that AI components are consistently monitored and that deployments do not introduce undocumented risks. For example, when integrated with GitHub Actions, you can automate scans and validate results effectively:

```yaml
name: AI-BOM Scan
on: [push, pull_request]
permissions:
  security-events: write
  contents: read

jobs:
  ai-bom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Scan for AI components
        # @main is a mutable branch ref; pinning to a full commit SHA keeps the scanner version fixed
        uses: trusera/ai-bom@main
        with:
          format: sarif
          output: ai-bom-results.sarif
          fail-on: critical
          scan-level: deep
```

Summary

By using AI-BOM, organizations can ensure the visibility and accountability of their AI components, enhancing compliance with emerging AI regulations while securing their operational infrastructure against potential vulnerabilities. For a more detailed guide, visit the official documentation of AI-BOM.
