Local AI/ML bill-of-materials generator
Project description
AI-BOM Generator
AI-BOM Generator is a small Python 3.12 CLI and GitHub Action for producing an AI/ML bill of materials from a local model project directory.
It records declared model metadata, in-root MODEL_CARD.md paths, model or
checkpoint digests, training-code references, dependency lockfiles, dataset
references, prompt templates, and eval artifact references, then exports
CycloneDX JSON 1.7 or an SPDX 3.0.1 AI Profile preview.
It is an evidence reporter. It is not a model registry, vulnerability scanner, legal compliance engine, dataset auditor, or AI governance platform.
Install
py -3.12 -m pip install ai-bom-generator
ai-bom --version
ai-bom --help
With uv, you can run the published package without installing it into the
current environment:
uv run --python 3.12 --with ai-bom-generator ai-bom --version
uv run --python 3.12 --with ai-bom-generator ai-bom --help
Quickstart
Clone the repository so the bundled minimal model project is available:
git clone https://github.com/0disoft/ai-bom-generator.git
cd ai-bom-generator
uv sync --locked
$out = Join-Path ([System.IO.Path]::GetTempPath()) ("ai-bom-example-" + [System.Guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $out | Out-Null
uv run --python 3.12 ai-bom generate examples/minimal-model-project --format cyclonedx-json-1.7 --output (Join-Path $out "bom.cdx.json") --warning-report (Join-Path $out "warnings.json") --summary (Join-Path $out "summary.json")
Get-ChildItem -LiteralPath $out
Expected files:
bom.cdx.json
summary.json
summary.json.manifest.json
warnings.json
For the bundled minimal project, summary.json reports
"status": "success", "completeness_status": "complete",
"artifact_count": 1, and "warning_count": 0.
The command writes:
bom.cdx.json: CycloneDX JSON 1.7 BOM.warnings.json: machine-readable warning report.summary.json: generation status and output summary.summary.json.manifest.json: output-set manifest when the default manifest path is used.
Generated output paths must resolve outside the target model project directory.
Minimal Config
Example aibom.toml:
schema_version = "1"
[output]
format = "cyclonedx-json-1.7"
[model]
name = "minimal-example-model"
version = "0.1.0"
model_card = "MODEL_CARD.md"
license_declared = "NOASSERTION"
[artifacts]
include = ["models/*.safetensors"]
[[dependencies]]
path = "requirements.lock"
type = "pip"
[[datasets]]
name = "minimal-example-dataset"
license_declared = "NOASSERTION"
When --config is omitted, the CLI reads aibom.toml from the target model
directory if that file exists. It does not search parent directories or alternate
filenames. Artifact discovery defaults are opt-in with
[artifacts].discovery = true. The spdx-ai export format is available as a
partial SPDX 3.0.1 AI Profile preview; it explicitly marks unavailable SPDX AI
fields instead of inventing missing metadata. GitHub Marketplace registration is
deferred.
CLI
ai-bom --version
ai-bom generate <model-directory> [--config <path>] --format <cyclonedx-json-1.7|spdx-ai> --output <bom.json> --warning-report <warnings.json> --summary <summary.json> [--manifest <manifest.json>]
Missing optional metadata is reported as warnings without pretending the BOM is complete. Unreadable required files, invalid config, unsupported exporters, unsafe paths, and invalid generated BOM output fail with non-zero exit codes.
GitHub Action
- uses: actions/checkout@v7
- uses: actions/setup-python@v6
with:
python-version: "3.12"
- uses: astral-sh/setup-uv@v8.3.1
- id: ai-bom
uses: 0disoft/ai-bom-generator@v0
with:
model-directory: .
warnings: allow
- name: Verify AI-BOM outputs
shell: bash
run: |
set -euo pipefail
test -s "${{ steps.ai-bom.outputs.bom-path }}"
test -s "${{ steps.ai-bom.outputs.warning-report-path }}"
test -s "${{ steps.ai-bom.outputs.summary-path }}"
test "${{ steps.ai-bom.outputs.status }}" = "success"
The action invokes the packaged CLI with uv run --project, so consuming
workflows must make Python 3.12 and uv available before this action runs.
The current v0 contract intentionally keeps Python and uv setup
caller-managed instead of installing toolchains inside the action.
When format or warnings inputs are omitted, the action lets the CLI use the
discovered or explicit config values and CLI defaults. Generated files are
written to explicit paths when provided, or to a run-unique directory under
RUNNER_TEMP.
Summary-derived action outputs are published only when the generation manifest matches the BOM, warning report, and summary files from the current run.
Use @v0 for compatible patch updates, or pin the immutable @v0.1.4 tag
when a workflow needs exact release reproducibility.
Validation
Local validation source of truth is VALIDATION.md.
uv sync --locked
uv run --python 3.12 python -m compileall -q src tests scripts
uv run --python 3.12 ruff check src tests scripts
uv run --python 3.12 python -m unittest discover -s tests -v
uv build
uv run --python 3.12 python scripts/verify_wheel.py dist
uv run --python 3.12 python scripts/verify_github_action.py
Post-release verification:
$env:RELEASE_VERSION = "0.1.4"
$env:PUBLISH_RUN_ID = "<successful-publish-run-id>"
uv run --python 3.12 python scripts/verify_release.py --version $env:RELEASE_VERSION --publish-run-id $env:PUBLISH_RUN_ID
Project Docs
License
Apache-2.0.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ai_bom_generator-0.1.4.tar.gz.
File metadata
- Download URL: ai_bom_generator-0.1.4.tar.gz
- Upload date:
- Size: 100.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d3a97452b04bc7ef40dde9f2e6f441b83d1e984a241e68399ead2aa94fcc41d0
|
|
| MD5 |
b6dfd8b8d0213c574cc2a84b073c7037
|
|
| BLAKE2b-256 |
e7dfbb745c97f101372e129f45e25f7e81955fecfad7701e9958d9a903073794
|
Provenance
The following attestation bundles were made for ai_bom_generator-0.1.4.tar.gz:
Publisher:
publish-pypi.yml on 0disoft/ai-bom-generator
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ai_bom_generator-0.1.4.tar.gz -
Subject digest:
d3a97452b04bc7ef40dde9f2e6f441b83d1e984a241e68399ead2aa94fcc41d0 - Sigstore transparency entry: 2138081782
- Sigstore integration time:
-
Permalink:
0disoft/ai-bom-generator@bfe8b823acb3e8c2e6980444bd489c0e47734aae -
Branch / Tag:
refs/tags/v0.1.4 - Owner: https://github.com/0disoft
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-pypi.yml@bfe8b823acb3e8c2e6980444bd489c0e47734aae -
Trigger Event:
push
-
Statement type:
File details
Details for the file ai_bom_generator-0.1.4-py3-none-any.whl.
File metadata
- Download URL: ai_bom_generator-0.1.4-py3-none-any.whl
- Upload date:
- Size: 97.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e56d51c4268ad4fe233c94e8a9770eebabf00a27c8a25fedad1177d8121bb766
|
|
| MD5 |
9f3ce30941d9d3cc06478c01cac618ef
|
|
| BLAKE2b-256 |
9bb8078da99e9b00cdba3a7212a1c2a91147f75c5605cf0a3476a529a403682c
|
Provenance
The following attestation bundles were made for ai_bom_generator-0.1.4-py3-none-any.whl:
Publisher:
publish-pypi.yml on 0disoft/ai-bom-generator
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ai_bom_generator-0.1.4-py3-none-any.whl -
Subject digest:
e56d51c4268ad4fe233c94e8a9770eebabf00a27c8a25fedad1177d8121bb766 - Sigstore transparency entry: 2138081785
- Sigstore integration time:
-
Permalink:
0disoft/ai-bom-generator@bfe8b823acb3e8c2e6980444bd489c0e47734aae -
Branch / Tag:
refs/tags/v0.1.4 - Owner: https://github.com/0disoft
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-pypi.yml@bfe8b823acb3e8c2e6980444bd489c0e47734aae -
Trigger Event:
push
-
Statement type: