Skip to main content

Local AI/ML bill-of-materials generator

Project description

AI-BOM Generator

PyPI CI Release License

AI-BOM Generator is a small Python 3.12 CLI and GitHub Action for producing an AI/ML bill of materials from a local model project directory.

It records declared model metadata, in-root MODEL_CARD.md paths, model or checkpoint digests, training-code references, dependency lockfiles, dataset references, prompt templates, and eval artifact references, then exports CycloneDX JSON 1.7 or an SPDX 3.0.1 AI Profile preview.

It is an evidence reporter. It is not a model registry, vulnerability scanner, legal compliance engine, dataset auditor, or AI governance platform.

Install

py -3.12 -m pip install ai-bom-generator
ai-bom --version
ai-bom --help

With uv, you can run the published package without installing it into the current environment:

uv run --python 3.12 --with ai-bom-generator ai-bom --version
uv run --python 3.12 --with ai-bom-generator ai-bom --help

Quickstart

Clone the repository so the bundled minimal model project is available:

git clone https://github.com/0disoft/ai-bom-generator.git
cd ai-bom-generator
uv sync --locked
$out = Join-Path ([System.IO.Path]::GetTempPath()) ("ai-bom-example-" + [System.Guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $out | Out-Null
uv run --python 3.12 ai-bom generate examples/minimal-model-project --format cyclonedx-json-1.7 --output (Join-Path $out "bom.cdx.json") --warning-report (Join-Path $out "warnings.json") --summary (Join-Path $out "summary.json")
Get-ChildItem -LiteralPath $out

Expected files:

bom.cdx.json
summary.json
summary.json.manifest.json
warnings.json

For the bundled minimal project, summary.json reports "status": "success", "completeness_status": "complete", "artifact_count": 1, and "warning_count": 0.

The command writes:

  • bom.cdx.json: CycloneDX JSON 1.7 BOM.
  • warnings.json: machine-readable warning report.
  • summary.json: generation status and output summary.
  • summary.json.manifest.json: output-set manifest when the default manifest path is used.

Generated output paths must resolve outside the target model project directory.

Minimal Config

Example aibom.toml:

schema_version = "1"

[output]
format = "cyclonedx-json-1.7"

[model]
name = "minimal-example-model"
version = "0.1.0"
model_card = "MODEL_CARD.md"
license_declared = "NOASSERTION"

[artifacts]
include = ["models/*.safetensors"]

[[dependencies]]
path = "requirements.lock"
type = "pip"

[[datasets]]
name = "minimal-example-dataset"
license_declared = "NOASSERTION"

When --config is omitted, the CLI reads aibom.toml from the target model directory if that file exists. It does not search parent directories or alternate filenames. Artifact discovery defaults are opt-in with [artifacts].discovery = true. The spdx-ai export format is available as a partial SPDX 3.0.1 AI Profile preview; it explicitly marks unavailable SPDX AI fields instead of inventing missing metadata. GitHub Marketplace registration is deferred.

CLI

ai-bom --version
ai-bom generate <model-directory> [--config <path>] --format <cyclonedx-json-1.7|spdx-ai> --output <bom.json> --warning-report <warnings.json> --summary <summary.json> [--manifest <manifest.json>]

Missing optional metadata is reported as warnings without pretending the BOM is complete. Unreadable required files, invalid config, unsupported exporters, unsafe paths, and invalid generated BOM output fail with non-zero exit codes.

GitHub Action

- uses: actions/checkout@v7

- uses: actions/setup-python@v6
  with:
    python-version: "3.12"

- uses: astral-sh/setup-uv@v8.3.1

- id: ai-bom
  uses: 0disoft/ai-bom-generator@v0
  with:
    model-directory: .
    warnings: allow

- name: Verify AI-BOM outputs
  shell: bash
  run: |
    set -euo pipefail
    test -s "${{ steps.ai-bom.outputs.bom-path }}"
    test -s "${{ steps.ai-bom.outputs.warning-report-path }}"
    test -s "${{ steps.ai-bom.outputs.summary-path }}"
    test "${{ steps.ai-bom.outputs.status }}" = "success"

The action invokes the packaged CLI with uv run --project, so consuming workflows must make Python 3.12 and uv available before this action runs. The current v0 contract intentionally keeps Python and uv setup caller-managed instead of installing toolchains inside the action. When format or warnings inputs are omitted, the action lets the CLI use the discovered or explicit config values and CLI defaults. Generated files are written to explicit paths when provided, or to a run-unique directory under RUNNER_TEMP.

Summary-derived action outputs are published only when the generation manifest matches the BOM, warning report, and summary files from the current run.

Use @v0 for compatible patch updates, or pin the immutable @v0.1.4 tag when a workflow needs exact release reproducibility.

Validation

Local validation source of truth is VALIDATION.md.

uv sync --locked
uv run --python 3.12 python -m compileall -q src tests scripts
uv run --python 3.12 ruff check src tests scripts
uv run --python 3.12 python -m unittest discover -s tests -v
uv build
uv run --python 3.12 python scripts/verify_wheel.py dist
uv run --python 3.12 python scripts/verify_github_action.py

Post-release verification:

$env:RELEASE_VERSION = "0.1.4"
$env:PUBLISH_RUN_ID = "<successful-publish-run-id>"
uv run --python 3.12 python scripts/verify_release.py --version $env:RELEASE_VERSION --publish-run-id $env:PUBLISH_RUN_ID

Project Docs

License

Apache-2.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ai_bom_generator-0.1.4.tar.gz (100.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ai_bom_generator-0.1.4-py3-none-any.whl (97.4 kB view details)

Uploaded Python 3

File details

Details for the file ai_bom_generator-0.1.4.tar.gz.

File metadata

  • Download URL: ai_bom_generator-0.1.4.tar.gz
  • Upload date:
  • Size: 100.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ai_bom_generator-0.1.4.tar.gz
Algorithm Hash digest
SHA256 d3a97452b04bc7ef40dde9f2e6f441b83d1e984a241e68399ead2aa94fcc41d0
MD5 b6dfd8b8d0213c574cc2a84b073c7037
BLAKE2b-256 e7dfbb745c97f101372e129f45e25f7e81955fecfad7701e9958d9a903073794

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_bom_generator-0.1.4.tar.gz:

Publisher: publish-pypi.yml on 0disoft/ai-bom-generator

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ai_bom_generator-0.1.4-py3-none-any.whl.

File metadata

File hashes

Hashes for ai_bom_generator-0.1.4-py3-none-any.whl
Algorithm Hash digest
SHA256 e56d51c4268ad4fe233c94e8a9770eebabf00a27c8a25fedad1177d8121bb766
MD5 9f3ce30941d9d3cc06478c01cac618ef
BLAKE2b-256 9bb8078da99e9b00cdba3a7212a1c2a91147f75c5605cf0a3476a529a403682c

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_bom_generator-0.1.4-py3-none-any.whl:

Publisher: publish-pypi.yml on 0disoft/ai-bom-generator

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page