Local AI/ML bill-of-materials generator
Project description
AI-BOM Generator
AI-BOM Generator is a small Python 3.12 CLI and GitHub Action for producing an AI/ML bill of materials from a local model project directory.
It records declared model metadata, in-root MODEL_CARD.md paths, model or
checkpoint digests, training-code references, dependency files and parsed
Python packages, dataset references, prompt templates, and eval artifact
references, then exports CycloneDX JSON 1.7 or an SPDX 3.0.1 AI Profile preview.
It is an evidence reporter. It is not a model registry, vulnerability scanner, legal compliance engine, dataset auditor, or AI governance platform.
Install
py -3.12 -m pip install ai-bom-generator
ai-bom --version
ai-bom --help
With uv, you can run the published package without installing it into the
current environment:
uv run --python 3.12 --with ai-bom-generator ai-bom --version
uv run --python 3.12 --with ai-bom-generator ai-bom --help
Quickstart
Clone the repository so the bundled minimal model project is available:
git clone https://github.com/0disoft/ai-bom-generator.git
cd ai-bom-generator
uv sync --locked
$out = Join-Path ([System.IO.Path]::GetTempPath()) ("ai-bom-example-" + [System.Guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $out | Out-Null
uv run --python 3.12 ai-bom generate examples/minimal-model-project --format cyclonedx-json-1.7 --output (Join-Path $out "bom.cdx.json") --warning-report (Join-Path $out "warnings.json") --summary (Join-Path $out "summary.json")
Get-ChildItem -LiteralPath $out
Expected files:
bom.cdx.json
summary.json
summary.json.manifest.json
warnings.json
For the bundled minimal project, summary.json reports
"status": "success", "completeness_status": "complete",
"artifact_count": 1, and "warning_count": 0.
The command writes:
bom.cdx.json: CycloneDX JSON 1.7 BOM.warnings.json: machine-readable warning report.summary.json: generation status and output summary.summary.json.manifest.json: output-set manifest when the default manifest path is used.
Generated output paths must resolve outside the target model project directory.
Minimal Config
Example aibom.toml:
schema_version = "1"
[output]
format = "cyclonedx-json-1.7"
[model]
name = "minimal-example-model"
version = "0.1.0"
model_card = "MODEL_CARD.md"
license_declared = "NOASSERTION"
[artifacts]
include = ["models/*.safetensors"]
[[dependencies]]
path = "requirements.lock"
type = "pip"
[[datasets]]
name = "minimal-example-dataset"
license_declared = "NOASSERTION"
Explicit uv.lock and requirements-file references are parsed locally into
package components by default. Set parse = false on a dependency reference
to keep file-level evidence only. Includes, constraints, editable requirement
directives, resolution, downloads, and automatic lockfile discovery are not
performed.
When --config is omitted, the CLI reads aibom.toml from the target model
directory if that file exists. It does not search parent directories or alternate
filenames. Artifact discovery defaults are opt-in with
[artifacts].discovery = true. The spdx-ai export format is available as a
partial SPDX 3.0.1 AI Profile preview; it explicitly marks unavailable SPDX AI
fields instead of inventing missing metadata. GitHub Marketplace registration is
deferred.
CLI
ai-bom --version
ai-bom generate <model-directory> [--config <path>] --format <cyclonedx-json-1.7|spdx-ai> --output <bom.json> --warning-report <warnings.json> --summary <summary.json> [--manifest <manifest.json>]
Missing optional metadata is reported as warnings without pretending the BOM is complete. Unreadable required files, invalid config, unsupported exporters, unsafe paths, and invalid generated BOM output fail with non-zero exit codes.
GitHub Action
- uses: actions/checkout@v7
- id: ai-bom
uses: 0disoft/ai-bom-generator@v0.2.0
with:
model-directory: .
warnings: allow
- name: Verify AI-BOM outputs
shell: bash
run: |
set -euo pipefail
test -s "${{ steps.ai-bom.outputs.bom-path }}"
test -s "${{ steps.ai-bom.outputs.warning-report-path }}"
test -s "${{ steps.ai-bom.outputs.summary-path }}"
test "${{ steps.ai-bom.outputs.status }}" = "success"
The action prepares Python 3.12 and pinned uv 0.11.28, disables the setup-uv
GitHub cache, and invokes the packaged CLI with uv run --project --locked.
Its virtual environment and uv download cache stay under RUNNER_TEMP; the
caller repository is not used for action runtime state.
When format or warnings inputs are omitted, the action lets the CLI use the
discovered or explicit config values and CLI defaults. Generated files are
written to explicit paths when provided, or to a run-unique directory under
RUNNER_TEMP.
Summary-derived action outputs are published only when the generation manifest matches the BOM, warning report, and summary files from the current run.
Use @v0 for compatible 0.x updates, or pin the immutable @v0.2.0 tag
when a workflow needs exact release reproducibility.
Validation
Local validation source of truth is VALIDATION.md.
uv sync --locked
uv run --python 3.12 python -m compileall -q src tests scripts
uv run --python 3.12 ruff check src tests scripts
uv run --python 3.12 python -m unittest discover -s tests -v
uv build
uv run --python 3.12 python scripts/verify_wheel.py dist
uv run --python 3.12 python scripts/verify_github_action.py
Post-release verification:
$env:RELEASE_VERSION = "0.2.0"
$env:PUBLISH_RUN_ID = "<successful-publish-run-id>"
$env:SMOKE_RUN_ID = "<successful-immutable-action-smoke-run-id>"
uv run --python 3.12 python scripts/verify_release.py --version $env:RELEASE_VERSION --publish-run-id $env:PUBLISH_RUN_ID --smoke-run-id $env:SMOKE_RUN_ID
Project Docs
License
Apache-2.0.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ai_bom_generator-0.2.0.tar.gz.
File metadata
- Download URL: ai_bom_generator-0.2.0.tar.gz
- Upload date:
- Size: 112.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8af409eb1772f632788a0c751e67a6ad3b77e4d79eb11ae8e80372c517b469d7
|
|
| MD5 |
5a4b8c6640d74c7b85303e5801d5482f
|
|
| BLAKE2b-256 |
9c3ffe0c9f6e24feec19b4764960d2fa4c617fd82c8d0b66517f800264b7073c
|
Provenance
The following attestation bundles were made for ai_bom_generator-0.2.0.tar.gz:
Publisher:
publish-pypi.yml on 0disoft/ai-bom-generator
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ai_bom_generator-0.2.0.tar.gz -
Subject digest:
8af409eb1772f632788a0c751e67a6ad3b77e4d79eb11ae8e80372c517b469d7 - Sigstore transparency entry: 2141833011
- Sigstore integration time:
-
Permalink:
0disoft/ai-bom-generator@b114eb468393ca6a5f5189658eead95cf1850eab -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/0disoft
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-pypi.yml@b114eb468393ca6a5f5189658eead95cf1850eab -
Trigger Event:
push
-
Statement type:
File details
Details for the file ai_bom_generator-0.2.0-py3-none-any.whl.
File metadata
- Download URL: ai_bom_generator-0.2.0-py3-none-any.whl
- Upload date:
- Size: 102.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c42e3298d86610bea4b0ed48c2fcbe31303e6c21ada6a64e3d876c198e70c663
|
|
| MD5 |
5f628b96664933a0babdc507e7d2e670
|
|
| BLAKE2b-256 |
41746dbaf7678b4cfe19ffdafdfdadb04d5721d9c45eab57db7327926e634202
|
Provenance
The following attestation bundles were made for ai_bom_generator-0.2.0-py3-none-any.whl:
Publisher:
publish-pypi.yml on 0disoft/ai-bom-generator
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ai_bom_generator-0.2.0-py3-none-any.whl -
Subject digest:
c42e3298d86610bea4b0ed48c2fcbe31303e6c21ada6a64e3d876c198e70c663 - Sigstore transparency entry: 2141833059
- Sigstore integration time:
-
Permalink:
0disoft/ai-bom-generator@b114eb468393ca6a5f5189658eead95cf1850eab -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/0disoft
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-pypi.yml@b114eb468393ca6a5f5189658eead95cf1850eab -
Trigger Event:
push
-
Statement type: