Skip to main content

Local AI/ML bill-of-materials generator

Project description

AI-BOM Generator

PyPI CI Release License

AI-BOM Generator is a small Python 3.12 CLI and GitHub Action for producing an AI/ML bill of materials from a local model project directory.

It records declared model metadata, in-root MODEL_CARD.md paths, model or checkpoint digests, training-code references, dependency files and parsed Python packages, dataset references, prompt templates, and eval artifact references, then exports CycloneDX JSON 1.7 or an SPDX 3.0.1 AI Profile preview.

It is an evidence reporter. It is not a model registry, vulnerability scanner, legal compliance engine, dataset auditor, or AI governance platform.

Install

py -3.12 -m pip install ai-bom-generator
ai-bom --version
ai-bom --help

With uv, you can run the published package without installing it into the current environment:

uv run --python 3.12 --with ai-bom-generator ai-bom --version
uv run --python 3.12 --with ai-bom-generator ai-bom --help

Quickstart

Clone the repository so the bundled minimal model project is available:

git clone https://github.com/0disoft/ai-bom-generator.git
cd ai-bom-generator
uv sync --locked
$out = Join-Path ([System.IO.Path]::GetTempPath()) ("ai-bom-example-" + [System.Guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $out | Out-Null
uv run --python 3.12 ai-bom generate examples/minimal-model-project --format cyclonedx-json-1.7 --output (Join-Path $out "bom.cdx.json") --warning-report (Join-Path $out "warnings.json") --summary (Join-Path $out "summary.json")
Get-ChildItem -LiteralPath $out

Expected files:

bom.cdx.json
summary.json
summary.json.manifest.json
warnings.json

For the bundled minimal project, summary.json reports "status": "success", "completeness_status": "complete", "artifact_count": 1, and "warning_count": 0.

The command writes:

  • bom.cdx.json: CycloneDX JSON 1.7 BOM.
  • warnings.json: machine-readable warning report.
  • summary.json: generation status and output summary.
  • summary.json.manifest.json: output-set manifest when the default manifest path is used.

Generated output paths must resolve outside the target model project directory.

Minimal Config

Example aibom.toml:

schema_version = "1"

[output]
format = "cyclonedx-json-1.7"

[model]
name = "minimal-example-model"
version = "0.1.0"
model_card = "MODEL_CARD.md"
license_declared = "NOASSERTION"

[artifacts]
include = ["models/*.safetensors"]

[[dependencies]]
path = "requirements.lock"
type = "pip"

[[datasets]]
name = "minimal-example-dataset"
license_declared = "NOASSERTION"

Explicit uv.lock and requirements-file references are parsed locally into package components by default. Set parse = false on a dependency reference to keep file-level evidence only. Includes, constraints, editable requirement directives, resolution, downloads, and automatic lockfile discovery are not performed.

When --config is omitted, the CLI reads aibom.toml from the target model directory if that file exists. It does not search parent directories or alternate filenames. Artifact discovery defaults are opt-in with [artifacts].discovery = true. The spdx-ai export format is available as a partial SPDX 3.0.1 AI Profile preview; it explicitly marks unavailable SPDX AI fields instead of inventing missing metadata. GitHub Marketplace registration is deferred.

CLI

ai-bom --version
ai-bom generate <model-directory> [--config <path>] --format <cyclonedx-json-1.7|spdx-ai> --output <bom.json> --warning-report <warnings.json> --summary <summary.json> [--manifest <manifest.json>]

Missing optional metadata is reported as warnings without pretending the BOM is complete. Unreadable required files, invalid config, unsupported exporters, unsafe paths, and invalid generated BOM output fail with non-zero exit codes.

GitHub Action

- uses: actions/checkout@v7

- id: ai-bom
  uses: 0disoft/ai-bom-generator@v0.2.0
  with:
    model-directory: .
    warnings: allow

- name: Verify AI-BOM outputs
  shell: bash
  run: |
    set -euo pipefail
    test -s "${{ steps.ai-bom.outputs.bom-path }}"
    test -s "${{ steps.ai-bom.outputs.warning-report-path }}"
    test -s "${{ steps.ai-bom.outputs.summary-path }}"
    test "${{ steps.ai-bom.outputs.status }}" = "success"

The action prepares Python 3.12 and pinned uv 0.11.28, disables the setup-uv GitHub cache, and invokes the packaged CLI with uv run --project --locked. Its virtual environment and uv download cache stay under RUNNER_TEMP; the caller repository is not used for action runtime state. When format or warnings inputs are omitted, the action lets the CLI use the discovered or explicit config values and CLI defaults. Generated files are written to explicit paths when provided, or to a run-unique directory under RUNNER_TEMP.

Summary-derived action outputs are published only when the generation manifest matches the BOM, warning report, and summary files from the current run.

Use @v0 for compatible 0.x updates, or pin the immutable @v0.2.0 tag when a workflow needs exact release reproducibility.

Validation

Local validation source of truth is VALIDATION.md.

uv sync --locked
uv run --python 3.12 python -m compileall -q src tests scripts
uv run --python 3.12 ruff check src tests scripts
uv run --python 3.12 python -m unittest discover -s tests -v
uv build
uv run --python 3.12 python scripts/verify_wheel.py dist
uv run --python 3.12 python scripts/verify_github_action.py

Post-release verification:

$env:RELEASE_VERSION = "0.2.0"
$env:PUBLISH_RUN_ID = "<successful-publish-run-id>"
$env:SMOKE_RUN_ID = "<successful-immutable-action-smoke-run-id>"
uv run --python 3.12 python scripts/verify_release.py --version $env:RELEASE_VERSION --publish-run-id $env:PUBLISH_RUN_ID --smoke-run-id $env:SMOKE_RUN_ID

Project Docs

License

Apache-2.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ai_bom_generator-0.2.0.tar.gz (112.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ai_bom_generator-0.2.0-py3-none-any.whl (102.4 kB view details)

Uploaded Python 3

File details

Details for the file ai_bom_generator-0.2.0.tar.gz.

File metadata

  • Download URL: ai_bom_generator-0.2.0.tar.gz
  • Upload date:
  • Size: 112.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ai_bom_generator-0.2.0.tar.gz
Algorithm Hash digest
SHA256 8af409eb1772f632788a0c751e67a6ad3b77e4d79eb11ae8e80372c517b469d7
MD5 5a4b8c6640d74c7b85303e5801d5482f
BLAKE2b-256 9c3ffe0c9f6e24feec19b4764960d2fa4c617fd82c8d0b66517f800264b7073c

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_bom_generator-0.2.0.tar.gz:

Publisher: publish-pypi.yml on 0disoft/ai-bom-generator

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ai_bom_generator-0.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for ai_bom_generator-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 c42e3298d86610bea4b0ed48c2fcbe31303e6c21ada6a64e3d876c198e70c663
MD5 5f628b96664933a0babdc507e7d2e670
BLAKE2b-256 41746dbaf7678b4cfe19ffdafdfdadb04d5721d9c45eab57db7327926e634202

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_bom_generator-0.2.0-py3-none-any.whl:

Publisher: publish-pypi.yml on 0disoft/ai-bom-generator

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page