Skip to main content

Local AI/ML bill-of-materials generator

Project description

AI-BOM Generator

PyPI CI Release License

AI-BOM Generator is a small Python 3.12 CLI and GitHub Action for producing an AI/ML bill of materials from a local model project directory.

It records declared model metadata, in-root MODEL_CARD.md paths, model or checkpoint digests, training-code references, dependency files and parsed Python packages, dataset references, prompt templates, and eval artifact references, then exports CycloneDX JSON 1.7 or an SPDX 3.0.1 AI Profile preview.

It is an evidence reporter. It is not a model registry, vulnerability scanner, legal compliance engine, dataset auditor, or AI governance platform.

Install

py -3.12 -m pip install ai-bom-generator
ai-bom --version
ai-bom --help

With uv, you can run the published package without installing it into the current environment:

uv run --python 3.12 --with ai-bom-generator ai-bom --version
uv run --python 3.12 --with ai-bom-generator ai-bom --help

Quickstart

Clone the repository so the bundled minimal model project is available:

git clone https://github.com/0disoft/ai-bom-generator.git
cd ai-bom-generator
uv sync --locked
$out = Join-Path ([System.IO.Path]::GetTempPath()) ("ai-bom-example-" + [System.Guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $out | Out-Null
uv run --python 3.12 ai-bom generate examples/minimal-model-project --format cyclonedx-json-1.7 --output (Join-Path $out "bom.cdx.json") --warning-report (Join-Path $out "warnings.json") --summary (Join-Path $out "summary.json")
Get-ChildItem -LiteralPath $out

Expected files:

bom.cdx.json
summary.json
summary.json.manifest.json
warnings.json

For the bundled minimal project, summary.json reports "status": "success", "completeness_status": "complete", "artifact_count": 1, and "warning_count": 0.

The command writes:

  • bom.cdx.json: CycloneDX JSON 1.7 BOM.
  • warnings.json: machine-readable warning report.
  • summary.json: generation status and output summary.
  • summary.json.manifest.json: output-set manifest when the default manifest path is used.

Generated output paths must resolve outside the target model project directory.

Minimal Config

Example aibom.toml:

schema_version = "1"

[output]
format = "cyclonedx-json-1.7"

[model]
name = "minimal-example-model"
version = "0.1.0"
model_card = "MODEL_CARD.md"
license_declared = "NOASSERTION"

[artifacts]
include = ["models/*.safetensors"]

[[dependencies]]
path = "requirements.lock"
type = "pip"

[[datasets]]
name = "minimal-example-dataset"
license_declared = "NOASSERTION"

Explicit uv.lock and requirements-file references are parsed locally into package components by default. Set parse = false on a dependency reference to keep file-level evidence only. Includes, constraints, editable requirement directives, resolution, downloads, and automatic lockfile discovery are not performed.

When --config is omitted, the CLI reads aibom.toml from the target model directory if that file exists. It does not search parent directories or alternate filenames. Artifact discovery defaults are opt-in with [artifacts].discovery = true. The spdx-ai export format is available as a partial SPDX 3.0.1 AI Profile preview; it explicitly marks unavailable SPDX AI fields instead of inventing missing metadata. GitHub Marketplace registration is deferred.

CLI

ai-bom --version
ai-bom generate <model-directory> [--config <path>] --format <cyclonedx-json-1.7|spdx-ai> --output <bom.json> --warning-report <warnings.json> --summary <summary.json> [--manifest <manifest.json>]

Missing optional metadata is reported as warnings without pretending the BOM is complete. Unreadable required files, invalid config, unsupported exporters, unsafe paths, and invalid generated BOM output fail with non-zero exit codes.

GitHub Action

- uses: actions/checkout@v7

- id: ai-bom
  uses: 0disoft/ai-bom-generator@v0.2.1
  with:
    model-directory: .
    warnings: allow

- name: Verify AI-BOM outputs
  shell: bash
  run: |
    set -euo pipefail
    test -s "${{ steps.ai-bom.outputs.bom-path }}"
    test -s "${{ steps.ai-bom.outputs.warning-report-path }}"
    test -s "${{ steps.ai-bom.outputs.summary-path }}"
    test "${{ steps.ai-bom.outputs.status }}" = "success"

The action prepares Python 3.12 and pinned uv 0.11.28, disables the setup-uv GitHub cache, and invokes the packaged CLI with uv run --project --locked. Its virtual environment and uv download cache stay under RUNNER_TEMP; the caller repository is not used for action runtime state. When format or warnings inputs are omitted, the action lets the CLI use the discovered or explicit config values and CLI defaults. Generated files are written to explicit paths when provided, or to a run-unique directory under RUNNER_TEMP.

Summary-derived action outputs are published only when the generation manifest matches the BOM, warning report, and summary files from the current run.

Use @v0 for compatible 0.x updates, or pin the exact @v0.2.1 tag when a workflow needs release reproducibility. GitHub-enforced immutable releases apply to versions published after v0.2.0.

Validation

Local validation source of truth is VALIDATION.md.

uv sync --locked
uv run --python 3.12 python -m compileall -q src tests scripts
uv run --python 3.12 ruff check src tests scripts
uv run --python 3.12 python -m unittest discover -s tests -v
uv build
uv run --python 3.12 python scripts/verify_wheel.py dist
uv run --python 3.12 python scripts/verify_github_action.py

Post-release verification:

$env:RELEASE_VERSION = "0.2.1"
$env:PUBLISH_RUN_ID = "<successful-publish-run-id>"
$env:SMOKE_RUN_ID = "<successful-exact-version-action-smoke-run-id>"
uv run --python 3.12 python scripts/verify_release.py --version $env:RELEASE_VERSION --publish-run-id $env:PUBLISH_RUN_ID --smoke-run-id $env:SMOKE_RUN_ID

Project Docs

Security

Report suspected vulnerabilities privately through the repository Security tab. Do not include real credentials, model weights, prompts, or private datasets. See SECURITY.md for supported versions and reporting guidance.

License

Apache-2.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ai_bom_generator-0.2.1.tar.gz (114.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ai_bom_generator-0.2.1-py3-none-any.whl (103.2 kB view details)

Uploaded Python 3

File details

Details for the file ai_bom_generator-0.2.1.tar.gz.

File metadata

  • Download URL: ai_bom_generator-0.2.1.tar.gz
  • Upload date:
  • Size: 114.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ai_bom_generator-0.2.1.tar.gz
Algorithm Hash digest
SHA256 0cd7dfd64ef81b544bc66fc5fe99514326ebd1f4618769b3d19f109bbf94765a
MD5 77654f7f03c5afa0092c7e31c77a8402
BLAKE2b-256 b64dd766513f511aa39c4af8cd2b9bbb5dae342c8d6f913b40e85ba7732b2b9e

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_bom_generator-0.2.1.tar.gz:

Publisher: publish-pypi.yml on 0disoft/ai-bom-generator

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ai_bom_generator-0.2.1-py3-none-any.whl.

File metadata

File hashes

Hashes for ai_bom_generator-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 57db07b33d67ce9e0e93c23a5ed5b90de501d3d15c557ef47add48f70e742dc8
MD5 758309a371e28fa7327040d941aa3944
BLAKE2b-256 f1fcd4513bd4a1f291d363eec1d216738bafa0d76ce42f9b08ba27f22743f31b

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_bom_generator-0.2.1-py3-none-any.whl:

Publisher: publish-pypi.yml on 0disoft/ai-bom-generator

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page