Skip to main content

AI Finder - AI artifact scanner for supply chain security

Project description

ai-finder

License: MIT Python 3.9+

AI artifact scanner for supply chain security and compliance

About

ai-finder detects AI/ML artifacts in codebases for:

  • Supply Chain Security - Identify AI models, SDKs, and dependencies
  • EU AI Act Compliance - Generate SBOM reports for regulatory requirements
  • Risk Assessment - Detect API keys, model provenance, and usage patterns

Features

SDK Detection (12 languages)

Language SDKs Detected
Python OpenAI, Anthropic, HuggingFace, LangChain, LlamaIndex, Strands, CrewAI, AutoGen
JavaScript/TypeScript OpenAI, Anthropic, LangChain, Vercel AI SDK
Go go-openai, go-anthropic
Rust async-openai, anthropic-rs
Java/Kotlin openai-java, LangChain4j, Spring AI
And more... Ruby, PHP, C#, C++, Swift, Scala, Kotlin

AI Package Detection (150+ packages)

Comprehensive detection across categories:

Category Packages
LLM Clients OpenAI, Anthropic, Cohere, Groq, Mistral, Ollama, Google GenAI, Azure OpenAI
Agent Frameworks LangChain, LlamaIndex, Strands Agents, CrewAI, AutoGen, Semantic Kernel
ML Frameworks PyTorch, TensorFlow, Keras, JAX, Transformers, scikit-learn, XGBoost
Vector Databases ChromaDB, Pinecone, Weaviate, Qdrant, Milvus, FAISS, LanceDB
Speech/Audio AI OpenAI Whisper, Faster Whisper, ElevenLabs, Bark
AI Safety AIProxyGuard, Guardrails AI, NeMo Guardrails, LLM Guard
Tools & Utilities Tavily, LangSmith, W&B, MLflow, Accelerate, Datasets
MCP/Tool Use MCP, Anthropic Tools

Model File Detection (12 formats)

GGUF, SafeTensors, ONNX, PyTorch, TensorFlow, TFLite, CoreML, JAX, Keras, MXNet, PaddlePaddle, Pickle

Manifest Parsing (11 formats)

requirements.txt, pyproject.toml, package.json, go.mod, Cargo.toml, pom.xml, build.gradle, Gemfile, composer.json, *.csproj, Package.swift

Output Formats

  • JSON - Machine-readable findings
  • CycloneDX 1.6 - OWASP SBOM format with ML-BOM support
  • SPDX 2.3 - Linux Foundation SBOM format
  • SPDX 3.0 - Latest SPDX specification with JSON-LD

License Handling

  • Licenses are automatically enriched from PyPI, npm, and HuggingFace
  • Unknown licenses are marked as NOASSERTION per SPDX specification
  • Supports SPDX license expressions

Installation

pip install ai-finder

Requires Python 3.9 or later.

Usage

# Scan a directory
ai-finder scan /path/to/project

# Generate SBOM (CycloneDX)
ai-finder scan /path/to/project -f cyclonedx -o sbom.json

# Generate SBOM (SPDX)
ai-finder scan /path/to/project -f spdx -o sbom.spdx.json

# Identify a model file
ai-finder identify model.gguf

# Initialize local KB
ai-finder kb init

# Lookup model by PURL
ai-finder kb lookup pkg:huggingface/TinyLlama/TinyLlama-1.1B-Chat-v1.0

Telemetry

This tool collects anonymous usage telemetry to help improve the product. No file paths, code content, or scan targets are collected.

Disable telemetry:

# Per-session
ai-finder --no-telemetry scan .

# Environment variable
export AI_FINDER_TELEMETRY=0

# Or use the standard
export DO_NOT_TRACK=1

See docs/TELEMETRY.md for full details on what is collected.

Development

# Clone repository
git clone https://github.com/scanoss/ai-finder.git
cd ai-finder

# Install with uv
uv sync --all-packages --all-extras

# Run tests
uv run pytest

# Lint
uv run ruff check .

Contributing

We welcome contributions! Please read CONTRIBUTING.md before submitting a pull request.

Security

If you discover a security vulnerability, please follow our Security Policy.

License

This project is licensed under the MIT License - see LICENSE for details.

Copyright (c) 2026 SCANOSS.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ai_finder-0.3.8.tar.gz (211.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ai_finder-0.3.8-py3-none-any.whl (243.0 kB view details)

Uploaded Python 3

File details

Details for the file ai_finder-0.3.8.tar.gz.

File metadata

  • Download URL: ai_finder-0.3.8.tar.gz
  • Upload date:
  • Size: 211.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ai_finder-0.3.8.tar.gz
Algorithm Hash digest
SHA256 02a1c285bc45f456974fece4d1b02e1030724289bc6f9b79bbd33cdd0f721f30
MD5 593feba5c24b8fdeabdef9bdae7ed584
BLAKE2b-256 dbe5c1d16124174a1bb7e4688a66ccd1511677c48a37fc19f8419ec6aeb38f26

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_finder-0.3.8.tar.gz:

Publisher: promote-to-pypi.yml on scanoss/ai-finder

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ai_finder-0.3.8-py3-none-any.whl.

File metadata

  • Download URL: ai_finder-0.3.8-py3-none-any.whl
  • Upload date:
  • Size: 243.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ai_finder-0.3.8-py3-none-any.whl
Algorithm Hash digest
SHA256 8dfd2d6af2469bc62cbc195f8a11472614de5a164b05eef9428011752cd9c3ea
MD5 53326bbff22b695292503af313f0eefd
BLAKE2b-256 1f1bc85da0304f6697308b3c6aefca32a970ecfa96e828801db81e32dc0fe4b7

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_finder-0.3.8-py3-none-any.whl:

Publisher: promote-to-pypi.yml on scanoss/ai-finder

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page