Skip to main content

Comprehensive LLM security scanner - Palisade

Project description

๐Ÿฐ Palisade

Enterprise-grade ML model security scanner. Detects backdoors, supply chain attacks, and malicious payloads before they hit production.

Powered by a high-performance Rust core, Palisade delivers maximum speed and memory efficiency, enabling it to scan 70B+ parameter models on standard hardware.

โญ Key Capabilities

  • Blocks Pickle RCE - Completely prevents remote code execution via pickle files.
  • Detects Behavioral Backdoors - Identifies DoubleAgents, BadAgent, and fine-tuning attacks.
  • Validates Model Integrity - Verifies SafeTensors and GGUF formats against tampering.
  • Verifies Supply Chain - Enforces Sigstore signatures, SLSA provenance, and generates ML-BOMs.
  • Catches Injection Attacks - Prevents tokenizer hijacking, config manipulation, and metadata exploits.
  • Zero-Trust Architecture - Treats all models as potentially malicious until verified.

15 Security Validators provide multi-layered defense in depth (10 universal + 5 format-specific).

๐Ÿ“ฆ Installation

Requires Python 3.10-3.12 and Rust toolchain (cargo, rustc).

Prerequisites

Palisade depends on highflame-policy which is fetched from GitHub. For installation, you need one of the following:

Option 1: Configure GitHub access (for private repos)

# Set up git to use your GitHub token for HTTPS
export GITHUB_TOKEN=your_github_token
git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"

Option 2: Install highflame-policy from local checkout

# Clone highflame-policy first
git clone https://github.com/highflame-ai/highflame-policy.git

# Install it before installing palisade
pip install ./highflame-policy/packages/python

Quick Start (Recommended)

# Install UV (modern Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install Rust dependencies
sudo apt install cargo rustc rustup
rustup toolchain install nightly

# Clone repositories
git clone https://github.com/highflame-ai/highflame-palisade.git
git clone https://github.com/highflame-ai/highflame-policy.git

cd highflame-palisade

# Create virtual environment (Python 3.10-3.12 required)
uv python install 3.12  # If you don't have Python 3.12
uv venv --python 3.12 && source .venv/bin/activate

# Install highflame-policy from local checkout first
uv pip install ../highflame-policy/packages/python

# Install Palisade
uv pip install -e ".[dev]"

# Verify installation
palisade --help

Optional: Inference-Based Detection

For DoubleAgents and behavioral backdoor detection via runtime analysis:

# Full inference support (PyTorch + GGUF with CUDA)
uv pip install -e ".[inference]"

# Or install components separately:
uv pip install -e ".[inference-pytorch]"  # PyTorch/SafeTensors only
uv pip install -e ".[inference-gguf]"     # GGUF only (includes CUDA wheels)
Using pip instead of uv?
# For GGUF with CUDA support, specify the wheel index:
pip install palisade[inference-gguf] \
    --extra-index-url https://abetlen.github.io/llama-cpp-python/whl/cu124

# For CPU-only GGUF:
pip install palisade[inference-gguf] \
    --extra-index-url https://abetlen.github.io/llama-cpp-python/whl/cpu

๐Ÿ› ๏ธ Usage Examples

Scan Models

Basic file scan:

palisade scan model.safetensors
# Scan a directory of models
palisade scan /path/to/models/

Recursive directory scan:

palisade scan /models --recursive --max-files 50

Policy-driven enforcement: Apply strict rules for production environments to block more threats:

palisade scan model.gguf --policy strict_production

JSON output for automation: Generate machine-readable reports for your pipeline:

palisade scan model.safetensors --format json --output report.json

SARIF output for tool integration: Export findings in SARIF 2.1.0 format for GitHub Code Scanning, VS Code, and other security tools:

# Generate SARIF report
palisade scan model.safetensors --format sarif --output results.sarif

# Directory scan with SARIF
palisade scan ./models --recursive --format sarif --output scan-results.sarif

SARIF (Static Analysis Results Interchange Format) enables:

  • ๐Ÿ”— GitHub Code Scanning - Automatically display findings in pull requests
  • ๐Ÿ” VS Code SARIF Viewer - Navigate findings directly in your IDE
  • ๐Ÿ“Š Centralized Dashboards - Aggregate results across multiple tools
  • ๐Ÿ›ก๏ธ Policy Integration - Findings include policy decisions (allow/deny/quarantine)

Inference-Based Backdoor Detection

Detect DoubleAgents-style attacks that fine-tune models to make covert malicious tool calls:

# Quick scan (~75 payloads, ~2 min)
palisade inference-scan model.gguf

# Deep scan with reference model for higher accuracy
palisade inference-scan suspect.gguf --reference clean-base.gguf --scan-type deep

# PyTorch/SafeTensors models
palisade inference-scan ./fine-tuned-model/ --reference ./base-model/

How it works:

  • Perplexity Gap Analysis: Compares suspect model's "confidence" on malicious payloads vs. a clean reference. A fine-tuned model will be suspiciously confident on attack strings it was trained on.
  • Functional Trap Testing: Prompts the model to use legitimate tools and watches for injected malicious tool calls.

Verify Supply Chain

Sigstore signature verification (verify-sigstore): Answers: "Who signed this model?" โ€” Validates cryptographic signatures to ensure the model came from a trusted source.

palisade verify-sigstore /models/llama-7b --public-key publisher.pub

SLSA provenance verification (verify-slsa): Answers: "How was this model built?" โ€” Validates build attestations to ensure supply chain integrity.

palisade verify-slsa /models/mistral-7b --strictness high

โš ๏ธ Cosign Requirement: Cryptographic verification with --public-key requires the cosign CLI to be installed. Without --public-key, only structural validation is performed (SLSA) or verification will fail (Sigstore).

Provenance tracking & ML-BOM (track-provenance): Answers: "What provenance exists?" โ€” Discovers all provenance documentation and generates ML-BOM inventory.

palisade track-provenance /models/gemma --generate-mlbom --format json

๐Ÿ“– See Model Signing Guide for detailed instructions on signing models, creating SLSA attestations, and understanding CoSAI maturity levels.

๐Ÿ–ฅ๏ธ Example Output

Clean Scan:

$ palisade scan test_models/performance/tiny/model.safetensors
โœ“ Using built-in default policy
 Scanning: test_models/performance/tiny/model.safetensors
   Size: 2098.20 MB
   Policy: Default security policy

2025-12-08 11:25:47,537 - INFO - Pattern compilation success rate: 100.0% (66/66)
Using streaming validation ...
๐Ÿ” Running security validators...
โœ… Metadata - Clean (0.28s)
โœ… ModelGenealogy - Clean (0.24s)
โœ… Provenance - Clean (0.25s)
โœ… BufferOverflow - Clean (13.34s)
โœ… Tokenizer - Clean (0.00s)
โœ… DecompressionBomb - Clean (0.00s)
โœ… Model - Clean (16.73s)
โœ… SupplyChain - Clean (16.55s)
โœ… Behavior - Clean (8.75s)
โœ… ToolCall - Clean (14.86s)
โœ… Backdoor - Clean (10.40s)
โœ… LoRAAdapter - Clean (1.09s)
โœ… Safetensors - Clean (16.25s)
๐Ÿ“Š Validation complete - No issues found (62.5 MB/s)
2025-12-08 11:26:21,110 - INFO - Applying policy evaluation (environment: default)
2025-12-08 11:26:21,110 - INFO - Policy evaluation complete - Overall effect: allow

โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ ๐Ÿ“„ Palisade Security Scan โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ model.safetensors                                                                                                                                                             โ”‚
โ”‚ test_models/performance/tiny/model.safetensors                                                                                                                                โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

โœ… CLEAN: model.safetensors

 Scan Time             33.58s  
 Validators            13      
 Memory Used           35.1 MB 
 Warnings              0       

โœ… No security threats detected

โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ ๐Ÿ›ก๏ธ Policy Decision โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ โœ… ALLOWED                                                                                                                                                                    โ”‚
โ”‚                                                                                                                                                                               โ”‚
โ”‚ Environment: default                                                                                                                                                          โ”‚
โ”‚ Model passed policy checks.                                                                                                                                                   โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

โœ… Model passed all security checks

Malicious Scan (Blocked):

$ palisade scan examples/models/gemma-3-270m/model_metadata_injection.safetensors 
โœ“ Using built-in default policy
 Scanning: examples/models/gemma-3-270m/model_metadata_injection.safetensors
   Size: 511.38 MB
   Policy: Default security policy

2025-12-08 11:37:36,052 - INFO - Pattern compilation success rate: 100.0% (66/66)
Using streaming validation ...
๐Ÿ” Running security validators...
โœ… Metadata - Clean (0.24s)
โœ… ModelGenealogy - Clean (0.13s)
โœ… Provenance - Clean (0.07s)
โœ… BufferOverflow - Clean (2.28s)
โœ… Tokenizer - Clean (0.00s)
โœ… DecompressionBomb - Clean (0.00s)
โœ… Model - Clean (2.51s)
โœ… SupplyChain - 1 warnings found (2.47s)
โœ… Safetensors - 1 warnings found (0.00s)
2025-12-08 11:37:38,966 - INFO - Suspicious patterns detected in model header (score: 0.300)
2025-12-08 11:37:38,977 - INFO -   Found 5 textual pattern matches in chunk 0
2025-12-08 11:37:38,977 - INFO -     Match 0: code_injection - eval\s*\( -> 'eval('
2025-12-08 11:37:38,977 - INFO -     Match 1: code_injection - os\.system -> 'os.system'
2025-12-08 11:37:38,977 - INFO -     Match 2: code_injection - system\s*\( -> 'system('
โœ… Behavior - 1 warnings found (1.79s)
โœ… Backdoor - 2 warnings found (1.46s)
โœ… LoRAAdapter - Clean (0.35s)
โœ… ToolCall - 1 warnings found (2.05s)
๐Ÿ“Š Validation complete - 6 warnings found (112.1 MB/s)
2025-12-08 11:37:40,616 - INFO - Applying policy evaluation (environment: default)
2025-12-08 11:37:40,618 - INFO - Policy evaluation complete - Overall effect: deny

โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ ๐Ÿ“„ Palisade Security Scan โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ model_metadata_injection.safetensors                                                                                                                                          โ”‚
โ”‚ examples/models/gemma-3-270m/model_metadata_injection.safetensors                                                                                                             โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

๐Ÿ” SUSPICIOUS: model_metadata_injection.safetensors

 Scan Time             4.58s   
 Validators            13      
 Memory Used           38.8 MB 
 Warnings              6       

๐Ÿ” Security Analysis (6 warnings)

๐Ÿ”ด HIGH (2)
   1. supply_chain_malicious_functions
      Malicious functions detected: eval, os_system, system
   2. privilege_escalation_detected
      Privilege escalation patterns detected: enhanced_capabilities

๐ŸŸก MEDIUM (4)
   1. safetensors_streaming_header_error
      Failed to parse JSON header: EOF while parsing a string at line 1 column 26696
   2. backdoor_suspicious_header_patterns
      Suspicious patterns detected in model header (score: 0.300)
   3. backdoor_textual_patterns_in_chunk
      Suspicious textual patterns found in chunk at offset 0
   4. toolcall_suspicious_parameters
      Suspicious parameters: pipe_to_sh (1 matches in 511.4MB model)

โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ ๐Ÿ›ก๏ธ Policy Decision โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ โ›” BLOCKED BY POLICY                                                                                                                                                          โ”‚
โ”‚                                                                                                                                                                               โ”‚
โ”‚ Environment: default                                                                                                                                                          โ”‚
โ”‚ This model violates security policy and cannot be used.                                                                                                                       โ”‚
โ”‚ Review the warnings above to understand why.                                                                                                                                  โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

๐Ÿ“‹ Recommendations
   โ€ข โ›” BLOCKED BY POLICY - Do not use this model
   โ€ข This model violates security policy requirements
   โ€ข Investigate the source and re-download from trusted source

Inference Scan (BETA):

๐Ÿ”ฌ INFERENCE-BASED BEHAVIORAL ANALYSIS

โ•โ•โ• PERPLEXITY GAP ANALYSIS โ•โ•โ•
Testing 53 suspicious payloads...
๐Ÿšจ CRITICAL: 2 memorized payload(s) detected
   โ€ข http://192.168.1.100:8080/c2 (ratio: 342.5x)
   โ€ข tool_call(name='log_activity'...) (ratio: 215.8x)

โ•โ•โ• FUNCTIONAL TRAP TESTING โ•โ•โ•  
Testing 39 tool-use prompts...
โš ๏ธ  WARNING: 1 suspicious tool call(s) detected
   โ€ข Unexpected call to 'exfil_data' during web_browser task

Risk Score: 0.85 (HIGH)
Recommendation: Model shows signs of DoubleAgents-style fine-tuning

โšก Performance

Palisade uses a native Rust core to handle massive models efficiently without OOM errors. It employs smart streaming and memory mapping to validate models larger than available RAM.

Model Size Format Scan Time Memory Usage Validators
511.38 (250M) SafeTensors 3.7s 115.4MB 13
2.09GB SafeTensors 14.3s 115.4MB 13
3.8GB (7B Q4_K_M) GGUF 29.4s 140MB 11
9.4GB Safetensors 74.3s 119.4MB 13

All scans use memory-efficient streaming and include behavioral backdoor detection.

๐Ÿ”’ CoSAI Support

Palisade is designed to align with the Coalition for Secure AI (CoSAI) standards for software supply chain security.

  • Compliant Artifacts: Generates standard ML-BOMs and transparency logs.
  • Integrity Verification: Implements CoSAI guidelines for model integrity and provenance.
  • Risk Management: Maps findings to industry-standard threat categories.

๐Ÿ”„ CI/CD Integration

Palisade is built for pipelines. Use exit codes to gate deployments.

Exit Codes:

  • 0 - Clean: No issues found.
  • 1 - Warning: Non-critical issues (review recommended).
  • 2 - Critical: Security threat detected (BLOCK DEPLOYMENT).

Example: Secure Pipeline Script

#!/bin/bash
MODEL_DIR="./models/release"

echo "๐Ÿ›ก๏ธ Starting Palisade Security Scan..."

# 1. Supply Chain Verification
# Ensure the model is signed and comes from a trusted builder
palisade verify-sigstore "$MODEL_DIR" --format json -o sigstore.json
if [ $? -ne 0 ]; then
    echo "โŒ Supply chain verification failed (exit code $?) - BLOCKING"
    exit 1
fi

# 2. Deep Security Scan
# Run all validators with strict production policy
palisade scan "$MODEL_DIR" \
    --recursive \
    --policy strict_production \
    --format json \
    --output scan_results.json

# 3. Check for blocking failures
if [ $? -eq 2 ]; then
    echo "๐Ÿšจ CRITICAL THREAT DETECTED - Deployment Blocked"
    exit 1
fi

echo "โœ… Security checks passed"

๐Ÿ›ก๏ธ Security Validators

Palisade runs 10 universal validators on all formats, plus format-specific validators for deeper analysis.

Universal Validators (All Formats)

Validator What it catches
Behavior Analysis Static patterns of behavioral backdoors in model weights
Tool Call Security Malicious tool schemas, privilege escalation via tool use
Buffer Overflow Format string vulns (%n), integer overflows in binaries
Tokenizer Hygiene Injection via control chars, Unicode confusables, prompt injection
Decompression Bomb ZIP/GZIP bombs, nested compression resource exhaustion
Model Genealogy Architecture spoofing, steganographic hiding (ShadowGenes)
Model Integrity Binary tampering, malware patterns, format corruption
Provenance Security Fine-tuning artifacts, signature validation, supply chain gaps
Metadata Security Config injection, path traversal, malicious URLs
Supply Chain Exfiltration patterns, untrusted sources, high-entropy anomalies

Format-Specific Validators

Validator Formats What it catches
SafeTensors Integrity .safetensors Tampering, corruption, missing tensors, format anomalies
Backdoor Detection .safetensors Multi-signal backdoor analysis, weight statistics, LSB stego
LoRA Adapter Security .safetensors, .pt Unauthorized adapters, model hijacking via fine-tunes
GGUF Safety .gguf Header/metadata manipulation, malicious quantization tags
Pickle Security .pt, .pkl, .joblib Remote Code Execution (RCE) via pickle deserialization

Inference-Based Detection (Separate Command)

Validator What it catches
Inference Scan โšก DoubleAgents, BadAgent via runtime perplexity analysis

Use palisade inference-scan for runtime behavioral analysis.

Interactive Demo

See Palisade in action catching real threats:

cd examples
uv sync --group examples
marimo run palisade_security_demo.py

๐Ÿ—๏ธ Development Guide

Setup Development Environment

# Clone with dependencies
git clone https://github.com/highflame-ai/highflame-palisade.git
git clone https://github.com/highflame-ai/highflame-policy.git

cd highflame-palisade

# Install with dev dependencies
uv venv --python 3.12 && source .venv/bin/activate

# Install highflame-policy from local checkout first
uv pip install ../highflame-policy/packages/python

# Install palisade with dev dependencies
uv pip install -e ".[dev]"

# Run tests
make test        # Python + Rust tests
make test-quick  # Python only (faster)

Adding New Warning Types

Palisade uses a YAML-based warning catalog for consistent SARIF output. When adding detection logic to a validator, you should also add the warning metadata to the catalog.

1. Add detection logic (Python validator):

# src/palisade/validators/my_validator.py
class MyValidator(BaseValidator):
    def validate(self, data: bytes) -> List[Dict[str, Any]]:
        if suspicious_pattern_detected:
            return [self.create_standard_warning(
                "my_custom_warning_type",  # โ† Warning ID
                "Suspicious pattern detected",
                Severity.HIGH,
            )]

2. Add warning metadata (YAML catalog):

# src/palisade/warnings/warning_catalog.yaml
warnings:
  my_custom_warning_type:
    sarif:
      id: PALISADE-CUSTOM-001
      name: MyValidator
      help_uri: https://docs.palisade.dev/rules/my-validator
    short_description: Suspicious pattern detected
    full_description: >
      Detailed explanation of what this warning means and why it matters.
    severity: high
    tags: [security, custom, pattern-detection]
    recommendation: >
      Steps to remediate this issue.
    validator: MyValidator

3. Use type-safe constants (optional but recommended):

from palisade.warnings import WarningIds

# IDE autocomplete works!
self.create_standard_warning(
    WarningIds.MY_CUSTOM_WARNING_TYPE,
    "Message here",
    Severity.HIGH,
)

The YAML catalog ensures:

  • โœ… Consistent SARIF output across all findings
  • โœ… Single source of truth for warning metadata
  • โœ… Easy to review all warnings in one place
  • โœ… Automatic documentation generation (future)

Release Guide

Check here


๐Ÿฐ Built with โค๏ธ by highflame โ€ข Securing the LLM supply chain

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

palisade-0.1.4.tar.gz (375.7 kB view details)

Uploaded Source

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

palisade-0.1.4-cp312-cp312-manylinux_2_34_x86_64.whl (1.0 MB view details)

Uploaded CPython 3.12manylinux: glibc 2.34+ x86-64

palisade-0.1.4-cp312-cp312-macosx_11_0_arm64.whl (907.0 kB view details)

Uploaded CPython 3.12macOS 11.0+ ARM64

palisade-0.1.4-cp312-cp312-macosx_10_12_x86_64.whl (943.1 kB view details)

Uploaded CPython 3.12macOS 10.12+ x86-64

palisade-0.1.4-cp311-cp311-manylinux_2_34_x86_64.whl (1.0 MB view details)

Uploaded CPython 3.11manylinux: glibc 2.34+ x86-64

palisade-0.1.4-cp311-cp311-macosx_11_0_arm64.whl (905.3 kB view details)

Uploaded CPython 3.11macOS 11.0+ ARM64

palisade-0.1.4-cp311-cp311-macosx_10_12_x86_64.whl (943.9 kB view details)

Uploaded CPython 3.11macOS 10.12+ x86-64

palisade-0.1.4-cp310-cp310-manylinux_2_34_x86_64.whl (1.0 MB view details)

Uploaded CPython 3.10manylinux: glibc 2.34+ x86-64

palisade-0.1.4-cp310-cp310-macosx_11_0_arm64.whl (905.5 kB view details)

Uploaded CPython 3.10macOS 11.0+ ARM64

palisade-0.1.4-cp310-cp310-macosx_10_12_x86_64.whl (943.9 kB view details)

Uploaded CPython 3.10macOS 10.12+ x86-64

File details

Details for the file palisade-0.1.4.tar.gz.

File metadata

  • Download URL: palisade-0.1.4.tar.gz
  • Upload date:
  • Size: 375.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for palisade-0.1.4.tar.gz
Algorithm Hash digest
SHA256 09bd4e83c7601efc3d364854566881ed2c497afa44601111b4dffae2ffe08e51
MD5 5ef71b07456b9f0e9f34a00dee777649
BLAKE2b-256 bce9174023924c05409599a3d9a43322e9f416e05c3a24b1e63ee7bcf914d7d6

See more details on using hashes here.

Provenance

The following attestation bundles were made for palisade-0.1.4.tar.gz:

Publisher: release.yml on highflame-ai/highflame-palisade

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file palisade-0.1.4-cp312-cp312-manylinux_2_34_x86_64.whl.

File metadata

File hashes

Hashes for palisade-0.1.4-cp312-cp312-manylinux_2_34_x86_64.whl
Algorithm Hash digest
SHA256 c898da78faa0ad8180926ca3ffeaa2b63c5ef5a819ce42143f81c236ec2c15b2
MD5 b067c1d2819315809e45117205cf99a6
BLAKE2b-256 468e2c2ac4abef4e3de24dbf22d37ce1a738454d7308c8613be2fe287bdf33be

See more details on using hashes here.

Provenance

The following attestation bundles were made for palisade-0.1.4-cp312-cp312-manylinux_2_34_x86_64.whl:

Publisher: release.yml on highflame-ai/highflame-palisade

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file palisade-0.1.4-cp312-cp312-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for palisade-0.1.4-cp312-cp312-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 2305982742891fa667e2f5dadfb8709b02ec74e8a17c65abcf6fea0392372387
MD5 d7486f2cb4582c43802904d969b62fb3
BLAKE2b-256 f2d509d682317c5bb5d988646604a53318c189f87482a12acd8499219c65b87f

See more details on using hashes here.

Provenance

The following attestation bundles were made for palisade-0.1.4-cp312-cp312-macosx_11_0_arm64.whl:

Publisher: release.yml on highflame-ai/highflame-palisade

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file palisade-0.1.4-cp312-cp312-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for palisade-0.1.4-cp312-cp312-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 e4cb836434f8e95cac51b9c3889fd2b0ecf6a5edc17b5aa34a8f15af641bc913
MD5 afb68f2858c70a881c119366cfea5246
BLAKE2b-256 41f33a00309a2def13919d6d21c1d70944bcd200121f3b9db1b81a447e93cdc3

See more details on using hashes here.

Provenance

The following attestation bundles were made for palisade-0.1.4-cp312-cp312-macosx_10_12_x86_64.whl:

Publisher: release.yml on highflame-ai/highflame-palisade

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file palisade-0.1.4-cp311-cp311-manylinux_2_34_x86_64.whl.

File metadata

File hashes

Hashes for palisade-0.1.4-cp311-cp311-manylinux_2_34_x86_64.whl
Algorithm Hash digest
SHA256 b1c7300818361ae4c0fe975a0b827aedfef89c12fae23960543114f5a7145790
MD5 34d8c4df1238e61c9ab230a564ab5c30
BLAKE2b-256 96f50ef170e0bb6f98b37f7a4b2993511e7e74753339b56014fcb386f45d4aa0

See more details on using hashes here.

Provenance

The following attestation bundles were made for palisade-0.1.4-cp311-cp311-manylinux_2_34_x86_64.whl:

Publisher: release.yml on highflame-ai/highflame-palisade

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file palisade-0.1.4-cp311-cp311-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for palisade-0.1.4-cp311-cp311-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 9050136769fa2adc086989de20cf51aec050bfa0ea8421417ee570c2f67e8e1c
MD5 2d3eac134a93dd7dab2d84a2c5a10d9c
BLAKE2b-256 a78796e1744acbe51c6c56108738100c636be2913ec088e2203866f52bac230d

See more details on using hashes here.

Provenance

The following attestation bundles were made for palisade-0.1.4-cp311-cp311-macosx_11_0_arm64.whl:

Publisher: release.yml on highflame-ai/highflame-palisade

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file palisade-0.1.4-cp311-cp311-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for palisade-0.1.4-cp311-cp311-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 db3fff89c1a875eb383190b06961c0fbfa1fa64070fb9384b2fcb0199708f349
MD5 c258bab6a2cc1647a39667f7b562fa26
BLAKE2b-256 10666e75d2a35decc6e07b123980de512d008c706796747a15673346fccdc1e3

See more details on using hashes here.

Provenance

The following attestation bundles were made for palisade-0.1.4-cp311-cp311-macosx_10_12_x86_64.whl:

Publisher: release.yml on highflame-ai/highflame-palisade

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file palisade-0.1.4-cp310-cp310-manylinux_2_34_x86_64.whl.

File metadata

File hashes

Hashes for palisade-0.1.4-cp310-cp310-manylinux_2_34_x86_64.whl
Algorithm Hash digest
SHA256 2ddf70c1ce9c907588405ecfaaaba9d113132af2920f135048b1f62fbba3c55a
MD5 9fadb4a7415ec68c216862a6ba94cf53
BLAKE2b-256 736cb7de95b9dadad332524e3bba5d281d719aa9b779e5e419818e87f31b472a

See more details on using hashes here.

Provenance

The following attestation bundles were made for palisade-0.1.4-cp310-cp310-manylinux_2_34_x86_64.whl:

Publisher: release.yml on highflame-ai/highflame-palisade

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file palisade-0.1.4-cp310-cp310-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for palisade-0.1.4-cp310-cp310-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 c71aec070f3bdc9e29d4fa0009b950a76951e89b0d54fa4c0b2f896425977d0b
MD5 22cb3b75902d8ccb8d9f30737194c34a
BLAKE2b-256 6116f40f514b75bc0ce2b919b000a59b6301f0014d78bf2af13f5c354ab90a2b

See more details on using hashes here.

Provenance

The following attestation bundles were made for palisade-0.1.4-cp310-cp310-macosx_11_0_arm64.whl:

Publisher: release.yml on highflame-ai/highflame-palisade

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file palisade-0.1.4-cp310-cp310-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for palisade-0.1.4-cp310-cp310-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 32c61e0b41a4a4a5325e76eb2b8ce9b065e10d37b75646f7c6263130eb53731c
MD5 a0ae25574874d1e9edf5505178b27756
BLAKE2b-256 6bcb9c33d4c2ab800d760b4abc3e85f4c3a642e86b2c4f536fcfe564a3b2eeba

See more details on using hashes here.

Provenance

The following attestation bundles were made for palisade-0.1.4-cp310-cp310-macosx_10_12_x86_64.whl:

Publisher: release.yml on highflame-ai/highflame-palisade

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page