Supply Chain Security for AI. Scans models (Pickle, PyTorch, Keras, GGUF) for malware and verifies integrity.
Project description
๐ก๏ธ Veritensor: AI Supply Chain Security
Veritensor is the Zero-Trust security platform for the AI Supply Chain. We replace naive scanning with deep AST analysis and cryptographic verification.
Unlike standard antiviruses, Veritensor understands AI formats (Pickle, PyTorch, Keras, GGUF) and ensures that your models:
- Are Safe: Do not contain malicious code (RCE, Reverse Shells, Lambda injections).
- Are Authentic: Have not been tampered with (Hash-to-API verification against Hugging Face).
- Are Trusted: Can be cryptographically signed before deployment.
๐ Features
- Deep Static Analysis: Decompiles Pickle bytecode and Keras Lambda layers to find obfuscated attacks (e.g.,
STACK_GLOBALexploits). - Identity Verification: Automatically verifies model hashes against the official Hugging Face registry to detect Man-in-the-Middle attacks.
- Supply Chain Security: Integrates with Sigstore Cosign to sign Docker containers only if the model inside is clean.
- CI/CD Native: Ready for GitHub Actions, GitLab, and Pre-commit pipelines.
- Zero-Trust Policy: Blocks unknown globals by default, not just known signatures.
๐ฆ Installation
Via PyPI (Recommended for local use)
pip install veritensor
Via Docker (Recommended for CI/CD)
docker pull arseniibrazhnyk/veritensor:latest
โก Quick Start
1. Scan a local model
Check a file or directory for malware:
veritensor scan ./models/bert-base.pt
Example Output:
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ ๐ก๏ธ Veritensor Security Scanner โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
Scan Results
โโโโโโโโโโโโโโโโณโโโโโโโโโณโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโณโโโโโโโโโโโโโโโโโ
โ File โ Status โ Threats / Details โ SHA256 (Short) โ
โกโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฉ
โ model.pt โ FAIL โ CRITICAL: os.system (RCE Detected) โ a1b2c3d4... โ
โโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโ
โ BLOCKING DEPLOYMENT
2. Verify against Hugging Face
Ensure the file on your disk matches the official version from the registry (detects tampering):
veritensor scan ./pytorch_model.bin --repo meta-llama/Llama-2-7b
If the hash doesn't match the official repo, Veritensor will block deployment.
๐ Supply Chain Security (Container Signing)
Veritensor integrates with Sigstore Cosign to cryptographically sign your Docker images only if they pass the security scan. This ensures that no unverified or malicious containers are ever deployed to your cluster.
1. Generate Keys
Generate a key pair for signing:
veritensor keygen
# Output: veritensor.key (Private) and veritensor.pub (Public)
2. Scan & Sign
Pass the --image flag and the path to your private key (via env var).
# Set path to your private key
export VERITENSOR_PRIVATE_KEY_PATH=veritensor.key
# If scan passes -> Sign the image
veritensor scan ./models/my_model.pkl --image my-org/my-app:v1.0.0
3. Verify (In Kubernetes / Production)
Before deploying, verify the signature to ensure the model was scanned:
cosign verify --key veritensor.pub my-org/my-app:v1.0.0
๐ ๏ธ Integrations
GitHub Actions
Add this to your .github/workflows/security.yml to block malicious models in Pull Requests:
name: AI Security Scan
on: [pull_request]
jobs:
veritensor-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan Models
uses: ArseniiBrazhnyk/Veritensor@v1.0.1
with:
path: './models'
repo: 'meta-llama/Llama-2-7b' # Optional: Verify integrity
force: 'false' # Set to true to not fail build on threats
Pre-commit Hook
Prevent committing malicious models to your repository. Add this to .pre-commit-config.yaml:
repos:
- repo: https://github.com/ArseniiBrazhnyk/Veritensor
rev: v1.0.1
hooks:
- id: veritensor-scan
๐ Supported Formats
| Format | Extension | Analysis Method |
|---|---|---|
| PyTorch | .pt, .pth, .bin |
Zip extraction + Pickle VM Bytecode Analysis |
| Pickle | .pkl, .joblib |
Deep AST Analysis (Stack Emulation) |
| Keras | .h5, .keras |
Lambda Layer Detection & Config Analysis |
| Safetensors | .safetensors |
Header Parsing & Metadata Validation |
| GGUF | .gguf |
Binary Parsing & Metadata Validation |
โ๏ธ Configuration
You can customize policies by creating a veritensor.yaml file in your project root:
# veritensor.yaml
fail_on_severity: CRITICAL
# Allow specific modules that are usually blocked
allowed_modules:
- "my_company.internal_layer"
- "sklearn.tree"
# Ignore specific warnings
ignored_rules:
- "WARNING: h5py missing"
๐ License
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file veritensor-1.0.3.tar.gz.
File metadata
- Download URL: veritensor-1.0.3.tar.gz
- Upload date:
- Size: 32.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5b54cac5f873c0f3cb32beedd3ebc5dfe3a6f819bcfdb6b928fc005568c419ad
|
|
| MD5 |
af42a9c4db42c98deea5eae16c0185d2
|
|
| BLAKE2b-256 |
fdc37e71462a51099f5648a7272adf94ba9579484073666e1c5e7c820738058b
|
File details
Details for the file veritensor-1.0.3-py3-none-any.whl.
File metadata
- Download URL: veritensor-1.0.3-py3-none-any.whl
- Upload date:
- Size: 36.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
13a65edbfa17e897a1d82fb261045d60a7ea9adcc5989f1f4dca9c911ef43fdf
|
|
| MD5 |
49c58681d3cca53c4f9bbee0d065be75
|
|
| BLAKE2b-256 |
388a01b2529a7ca6e88d4675a88273741416e7ebfe8bcf676742525613ebaeee
|
