Supply Chain Security for AI. Scans models (Pickle, PyTorch, Keras, GGUF) for malware and verifies integrity.

Project description

๐Ÿ›ก๏ธ Veritensor: AI Supply Chain Security

Veritensor is the Zero-Trust security platform for the AI Supply Chain. We replace naive model scanning with deep AST analysis and cryptographic verification.

Unlike standard antiviruses, Veritensor understands AI formats (Pickle, PyTorch, Keras, GGUF, Wheels) and ensures that your models:

  1. Are Safe: Do not contain malicious code (RCE, Reverse Shells, Lambda injections).
  2. Are Authentic: Have not been tampered with (Hash-to-API verification against Hugging Face).
  3. Are Compliant: Do not violate commercial license terms (e.g., CC-BY-NC, AGPL).
  4. Are Trusted: Can be cryptographically signed before deployment.

🚀 Features

  • Deep Static Analysis: Decompiles Pickle bytecode and Keras Lambda layers to find obfuscated attacks (e.g., STACK_GLOBAL exploits). Now supports deep scanning of Zip archives (PyTorch) and Python Wheels.
  • Identity Verification: Automatically verifies model hashes against the official Hugging Face registry to detect Man-in-the-Middle attacks.
  • License Firewall: Blocks models with restrictive licenses (e.g., Non-Commercial, AGPL). Veritensor performs a hybrid check: it inspects embedded file metadata first, and automatically falls back to the Hugging Face API if metadata is missing (requires --repo).
  • Supply Chain Security: Integrates with Sigstore Cosign to sign Docker containers. Includes timestamps to prevent replay attacks.
  • CI/CD Native: Ready for GitHub Actions, GitLab, and Pre-commit pipelines.

📦 Installation

Via PyPI (Recommended for local use)

Lightweight installation (no heavy ML libraries required).

pip install veritensor

Via Docker (Recommended for CI/CD)

docker pull arseniibrazhnyk/veritensor:latest

⚡ Quick Start

1. Scan a local model

Check a file or directory for malware:

veritensor scan ./models/bert-base.pt

Example Output:

╭────────────────────────────────╮
│ 🛡️  Veritensor Security Scanner │
╰────────────────────────────────╯
                                    Scan Results
┏━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ File         ┃ Status ┃ Threats / Details                    ┃ SHA256 (Short) ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ model.pt     │  FAIL  │ CRITICAL: os.system (RCE Detected)   │ a1b2c3d4...    │
└──────────────┴────────┴──────────────────────────────────────┴────────────────┘
❌ BLOCKING DEPLOYMENT

2. Verify against Hugging Face

Ensure the file on your disk matches the official version from the registry (detects tampering):

veritensor scan ./pytorch_model.bin --repo meta-llama/Llama-2-7b

3. License Compliance Check

Veritensor automatically reads metadata from safetensors and GGUF files. If a model has a Non-Commercial license (e.g., cc-by-nc-4.0), it will raise a HIGH severity alert.

To override this (Break-glass mode), use:

veritensor scan ./model.safetensors --force
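
The embedded-metadata half of this check for safetensors files, as an added example that is not Veritensor's own code: it reads the header (an 8-byte little-endian length followed by JSON) and matches the license against restricted keywords. The `license` metadata key, the header size bound, the function names and the sample file built by `build_sample` are assumptions made for this example.

```python
import json
import struct

MAX_HEADER_BYTES = 100 * 1024 * 1024  # sanity bound chosen for this example
# Keywords copied from the sample veritensor.yaml on this page.
RESTRICTED_KEYWORDS = ("cc-by-nc", "agpl", "research-only")

def read_metadata(blob):
    """Return the __metadata__ map of a safetensors file; tensors are not loaded."""
    if len(blob) < 8:
        raise ValueError("shorter than the 8-byte header length field")
    (header_len,) = struct.unpack("<Q", blob[:8])    # little-endian u64
    if header_len > MAX_HEADER_BYTES or 8 + header_len > len(blob):
        raise ValueError("declared header length is out of bounds")
    header = json.loads(blob[8:8 + header_len].decode("utf-8"))
    meta = header.get("__metadata__", {}) if isinstance(header, dict) else None
    if not isinstance(meta, dict):
        raise ValueError("header or __metadata__ is not a JSON object")
    return meta

def license_finding(blob, fail_on_missing_license=False):
    """Return a finding string, or None when the license passes the policy."""
    license_id = read_metadata(blob).get("license")  # key name is an assumption
    if not isinstance(license_id, str) or not license_id.strip():
        return "missing license metadata" if fail_on_missing_license else None
    lowered = license_id.lower()                     # keywords are case-insensitive
    if any(keyword in lowered for keyword in RESTRICTED_KEYWORDS):
        return f"HIGH: restricted license {license_id}"
    return None

def build_sample(metadata=None):
    """Constructed safetensors bytes: one 4-byte F32 tensor plus optional metadata."""
    header = {"w": {"dtype": "F32", "shape": [1], "data_offsets": [0, 4]}}
    if metadata is not None:
        header["__metadata__"] = metadata
    raw = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(raw)) + raw + b"\x00" * 4
```

A header length that exceeds the file is rejected before any JSON parsing, so a malformed file cannot drive a large allocation.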

📊 Reporting & Compliance

Veritensor supports industry-standard formats for integration with security dashboards and audit tools.

1. GitHub Security (SARIF)

Generate a report compatible with GitHub Code Scanning:

veritensor scan ./models --sarif > veritensor-report.sarif

2. Software Bill of Materials (SBOM)

Generate a CycloneDX v1.5 SBOM to inventory your AI assets:

veritensor scan ./models --sbom > sbom.json

3. Raw JSON

For custom parsers and SOAR automation:

veritensor scan ./models --json

๐Ÿ” Supply Chain Security (Container Signing)

Veritensor integrates with Sigstore Cosign to cryptographically sign your Docker images only if they pass the security scan.

1. Generate Keys

Generate a key pair for signing:

veritensor keygen
# Output: veritensor.key (Private) and veritensor.pub (Public)

2. Scan & Sign

Pass the --image flag and the path to your private key (via env var).

# Set path to your private key
export VERITENSOR_PRIVATE_KEY_PATH=veritensor.key

# If scan passes -> Sign the image
veritensor scan ./models/my_model.pkl --image my-org/my-app:v1.0.0

3. Verify (In Kubernetes / Production)

Before deploying, verify the signature to ensure the model was scanned:

cosign verify --key veritensor.pub my-org/my-app:v1.0.0

๐Ÿ› ๏ธ Integrations

GitHub Actions

Add this to your .github/workflows/security.yml to block malicious models in Pull Requests:

name: AI Security Scan
on: [pull_request]

jobs:
  veritensor-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Scan Models
        uses: ArseniiBrazhnyk/Veritensor@v1.3.1
        with:
          path: './models'
          repo: 'meta-llama/Llama-2-7b' # Optional: Verify integrity
          force: 'false' # Set to true to not fail build on threats

Pre-commit Hook

Prevent committing malicious models to your repository. Add this to .pre-commit-config.yaml:

repos:
  - repo: https://github.com/ArseniiBrazhnyk/Veritensor
    rev: v1.3.1
    hooks:
      - id: veritensor-scan

📂 Supported Formats

Format        Extension          Analysis Method
PyTorch       .pt, .pth, .bin    Zip extraction + Pickle VM Bytecode Analysis
Pickle        .pkl, .joblib      Deep AST Analysis (Stack Emulation)
Keras         .h5, .keras        Lambda Layer Detection & Config Analysis
Safetensors   .safetensors       Header Parsing & Metadata Validation
GGUF          .gguf              Binary Parsing & Metadata Validation
Python Wheel  .whl               Archive Inspection & Heuristic Analysis
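
The idea behind the Pickle rows above and the STACK_GLOBAL case named under Features, as an added example that is not Veritensor's own code: it walks the opcodes with the standard-library pickletools, resolves GLOBAL, INST and STACK_GLOBAL import targets with a small stack and memo model, and never unpickles the data. DENIED_MODULES, the function names and the four sample byte strings are constructed for this example.

```python
import pickletools

MARK = object()  # stands in for pickle's MARK object on the modelled stack
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
# Illustrative denylist for this example, not the contents of signatures.yaml.
DENIED_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "runpy", "socket"}

def imported_globals(data):
    """List the (module, name) imports a pickle requests, without unpickling it."""
    stack, memo, found = [], {}, []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):        # operands inline: "module name"
            found.append(tuple(arg.split(" ", 1)))
        if op.name == "STACK_GLOBAL":            # operands taken from the stack
            name, module = (stack.pop() if stack else None for _ in range(2))
            found.append((module, name))
            stack.append(None)
        elif op.name in STRING_OPS:
            stack.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        else:                                    # generic effect from pickletools
            before = op.stack_before
            if pickletools.markobject in before:
                while stack and stack.pop() is not MARK:
                    pass
                before = before[:before.index(pickletools.markobject)]
            del stack[len(stack) - min(len(stack), len(before)):]
            stack.extend(MARK if a is pickletools.markobject else None
                         for a in op.stack_after)
    return found

def verdict(data):
    """FAIL on a denied import or on one that cannot be resolved statically."""
    for module, name in imported_globals(data):
        unresolved = not (isinstance(module, str) and isinstance(name, str))
        if unresolved or module.split(".")[0] in DENIED_MODULES:
            return "FAIL"
    return "PASS"

# Constructed samples: each only references a callable, nothing is invoked.
LEGACY = b"\x80\x02cos\nsystem\n."                                  # GLOBAL
STACKED = b"\x80\x04\x8c\x02os\x8c\x06system\x93."                   # STACK_GLOBAL
MEMO_HIDDEN = b"\x80\x04\x8c\x06system\x94\x8c\x02os\x94h\x00\x93."  # via memo
BENIGN = b"\x80\x04\x8c\x0bcollections\x8c\x0bOrderedDict\x93."
```

A byte-pattern search for the GLOBAL text form would miss STACKED and MEMO_HIDDEN, which is why the operands have to be recovered from the modelled stack; an import whose operands cannot be recovered is failed rather than skipped.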

โš™๏ธ Configuration

You can customize security policies by creating a veritensor.yaml file in your project root. Pro Tip: Use the regex: prefix for flexible matching.

# veritensor.yaml

# 1. Security Threshold
# Fail the build if threats of this severity (or higher) are found.
# Options: CRITICAL, HIGH, MEDIUM, LOW.
fail_on_severity: CRITICAL

# 2. License Firewall Policy
# If true, blocks models that have no license metadata.
fail_on_missing_license: false

# List of license keywords to block (case-insensitive).
custom_restricted_licenses:
  - "cc-by-nc"       # Non-Commercial
  - "agpl"           # Viral licenses
  - "research-only"

# 3. Static Analysis Exceptions (Pickle)
# Allow specific Python modules that are usually blocked by the strict scanner.
allowed_modules:
  - "my_company.internal_layer"
  - "sklearn.tree"

# 4. Model Whitelist (License Bypass)
# List of Repo IDs that are trusted. Veritensor will SKIP license checks for these.
# Supports Regex!
allowed_models:
  - "meta-llama/Meta-Llama-3-70B-Instruct"  # Exact match
  - "regex:^google-bert/.*"                 # Allow all BERT models from Google
  - "internal/my-private-model"

To generate a default configuration file, run: veritensor init


🧠 Threat Intelligence (Signatures)

Veritensor uses a decoupled signature database (signatures.yaml) to detect malicious patterns. This ensures that detection logic is separated from the core engine.

  • Automatic Updates: To get the latest threat definitions, simply upgrade the package:
    pip install --upgrade veritensor
    
  • Transparent Rules: You can inspect the default signatures in src/veritensor/engines/static/signatures.yaml.
  • Custom Policies: If the default rules are too strict for your use case (false positives), use veritensor.yaml to whitelist specific modules or models.

📜 License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details.

Download files

Source Distribution

veritensor-1.3.1.tar.gz (36.9 kB view details)

Built Distribution

veritensor-1.3.1-py3-none-any.whl (39.2 kB view details)

File details

Details for the file veritensor-1.3.1.tar.gz.

File metadata

  • Download URL: veritensor-1.3.1.tar.gz
  • Upload date:
  • Size: 36.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for veritensor-1.3.1.tar.gz
Algorithm Hash digest
SHA256 0afc1d8d65cbac73823c396c3871687c46eee053a449ee634cf622ddfefd3acc
MD5 a82a9143898bcc0af3cf069cfe85cd78
BLAKE2b-256 31ee73a7cbef164695bda75098efa65ff7aadb2937e7a15615a6f12d0dfbd142

File details

Details for the file veritensor-1.3.1-py3-none-any.whl.

File metadata

  • Download URL: veritensor-1.3.1-py3-none-any.whl
  • Upload date:
  • Size: 39.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for veritensor-1.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 bba1dbc1d84691e481d29456057f75504c907737d60eeea9512397d9c2b9093e
MD5 e8f31b84c626fe3c9af565d43eedbd17
BLAKE2b-256 1e504d16409d7308818f9f982aab1af77367bb15bf48b73171d1fa6d16236706
