AI SBOM generator with portable schema
This project has been archived.
The maintainers of this project have marked this project as archived. No new releases are expected.
Project description
Xelo
Xelo is an open-source AI SBOM generator for agentic and LLM-powered applications. It scans code and configuration, produces AI-BOM JSON, and can export CycloneDX-compatible output for security and compliance workflows.
Why Xelo
- Detects AI-specific components (agents, models, tools, prompts, datastores, auth, deployment artifacts).
- Works on mixed Python and TypeScript repositories.
- Uses deterministic extraction by default.
- Supports optional LLM enrichment when you explicitly enable it.
Installation
Install from PyPI:
pip install xelo
Install for deXelopment:
pip install -e ".[dev]"
Quickstart
Generate an AI-BOM from a local path:
xelo scan path ./my-repo --format json --output sbom.json
Validate a generated document:
xelo validate sbom.json
Export the JSON schema used by the models:
xelo schema --output ai_bom.schema.json
CLI alias: ai-sbom.
CLI Commands
| Command | Description |
|---|---|
xelo scan path <PATH> |
Scan a local repository path |
xelo scan repo <URL> |
Clone and scan a remote repository |
xelo validate <FILE> |
Validate AI-BOM JSON against schema models |
xelo schema --output <FILE> |
Export schema JSON |
Run xelo --help or xelo <command> --help for all flags.
Configuration
xelo scan can be configured via .env values and CLI flags. CLI flags take precedence.
Environment variables:
AISBOM_DETERMINISTIC_ONLY=true|falseAISBOM_LLM_MODEL=<litellm model string>AISBOM_LLM_BUDGET_TOKENS=<int>AISBOM_LLM_API_KEY=<optional key>
Example enabling enrichment:
xelo scan path ./my-repo --enable-llm --llm-model gpt-4o-mini --output sbom.json
DeXelopment
pip install -e ".[dev]"
ruff check src tests
mypy src
pytest
Project Docs
License
Apache-2.0. See LICENSE.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file xelo-0.1.1.tar.gz.
File metadata
- Download URL: xelo-0.1.1.tar.gz
- Upload date:
- Size: 120.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fafb0c3490ab939e98b8f5e9bb6e200b360cb9cc7b1cca1ecc9ea16d6ffd9f33
|
|
| MD5 |
b0cb7cafe975746a7436ffc438f9357e
|
|
| BLAKE2b-256 |
752911be96d68f600c049ceac42291fe245c5a4880e21fd32e6129a121dfa1a2
|
File details
Details for the file xelo-0.1.1-py3-none-any.whl.
File metadata
- Download URL: xelo-0.1.1-py3-none-any.whl
- Upload date:
- Size: 126.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6e2d2baff4518d67703f56cb34ed2f4d57f55f1539aaf31c01579c2b703e6ddc
|
|
| MD5 |
1b1f0f016bb9405da5c5cbbf42c2e751
|
|
| BLAKE2b-256 |
3cdbecb2b4ebfcc3c411e1f9465d617c8ad650f14a0d1a8d29d6e8b0f473c59e
|
