AI SBOM generator with portable schema
This project has been archived.
The maintainers of this project have marked this project as archived. No new releases are expected.
Project description
Xelo
Xelo is an open-source AI SBOM generator for agentic and LLM-powered applications. It scans code and configuration, produces AI-BOM JSON, and can export CycloneDX-compatible output for security and compliance workflows.
Why Xelo
- Detects AI-specific components (agents, models, tools, prompts, datastores, guardrails, auth, deployment artifacts).
- Works on mixed Python and TypeScript repositories.
- Recursively scans
requirements.txt,pyproject.toml, andpackage.jsonfiles at any depth in the project tree. - Uses deterministic extraction by default.
- Supports optional LLM enrichment when you explicitly enable it.
Supported Frameworks
Xelo detects components from the following AI/agent frameworks out of the box:
Python: LangChain, LangGraph, OpenAI Agents SDK, CrewAI (code + YAML configs), AutoGen (code + YAML configs), Google ADK, LlamaIndex, Agno, AWS BedrockAgentCore, Azure AI Agent Service, Guardrails AI, MCP Server, Semantic Kernel
TypeScript / JavaScript: LangChain.js, LangGraph.js, OpenAI Agents (TS), Azure AI Agents (TS), Agno (TS), MCP Server (TS)
Installation
pip install xelo
Install for development:
pip install -e ".[dev]"
Quickstart
Generate an AI-BOM from a local path:
xelo scan path ./my-repo --format json --output sbom.json
CLI alias: ai-sbom.
CLI Commands
| Command | Description |
|---|---|
xelo scan path <PATH> |
Scan a local repository path |
xelo scan repo <URL> |
Clone and scan a remote repository |
Run xelo --help or xelo <command> --help for all flags.
Configuration
xelo scan can be configured via .env values and CLI flags. CLI flags take precedence.
Environment variables:
AISBOM_ENABLE_LLM=true|falseAISBOM_LLM_MODEL=<litellm model string>AISBOM_LLM_BUDGET_TOKENS=<int>AISBOM_LLM_API_KEY=<optional key>
Example enabling enrichment:
xelo scan path ./my-repo --enable-llm --llm-model gpt-4o-mini --output sbom.json
Development
pip install -e ".[dev]"
ruff check src tests
mypy src
pytest
Project Docs
- Documentation Index
- Getting Started
- CLI Reference
- Developer Guide
- Troubleshooting
- Documentation Changelog
- Contributing
- Security Policy
- Support
- Governance
- Roadmap
- Code of Conduct
License
Apache-2.0. See LICENSE.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file xelo-0.1.2.tar.gz.
File metadata
- Download URL: xelo-0.1.2.tar.gz
- Upload date:
- Size: 138.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c454e577e54a9ffa36193462506727439a52a9d6124d8f24fc732e21e512120c
|
|
| MD5 |
806284893794cfff039f9b828e40d38e
|
|
| BLAKE2b-256 |
fb1ffe8ef09965c7a6e587e8ad11d8872357b65a6e55b61120c9ab7264784bc9
|
File details
Details for the file xelo-0.1.2-py3-none-any.whl.
File metadata
- Download URL: xelo-0.1.2-py3-none-any.whl
- Upload date:
- Size: 152.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2662389a3372b60d38b8e6d0e0ccaee1a79e13bbb774caa97b92c59dac524cd1
|
|
| MD5 |
786fa8c1095661cfe174c0aa37205681
|
|
| BLAKE2b-256 |
0bc7b6ccfdbcc8479a658a8723ad2d162551e55aa8cb96a9d7bf8600be353a95
|
