AIsbom – open-source CLI to detect "Pickle Bombs" in PyTorch models

Original link: https://github.com/Lab700xOrg/aisbom

## AIsbom: Security and Compliance for Machine Learning Models

AIsbom is a specialized scanner designed to identify security vulnerabilities and legal risks in machine learning (ML) model artifacts, going beyond traditional software bill of materials (SBOM) tools. Unlike tools that only look at `requirements.txt`, AIsbom performs **deep binary introspection** on model files (.pt, .pkl, .safetensors) to detect hidden malware (such as remote code execution, RCE) and restrictive licenses. Installation from PyPI (`aisbom-cli`) is straightforward. A scan (`aisbom scan ./my-project-folder`) produces a CycloneDX v1.6 JSON SBOM containing SHA256 hashes and license data, together with a terminal-based risk assessment. The new offline viewer (`aisbom.io/viewer.html`) provides a visual dashboard. AIsbom is unusual in identifying risks hidden *inside* model weights, such as malicious Pickle bytecode or non-commercial licenses (CC-BY-NC), which standard scanners typically miss. It does this through fast header-only analysis, detecting dangerous code patterns without loading the full model into memory. Test artifacts can be generated to verify that the scanner works, and it can be integrated with GitHub Actions for CI/CD pipelines.

## AIsbom: Detecting Security Risks in PyTorch Models

AIsbom is a new open-source CLI tool designed to detect "Pickle Bombs", potential remote code execution vulnerabilities, in PyTorch models (.pt files) downloaded from sources such as Hugging Face. Standard PyTorch files contain Python Pickle bytecode that can execute arbitrary code when loaded, a significant and frequently overlooked security risk. AIsbom statically analyzes the model structure (*without* loading it into memory), using `pickletools` to search for dangerous code patterns (for example calls to `os.system`). It generates a CycloneDX SBOM for compatibility with enterprise security tooling, and flags potentially problematic licenses (e.g. non-commercial use) in Safetensors files. Although the ecosystem is moving toward safer formats such as Safetensors and GGUF, the tool addresses the continued presence of .pt files in research, as well as the legal issues that restrictive licenses embedded in model metadata can cause. The developer welcomes feedback, especially on edge cases and potential improvements to the detection logic. [https://github.com/Lab700xOrg/aisbom](https://github.com/Lab700xOrg/aisbom)

Original text


AIsbom is a specialized security and compliance scanner for Machine Learning artifacts.

Unlike generic SBOM tools that only parse requirements.txt, AIsbom performs Deep Binary Introspection on model files (.pt, .pkl, .safetensors) to detect malware risks and legal license violations hidden inside the serialized weights.

AIsbom Demo


Install directly from PyPI. No cloning required.

Note: The package name is aisbom-cli, but the command you run is aisbom.

Point it at any directory containing your ML project. It will find requirements files AND binary model artifacts.

```shell
aisbom scan ./my-project-folder
```

You will see a combined Security & Legal risk assessment in your terminal:

🧠 AI Model Artifacts Found

| Filename | Framework | Security Risk | Legal Risk |
|---|---|---|---|
| bert_finetune.pt | PyTorch | 🔴 CRITICAL (RCE Detected: posix.system) | UNKNOWN |
| safe_model.safetensors | SafeTensors | 🟢 LOW (Binary Safe) | UNKNOWN |
| restricted_model.safetensors | SafeTensors | 🟢 LOW | LEGAL RISK (cc-by-nc-4.0) |

A compliant sbom.json (CycloneDX v1.6) including SHA256 hashes and license data will be generated in your current directory.


## 4. Visualize the Report (New!)

Don't like reading JSON? You can visualize your security posture using our offline viewer.

  1. Run the scan.
  2. Go to aisbom.io/viewer.html.
  3. Drag and drop your sbom.json.
  4. Get an instant dashboard of risks, license issues, and compliance stats.

Note: The viewer is client-side only. Your SBOM data never leaves your browser.


AI models are not just text files; they are executable programs and IP assets.

  • The Security Risk: PyTorch (.pt) files are Zip archives containing Pickle bytecode. A malicious model can execute arbitrary code (RCE) instantly when loaded.
  • The Legal Risk: A developer might download a "Non-Commercial" model (CC-BY-NC) and deploy it to production. Since the license is hidden inside the binary header, standard tools miss it.
  • Pickle files can execute arbitrary code (RCE) instantly upon loading.
  • The Solution: Legacy scanners look at requirements.txt manifest files but ignore binary model weights. We look inside. We decompile the bytecode headers without loading the heavy weights into RAM.
  • 🧠 Deep Introspection: Peeks inside PyTorch Zip structures and Safetensors headers without loading weights into RAM.
  • 💣 Pickle Bomb Detector: Disassembles bytecode to detect os.system, subprocess, and eval calls before they run.
  • ⚖️ License Radar: Extracts metadata from .safetensors to flag restrictive licenses (e.g., CC-BY-NC, AGPL) that threaten commercial use.
  • 🛡️ Compliance Ready: Generates standard CycloneDX v1.6 JSON for enterprise integration (Dependency-Track, ServiceNow).
  • ⚡ Blazing Fast: Scans GB-sized models in milliseconds by reading headers only and using streaming hash calculation.

## 🧪 How to Verify (The "Trust Factor")

Security tools require trust. To maintain a safe repository, we do not distribute malicious binaries. However, AIsbom includes a built-in generator so you can create safe "test dummies" to verify the scanner works.

1. Install:

2. Generate Test Artifacts: Run this command to create a fake "Pickle Bomb" and a "Restricted License" model in your current folder.

```shell
# Generate a mock Pickle Bomb (Security Risk) and a mock Non-Commercial Model (Legal Risk)
aisbom generate-test-artifacts
```

Result: Files named mock_malware.pt and mock_restricted.safetensors are created.

3. Scan it:

```shell
# You can use your globally installed aisbom, or poetry run aisbom
aisbom scan .
```

You will see the scanner flag mock_malware.pt as CRITICAL and mock_restricted.safetensors as a LEGAL RISK.


AIsbom uses a static analysis engine to disassemble Python Pickle opcodes. It looks for specific GLOBAL and STACK_GLOBAL instructions that reference dangerous modules:

  • os / posix (System calls)
  • subprocess (Shell execution)
  • builtins.eval / exec (Dynamic code execution)
  • socket (Network reverse shells)
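As an added illustration of the opcode-level check described above, and of the earlier point that a .pt file is a zip wrapping Pickle bytecode, here is a minimal Python scanner that is not AIsbom's own code. It walks a pickle stream with `pickletools.genops` (never unpickling it), resolves GLOBAL and STACK_GLOBAL references, and flags the modules listed on the page; the `archive/data.pkl` zip layout and the hand-written pickle bytes are constructed stand-ins, not real models.

```python
import io
import pickle
import pickletools
import zipfile

# Modules the page's engine treats as dangerous when a GLOBAL / STACK_GLOBAL
# opcode references them (os/posix, subprocess, socket, builtins.eval/exec).
DANGEROUS_MODULES = {"os", "posix", "subprocess", "socket"}
DANGEROUS_BUILTINS = {"eval", "exec"}


def find_dangerous_globals(data: bytes) -> list:
    """Disassemble with pickletools.genops (no unpickling); return dangerous 'module.name' refs."""
    findings = []
    recent_strings = []  # last two string pushes: STACK_GLOBAL's (module, name) operands
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, qualname = arg.split(" ", 1)  # protocol <= 3 encodes "module name"
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                continue  # malformed stream, nothing to resolve
            module, qualname = recent_strings  # protocol 4+: pushed just before
        else:
            if isinstance(arg, str):
                recent_strings = (recent_strings + [arg])[-2:]
            continue
        if module in DANGEROUS_MODULES or (module == "builtins" and qualname in DANGEROUS_BUILTINS):
            findings.append(f"{module}.{qualname}")
    return findings


def scan_pt_archive(blob: bytes) -> dict:
    """A .pt file is a zip: scan each *.pkl member and leave the tensor storage unread."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {m: find_dangerous_globals(zf.read(m)) for m in zf.namelist() if m.endswith(".pkl")}


def build_mock_pt(pickle_bytes: bytes) -> bytes:
    """Constructed stand-in for torch.save's layout: archive/data.pkl plus a storage blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle_bytes)
        zf.writestr("archive/data/0", b"\x00" * 16)
    return buf.getvalue()


# Constructed pickle streams (not real models), written out opcode by opcode.
MOCK_BOMB_P2 = b"\x80\x02cposix\nsystem\n."  # PROTO 2, GLOBAL "posix system", STOP
MOCK_BOMB_P4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93."  # SHORT_BINUNICODE x2, STACK_GLOBAL, STOP
BENIGN = pickle.dumps({"weight": 1.0}, protocol=4)  # shape of an ordinary state_dict entry
```

`scan_pt_archive(build_mock_pt(MOCK_BOMB_P2))` reports `posix.system` for `archive/data.pkl`, the same reference the README's sample table shows, while the benign stream yields no findings.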

## 🤖 GitHub Actions Integration

Add AIsbom to your CI/CD pipeline to block unsafe models before they merge.

```yaml
name: AI Security Scan
on: [pull_request]

jobs:
  aisbom-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan AI Models
        uses: Lab700xOrg/aisbom@v0
        with:
          directory: '.'
```