
Carlos-Projects/modelchain


ModelChain

Requires Python 3.11+. License: MIT.

Software Bill of Materials (SBOM) generator for AI models with provenance tracking, cryptographic integrity verification, and compliance reporting.

ModelChain creates a complete provenance record of the AI model supply chain: base model → datasets → fine-tuning → adapters → deployment. It verifies integrity at each step and generates cryptographic manifests for audit and compliance.

Features

  • SBOM Generation — Complete model SBOM (base model, datasets, adapters, hyperparameters, dependencies)
  • Provenance Tracking — Trace each component's origin with cryptographic verification
  • Supply Chain Audit — Detect compromised components in the supply chain
  • Integrity Manifests — SHA-256 manifests for every component
  • Dependency Analysis — Analyze model dependencies for known vulnerabilities
  • Compliance Reporting — EU AI Act & NIST AI RMF reports
  • Multi-Format Output — CycloneDX, SPDX 2.3, ModelChain native format, JSON, HTML

Installation

git clone https://github.com/Carlos-Projects/modelchain.git
cd modelchain
pip install -e ".[dev]"

Note: The package is not yet published on PyPI, so install it from source for now. A PyPI release is coming soon.

Quick Start

Basic SBOM Generation

modelchain generate my-model 1.0.0 \
  --type llm \
  --base meta-llama/Meta-Llama-3-8B \
  --framework transformers --framework-version 4.36.0 \
  --author "Carlos-Projects" \
  --description "My fine-tuned model"

With Datasets, Adapters, and Dependencies

modelchain generate security-model 1.0.0 \
  --type llm \
  --base meta-llama/Meta-Llama-3-8B \
  --dataset "security-instruct:2.1.0:huggingface:a1b2c3d4" \
  --adapter "security-lora:LoRA:local:e5f6a1b2" \
  --dependency "transformers:4.36.0:framework" \
  --dependency "torch:2.1.0:framework" \
  --output ./reports/sbom \
  -v

Verify Integrity

modelchain verify manifest.json --base-path ./models
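The check behind a manifest verification, as an added illustration that is not ModelChain's own code: a manifest maps each file under a base path to its SHA-256 digest, and verification recomputes the digests and reports anything modified, missing, or added. The flat {path: digest} layout and the sample model files are assumptions made here for the example, not the project's manifest.json schema.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large weight files are never read in one piece."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(base_path: Path) -> dict[str, str]:
    """Hash every regular file under base_path, keyed by its POSIX-style relative path."""
    return {
        p.relative_to(base_path).as_posix(): sha256_file(p)
        for p in sorted(base_path.rglob("*"))
        if p.is_file()
    }

def verify_manifest(manifest: dict[str, str], base_path: Path) -> dict[str, list[str]]:
    """Recompute digests and bucket every discrepancy; any non-empty bucket fails verification."""
    current = build_manifest(base_path)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: record a manifest, then alter the model directory and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "adapters").mkdir()
        (base / "config.json").write_text('{"model_type": "llama"}')
        (base / "adapters" / "lora.safetensors").write_bytes(b"\x00" * 64)
        manifest_json = json.dumps(build_manifest(base), indent=2)  # what manifest.json would hold
        # Changes a verifier must catch: altered weights, deleted config, a file added after hashing
        (base / "adapters" / "lora.safetensors").write_bytes(b"\x00" * 63 + b"\x01")
        (base / "config.json").unlink()
        (base / "injected.py").write_text("print('hi')")
        return verify_manifest(json.loads(manifest_json), base)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A digest-only manifest detects tampering but not substitution of the manifest itself, which is why the manifest should be signed or stored separately from the artifacts it describes.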

Audit Supply Chain

modelchain audit sbom.json

Compliance Reports

modelchain report sbom.json --format console
modelchain report sbom.json --format json --output report.json
modelchain report sbom.json --format html --output report.html

Output Formats

Format       Command                          Description
ModelChain   --format modelchain (default)    Native JSON format with all provenance data
CycloneDX    --format cyclonedx               CycloneDX 1.6 AI SBOM standard
SPDX         --format spdx                    SPDX 2.3 format

Compliance Frameworks

  • EU AI Act — Checks transparency (Art. 13), documentation (Art. 11), human oversight (Art. 14), accuracy/robustness/cybersecurity (Art. 15), data governance (Art. 10), risk management (Art. 9)
  • NIST AI RMF 1.0 — Checks Govern, Map, Measure, Manage categories

Ecosystem Integration

Project              Integration
reverse-abliterate   Shared integrity manifest patterns (SHA-256), same CLI style
mcp-taxonomy         MCP security taxonomy integration
MCPGuard             Compatible policy generation
MCPscop              Consumable report formats

Development

# Run tests
python -m pytest tests/ -v

# Run with coverage
python -m pytest tests/ --cov=modelchain -v

# Lint
ruff check src/

# Type check
mypy src/modelchain/

Project Structure

src/modelchain/
├── cli.py              # Typer CLI (generate, verify, audit, report, sbom)
├── generator.py        # Core SBOM generator
├── provenance/         # Provenance tracking & verification
├── sbom/               # SBOM builders (modelchain, cyclonedx, spdx)
├── supply_chain/       # Supply chain auditing & vulnerability correlation
├── integrity/          # SHA-256 manifests, fingerprints, diffs
├── compliance/         # EU AI Act & NIST AI RMF checkers
├── reporters/          # Console (Rich), JSON, HTML (Jinja2) output
└── utils/              # Cryptographic utilities

Contributing

See CONTRIBUTING.md for development guidelines.

Security

Found a vulnerability? See SECURITY.md.

License

MIT License — see LICENSE for details.
