Squash automates EU AI Act compliance so ML teams spend engineering time building, not documenting.
⏰ EU AI Act high-risk enforcement: August 2, 2026

Squash generates your Annex IV technical documentation, runs policy checks against 10+ regulatory frameworks, and produces cryptographically signed audit records, all inside your CI/CD pipeline.

```bash
pip install squash-ai
squash attest ./my-model --policy eu-ai-act
```

```
✓ CycloneDX 1.7 ML-BOM generated → ./my-model/cyclonedx-mlbom.json
✓ SPDX 2.3 SBOM generated → ./my-model/sbom.spdx.json
✓ EU AI Act policy: PASS (18/18) → ./my-model/attestation.json
✓ OWASP LLM Top 10: PASS (10/10)
✓ NIST AI RMF: PASS (42/42 controls)
✓ SLSA Level 2 provenance → ./my-model/provenance.json
✓ ModelScan security: PASS (0 findings)
✓ Signed via Sigstore Rekor
```

| Problem | Cost |
|---|---|
| Annex IV documentation (manual) | 3–6 months engineering time |
| Non-compliance fine | up to €35M or 7% of global turnover |
| Compliance consultant (typical) | €150K–€400K/year per AI system |
| Squash (automated) | < 5 seconds in CI/CD |
| Capability | Detail |
|---|---|
| EU AI Act Annex IV | Auto-generates all 12 required documentation sections |
| CycloneDX 1.7 ML-BOM | Machine-readable model bill of materials |
| SPDX 2.3 SBOM | Full dependency and lineage graph |
| 10+ Policy Frameworks | EU AI Act · NIST AI RMF · ISO 42001 · OWASP LLM Top 10 · FedRAMP · CMMC · NTIA |
| ModelScan Security | Detects pickle exploits, serialization attacks, unsafe ops |
| Sigstore Signing | Keyless signing via Rekor transparency log |
| SLSA Provenance | Level 1–3 provenance attestation |
| VEX Feed | Live vulnerability tracking for AI model components |
| Drift Detection | Alerts when model behavior diverges from attested baseline |
| 10 MLOps Integrations | MLflow · W&B · HuggingFace · LangChain · SageMaker · Vertex AI · Ray · Kubernetes · Azure DevOps · CircleCI |
| Open-core | Community tier free and self-hostable under Apache 2.0 |

```bash
# Community (free, Apache 2.0)
pip install squash-ai

# With REST API server
pip install "squash-ai[api]"

# With cryptographic signing
pip install "squash-ai[signing,sbom]"

# All features
pip install "squash-ai[all]"
```

```bash
# Attest against two policies, sign the result, and exit non-zero on any violation
squash attest ./my-model \
  --policy eu-ai-act \
  --policy nist-ai-rmf \
  --sign \
  --fail-on-violation
```

```yaml
# GitHub Actions step: fail the workflow when a policy check fails
- name: Squash compliance gate
  uses: konjoai/squash-action@v1
  with:
    model-path: ./my-model
    policy: eu-ai-act
    fail-on-violation: true
```

```python
from squash import AttestPipeline, AttestConfig

# Configure the policies to evaluate and enable signing of the audit record
config = AttestConfig(
    model_path="./my-model",
    policies=["eu-ai-act", "owasp-llm"],
    sign=True,
)

result = AttestPipeline(config).run()
print(f"Policy: {'PASS' if result.passed else 'FAIL'}")
print(f"Attestation ID: {result.attestation_id}")
```

```bash
# Start the REST API server (0.0.0.0 listens on all network interfaces)
uvicorn squash.api:app --host 0.0.0.0 --port 4444

# Request an attestation over the API
curl -X POST http://localhost:4444/v1/attest \
  -H "Authorization: Bearer $SQUASH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model_path": "/models/my-model", "policies": ["eu-ai-act"]}'
```

| Framework | Status | Key Checks |
|---|---|---|
| EU AI Act (Annex IV) | ✓ Full | Technical documentation, risk classification, human oversight |
| NIST AI RMF 1.0 | ✓ Full | 42 controls across GOVERN · MAP · MEASURE · MANAGE |
| OWASP LLM Top 10 | ✓ Full | LLM01–LLM10 vulnerability categories |
| ISO 42001 | ✓ Core | Clause 6 (Planning), Clause 8 (Operation), Clause 9 (Evaluation) |
| NTIA Minimum Elements | ✓ Full | 7 required SBOM fields |
| FedRAMP AI | Sprint 2 | Federal AI procurement requirements |
| CMMC Level 2 | Sprint 2 | DoD contractor AI requirements |

| Tier | Price | Attestations/mo | Features |
|---|---|---|---|
| Community | Free | 10 | Full CLI, SBOM, policy checks, signing, self-hosted |
| Professional | $299/mo | 200 | Cloud API, Annex IV auto-generation, drift alerts, audit export |
| Team | $899/mo | 1,000 | Multi-tenant dashboard, VEX feed, SAML SSO, HITL workflows |
| Enterprise | Custom | Unlimited | On-premise, air-gapped, dedicated support, EU data residency |

```
squash attest ./my-model
│
├── ModelScanner     → Security scan (pickle, unsafe ops, CVEs)
├── CycloneDXBuilder → ML-BOM (CycloneDX 1.7)
├── SpdxBuilder      → SBOM (SPDX 2.3)
├── PolicyEngine     → EU AI Act · NIST · OWASP · ISO checks
├── SlsaBuilder      → SLSA Level 1–3 provenance
├── VexEvaluator     → Live vulnerability feed
├── OmsSigner        → Sigstore keyless signing
└── AttestPipeline   → Signed audit record (JSON)
```

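
The pickle check listed for the ModelScanner stage can be illustrated without ever loading the file. This is an added example, not code from Squash or ModelScan: it uses one common approach, walking the pickle opcode stream and reporting every import outside an allowlist. The `ALLOWED` set, `scan_pickle`, and the sample objects are assumptions made for the illustration.

```python
import collections
import pickle
import pickletools
import platform

# Assumed allowlist for this example: imports a plain weights file may need.
ALLOWED = {("collections", "OrderedDict")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def scan_pickle(data: bytes):
    """Return sorted (module, name) imports outside ALLOWED, without unpickling."""
    findings, strings, memo, prev_str = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        target = None
        if op.name in ("GLOBAL", "INST"):  # arg is "module name"
            target = tuple(arg.split(" ", 1))
        elif op.name == "STACK_GLOBAL":  # operands are the last two strings pushed
            target = tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?")
        if target and target not in ALLOWED:
            findings.add(target)
        # Mirror the unpickler's memo so reused strings still resolve.
        if op.name == "MEMOIZE":
            memo[len(memo)] = prev_str
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = prev_str
        elif op.name in ("GET", "BINGET", "LONG_BINGET") and memo.get(arg):
            strings.append(memo[arg])
        prev_str = arg if op.name in STRING_OPS else None
        if prev_str is not None:
            strings.append(prev_str)
    return sorted(findings)

class _Constructed:
    """Constructed sample: unpickling it would call platform.system()."""
    def __reduce__(self):
        return (platform.system, ())

def demo():
    # Constructed inputs: one data-only pickle, one that imports a callable.
    benign = pickle.dumps({"layers": collections.OrderedDict(w=[0.1, 0.2])}, protocol=4)
    flagged = pickle.dumps(_Constructed(), protocol=4)
    legacy = pickle.dumps(_Constructed(), protocol=2, fix_imports=False)
    return scan_pickle(benign), scan_pickle(flagged), scan_pickle(legacy)

if __name__ == "__main__":
    print(demo())
```

An allowlist fails closed: any callable the file would import at load time is reported unless it was explicitly expected, which is why formats that store tensors only are easier to gate than pickle-based checkpoints.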
Squash and Squish form the complete AI deployment stack for regulated environments:

```bash
# Build and compress with Squish
squish compress ./my-model --quant int4

# Gate on compliance with Squash
squash attest ./my-model --policy eu-ai-act --sign

# Deploy with confidence
```

Squish handles Apple Silicon inference optimization. Squash handles compliance. Different buyers, different toolchains, one ecosystem.

```bash
git clone https://github.com/konjoai/squash
cd squash
pip install -e ".[api,signing,sbom,dev]"

# Run tests
python -m pytest tests/ -v --timeout=120

# Run a specific wave's tests
python -m pytest tests/test_squash_wave83.py -v
```

Community edition: Apache 2.0

Enterprise features (cloud API, multi-tenant dashboard, VEX feed subscription, on-premise deployment) are available under a commercial license. Contact us →

Built by Konjo AI · Make it konjo: build, ship, rest, repeat.