# OWASP GenAI Security Project - AIBOM Generator
This is the official GitHub repository for the **OWASP AIBOM Generator**, an open-source tool for generating **AI Bills of Materials (AIBOMs)** in [CycloneDX](https://cyclonedx.org) format.
The tool is also listed in the official **[CycloneDX Tool Center](https://cyclonedx.org/tool-center/)**.
**Try the tool live:** https://owasp-genai-aibom.org
Bookmark and share: https://owasp-genai-aibom.org
OWASP AIBOM Initiative: [genai.owasp.org](https://genai.owasp.org/)
> This initiative is about making AI transparency practical. The OWASP AIBOM Generator, running under the OWASP GenAI Security Project, is focused on helping organizations understand what's actually inside AI models and systems, starting with open models on Hugging Face.
> Join OWASP GenAI Security Project - AIBOM Initiative to contribute.
---
## What It Does
- Extracts metadata from models hosted on Hugging Face
- Generates an **AIBOM** (AI Bill of Materials) in CycloneDX 1.6 JSON format
- Calculates **AIBOM completeness scoring** with recommendations
- Supports metadata extraction from model cards, configurations, and repository files
---
## Features
- Human-readable AIBOM viewer
- JSON download
- Completeness scoring & improvement tips
- API endpoints for automation
- Standards-aligned generation (CycloneDX 1.6, compatible with SPDX AI Profile)
---
## Installation & Usage
### 1. Install Dependencies
```bash
pip install -r requirements.txt
```
Or, if you prefer [uv](https://docs.astral.sh/uv/) for faster dependency management:
```bash
uv sync
```
### 2. Run Web Application
Start the local server at `http://localhost:8000`:
```bash
python3 -m src.main
```
### 3. Run via CLI
Generate an AIBOM for a Hugging Face model directly from your terminal:
**Basic Usage:**
```bash
python3 -m src.cli google-bert/bert-base-uncased
```
**Advanced Usage:**
You can specify additional metadata like component name, version, and supplier.
```bash
python3 -m src.cli google-bert/bert-base-uncased \
--name "My Custom BERT" \
--version "1.0.0" \
--manufacturer "Acme Corp" \
--output "my_sbom.json"
```
**Command Line Options:**
| Option | Shorthand | Description |
|--------|-----------|-------------|
| `model_id` | | Hugging Face Model ID (e.g., `owner/model`) |
| `--test` | `-t` | Run test mode for multiple predefined models |
| `--output` | `-o` | Custom output file path |
| `--name` | `-n` | Override component name in metadata |
| `--version` | `-v` | Override component version in metadata |
| `--manufacturer` | `-m` | Override component manufacturer/supplier |
| `--inference` | `-i` | Use AI inference for enhanced metadata (requires API key) |
| `--summarize` | `-s` | Enable intelligent description summarization |
| `--verbose` | | Enable verbose logging |
- Metrics and produced SBOMs are saved to the `sboms/` directory by default.
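Once an AIBOM has been produced, a consuming pipeline should verify it is a CycloneDX 1.6 document with a `machine-learning-model` component before trusting it, and can apply its own completeness check. The following is an added example written for this README (it is not the generator's code, and its field checklist is an assumed one, not the project's scoring rubric); the sample document is constructed inline to resemble the generator's output for a Hugging Face model.

```python
import json
from typing import Any, List, Tuple

# Constructed sample: a minimal CycloneDX 1.6 AIBOM with one model component.
# Values are illustrative, not real generator output.
SAMPLE_AIBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [{
        "type": "machine-learning-model",
        "name": "bert-base-uncased",
        "version": "1.0.0",
        "manufacturer": {"name": "Acme Corp"},
        "licenses": [{"license": {"id": "Apache-2.0"}}],
        "modelCard": {"modelParameters": {"task": "fill-mask"}},
    }],
})

# Assumed checklist of fields a consumer wants on every model component
# (dotted paths into the component object). Not the generator's own rubric.
REQUIRED_PATHS = [
    "name", "version", "manufacturer.name", "licenses",
    "modelCard.modelParameters.task",
    "modelCard.modelParameters.datasets",
    "modelCard.considerations",
]

def get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; None if any key is absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def check_aibom(text: str) -> Tuple[float, List[str]]:
    """Validate format/version, then score model-component completeness.

    Returns (fraction of checklist fields present, rounded to 2 places,
    list of missing paths). Raises ValueError for a non-CycloneDX-1.6
    document or one with no machine-learning-model component.
    """
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.6":
        raise ValueError("not a CycloneDX 1.6 document")
    models = [c for c in bom.get("components", [])
              if c.get("type") == "machine-learning-model"]
    if not models:
        raise ValueError("no machine-learning-model component found")
    missing = [p for m in models for p in REQUIRED_PATHS
               if get_path(m, p) in (None, [], {})]
    total = len(models) * len(REQUIRED_PATHS)
    return round(1 - len(missing) / total, 2), missing
```

For the sample above the check reports 5 of 7 fields present and names the two missing model-card paths, which is the kind of gap the generator's own recommendations aim to surface.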
---
## Found a Bug or Have an Improvement Request?
We welcome contributions and feedback.
**Log an issue:**
https://github.com/GenAI-Security-Project/aibom-generator/issues
---
## License
This project is open-source and available under the [Apache 2.0 License](LICENSE).