Key Capabilities
Supply Chain Security
Identify AI models, frameworks, SDKs, APIs and dependencies used throughout your software ecosystem to improve visibility and reduce supply chain risk.AI Compliance and Governance
Generate AI-focused SBOMs and compliance reports to support regulatory frameworks such as the EU AI Act and internal governance policies.Risk Assessment and Provenance Analysis
Detect AI service integrations, exposed model endpoints, API keys, model origins and usage patterns to support security reviews and risk management.Features
SDK Detection (12 languages)
| Language | SDKs Detected |
|---|---|
| Python | OpenAI, Anthropic, HuggingFace, LangChain, LlamaIndex, Strands, CrewAI, AutoGen |
| JavaScript/TypeScript | OpenAI, Anthropic, LangChain, Vercel AI SDK |
| Go | go-openai, go-anthropic |
| Rust | async-openai, anthropic-rs |
| Java/Kotlin | openai-java, LangChain4j, Spring AI |
| And more… | Ruby, PHP, C#, C++, Swift, Scala, Kotlin |
AI Package Detection (150+ packages)
Comprehensive detection across categories:| Category | Packages |
|---|---|
| LLM Clients | OpenAI, Anthropic, Cohere, Groq, Mistral, Ollama, Google GenAI, Azure OpenAI |
| Agent Frameworks | LangChain, LlamaIndex, Strands Agents, CrewAI, AutoGen, Semantic Kernel |
| ML Frameworks | PyTorch, TensorFlow, Keras, JAX, Transformers, scikit-learn, XGBoost |
| Vector Databases | ChromaDB, Pinecone, Weaviate, Qdrant, Milvus, FAISS, LanceDB |
| Speech/Audio AI | OpenAI Whisper, Faster Whisper, ElevenLabs, Bark |
| AI Safety | AIProxyGuard, Guardrails AI, NeMo Guardrails, LLM Guard |
| Tools & Utilities | Tavily, LangSmith, W&B, MLflow, Accelerate, Datasets |
| MCP/Tool Use | MCP, Anthropic Tools |
Model File Detection (12 formats)
GGUF, SafeTensors, ONNX, PyTorch, TensorFlow, TFLite, CoreML, JAX, Keras, MXNet, PaddlePaddle, PickleManifest Parsing (11 formats)
requirements.txt, pyproject.toml, package.json, go.mod, Cargo.toml, pom.xml, build.gradle, Gemfile, composer.json, *.csproj, Package.swiftOutput Formats
- JSON - Machine-readable findings
- CycloneDX 1.6 - OWASP SBOM format with ML-BOM support
- SPDX 2.3 - Linux Foundation SBOM format
- SPDX 3.0 - Latest SPDX specification with JSON-LD
SBOM Compliance
Generated SBOMs are compliant with major standards:| Standard | Status | Notes |
|---|---|---|
| CISA Minimum SBOM Elements | Compliant | Supplier, name, version, PURL, timestamp, author |
| OpenChain ISO/IEC 5230 | Compliant | Document namespace, SPDX-License-Identifier, creator info |
| EU AI Act | Ready | License info, descriptions, external references for AI components |
| CycloneDX ML-BOM | Supported | modelCard, modelParameters, architecture metadata |
License Handling
- Licenses are automatically enriched from PyPI, npm, and HuggingFace
- Unknown licenses are marked as
NOASSERTIONper SPDX specification - Supports SPDX license expressions