Files
promptfoo--promptfoo/site/docs/model-audit/index.md
T
wehub-resource-sync 0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

351 lines
15 KiB
Markdown

---
title: ModelAudit - Static Security Scanner for ML Models
description: Scan AI/ML models for security vulnerabilities, malicious code, and backdoors. Supports PyTorch, TensorFlow, ONNX, Keras, and 30+ model formats.
keywords:
[
model security,
AI security,
ML security scanning,
static analysis,
malicious model detection,
pytorch security,
tensorflow security,
model vulnerability scanner,
]
sidebar_label: Overview
sidebar_position: 1
---
# Model Scanning
## Overview
ModelAudit is a lightweight static security scanner for machine learning models accessible through Promptfoo. It scans AI/ML models for potential security risks before deployment.
Promptfoo provides a wrapper command `promptfoo scan-model` that integrates ModelAudit scanning capabilities.
![example model scan results](/img/docs/modelaudit/modelaudit-result.png)
Promptfoo also includes a UI that allows you to set up a scan:
![model scan](/img/docs/modelaudit/model-audit-setup.png)
And displays the results:
![model scan results](/img/docs/modelaudit/model-audit-results.png)
## Purpose
AI/ML models can introduce security risks through:
- Malicious code embedded in pickled models
- Suspicious TensorFlow operations
- Potentially unsafe Keras Lambda layers
- Dangerous pickle opcodes
- Encoded payloads hidden in model structures
- Risky configurations in model architectures
- Malicious content in ZIP archives
- Embedded executables in binary model files
- Hidden credentials (API keys, tokens, passwords)
- Network communication patterns (URLs, IPs, sockets)
- JIT/Script execution in TorchScript and ONNX models
ModelAudit helps identify these risks before models are deployed to production environments, ensuring a more secure AI pipeline.
## Installation
### Using Promptfoo
The easiest way to use ModelAudit is through Promptfoo:
```bash
# Install Promptfoo globally
npm install -g promptfoo
# Install modelaudit dependency
pip install modelaudit
```
### Standalone Installation
You can also install ModelAudit directly:
```bash
# Basic installation
pip install modelaudit
# With optional dependencies for specific model formats
pip install modelaudit[tensorflow,h5,pytorch]
# For all dependencies
pip install modelaudit[all]
# Or install specific components:
pip install modelaudit[tensorflow,h5,pytorch] # Core ML frameworks
pip install modelaudit[cloud,mlflow] # Remote model access
pip install modelaudit[numpy1] # NumPy 1.x compatibility
```
### Docker
```bash
# Pull from GitHub Container Registry
docker pull ghcr.io/promptfoo/modelaudit:latest
# Use specific variants
docker pull ghcr.io/promptfoo/modelaudit:latest-full # All ML frameworks
docker pull ghcr.io/promptfoo/modelaudit:latest-tensorflow # TensorFlow only
# Run with Docker
docker run --rm -v $(pwd):/data ghcr.io/promptfoo/modelaudit:latest scan /data/model.pkl
```
## Usage
### Basic Command Structure
```bash
promptfoo scan-model [OPTIONS] PATH...
```
### Examples
```bash
# Scan a single model file
promptfoo scan-model model.pkl
# Scan a model directly from HuggingFace without downloading
promptfoo scan-model https://huggingface.co/bert-base-uncased
promptfoo scan-model hf://microsoft/resnet-50
# Scan from cloud storage
promptfoo scan-model s3://my-bucket/model.pt
promptfoo scan-model gs://my-bucket/model.h5
# Scan from MLflow registry
promptfoo scan-model models:/MyModel/1
# Scan multiple models and directories
promptfoo scan-model model.pkl model2.h5 models_directory
# Export results to JSON
promptfoo scan-model model.pkl --format json --output results.json
# Export results to SARIF for security tool integration
promptfoo scan-model model.pkl --no-write --format sarif --output results.sarif
# Add custom blacklist patterns
promptfoo scan-model model.pkl --blacklist "unsafe_model" --blacklist "malicious_net"
# Enable verbose output
promptfoo scan-model model.pkl --verbose
# Set file size limits
promptfoo scan-model models/ --max-size 1GB
# Generate Software Bill of Materials
promptfoo scan-model model.pkl --sbom sbom.json
# Enable strict mode for security-critical scans
promptfoo scan-model model.pkl --strict
# List scanner IDs and run only selected scanners
promptfoo scan-model --list-scanners
promptfoo scan-model models/ --scanners pickle,tf_savedmodel
# Preview scan without actually processing
promptfoo scan-model model.pkl --dry-run
```
See the [Advanced Usage](./usage.md) guide for detailed authentication setup for cloud storage, JFrog, and other remote sources.
:::info Alternative Installation and Usage
- **Standalone**: Install modelaudit directly using `pip install modelaudit`. `modelaudit scan` behaves the same as `promptfoo scan-model`.
- **Web Interface**: For a GUI experience, use `promptfoo view` and navigate to `/model-audit` for visual scanning and configuration.
:::
### Options
| Option | Description |
| ------------------- | --------------------------------------------------------------- |
| `--blacklist`, `-b` | Additional blacklist patterns to check against model names |
| `--format`, `-f` | Output format (`text` \| `json` \| `sarif`) [default: text] |
| `--output`, `-o` | Output file path (prints to stdout if not specified) |
| `--timeout`, `-t` | Scan timeout in seconds [default: 300] |
| `--verbose`, `-v` | Enable verbose output |
| `--max-size` | Maximum total size to scan (e.g., `500MB`, `1GB`) |
| `--sbom` | Generate CycloneDX Software Bill of Materials with license info |
| `--strict` | Fail on warnings; enable stricter validation |
| `--dry-run` | Preview scan without processing files |
| `--scanners` | Only run selected scanners |
| `--exclude-scanner` | Exclude scanners from the default scanner set |
| `--list-scanners` | Print available scanner IDs and class names |
| `--quiet` | Suppress non-critical output |
| `--progress` | Force-enable progress reporting |
| `--no-cache` | Disable caching of downloaded files |
| `--no-write` | Skip writing results to database |
## Web Interface
Promptfoo includes a web interface for ModelAudit at `/model-audit` with visual path selection, real-time progress tracking, and detailed results visualization.
**Access:** Run `promptfoo view` and navigate to `http://localhost:15500/model-audit`
**Key Features:**
- Visual file/directory selection with current working directory context
- GUI configuration for all scan options (blacklist patterns, timeouts, file limits)
- Live scanning progress and tabbed results display with severity color coding
- Scan history and automatic installation detection
## Supported Formats
ModelAudit supports scanning 30+ specialized file format scanners across major ML frameworks:
### Model Formats
| Format | Extensions | Description |
| ------------------------- | ---------------------------------------------------- | ------------------------------------------------------- |
| **PyTorch** | `.pt`, `.pth`, `.bin` | PyTorch model files and checkpoints |
| **TensorFlow SavedModel** | `.pb`, directories | TensorFlow's standard model format |
| **TensorFlow Lite** | `.tflite` | Mobile-optimized TensorFlow models |
| **TensorRT** | `.engine`, `.plan` | NVIDIA GPU-optimized inference engines |
| **Keras** | `.h5`, `.keras`, `.hdf5` | Keras/TensorFlow models in HDF5 format |
| **ONNX** | `.onnx` | Open Neural Network Exchange format |
| **SafeTensors** | `.safetensors` | Hugging Face's secure tensor format |
| **GGUF/GGML** | `.gguf`, `.ggml`, `.ggmf`, `.ggjt`, `.ggla`, `.ggsa` | Quantized models (LLaMA, Mistral, etc.) |
| **Flax/JAX** | `.msgpack`, `.flax`, `.orbax`, `.jax` | JAX-based model formats |
| **JAX Checkpoints** | `.ckpt`, `.checkpoint`, `.orbax-checkpoint` | JAX training checkpoints |
| **Pickle** | `.pkl`, `.pickle`, `.dill` | Python serialization (includes Dill) |
| **Joblib** | `.joblib` | Scikit-learn and general ML serialization |
| **NumPy** | `.npy`, `.npz` | NumPy array storage formats |
| **PMML** | `.pmml` | Predictive Model Markup Language (XML) |
| **ZIP Archives** | `.zip` | Compressed model archives with recursive scanning |
| **Container Manifests** | `.manifest` | OCI/Docker layer scanning |
| **Binary Files** | `.bin` | Auto-detected format (PyTorch, ONNX, SafeTensors, etc.) |
### Remote Sources
| Source | URL Format | Example |
| ------------------------ | ---------------------------------------------------- | ------------------------------------------------------- |
| **HuggingFace Hub** | `https://huggingface.co/`, `https://hf.co/`, `hf://` | `hf://microsoft/resnet-50` |
| **Amazon S3** | `s3://` | `s3://my-bucket/model.pt` |
| **Google Cloud Storage** | `gs://` | `gs://my-bucket/model.h5` |
| **Cloudflare R2** | `r2://` | `r2://my-bucket/model.safetensors` |
| **MLflow Registry** | `models:/` | `models:/MyModel/1` |
| **JFrog Artifactory** | `https://*.jfrog.io/` | `https://company.jfrog.io/artifactory/models/model.pkl` |
| **DVC** | `.dvc` files | `model.pkl.dvc` |
## Security Checks Performed
The scanner looks for various security issues, including:
- **Malicious Code**: Detecting potentially dangerous code in pickled models
- **Suspicious Operations**: Identifying risky TensorFlow operations and custom ONNX operators
- **Unsafe Layers**: Finding potentially unsafe Keras Lambda layers
- **Blacklisted Names**: Checking for models with names matching suspicious patterns
- **Dangerous Serialization**: Detecting unsafe pickle opcodes, nested pickle payloads, and decode-exec chains
- **Enhanced Dill/Joblib Security**: ML-aware scanning with format validation and bypass prevention
- **Encoded Payloads**: Looking for suspicious strings that might indicate hidden code
- **Risky Configurations**: Identifying dangerous settings in model architectures
- **XML Security**: Detecting XXE attacks and malicious content in PMML files
- **Embedded Executables**: Detecting Windows PE, Linux ELF, and macOS Mach-O files
- **Container Security**: Scanning model files within OCI/Docker container layers
- **Compression Attacks**: Detecting zip bombs and decompression attacks
- **Weight Anomalies**: Statistical analysis to detect potential backdoors
- **Format Integrity**: Validating file format structure
- **License Compliance**: Detecting AGPL obligations and commercial restrictions
- **DVC Integration**: Automatic resolution and scanning of DVC-tracked models
- **Secrets Detection**: Finding embedded API keys, tokens, and credentials
- **Network Analysis**: Detecting URLs, IPs, and socket usage that could enable data exfiltration
- **JIT Code Detection**: Scanning TorchScript, ONNX custom ops, and other JIT-compiled code
## Interpreting Results
The scan results are classified by severity:
- **CRITICAL**: Definite security concerns that should be addressed immediately
- **WARNING**: Potential issues that require review
- **INFO**: Informational findings, not necessarily security concerns
- **DEBUG**: Additional details (only shown with `--verbose`)
Some issues include a "Why" explanation to help understand the security risk:
```
1. suspicious_model.pkl (pos 28): [CRITICAL] Suspicious module reference found: posix.system
Why: The 'os' module provides direct access to operating system functions.
```
## Integration in Workflows
ModelAudit is particularly useful in CI/CD pipelines when incorporated with Promptfoo:
```bash
# Example CI/CD script segment
npm install -g promptfoo
pip install modelaudit
promptfoo scan-model --format json --output scan-results.json ./models/
if [ $? -ne 0 ]; then
echo "Security issues found in models! Check scan-results.json"
exit 1
fi
```
### Exit Codes
ModelAudit returns specific exit codes for automation:
- **0**: No security issues found ✅
- **1**: Security issues detected (warnings or critical) 🟡
- **2**: Operational errors or inconclusive scans occurred (installation, file access, timeouts, no scanned files, etc.) 🔴
:::tip CI/CD Best Practice
In CI/CD pipelines, exit code 1 indicates findings that should be reviewed but don't necessarily block deployment. Only exit code 2 represents actual scan failures.
:::
## Requirements
ModelAudit is included with Promptfoo, but specific model formats may require additional dependencies:
```bash
# For TensorFlow models
pip install tensorflow
# For PyTorch models
pip install torch
# For Keras models with HDF5
pip install h5py
# For YAML configuration scanning
pip install pyyaml
# For SafeTensors support
pip install safetensors
# For HuggingFace URL scanning
pip install huggingface-hub
# For cloud storage scanning
pip install boto3 google-cloud-storage
# For MLflow registry scanning
pip install mlflow
```
### NumPy Compatibility
ModelAudit supports both NumPy 1.x and 2.x. If you encounter NumPy compatibility issues:
```bash
# Force NumPy 1.x if needed for full compatibility
pip install modelaudit[numpy1]
```
## See Also
- [Advanced Usage](./usage.md)
- [Scanner Reference](./scanners.md)