0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
351 lines
15 KiB
Markdown
351 lines
15 KiB
Markdown
---
|
|
title: ModelAudit - Static Security Scanner for ML Models
|
|
description: Scan AI/ML models for security vulnerabilities, malicious code, and backdoors. Supports PyTorch, TensorFlow, ONNX, Keras, and 30+ model formats.
|
|
keywords:
|
|
[
|
|
model security,
|
|
AI security,
|
|
ML security scanning,
|
|
static analysis,
|
|
malicious model detection,
|
|
pytorch security,
|
|
tensorflow security,
|
|
model vulnerability scanner,
|
|
]
|
|
sidebar_label: Overview
|
|
sidebar_position: 1
|
|
---
|
|
|
|
# Model Scanning
|
|
|
|
## Overview
|
|
|
|
ModelAudit is a lightweight static security scanner for machine learning models accessible through Promptfoo. It scans AI/ML models for potential security risks before deployment.
|
|
|
|
Promptfoo provides a wrapper command `promptfoo scan-model` that integrates ModelAudit scanning capabilities.
|
|
|
|

|
|
|
|
Promptfoo also includes a UI that allows you to set up a scan:
|
|
|
|

|
|
|
|
And displays the results:
|
|
|
|

|
|
|
|
## Purpose
|
|
|
|
AI/ML models can introduce security risks through:
|
|
|
|
- Malicious code embedded in pickled models
|
|
- Suspicious TensorFlow operations
|
|
- Potentially unsafe Keras Lambda layers
|
|
- Dangerous pickle opcodes
|
|
- Encoded payloads hidden in model structures
|
|
- Risky configurations in model architectures
|
|
- Malicious content in ZIP archives
|
|
- Embedded executables in binary model files
|
|
- Hidden credentials (API keys, tokens, passwords)
|
|
- Network communication patterns (URLs, IPs, sockets)
|
|
- JIT/Script execution in TorchScript and ONNX models
|
|
|
|
ModelAudit helps identify these risks before models are deployed to production environments, ensuring a more secure AI pipeline.
|
|
|
|
## Installation
|
|
|
|
### Using Promptfoo
|
|
|
|
The easiest way to use ModelAudit is through Promptfoo:
|
|
|
|
```bash
|
|
# Install Promptfoo globally
|
|
npm install -g promptfoo
|
|
|
|
# Install modelaudit dependency
|
|
pip install modelaudit
|
|
```
|
|
|
|
### Standalone Installation
|
|
|
|
You can also install ModelAudit directly:
|
|
|
|
```bash
|
|
# Basic installation
|
|
pip install modelaudit
|
|
|
|
# With optional dependencies for specific model formats
|
|
pip install modelaudit[tensorflow,h5,pytorch]
|
|
|
|
# For all dependencies
|
|
pip install modelaudit[all]
|
|
|
|
# Or install specific components:
|
|
pip install modelaudit[tensorflow,h5,pytorch] # Core ML frameworks
|
|
pip install modelaudit[cloud,mlflow] # Remote model access
|
|
pip install modelaudit[numpy1] # NumPy 1.x compatibility
|
|
```
|
|
|
|
### Docker
|
|
|
|
```bash
|
|
# Pull from GitHub Container Registry
|
|
docker pull ghcr.io/promptfoo/modelaudit:latest
|
|
|
|
# Use specific variants
|
|
docker pull ghcr.io/promptfoo/modelaudit:latest-full # All ML frameworks
|
|
docker pull ghcr.io/promptfoo/modelaudit:latest-tensorflow # TensorFlow only
|
|
|
|
# Run with Docker
|
|
docker run --rm -v $(pwd):/data ghcr.io/promptfoo/modelaudit:latest scan /data/model.pkl
|
|
```
|
|
|
|
## Usage
|
|
|
|
### Basic Command Structure
|
|
|
|
```bash
|
|
promptfoo scan-model [OPTIONS] PATH...
|
|
```
|
|
|
|
### Examples
|
|
|
|
```bash
|
|
# Scan a single model file
|
|
promptfoo scan-model model.pkl
|
|
|
|
# Scan a model directly from HuggingFace without downloading
|
|
promptfoo scan-model https://huggingface.co/bert-base-uncased
|
|
promptfoo scan-model hf://microsoft/resnet-50
|
|
|
|
# Scan from cloud storage
|
|
promptfoo scan-model s3://my-bucket/model.pt
|
|
promptfoo scan-model gs://my-bucket/model.h5
|
|
|
|
# Scan from MLflow registry
|
|
promptfoo scan-model models:/MyModel/1
|
|
|
|
# Scan multiple models and directories
|
|
promptfoo scan-model model.pkl model2.h5 models_directory
|
|
|
|
# Export results to JSON
|
|
promptfoo scan-model model.pkl --format json --output results.json
|
|
|
|
# Export results to SARIF for security tool integration
|
|
promptfoo scan-model model.pkl --no-write --format sarif --output results.sarif
|
|
|
|
# Add custom blacklist patterns
|
|
promptfoo scan-model model.pkl --blacklist "unsafe_model" --blacklist "malicious_net"
|
|
|
|
# Enable verbose output
|
|
promptfoo scan-model model.pkl --verbose
|
|
|
|
# Set file size limits
|
|
promptfoo scan-model models/ --max-size 1GB
|
|
|
|
# Generate Software Bill of Materials
|
|
promptfoo scan-model model.pkl --sbom sbom.json
|
|
|
|
# Enable strict mode for security-critical scans
|
|
promptfoo scan-model model.pkl --strict
|
|
|
|
# List scanner IDs and run only selected scanners
|
|
promptfoo scan-model --list-scanners
|
|
promptfoo scan-model models/ --scanners pickle,tf_savedmodel
|
|
|
|
# Preview scan without actually processing
|
|
promptfoo scan-model model.pkl --dry-run
|
|
```
|
|
|
|
See the [Advanced Usage](./usage.md) guide for detailed authentication setup for cloud storage, JFrog, and other remote sources.
|
|
|
|
:::info Alternative Installation and Usage
|
|
|
|
- **Standalone**: Install modelaudit directly using `pip install modelaudit`. `modelaudit scan` behaves the same as `promptfoo scan-model`.
|
|
- **Web Interface**: For a GUI experience, use `promptfoo view` and navigate to `/model-audit` for visual scanning and configuration.
|
|
|
|
:::
|
|
|
|
### Options
|
|
|
|
| Option | Description |
|
|
| ------------------- | --------------------------------------------------------------- |
|
|
| `--blacklist`, `-b` | Additional blacklist patterns to check against model names |
|
|
| `--format`, `-f` | Output format (`text` \| `json` \| `sarif`) [default: text] |
|
|
| `--output`, `-o` | Output file path (prints to stdout if not specified) |
|
|
| `--timeout`, `-t` | Scan timeout in seconds [default: 300] |
|
|
| `--verbose`, `-v` | Enable verbose output |
|
|
| `--max-size` | Maximum total size to scan (e.g., `500MB`, `1GB`) |
|
|
| `--sbom` | Generate CycloneDX Software Bill of Materials with license info |
|
|
| `--strict` | Fail on warnings; enable stricter validation |
|
|
| `--dry-run` | Preview scan without processing files |
|
|
| `--scanners` | Only run selected scanners |
|
|
| `--exclude-scanner` | Exclude scanners from the default scanner set |
|
|
| `--list-scanners` | Print available scanner IDs and class names |
|
|
| `--quiet` | Suppress non-critical output |
|
|
| `--progress` | Force-enable progress reporting |
|
|
| `--no-cache` | Disable caching of downloaded files |
|
|
| `--no-write` | Skip writing results to database |
|
|
|
|
## Web Interface
|
|
|
|
Promptfoo includes a web interface for ModelAudit at `/model-audit` with visual path selection, real-time progress tracking, and detailed results visualization.
|
|
|
|
**Access:** Run `promptfoo view` and navigate to `http://localhost:15500/model-audit`
|
|
|
|
**Key Features:**
|
|
|
|
- Visual file/directory selection with current working directory context
|
|
- GUI configuration for all scan options (blacklist patterns, timeouts, file limits)
|
|
- Live scanning progress and tabbed results display with severity color coding
|
|
- Scan history and automatic installation detection
|
|
|
|
## Supported Formats
|
|
|
|
ModelAudit supports scanning 30+ specialized file format scanners across major ML frameworks:
|
|
|
|
### Model Formats
|
|
|
|
| Format | Extensions | Description |
|
|
| ------------------------- | ---------------------------------------------------- | ------------------------------------------------------- |
|
|
| **PyTorch** | `.pt`, `.pth`, `.bin` | PyTorch model files and checkpoints |
|
|
| **TensorFlow SavedModel** | `.pb`, directories | TensorFlow's standard model format |
|
|
| **TensorFlow Lite** | `.tflite` | Mobile-optimized TensorFlow models |
|
|
| **TensorRT** | `.engine`, `.plan` | NVIDIA GPU-optimized inference engines |
|
|
| **Keras** | `.h5`, `.keras`, `.hdf5` | Keras/TensorFlow models in HDF5 format |
|
|
| **ONNX** | `.onnx` | Open Neural Network Exchange format |
|
|
| **SafeTensors** | `.safetensors` | Hugging Face's secure tensor format |
|
|
| **GGUF/GGML** | `.gguf`, `.ggml`, `.ggmf`, `.ggjt`, `.ggla`, `.ggsa` | Quantized models (LLaMA, Mistral, etc.) |
|
|
| **Flax/JAX** | `.msgpack`, `.flax`, `.orbax`, `.jax` | JAX-based model formats |
|
|
| **JAX Checkpoints** | `.ckpt`, `.checkpoint`, `.orbax-checkpoint` | JAX training checkpoints |
|
|
| **Pickle** | `.pkl`, `.pickle`, `.dill` | Python serialization (includes Dill) |
|
|
| **Joblib** | `.joblib` | Scikit-learn and general ML serialization |
|
|
| **NumPy** | `.npy`, `.npz` | NumPy array storage formats |
|
|
| **PMML** | `.pmml` | Predictive Model Markup Language (XML) |
|
|
| **ZIP Archives** | `.zip` | Compressed model archives with recursive scanning |
|
|
| **Container Manifests** | `.manifest` | OCI/Docker layer scanning |
|
|
| **Binary Files** | `.bin` | Auto-detected format (PyTorch, ONNX, SafeTensors, etc.) |
|
|
|
|
### Remote Sources
|
|
|
|
| Source | URL Format | Example |
|
|
| ------------------------ | ---------------------------------------------------- | ------------------------------------------------------- |
|
|
| **HuggingFace Hub** | `https://huggingface.co/`, `https://hf.co/`, `hf://` | `hf://microsoft/resnet-50` |
|
|
| **Amazon S3** | `s3://` | `s3://my-bucket/model.pt` |
|
|
| **Google Cloud Storage** | `gs://` | `gs://my-bucket/model.h5` |
|
|
| **Cloudflare R2** | `r2://` | `r2://my-bucket/model.safetensors` |
|
|
| **MLflow Registry** | `models:/` | `models:/MyModel/1` |
|
|
| **JFrog Artifactory** | `https://*.jfrog.io/` | `https://company.jfrog.io/artifactory/models/model.pkl` |
|
|
| **DVC** | `.dvc` files | `model.pkl.dvc` |
|
|
|
|
## Security Checks Performed
|
|
|
|
The scanner looks for various security issues, including:
|
|
|
|
- **Malicious Code**: Detecting potentially dangerous code in pickled models
|
|
- **Suspicious Operations**: Identifying risky TensorFlow operations and custom ONNX operators
|
|
- **Unsafe Layers**: Finding potentially unsafe Keras Lambda layers
|
|
- **Blacklisted Names**: Checking for models with names matching suspicious patterns
|
|
- **Dangerous Serialization**: Detecting unsafe pickle opcodes, nested pickle payloads, and decode-exec chains
|
|
- **Enhanced Dill/Joblib Security**: ML-aware scanning with format validation and bypass prevention
|
|
- **Encoded Payloads**: Looking for suspicious strings that might indicate hidden code
|
|
- **Risky Configurations**: Identifying dangerous settings in model architectures
|
|
- **XML Security**: Detecting XXE attacks and malicious content in PMML files
|
|
- **Embedded Executables**: Detecting Windows PE, Linux ELF, and macOS Mach-O files
|
|
- **Container Security**: Scanning model files within OCI/Docker container layers
|
|
- **Compression Attacks**: Detecting zip bombs and decompression attacks
|
|
- **Weight Anomalies**: Statistical analysis to detect potential backdoors
|
|
- **Format Integrity**: Validating file format structure
|
|
- **License Compliance**: Detecting AGPL obligations and commercial restrictions
|
|
- **DVC Integration**: Automatic resolution and scanning of DVC-tracked models
|
|
- **Secrets Detection**: Finding embedded API keys, tokens, and credentials
|
|
- **Network Analysis**: Detecting URLs, IPs, and socket usage that could enable data exfiltration
|
|
- **JIT Code Detection**: Scanning TorchScript, ONNX custom ops, and other JIT-compiled code
|
|
|
|
## Interpreting Results
|
|
|
|
The scan results are classified by severity:
|
|
|
|
- **CRITICAL**: Definite security concerns that should be addressed immediately
|
|
- **WARNING**: Potential issues that require review
|
|
- **INFO**: Informational findings, not necessarily security concerns
|
|
- **DEBUG**: Additional details (only shown with `--verbose`)
|
|
|
|
Some issues include a "Why" explanation to help understand the security risk:
|
|
|
|
```
|
|
1. suspicious_model.pkl (pos 28): [CRITICAL] Suspicious module reference found: posix.system
|
|
Why: The 'os' module provides direct access to operating system functions.
|
|
```
|
|
|
|
## Integration in Workflows
|
|
|
|
ModelAudit is particularly useful in CI/CD pipelines when incorporated with Promptfoo:
|
|
|
|
```bash
|
|
# Example CI/CD script segment
|
|
npm install -g promptfoo
|
|
pip install modelaudit
|
|
promptfoo scan-model --format json --output scan-results.json ./models/
|
|
if [ $? -ne 0 ]; then
|
|
echo "Security issues found in models! Check scan-results.json"
|
|
exit 1
|
|
fi
|
|
```
|
|
|
|
### Exit Codes
|
|
|
|
ModelAudit returns specific exit codes for automation:
|
|
|
|
- **0**: No security issues found ✅
|
|
- **1**: Security issues detected (warnings or critical) 🟡
|
|
- **2**: Operational errors or inconclusive scans occurred (installation, file access, timeouts, no scanned files, etc.) 🔴
|
|
|
|
:::tip CI/CD Best Practice
|
|
In CI/CD pipelines, exit code 1 indicates findings that should be reviewed but don't necessarily block deployment. Only exit code 2 represents actual scan failures.
|
|
:::
|
|
|
|
## Requirements
|
|
|
|
ModelAudit is included with Promptfoo, but specific model formats may require additional dependencies:
|
|
|
|
```bash
|
|
# For TensorFlow models
|
|
pip install tensorflow
|
|
|
|
# For PyTorch models
|
|
pip install torch
|
|
|
|
# For Keras models with HDF5
|
|
pip install h5py
|
|
|
|
# For YAML configuration scanning
|
|
pip install pyyaml
|
|
|
|
# For SafeTensors support
|
|
pip install safetensors
|
|
|
|
# For HuggingFace URL scanning
|
|
pip install huggingface-hub
|
|
|
|
# For cloud storage scanning
|
|
pip install boto3 google-cloud-storage
|
|
|
|
# For MLflow registry scanning
|
|
pip install mlflow
|
|
```
|
|
|
|
### NumPy Compatibility
|
|
|
|
ModelAudit supports both NumPy 1.x and 2.x. If you encounter NumPy compatibility issues:
|
|
|
|
```bash
|
|
# Force NumPy 1.x if needed for full compatibility
|
|
pip install modelaudit[numpy1]
|
|
```
|
|
|
|
## See Also
|
|
|
|
- [Advanced Usage](./usage.md)
|
|
- [Scanner Reference](./scanners.md)
|