Standards-first, CI-native AIBOM generator for Python/LangChain/JS-TS/Java/Go/.NET projects with SPDX/CycloneDX/SARIF/VEX exports, drift gates, and attestation workflows.
Install from a checkout (editable) together with the pinned dependencies:

```bash
pip install -e .
pip install -r requirements.txt
```

Generate a canonical AI BOM for the current project and print a summary of it:

```bash
aibom generate . -o AI_BOM.json
aibom summarize --input AI_BOM.json
```

AIBOM keeps the canonical AI_BOM.json schema stable by default. For ai-bom-style ergonomics, use `--profile ai-bom-like`:

```bash
aibom generate . -o AI_BOM.json --profile ai-bom-like
# writes AI_BOM.json + AI_BOM_ai_profile.json and prints a concise terminal summary
```

This profile adds a companion presentation JSON with:
- executive summary counts
- grouped AI assets
- risk highlights
- provenance/compliance rollup
- detector coverage stats
Single-repo scan:

```bash
aibom scan-github \
  --repo openai/openai-quickstart-python \
  --output-dir out \
  --profile ai-bom-like
```

Multi-repo scan:

```bash
aibom scan-github \
  --repos-file repos.txt \
  --output-dir out \
  --max-repos 20 \
  --timeout-sec 240 \
  --fail-on new-model,new-tool,new-external-provider \
  --max-high-risk 0 \
  --max-unsupported 0
```

Output layout:

- `out/<owner__repo>/AI_BOM.json`
- `out/<owner__repo>/AI_BOM_ai_profile.json` (when `--profile ai-bom-like`)
- `out/SUMMARY.md`
- `out/summary.json`
Commands:

- `aibom generate`
- `aibom scan-github`
- `aibom summarize`
- `aibom validate`
- `aibom export`
- `aibom diff`
- `aibom bundle`
- `aibom attest`
- `aibom risk`

Compatibility notes:

- `generate`, `validate`, `export`, `diff`, `bundle`, `attest`, and `risk` remain functional and backward compatible.
- The new `scan-github` and `summarize` commands are additive.
- ai-bom-like output is opt-in (`--profile ai-bom-like`) to avoid schema-breaking changes for canonical AIBOM consumers.
- `scan-github` returns nonzero when any repo scan errors or a configured gate fails, while still producing the aggregate summary files for partial failures.