惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

H
Heimdal Security Blog
A
Arctic Wolf
K
Kaspersky official blog
V
Vulnerabilities – Threatpost
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
L
LINUX DO - 热门话题
MongoDB | Blog
MongoDB | Blog
T
Threat Research - Cisco Blogs
D
Docker
爱范儿
爱范儿
T
Tenable Blog
C
Check Point Blog
B
Blog
C
Cisco Blogs
Vercel News
Vercel News
The Cloudflare Blog
T
Threatpost
NISL@THU
NISL@THU
T
Tor Project blog
V2EX - 技术
V2EX - 技术
P
Palo Alto Networks Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
T
Tailwind CSS Blog
G
GRAHAM CLULEY
P
Privacy & Cybersecurity Law Blog
SecWiki News
SecWiki News
博客园 - 司徒正美
S
Security @ Cisco Blogs
GbyAI
GbyAI
S
Secure Thoughts
Microsoft Security Blog
Microsoft Security Blog
The Register - Security
The Register - Security
Recorded Future
Recorded Future
Cloudbric
Cloudbric
Webroot Blog
Webroot Blog
N
News and Events Feed by Topic
Y
Y Combinator Blog
博客园_首页
T
Troy Hunt's Blog
The Hacker News
The Hacker News
雷峰网
雷峰网
Google DeepMind News
Google DeepMind News
U
Unit 42
AWS News Blog
AWS News Blog
PCI Perspectives
PCI Perspectives
V
Visual Studio Blog
博客园 - 聂微东
有赞技术团队
有赞技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell

Show HN

GitHub - steveking-gh/firmion: Firmion is DSL and engine for firmware image generation. GitHub - villagesql/villagesql-skills: Agent skills for VillageSQL - gemini-cli-extension; claude-code-plugin GitHub - flightdeckhq/flightdeck: Observability and control plane for AI agents. CSP Radar GitHub - Light-Heart-Labs/DreamServer: Turn your PC, Mac, or Linux box into an AI server. LLM inference, chat UI, voice, agents, workflows, RAG, and image generation. GitHub - Diplomat-ai/diplomat-agent-ts: What can your TypeScript AI agent do to the real world? Scan your code. See which tool calls have zero checks Code Block Selector - Visual Studio Marketplace Prometheus dependency graph — interactive showcase | Riftmap Show HN: I made a vi-like modal keyboard plugin for Figma GitHub - run-llama/liteparse: A fast, helpful, and open-source document parser GitHub - dalemyers/Roar: A macOS CLI tool for notifications GitHub - district-solutions/open-agent-tools-coder: Enables small-to-large self-hosted ai models to use local source code when running tool-calling agentic workloads. We actively data mine 20,900+ (2+ TB) popular github repos using large and small ai models to create reuseable: json, markdown and parquet files for local-first tool-calling models. GitHub - progapandist/stripeek: A local TUI proxy for real-time Stripe API debugging, built for navigating complex payloads fast. GitHub - sir1st/hermes-desktop: All-in-one cross-platform desktop app for Hermes Agent — bundles Python + hermes-agent + hermes-web-ui GitHub - astefanutti/shaderbang: Shebang for Shaders Show HN: Generate Claude Code Workflows using Spec Driven Development approach GitHub - nixys/nxs-universal-chart: The Helm chart you can use to install any of your applications into Kubernetes/OpenShift Show HN: AI agents for UK GDAD PCF roles and their skills The Two Pillars: Mixer Mode and Meta-Software in the Reorganization of Software Work After AI GitHub - JaiCode08/teleport-env What 1,000+ Harness Experiments Taught Me About Self-Improving Agents Show HN: Liiists, a Markdown-first, iOS and CLI list app SwiperTab – Get this Extension for 🦊 Firefox (en-US) GitHub - kouhxp/fftext: Summarize, explain, fact-check, or translate any text, URL, or file. No GPU. No cloud. One command GitHub - sweetpad-dev/sweetpad: Develop Swift/iOS projects using VSCode GitHub - dogmaticdev/IRON: IRON a.k.a. Intermediate Representation Object Notation is a Interpreter/Database that is used to create Programming Languages. GitHub - sjhalani7/vaen: Package your AI coding harness into a portable .agent file, and share it across repos, teams, & the community without ever having to copy-paste instructions, skills, MCP config, or secrets. Show HN: Gandalf the Grader Show HN: Citadeld – replay any CI failure locally from a single file GitHub - tdortman/cuSBF: High-Performance GPU Super Bloom Filter coral-ai/claude-code-token-xray at main · Coral-Bricks-AI/coral-ai GitHub - ulyssestenn/funes: Funes is a Git-based framework for LLM-managed knowledge work: an AI Librarian ingests raw sources, builds an interlinked Markdown knowledge base, and uses it to produce cited reports, analyses, and other outputs. GitHub - ThatXliner/gah: Git Add Hunk, built for agents to use GitHub - harmont-dev/harmont-cli: Command-line client for the Harmont CI platform GitHub - brooksmcmillin/mcp-authflow: OAuth 2.0 Authorization Server framework for MCP servers GitHub - javaid-codes/audit-supply-chain-agents GitHub - amorey/gochan: A small library of common channel architectures for Go, inspired by Rust GitHub - arifozgun/OpenGem: Free, Open-Source AI API Gateway with Gemini, OpenAI & Anthropic Compatibility in 1 file GitHub - Pranesh950/BioPetals: 🌸 Run BIOxAI models at home, BitTorrent-style. Fine-tuning and inference up to 10x faster than offloading GitHub - cnguyen14/bounty-doctor: Diagnose a GitHub bounty issue before you waste hours: detects honeypot scam repos, AI-bot attempt swarms, and stale contests. Show HN: CoreMCP – MCP Server for On-Prem DBs Show HN: KittyHTML – Render HTML/CSS as an inline image in your terminal GitHub - bingud/filemat: Web-based file manager Show HN: TruthLens – Free multi-signal deepfake image detector GitHub - apexlocal-jz/claude-usage-tray: Windows system-tray app showing your Claude Code rate-limit usage at a glance. Zero deps, ~300 lines of PowerShell. Cross-IDE (works regardless of VS Code, Cursor, plain terminal). Release v0.1.2.1 · kouhxp/yapsnap GitHub - noopolis/moltnet: Self-hostable chat network for AI agents. Pre-built bridges for Claude Code, Codex, and the Claws. Rooms, DMs, history. No Slack bots, no Matrix, no glue code. GitHub - tamerh/enju: Coordinating Humans, AI Agents, and Compute as Peers on a Shared Workflow Graph Show HN: Continuity-auth – Respect-weighted rate limits for the open web GitHub - luml-ai/luml: AI lifecycle platform where engineers and agents track experiments, train models, and ship to production. GitHub - mrdanielcasper/CoreTex: A UNIX-inspired, biomimetic, flat-file AI harness and knowledge engine. GitHub - clemg/pierre-github: Pierre's diffs.com and trees.software for Github GitHub - lyriks-io/unspaghettit: Behavior-driven AI development without prompt spaghetti. GitHub - sofumel/claude-handoff-revive: Resume Claude Code work after rate/usage/context limits without replaying the prior transcript. Auto-saves at 90%/95% usage. Plugin-installable, 10 languages. GitHub - dotexorg/saferpc: Typed, end-to-end encrypted RPC over any bidirectional channel. GitHub - BeeZeeAgent/beezee: Agent harness orchestration Legato Next.js Boilerplate for Internal Tools · CoreUI GitHub - clark-labs-inc/clark-hash: Clark Hash, 32x smaller searchable sketches for embeddings GitHub - ZeroPointRepo/youtube-mcp: The fastest YouTube transcript + YouTube search MCP for AI agents. Try for free. Typing Mastery — climb toward 100+ WPM, deliberately GitHub - Andebugulin/Awareen GitHub - fayzan123/claude-workflow-composer: Visual desktop app for composing multi-agent coding workflows. Drag agents, attach skills and MCPs, wire handoffs, export to .claude/ GitHub - harshaneel/humanize: Best static AI text humanizer. Two research-grounded skills that work in any LLM (Claude, ChatGPT, Gemini, Codex): humanize beats perplexity-based detectors, ai-check produces forensic scoring with evidence-quoted flags. Nine levers, 50+ peer-reviewed sources, 2024-2026 detection literature. GitHub - StackOneHQ/stack-nudge GitHub - nodes-app/swift-markdown-engine: A native AppKit Markdown editor for macOS, built on TextKit 2 and bridged to SwiftUI. We hardened an LLM agent. Each defense we added made it more exploitable. GitHub - alkait/WhatsKept: Agent-queryable WhatsApp history from an iOS backup — a single Go binary. GitHub - octelium/cordium: Open-source, general-purpose sandbox platform for devs and AI agents that provides identity-based secure access to infrastructure without credentials. WAR.GOV/UFO Microfilm5 GitHub - scosman/videowright: Build animated explainer videos with your coding agent GitHub - dipankar/dscode: The code editor you can take apart. GitHub - zoharbabin/web-researcher-mcp: MCP server (Go) for AI assistants: web search, content extraction, academic/patent/news research. Multi-provider routing, 4-tier scraping, search lenses. Works with Claude, Cursor, and any MCP client. GitHub - ruvnet/RuView: π RuView turns commodity WiFi signals into real-time spatial intelligence, vital sign monitoring, and presence detection — all without a single pixel of video. GitHub - scanaislop/aislop: Catch the slop AI coding agents leave in your code: narrative comments, swallowed exceptions, as-any casts, dead code, oversized functions. 50+ rules across 7 languages (TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP). Sub-second, deterministic, no LLM at runtime. MIT-licensed. GitHub - kouhxp/cheap-im: CPU-only voice agent approximating Thinking Machines' Interaction Models demo GitHub - unprovable/OrchidMantis: Orchid Mantis — standalone framework for Zero-Knowledge Proofs of eXploit (ZKPoX). GitHub - MarcellM01/TinySearch: Shrink the web for your local LLMs! GitHub - TangibleResearch/Halgorithem: A Algo designed to detect AI Hallucitions GitHub - DO-SAY-GO/freelang: I love freelang GitHub - CarpseDeam/Aura-IDE: An AI coding harness that shaped itself - Planner/Worker agents, repo awareness, surgical edits, validation, recovery, and safe diff approvals. GitHub - chojs23/concord: A feature-rich TUI client for Discord GitHub - tommyjepsen/awesome-ux-skills: UX & AI Product designs skills you can use today in Claude Code GitHub - aerf-spec/aerf: Agent Evidence Receipt Format (AERF) — an open specification for tamper-evident, independently verifiable records of AI agent actions. GitHub - kklimuk/docx-cli: CLI for AI agents (Claude, Codex) to read, edit, and comment on .docx files with full format fidelity. GitHub - Jwrede/tokentoll: Catch LLM cost changes in code review. Infracost for LLM spend. GitHub - samchon/ttsc: A `typescript-go` toolchain for compiler-powered plugins and type-safe execution + 500x faster lint integrated into compiler GitHub - Higangssh/homebutler: 🏠 Manage your homelab from chat. Single binary, zero dependencies. GitHub - olalie/tapmap: See where your computer connects and what stands out on a live world map. GitHub - Diplomat-ai/diplomat-agent: What can your AI agent do to the real world? Scan your code. See which tool calls have zero checks GitHub - Bajusz15/beacon: Open-source agent for secure remote access, monitoring, and deploys across home-lab and self-hosted machines like Raspberry Pi, N100, or any Linux server. Open web based TTY or tunnel Home Assistant and other local services securely without opening ports. BigTech AI News - Chrome 应用商店 GitHub - vinhnx/VTCode: VT Code is an open-source coding agent with LLM-native code understanding and robust shell safety. Supports multiple LLM providers with automatic failover and efficient context management. GitHub - michaelaz774/decision-engine: A decision operating system for startup founders, powered by Claude Code. Synthesizes wisdom from 25+ legendary founders and investors into interactive AI-driven decision frameworks. GitHub - Chrilleweb/dotenv-diff: Validate environment variable usage in your codebase GitHub - Lumen-Labs/brainapi2: BrainAPI is a knowledge graph–powered AI memory layer that transforms unstructured data into structured knowledge, enabling intelligent search, recommendations, and contextual memory for AI agents and applications. GitHub - familiar-software/familiar: Let AI watch you work. Familiar lets your AI update its memory, skills, and knowledge by watching your screen. GitHub - skorotkiewicz/rudo: A small, elegant dock for Wayland GitHub - muxshed/shed: One stream in, or many. Every destination, simultaneously. No cloud middleman, no per-channel fees, no limits. make sidebar/address bar rounded corner toggleable
GitHub - mmccalla/model-due-diligence: model-due-diligence is not a model safety verifier. It is a static evidence-gathering control for AI model supply-chain review. It supports provenance, artefact integrity, unsafe serialisation detection, secret exposure checks, suspicious code review, dependency risk detection, and audit reporting before first model execution.
djhope99 · 2026-06-13 · via Show HN

model-due-diligence static supply-chain security infographic

model-due-diligence is a Python command-line tool for performing static supply-chain due diligence on local AI model files and cloned model repositories before they are imported into runtimes such as Ollama, llama.cpp, LM Studio or Transformers.

It is designed to help answer one practical question:

“Is there obvious static evidence that this model artefact or repository should not be trusted, loaded or run without further review?”

It reduces practical risk from unsafe serialisation, suspicious repository content, weak provenance, exposed secrets, unexpected binaries, unsafe dependency files and malformed model metadata.

It does not prove that a model is safe.

A clean report means only that this tool did not identify the specific static artefact risks it is designed to detect. It must not be treated as proof that model weights, repository content, runtime behaviour or downstream use are benign.


Contents

  • What the tool does
  • What the tool does not do
  • Architecture
  • Scanner coverage
  • Risk scoring
  • Install
  • Quick start
  • CLI reference
  • Example workflows
  • Reports and outputs
  • Recommended operating model
  • Development workflow
  • Testing and quality gates
  • Repository structure
  • Security posture
  • Standards alignment
  • Limitations
  • Roadmap
  • Contributing
  • Licence

What the tool does

model-due-diligence statically inspects a local path and generates reviewable evidence.

It checks:

  • file inventory, SHA-256 hashes, permissions and symlinks;
  • high-risk serialisation formats such as pickle, .pt, .pth, .bin, .joblib and H5;
  • lower-risk model formats such as .gguf, .safetensors and .onnx;
  • GGUF magic bytes and version metadata;
  • safetensors header metadata;
  • suspicious text and binary strings;
  • Python AST indicators such as eval, exec, compile, pickle.loads, os.system and subprocess;
  • trust_remote_code=True usage in Python and text files;
  • risky pickle-like byte markers in high-risk serialisation formats;
  • high-entropy non-model files;
  • Git provenance, origin remote, current commit, dirty worktree and Git LFS listing where available;
  • external scanner output from ModelScan, Semgrep, Bandit, pip-audit and detect-secrets;
  • optional quality self-checks using Ruff, Pyright and mypy.

The tool produces:

  • a human-readable Markdown report;
  • a deterministic JSON report for automation;
  • an optional SARIF report for code-scanning workflows;
  • raw external scanner outputs where external tools are run.

What the tool does not do

The tool is intentionally static. During normal scanning it does not:

  • load model weights;
  • import untrusted repository code;
  • execute model-specific scripts;
  • run model inference;
  • send artefacts to external services;
  • require network access for local scanning;
  • decide automatically that a model is safe.

Static scanning cannot reliably detect:

  • malicious behaviour encoded directly into model weights;
  • sleeper-agent or trigger-based backdoors;
  • training-data poisoning;
  • benchmark-specific manipulation;
  • malicious behaviour that appears only after fine-tuning;
  • malicious behaviour that appears only after tools are connected;
  • prompt-injection obedience in downstream RAG or agent workflows;
  • data exfiltration behaviour that only appears at runtime;
  • vulnerabilities in local model runtimes;
  • all unsafe deserialisation evasions.

Use it as a risk-reduction gate, not as a trust oracle.


Architecture

The project uses a modular monolith architecture. This keeps installation and local execution simple while maintaining clear internal boundaries between CLI, orchestration, scanners, risk scoring and reports.

flowchart LR
    user[User / CI] --> cli[CLI]
    cli --> app[Application Orchestrator]
    app --> inventory[File Inventory]
    app --> native[Native Static Scanners]
    app --> external[External Scanner Adapters]
    app --> risk[Risk Scorer]
    risk --> report_model[Audit Report Model]
    app --> report_model
    report_model --> markdown[Markdown Report]
    report_model --> json[JSON Report]
    report_model --> sarif[SARIF Report]

    native --> text[Text Patterns]
    native --> ast[Python AST]
    native --> binary[Binary Strings]
    native --> entropy[Entropy]
    native --> metadata[Model Metadata]
    native --> pickle[Pickle Heuristics]
    native --> git[Git Provenance]

    external --> modelscan[ModelScan]
    external --> semgrep[Semgrep]
    external --> bandit[Bandit]
    external --> pipaudit[pip-audit]
    external --> secrets[detect-secrets]
    external --> quality[Quality Self-Checks]
Loading

Runtime flow

sequenceDiagram
    participant U as User / CI
    participant C as CLI
    participant A as App
    participant I as Inventory
    participant N as Native Scanners
    participant E as External Scanners
    participant R as Risk Scorer
    participant W as Report Writers

    U->>C: mdd <target> --out <dir>
    C->>C: Parse arguments and build ScanContext
    C->>A: Run scan
    A->>I: Build file inventory and hashes
    I-->>A: FileRecord[] + Finding[]
    A->>N: Run static native scanners
    N-->>A: Finding[] + ModelMetadata[]
    A->>E: Run optional external scanners
    E-->>A: CommandResult[] + Finding[]
    A->>R: Score findings and tool outcomes
    R-->>A: Risk score + risk level
    A-->>C: AuditReport
    C->>W: Write Markdown / JSON / SARIF
    C-->>U: Print risk score, risk level and report paths
Loading

Internal dependency direction

Dependencies should flow in one direction:

cli -> app -> domain
app -> inventory
app -> scanners
app -> external
app -> reporting
scanners -> domain/config/utils
external -> domain/config/command_runner
reporting -> domain/config

Rules:

  • scanners must not import app;
  • reporters must not run scanners;
  • external adapters must not write final project reports directly;
  • domain models must not depend on filesystem, subprocess or reporting modules;
  • native scanners must not execute model artefacts or repository code.

Scanner coverage

Coverage area Native support External support Status
File inventory, hashes and permissions Yes No Covered
Symlink detection Yes No Covered
Executable/script detection Yes Semgrep / Bandit Covered
High-risk serialisation detection Yes ModelScan Covered
Pickle heuristic indicators Yes ModelScan Covered
GGUF header inspection Yes No Basic coverage
Safetensors header inspection Yes No Basic coverage
Suspicious text/code patterns Yes Semgrep / Bandit Covered
Python AST dangerous-call detection Yes Bandit / CodeQL Covered
Binary string indicators Yes No Basic coverage
High-entropy anomaly detection Yes No Basic coverage
Secrets detection Yes detect-secrets Covered
Dependency vulnerability checks No pip-audit / Dependabot Covered for requirements.txt
Git provenance checks Yes No Basic coverage
Project code quality No Ruff / Pyright / mypy / pytest Covered
Repository semantic security analysis No CodeQL Covered in GitHub Actions
SARIF output Yes CodeQL native SARIF Partial
SBOM generation No No Planned
Sigstore / SLSA provenance No No Planned
Licence compatibility checks No No Planned
Model-card quality checks No No Planned
Weight-level backdoor detection No No Not reliably detectable
Runtime behavioural testing No No Planned separately

Risk scoring

Findings are normalised into severities and converted into a bounded score from 0 to 100.

Severity Current score contribution
INFO 0
LOW 3
MEDIUM 10
HIGH 30
CRITICAL 60

External scanner non-zero exits can also contribute to the score when the tool was available and produced reviewable signals.

Risk level Score range Meaning Recommended action
LOW 0-29 No obvious supported static artefact risks were found Acceptable for sandboxed first run
MEDIUM 30-69 Reviewable findings exist Do not import until findings are understood
HIGH 70-89 Material risk indicators exist Do not load unless every finding is justified
CRITICAL 90-100 Severe or multiple high-risk indicators exist Treat as unsafe by default

The score is intentionally conservative. It is a decision aid, not an automated trust verdict.


Install

Prerequisites

  • Python 3.11 or later;
  • Git;
  • a Unix-like shell for the provided scripts;
  • optional external scanner CLIs if you want full coverage.

Recommended local setup

python3 -m venv .venv
source .venv/bin/activate
python -m pip install --upgrade pip
python -m pip install -e ".[dev,scanners]"

Or use the setup script:

For a lighter install without optional scanner integrations:

./scripts/dev-setup.sh --no-scanners

Verify installation

mdd --help
mdd-ollama --help
model-due-diligence --help
python -m model_due_diligence --help

Quick start

Scan a cloned model repository:

mdd ./downloaded-model --out ./audit

Scan a local GGUF file:

mdd ~/models/qwen.gguf --out ./audit-qwen

Scan an installed Ollama model by name:

mdd-ollama qwen3:4b --out ./audit-qwen3-ollama

Fail the command when the risk level is medium or above:

mdd ./downloaded-model --out ./audit --fail-on medium

Run a fast smoke scan without optional external tools:

mdd tests/fixtures/safe_repo \
  --out ./audit-smoke \
  --fail-on critical \
  --skip-external

Generate only JSON output:

mdd ./downloaded-model \
  --out ./audit-json \
  --format json

CLI reference

usage: model-due-diligence [-h] [--out OUT] [--timeout TIMEOUT]
                           [--format FORMATS] [--skip-external]
                           [--skip-modelscan] [--skip-semgrep]
                           [--skip-bandit] [--skip-pip-audit]
                           [--skip-detect-secrets]
                           [--skip-quality-self-check]
                           [--quality-self-check]
                           [--fail-on {low,medium,high,critical}]
                           [--version]
                           target
Argument Description
target Path to a model file or model directory
--out Output report directory
--timeout Per-tool timeout in seconds
--format Comma-separated report formats: markdown,json,sarif
--skip-external Skip all optional external scanner tools
--skip-modelscan Skip ModelScan only
--skip-semgrep Skip Semgrep only
--skip-bandit Skip Bandit only
--skip-pip-audit Skip pip-audit only
--skip-detect-secrets Skip detect-secrets only
--quality-self-check Run Ruff, Pyright and mypy against this project as optional self-checks
--skip-quality-self-check Skip quality self-checks
--fail-on Return non-zero when risk is at or above the selected level
--version Print package version

mdd-ollama

mdd-ollama resolves an installed Ollama model from the local OLLAMA_MODELS store, stages scan-friendly filenames in a temporary directory, and then runs the normal static due-diligence flow on that staged directory.

It does not require the Ollama server to be running as long as the local manifest and blob store is present.

usage: mdd-ollama [-h] [--ollama-models-dir OLLAMA_MODELS_DIR] [--out OUT]
                  [--timeout TIMEOUT] [--format FORMATS] [--skip-external]
                  [--skip-modelscan] [--skip-semgrep] [--skip-bandit]
                  [--skip-pip-audit] [--skip-detect-secrets]
                  [--skip-quality-self-check] [--quality-self-check]
                  [--fail-on {low,medium,high,critical}] [--keep-staged]
                  model

Typical usage:

mdd-ollama llama3:8b --out ./audit-llama3

For an uninstalled checkout, run it with:

PYTHONPATH=src python3 -m model_due_diligence.ollama_cli llama3:8b --out ./audit-llama3

Example workflows

Audit a Hugging Face clone

Use the helper script:

./examples/audit-huggingface-clone.sh \
  https://huggingface.co/Qwen/Qwen3-8B-GGUF \
  ./audit-qwen3

The script clones into a temporary directory, runs the scanner, writes reports to the output directory and removes the temporary clone afterwards.

Audit a local GGUF file

./examples/audit-local-gguf.sh \
  ~/models/qwen3-8b-q4_k_m.gguf \
  ./audit-qwen3-gguf

Audit an installed Ollama model

./examples/audit-installed-ollama.sh \
  qwen3:4b \
  ./audit-qwen3-ollama

Use in CI

A conservative CI smoke gate can run without optional external scanners:

mdd tests/fixtures/safe_repo \
  --out ./audit-smoke \
  --fail-on critical \
  --skip-external

A fuller CI gate can install scanner extras and run:

mdd ./downloaded-model \
  --out ./audit \
  --fail-on high

Reports and outputs

A normal run can produce:

audit/
├── model_due_diligence_report.md
├── model_due_diligence_report.json
├── model_due_diligence_report.sarif
├── modelscan.json
├── semgrep.json
├── bandit.json
├── pip-audit-<hash>.json
└── detect-secrets.json
File Purpose
model_due_diligence_report.md Human-readable review report
model_due_diligence_report.json Machine-readable deterministic report
model_due_diligence_report.sarif Static-analysis output suitable for code-scanning workflows
modelscan.json Raw ModelScan output
semgrep.json Raw Semgrep output
bandit.json Raw Bandit output
pip-audit-<hash>.json Raw pip-audit output per requirements file
detect-secrets.json Raw detect-secrets output

Generated audit outputs may contain local paths, hashes, snippets and scanner evidence. Do not commit them unless you have reviewed them for sensitive content.


Recommended operating model

Use model-due-diligence as one control in a broader model supply-chain process:

Official or reputable source
+ pinned commit or hash
+ static due-diligence scan
+ first run in a no-network sandbox
+ no credentials mounted
+ restricted filesystem access
+ adversarial behavioural test suite
+ runtime monitoring
+ human review
= reasonable practical risk reduction

Recommended practice:

  1. Prefer official publisher repositories or reputable quantisers.
  2. Avoid floating tags such as latest for operational use.
  3. Pin exact Git revisions and record SHA-256 hashes.
  4. Run model-due-diligence before importing or loading artefacts.
  5. Review all HIGH and CRITICAL findings manually.
  6. Run first inference in a network-disabled container or VM.
  7. Do not mount API keys, SSH keys, cloud credentials or client data.
  8. Test prompt-injection and tool-use behaviour before RAG or agent deployment.
  9. Keep reports and accepted hashes for reproducibility.

Development workflow

Set up the environment:

./scripts/dev-setup.sh
source .venv/bin/activate

Run quality gates:

Run tests:

Build the package:

./scripts/build-package.sh

Build without running local checks first:

./scripts/build-package.sh --skip-checks

Testing and quality gates

The expected local quality gates are:

ruff format --check src tests
ruff check src tests
pyright
mypy src tests
pytest
mdd tests/fixtures/safe_repo --out ./audit-smoke --fail-on critical --skip-external

The helper script runs the same pattern:

Use fix mode for Ruff formatting and safe lint fixes:

./scripts/run-quality.sh --fix

Run unit tests only:

./scripts/run-tests.sh --unit

Run integration tests only:

./scripts/run-tests.sh --integration

Run with coverage:

./scripts/run-tests.sh --coverage

Repository structure

model-due-diligence/
├── .github/
│   ├── workflows/
│   │   ├── ci.yml
│   │   ├── codeql.yml
│   │   └── release.yml
│   ├── dependabot.yml
│   └── pull_request_template.md
├── docs/
│   ├── architecture.md
│   ├── contribution-guide.md
│   ├── limitations.md
│   ├── scanner-coverage.md
│   ├── standards-alignment.md
│   └── threat-model.md
├── examples/
│   ├── audit-installed-ollama.sh
│   ├── audit-huggingface-clone.sh
│   ├── audit-local-gguf.sh
│   └── sample-report.md
├── scripts/
│   ├── build-package.sh
│   ├── dev-setup.sh
│   ├── run-quality.sh
│   └── run-tests.sh
├── src/model_due_diligence/
│   ├── cli.py
│   ├── app.py
│   ├── config/
│   ├── domain/
│   ├── external/
│   ├── inventory/
│   ├── ollama.py
│   ├── ollama_cli.py
│   ├── reporting/
│   ├── scanners/
│   └── utils.py
├── tests/
│   ├── fixtures/
│   ├── integration/
│   └── unit/
├── .env.example
├── .gitattributes
├── .gitignore
├── .python-version
├── LICENSE
├── pyproject.toml
└── README.md

Security posture

The project follows these design rules:

  • static by default;
  • no model execution during scanning;
  • no untrusted repository code execution during scanning;
  • no shell invocation for external scanner commands;
  • external tool failures are visible in reports;
  • findings include severity, category, file, message, evidence where available and recommendation;
  • missing scanners are reported rather than silently ignored;
  • generated reports are ignored by Git by default;
  • real model artefacts are ignored by Git by default;
  • dependency updates are managed through Dependabot;
  • CodeQL runs through GitHub Actions;
  • releases build source and wheel distributions and validate metadata before publishing.

Standards alignment

An explicit control mapping for relevant NIST, MITRE, and OWASP guidance is in docs/standards-alignment.md.


Limitations

A clean report does not mean a model is safe.

Static checks cannot reliably detect:

  • subtle weight-level backdoors;
  • sleeper-agent behaviour;
  • poisoned training data;
  • malicious behaviour activated by rare prompts;
  • malicious behaviour activated only through tool use;
  • all deserialisation evasions;
  • all obfuscated payloads;
  • prompt-injection obedience in downstream RAG or agent workflows;
  • runtime exfiltration behaviour;
  • vulnerabilities in Ollama, llama.cpp, LM Studio, Transformers or other runtimes.

This tool should not be the sole approval mechanism for regulated production deployment, client-data processing, internet-connected agentic systems, autonomous coding agents with write access, or systems with access to secrets or privileged infrastructure.


Roadmap

Planned or candidate improvements:

  • fuller GGUF metadata validation;
  • safetensors tensor offset and shape validation;
  • Hugging Face metadata retrieval using pinned revisions;
  • SBOM generation;
  • Sigstore or SLSA provenance checks;
  • licence compatibility checks;
  • model-card quality scoring;
  • SARIF upload workflow;
  • sandboxed behavioural test harness for local inference;
  • prompt-injection and tool-use behavioural tests for RAG and agent workloads.

Contributing

See docs/contribution-guide.md.

Before opening a pull request, run:

Contributions should preserve the project’s core boundary: scanning must remain static by default and must not execute untrusted model artefacts or repository code.


Licence

Licensed under the Apache License, Version 2.0. See LICENSE.