Metadata-Version: 2.4
Name: ai-finder
Version: 0.3.7
Summary: AI Finder - AI artifact scanner for supply chain security
Project-URL: Homepage, https://scanoss.com
Project-URL: Repository, https://github.com/scanoss/ai-finder
Author-email: SCANOSS <info@scanoss.com>
License: MIT
Keywords: ai,compliance,sbom,scanner,supply-chain
Classifier: Development Status :: 3 - Alpha
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries
Requires-Python: >=3.9
Requires-Dist: click>=8.0
Requires-Dist: osslili>=1.6
Requires-Dist: ptelemetry>=0.2.2
Requires-Dist: python-levenshtein>=0.25.1
Requires-Dist: python-tlsh>=4.5.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: requests>=2.28
Requires-Dist: tomli>=2.0; python_version < '3.11'
Requires-Dist: tqdm>=4.65
Provides-Extra: dev
Requires-Dist: pytest-cov>=4.0; extra == 'dev'
Requires-Dist: pytest-mock>=3.10; extra == 'dev'
Requires-Dist: pytest>=7.0; extra == 'dev'
Provides-Extra: relationships
Requires-Dist: tree-sitter-c-sharp>=0.21; (python_version >= '3.10') and extra == 'relationships'
Requires-Dist: tree-sitter-cpp>=0.21; (python_version >= '3.10') and extra == 'relationships'
Requires-Dist: tree-sitter-go>=0.21; (python_version >= '3.10') and extra == 'relationships'
Requires-Dist: tree-sitter-java>=0.21; (python_version >= '3.10') and extra == 'relationships'
Requires-Dist: tree-sitter-javascript>=0.21; (python_version >= '3.10') and extra == 'relationships'
Requires-Dist: tree-sitter-php>=0.22; (python_version >= '3.10') and extra == 'relationships'
Requires-Dist: tree-sitter-python>=0.21; (python_version >= '3.10') and extra == 'relationships'
Requires-Dist: tree-sitter-ruby>=0.21; (python_version >= '3.10') and extra == 'relationships'
Requires-Dist: tree-sitter-rust>=0.21; (python_version >= '3.10') and extra == 'relationships'
Requires-Dist: tree-sitter-typescript>=0.21; (python_version >= '3.10') and extra == 'relationships'
Requires-Dist: tree-sitter>=0.22; (python_version >= '3.10') and extra == 'relationships'
Description-Content-Type: text/markdown

# ai-finder

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)

> AI artifact scanner for supply chain security and compliance

## About

**ai-finder** detects AI/ML artifacts in codebases for:

- **Supply Chain Security** - Identify AI models, SDKs, and dependencies
- **EU AI Act Compliance** - Generate SBOM reports for regulatory requirements
- **Risk Assessment** - Detect API keys, model provenance, and usage patterns

## Features

### SDK Detection (12 languages)

| Language | SDKs Detected |
|----------|---------------|
| Python | OpenAI, Anthropic, HuggingFace, LangChain, LlamaIndex, Strands, CrewAI, AutoGen |
| JavaScript/TypeScript | OpenAI, Anthropic, LangChain, Vercel AI SDK |
| Go | go-openai, go-anthropic |
| Rust | async-openai, anthropic-rs |
| Java/Kotlin | openai-java, LangChain4j, Spring AI |
| Other languages | Ruby, PHP, C#, C++, Swift, Scala, Kotlin |

### AI Package Detection (150+ packages)

Comprehensive detection across categories:

| Category | Packages |
|----------|----------|
| **LLM Clients** | OpenAI, Anthropic, Cohere, Groq, Mistral, Ollama, Google GenAI, Azure OpenAI |
| **Agent Frameworks** | LangChain, LlamaIndex, Strands Agents, CrewAI, AutoGen, Semantic Kernel |
| **ML Frameworks** | PyTorch, TensorFlow, Keras, JAX, Transformers, scikit-learn, XGBoost |
| **Vector Databases** | ChromaDB, Pinecone, Weaviate, Qdrant, Milvus, FAISS, LanceDB |
| **Speech/Audio AI** | OpenAI Whisper, Faster Whisper, ElevenLabs, Bark |
| **AI Safety** | AIProxyGuard, Guardrails AI, NeMo Guardrails, LLM Guard |
| **Tools & Utilities** | Tavily, LangSmith, W&B, MLflow, Accelerate, Datasets |
| **MCP/Tool Use** | MCP, Anthropic Tools |

### Model File Detection (12 formats)

GGUF, SafeTensors, ONNX, PyTorch, TensorFlow, TFLite, CoreML, JAX, Keras, MXNet, PaddlePaddle, Pickle
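
How several of the formats listed above can be told apart from their leading bytes, shown as an added example (not ai-finder's own code or detection logic). The function name and the returned labels are assumptions made for illustration; the signatures are the publicly documented ones for each format.

```python
import struct

# Labels for containers that hold, or may hold, pickle data. Unpickling can run
# code embedded in the file, so these deserve review before anything loads them.
PICKLE_BACKED = {"pickle", "zip"}

def sniff_model_format(head: bytes) -> str:
    """Classify a model file from its first 16 bytes; 'unknown' if nothing matches."""
    if head[:4] == b"GGUF":
        return "gguf"
    if head[:8] == b"\x89HDF\r\n\x1a\n":
        return "hdf5"          # container used by Keras .h5 weights
    if head[:4] == b"PK\x03\x04":
        return "zip"           # PyTorch >= 1.6 checkpoints are ZIPs holding a pickle
    if head[4:8] == b"TFL3":
        return "tflite"        # FlatBuffers file identifier at offset 4
    # SafeTensors: u64 little-endian header length, then a JSON object.
    # Checked before pickle because a header length such as 640 (80 02 00 ...)
    # starts with the same two bytes as a protocol-2 pickle.
    if len(head) >= 9:
        (header_len,) = struct.unpack("<Q", head[:8])
        if 0 < header_len <= 100_000_000 and head[8:9] == b"{":
            return "safetensors"
    # Pickle protocol 2 and later: PROTO opcode (0x80) followed by the protocol number
    if len(head) >= 2 and head[0] == 0x80 and 2 <= head[1] <= 5:
        return "pickle"
    return "unknown"

def sniff_file(path: str) -> str:
    """Read only the file header, never deserialise the contents."""
    with open(path, "rb") as fh:
        return sniff_model_format(fh.read(16))

if __name__ == "__main__":
    # Constructed header bytes, not taken from real model files
    samples = {
        "gguf": b"GGUF" + struct.pack("<I", 3),
        "safetensors": struct.pack("<Q", 640) + b'{"__metadata__":{}}',
        "pickle": b"\x80\x04\x95\x0b\x00\x00\x00\x00\x00\x00\x00",
    }
    for name, head in samples.items():
        fmt = sniff_model_format(head)
        print(name, "->", fmt, "(review before loading)" if fmt in PICKLE_BACKED else "")
```

ONNX and TensorFlow SavedModel files are Protocol Buffers with no fixed magic number, so a header check like this returns `unknown` for them and they have to be recognised by other means.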

### Manifest Parsing (11 formats)

requirements.txt, pyproject.toml, package.json, go.mod, Cargo.toml, pom.xml, build.gradle, Gemfile, composer.json, *.csproj, Package.swift

### Output Formats

- **JSON** - Machine-readable findings
- **CycloneDX 1.6** - OWASP SBOM format with ML-BOM support
- **SPDX 2.3** - Linux Foundation SBOM format
- **SPDX 3.0** - Latest SPDX specification with JSON-LD

### License Handling

- Licenses are automatically enriched from PyPI, npm, and HuggingFace
- Unknown licenses are marked as `NOASSERTION` per SPDX specification
- Supports SPDX license expressions

## Installation

```bash
pip install ai-finder
```

Requires Python 3.9 or later.

## Usage

```bash
# Scan a directory
ai-finder scan /path/to/project

# Generate SBOM (CycloneDX)
ai-finder scan /path/to/project -f cyclonedx -o sbom.json

# Generate SBOM (SPDX)
ai-finder scan /path/to/project -f spdx -o sbom.spdx.json

# Identify a model file
ai-finder identify model.gguf

# Initialize local KB
ai-finder kb init

# Lookup model by PURL
ai-finder kb lookup pkg:huggingface/TinyLlama/TinyLlama-1.1B-Chat-v1.0
```
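
A way to act on the CycloneDX file written by the `-f cyclonedx -o sbom.json` command above, for instance as a CI review step. This is an added example, not part of ai-finder. It reads only standard CycloneDX 1.6 fields, and the sample document is constructed; how ai-finder places `NOASSERTION` in its CycloneDX output is an assumption here.

```python
import json

# Constructed sample in CycloneDX 1.6 shape; not real ai-finder output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "example-client",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "machine-learning-model", "name": "example-model",
         "licenses": [{"license": {"name": "NOASSERTION"}}]},
        {"type": "library", "name": "example-sdk"},
        {"type": "library", "name": "example-dual",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
    ],
})

def license_values(component):
    """Collect SPDX ids, free-text names and expressions from one component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        lic = entry.get("license", {})
        value = lic.get("id") or lic.get("name")
        if value:
            found.append(value)
    return found

def review_sbom(text):
    """Return (ML model component names, names of components with no usable license)."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    models, unlicensed = [], []
    for comp in bom.get("components", []):
        if comp.get("type") == "machine-learning-model":
            models.append(comp["name"])
        values = license_values(comp)
        # Missing license data and NOASSERTION both need a human decision
        if not values or all(v == "NOASSERTION" for v in values):
            unlicensed.append(comp["name"])
    return models, unlicensed

if __name__ == "__main__":
    models, unlicensed = review_sbom(SAMPLE_SBOM)
    print("ML models:", models)
    print("No license asserted:", unlicensed)
```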

## Telemetry

This tool collects anonymous usage telemetry to help improve the product. No file paths, code content, or scan targets are collected.

**Disable telemetry:**

```bash
# Per-session
ai-finder --no-telemetry scan .

# Environment variable
export AI_FINDER_TELEMETRY=0

# Or use the standard
export DO_NOT_TRACK=1
```

See [docs/TELEMETRY.md](https://github.com/scanoss/ai-finder/blob/main/docs/TELEMETRY.md) for full details on what is collected.

## Development

```bash
# Clone repository
git clone https://github.com/scanoss/ai-finder.git
cd ai-finder

# Install with uv
uv sync --all-packages --all-extras

# Run tests
uv run pytest

# Lint
uv run ruff check .
```

## Contributing

We welcome contributions! Please read [CONTRIBUTING.md](https://github.com/scanoss/ai-finder/blob/main/CONTRIBUTING.md) before submitting a pull request.

## Security

If you discover a security vulnerability, please follow our [Security Policy](https://github.com/scanoss/ai-finder/blob/main/SECURITY.md).

## License

This project is licensed under the MIT License - see [LICENSE](https://github.com/scanoss/ai-finder/blob/main/LICENSE) for details.

Copyright (c) 2026 SCANOSS.
