AI Security Posture Management

Application Securityv1.1.0

AI/ML project SAST scanner with 149+ rules across 26 categories, covering NIST AI RMF, EU AI Act, OWASP ML Top 10, and MITRE ATLAS

149+
rules
26
categories
4
frameworks

01Overview

Traditional SAST tools were built for web apps and miss the entire class of risks that AI/ML systems introduce. AI Security Posture Management (AI-SPM) closes that gap: a single-file, zero-dependency Python scanner that statically analyzes AI/ML codebases end-to-end — from data ingestion and model training through deployment and live inference — and flags the security misconfigurations, unsafe patterns, and compliance gaps that generic scanners walk straight past.

Point it at a repo and it does three things at once. It runs 145 AI-specific SAST rules across 26 categories (unsafe pickle/torch.load model loading, prompt injection, data poisoning, PII leakage to LLM APIs, missing guardrails, over-autonomous agents, RAG and MCP exposure, shadow AI, and more). It builds an AI/ML inventory — auto-discovering the frameworks, models, APIs, vector databases, and experiment trackers actually present in the code. And it checks the supply chain, matching pinned dependency versions against a curated database of 33 real AI/ML CVEs in packages like TensorFlow, PyTorch, LangChain, mlflow, Ray (ShadowRay), Ollama, and ChromaDB.

Every finding is mapped to four AI-specific governance frameworks — NIST AI RMF, the EU AI Act, OWASP ML Top 10, and MITRE ATLAS — so a security finding doubles as a compliance signal. It scans Python, JS/TS, Jupyter notebooks, .env, YAML/TOML, Terraform, Dockerfiles, and dependency manifests, and emits colored console output, machine-parseable JSON, and an interactive HTML report.

It is built for AppSec engineers, ML platform teams, and AI governance leads who need to shift AI risk left. Because the whole scanner is one portable Python 3.10+ stdlib file with no pip installs, it drops into any CI pipeline (GitHub Actions, GitLab, Azure DevOps, Jenkins) and gates builds via an exit code of 1 on CRITICAL or HIGH findings — no agents, no cloud, no dependency management.

02Key Capabilities

145 AI-Specific SAST Rules

Regex-driven static analysis across 26 categories covering the full AI lifecycle, from unsafe model deserialization to over-autonomous agents.

AI/ML Inventory Discovery

Automatically fingerprints the frameworks, models, LLM APIs, vector databases, and experiment trackers present in your codebase for governance and shadow-AI visibility.

Unsafe Model-Loading Detection

Catches pickle/joblib deserialization, torch.load without weights_only, np.load allow_pickle, and trust_remote_code before they become arbitrary code execution.

Prompt Injection & LLM Output Sink Analysis

Flags user input flowing into prompts, jailbreak patterns, and LLM output reaching shells, SQL, or eval() without validation.

Agentic AI Risk Checks

Detects unrestricted tool/shell/filesystem access, missing human-in-the-loop, unbounded iterations, and unsafe LangChain/CrewAI/AutoGen/LangGraph patterns.

Supply-Chain CVE Matching

Compares pinned dependency versions against 33 curated AI/ML CVEs (TensorFlow, PyTorch, LangChain, mlflow, Ray ShadowRay, Ollama, ChromaDB and more) across PyPI and npm manifests.

RAG, MCP & Multimodal Coverage

Checks vector DBs without auth, unsanitized retrieval, MCP servers with shell access or no auth, and image/audio/video inputs without validation or NSFW filtering.

AI Infrastructure-as-Code Scanning

Detects Terraform misconfigurations for SageMaker, Bedrock, Vertex AI, and Azure OpenAI, plus K8s AI-serving issues in KServe, Seldon, and Triton.

Four-Framework Compliance Mapping

Tags every finding with applicable NIST AI RMF, EU AI Act, OWASP ML Top 10, and MITRE ATLAS controls to turn security output into compliance evidence.

Model Card Compliance Check

Directory-level check that flags AI projects missing MODEL_CARD.md documentation required by the EU AI Act for high-risk systems.

Three Output Formats

Color-coded ANSI console, machine-parseable JSON for CI/CD, and a self-contained interactive dark-themed HTML report with severity filters and compliance tags.

CI/CD-Ready Exit Codes

Returns exit code 1 on CRITICAL or HIGH findings so it can gate pipelines out of the box, with ready-made GitHub Actions, GitLab, Azure DevOps, and Jenkins snippets.

03Architecture

The entire scanner is one self-contained Python file (ai_spm_scanner.py, ~2,230 LOC, stdlib only). Rules live as module-level lists of dicts; an AISPMScanner class walks the target, dispatches each file by extension to a language-specific scanner, runs the regex SAST engine line-by-line, and simultaneously builds an AI/ML inventory and checks dependency manifests against a CVE database. Findings (a Finding dataclass carrying CWE, CVE, and compliance tags) are then rendered to console, JSON, or HTML.

1
Rule & CVE Knowledge Base
23 module-level *_RULES lists (145 pattern rules), the COMPLIANCE_MAP of 24 framework controls, and AI_VULNERABLE_PACKAGES / AI_NPM_VULNERABLE_PACKAGES CVE databases.
2
Traversal & Dispatch
scan_path → _scan_directory walks the tree (skipping node_modules, __pycache__, etc.); _dispatch_file routes each file to the right scanner by extension.
3
Language Scanners
Dedicated handlers _scan_python, _scan_js, _scan_env, _scan_config, _scan_terraform, _scan_docker, _scan_requirements, _scan_pyproject, _scan_package_json, and _scan_notebook.
4
SAST Regex Engine
The shared _sast_scan applies compiled regex rules line-by-line, emitting a Finding with rule metadata, CWE, and compliance mappings.
5
AI Inventory & Supply-Chain Analysis
In parallel, detects AI/ML frameworks, models, APIs, vector DBs, and trackers, and version-compares dependencies against the curated CVE database.
6
Compliance & Model Card Layer
Tags findings with NIST AI RMF / EU AI Act / OWASP ML / MITRE ATLAS controls and runs the directory-level _check_model_card EU AI Act documentation check.
7
Reporting
print_report renders color-coded console output, JSON, and a self-contained interactive HTML report, then sets a CI-friendly exit code.

04Project Structure

ai_spm_scanner.pyThe entire scanner — a single ~2,230-line, zero-dependency Python file containing all rules, engine, and reporters.
README.mdFull documentation: rule catalog, compliance mapping, CVE tables, usage, CI/CD recipes, and architecture diagram.
CLAUDE.mdProject instructions describing the shared scanner architecture, rule-category counts, and contribution conventions.
banner.svgProject banner graphic used in the README header.
LICENSEMIT License.
.gitignoreStandard Python gitignore.
tests/samples/Intentionally vulnerable fixture files used to validate that rules fire correctly.
tests/samples/vulnerable_ai_app.pyInsecure Python AI patterns (pickle, prompt injection, PII, agents, MCP, fine-tuning, multimodal, bias) — produces 100 findings when scanned.
tests/samples/requirements_ai.txtAI/ML packages pinned to versions with known CVEs to exercise supply-chain scanning.
tests/samples/ai_infra.tfVulnerable Terraform for SageMaker, Bedrock, Vertex AI, and Azure OpenAI.
tests/samples/k8s_ai_serving.yamlInsecure K8s AI workloads for KServe, Seldon, and Triton.
tests/samples/vulnerable_frontend.tsxInsecure JS/TS AI frontend with client-side key exposure, XSS, and eval on model output.

05Security Controls

Model Security (AISPM-MODEL)
10 rules for unsafe pickle/joblib/torch.load, np.load allow_pickle, trust_remote_code, exec on model output, unencrypted weights, and missing hash verification.
Prompt / LLM Security (AISPM-PROMPT)
10 rules for user input in prompts, system-prompt exposure, jailbreak patterns, LLM output into shell/SQL, unvalidated function calling, and nested template injection.
Agent Security (AISPM-AGENT)
10 rules for unrestricted shell/filesystem access, no human-in-the-loop, unbounded iterations, and unsafe LangChain/CrewAI/AutoGen/LangGraph agent patterns.
Guardrails (AISPM-GUARD)
8 rules for missing content-safety filters, temperature >1.5, no max_tokens, disabled safety settings, and missing rate limits, timeouts, and input-length validation.
Privacy & Data Pipeline (AISPM-PRIV / AISPM-DATA)
12 rules for PII/PHI sent to AI APIs, prompt logging, training-without-consent, PII in embeddings, plus untrusted training data, label poisoning, and missing lineage.
RAG & MCP Security (AISPM-RAG / AISPM-MCP)
10 rules for vector DBs without auth, unsanitized external documents, missing access control on retrieval, MCP servers with shell access or no auth, and auto-approve clients.
Infrastructure & Secrets (AISPM-INFRA / AISPM-SECRET / AISPM-ENV)
22 rules for unauthenticated inference endpoints, 0.0.0.0 binding, Jupyter/MLflow without auth, CORS wildcards, and hardcoded API keys for OpenAI, Anthropic, HuggingFace, Pinecone, and more.
Cloud & Container IaC (AISPM-IAC / AISPM-K8S-AI / AISPM-DOCKER / AISPM-CFG)
22 rules for Terraform SageMaker/Bedrock/Vertex/Azure OpenAI misconfigs, KServe/Seldon/Triton serving issues, privileged/root ML containers, and API keys in Dockerfiles.
Supply-Chain CVEs (AISPM-DEP-CVE)
33 curated AI/ML CVEs across PyPI and npm — TensorFlow, PyTorch, LangChain, mlflow, Ray (ShadowRay), Ollama, ChromaDB, gradio, vllm — matched by version comparison.
Compliance & Governance (AISPM-DOC + mappings)
Model Card compliance check plus mapping of every finding to 24 controls across NIST AI RMF, EU AI Act, OWASP ML Top 10, and MITRE ATLAS.

06Technology Stack

Language
Python 3.10+ (modern type-hint syntax with `from __future__ import annotations`; stdlib only)
Dependencies
None — zero external packages, pure standard library (re, argparse, json, dataclasses, pathlib)
Distribution
Single self-contained file (ai_spm_scanner.py, ~2,230 LOC)
Analysis Engine
Regex-based line-by-line SAST across module-level rule dicts
Output Formats
ANSI console, JSON, self-contained interactive HTML (dark purple-gradient theme)
Testing
Intentionally vulnerable fixture files under tests/samples/ for rule validation
CI/CD
Exit-code gating with documented GitHub Actions, GitLab CI, Azure DevOps, and Jenkins recipes
Platforms
Windows, macOS, Linux (no compilation, no venv required)

07Quick Start

$ git clone https://github.com/Krishcalin/AI-Secure-Posture-Management.git && cd AI-Secure-Posture-Management
$ python ai_spm_scanner.py --version   # verify: AI-SPM Scanner v1.1.0
$ python ai_spm_scanner.py /path/to/your/ai-project   # scan a whole project
$ python ai_spm_scanner.py ./my-project --json report.json --html report.html   # JSON + interactive HTML reports
$ python ai_spm_scanner.py ./my-project --severity HIGH   # only CRITICAL and HIGH findings (CI gate)
$ python ai_spm_scanner.py tests/samples/ --verbose   # run against bundled vulnerable fixtures

08Compliance & Frameworks

NIST AI RMF
Findings mapped to the GOVERN, MAP, MEASURE, and MANAGE functions of the AI risk-management lifecycle.
EU AI Act
High-Risk, Limited-Risk, and GPAI obligations, including a Model Card documentation check for high-risk systems.
OWASP ML Top 10
Full ML01–ML10 coverage (input manipulation, data poisoning, model inversion, model theft, supply chain, output integrity, and more).
MITRE ATLAS
Seven adversarial-ML tactics: Reconnaissance, Resource Development, Initial Access, ML Attack Execution, Persistence, Exfiltration, and Impact.
CWE
Each rule carries a CWE identifier (e.g. CWE-502 deserialization) for standardized weakness classification.

09Integrations & Outputs

Input formats: Python (.py/.pyw), Jupyter (.ipynb), JS/TS (.js/.jsx/.ts/.tsx/.mjs/.cjs), .env, YAML/TOML, Terraform (.tf), Dockerfile, requirements.txt/Pipfile/pyproject.toml, package.jsonExport formats: colored console (ANSI), JSON report, self-contained interactive HTML reportCI/CD: GitHub Actions, GitLab CI, Azure DevOps, Jenkins (exit code 1 on CRITICAL/HIGH gates the build)CVE data: curated AI/ML PyPI + npm vulnerability database with clickable NVD links in HTML output

Explore AI Security Posture Management

Full source, documentation, and deployment guides live on GitHub.