Detecting Shadow AI in Source Code Using the CLI

This feature requires a subscription to the Manifest AI Risk Module. For more information, reach out to [email protected].

Overview

The AI scanner tool helps organizations identify AI/ML models and frameworks that developers may be using without proper governance oversight. This scanner integrates seamlessly into your existing workflows to provide comprehensive AI discovery and risk assessment.

Prerequisites

  • Access to the Manifest AI Risk module
  • Source code repositories to scan

What Gets Detected

  • AI Frameworks: PyTorch, TensorFlow, Keras, ONNX models
  • Transformer Models: Hugging Face libraries and pre-trained models
  • AI APIs: OpenAI, Anthropic Claude, and other ML service calls
  • Model Files: Trained models, weights, and configuration files
  • Risk Assessment: Each finding will receive a HIGH/MEDIUM/LOW risk rating
  • Datasets

Getting Started

Please make sure that you have the Manifest CLI set up. Full instructions can be found on Manifest's CLI GitHub page.

To automatically upload your AI discovery results to the Manifest platform, make sure to Create an API Token as well. You will need to enable the following scopes:


Running AI Scans

To scan your code for AI models, paste the following into the command line.

To scan without uploading the SBOM to Manifest:

./manifest-cli generate /path/to/your/code --detect-ai --install dependencies

To scan and automatically upload the SBOM to Manifest:

export MANIFEST_API_KEY=your-api-token
./manifest-cli generate /path/to/your/code --detect-ai --install dependencies --publish

Understanding Your Results

When the scanner finds AI models in your code, you'll see results like:


The generated SBOM includes all associated AI/ML models as machine-learning-model components with:

  • Model name and framework identification
  • Technology stack (e.g., "PyTorch", "Hugging Face Transformers")
  • Precise file:line locations in your source code
  • Risk level classification (HIGH/MEDIUM/LOW)
  • Integration with standard SBOM formats (CycloneDX, SPDX)
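Because the SBOM is a standard CycloneDX document, the machine-learning-model components can be triaged automatically, for example as a CI gate that fails a build when a HIGH-risk model is found. The script below is an added example, not Manifest's own code: it assumes CycloneDX JSON output with file and line locations carried in `evidence.occurrences`, and it assumes the risk rating and technology are recorded as component properties named `manifest:risk` and `manifest:technology` (those property names and the embedded sample SBOM are constructed for illustration; check the names against a real scan output before relying on them).

```python
"""Triage machine-learning-model components from a CycloneDX SBOM.

Added example, not Manifest's own code. The scan output is assumed to be
CycloneDX JSON (a format the page names); the property names carrying the
risk rating ("manifest:risk") and technology ("manifest:technology") and the
sample SBOM below are constructed for illustration.
"""
import json
import sys

RISK_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample: shape follows CycloneDX 1.5 (component type
# "machine-learning-model", evidence.occurrences for file/line); the
# property names are an assumption, not a documented Manifest format.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "machine-learning-model",
            "name": "gpt-4",
            "properties": [
                {"name": "manifest:technology", "value": "OpenAI API"},
                {"name": "manifest:risk", "value": "HIGH"},
            ],
            "evidence": {"occurrences": [
                {"location": "app/chat.py", "line": 42}]},
        },
        {
            "type": "machine-learning-model",
            "name": "bert-base-uncased",
            "properties": [
                {"name": "manifest:technology",
                 "value": "Hugging Face Transformers"},
                {"name": "manifest:risk", "value": "MEDIUM"},
            ],
            "evidence": {"occurrences": [
                {"location": "ml/classify.py", "line": 7},
                {"location": "ml/train.py", "line": 18}]},
        },
        # Ordinary dependency: not an ML model, so it is skipped.
        {"type": "library", "name": "requests", "version": "2.31.0"},
    ],
})


def prop(component, name, default=""):
    """Return the value of a named CycloneDX component property, or default."""
    for p in component.get("properties", []):
        if p.get("name") == name:
            return p.get("value", default)
    return default


def ml_findings(sbom_json):
    """Extract ML model findings sorted by risk (HIGH first)."""
    bom = json.loads(sbom_json)
    findings = []
    for c in bom.get("components", []):
        if c.get("type") != "machine-learning-model":
            continue
        locations = []
        for occ in c.get("evidence", {}).get("occurrences", []):
            loc = occ.get("location", "?")
            if "line" in occ:
                loc = f"{loc}:{occ['line']}"
            locations.append(loc)
        findings.append({
            "risk": prop(c, "manifest:risk", "UNKNOWN").upper(),
            "name": c.get("name", "?"),
            "technology": prop(c, "manifest:technology"),
            "locations": locations,
        })
    # Unknown ratings sort last rather than being silently dropped.
    findings.sort(key=lambda f: RISK_ORDER.get(f["risk"], 99))
    return findings


def gate(findings, fail_on="HIGH"):
    """Return True when no finding is rated at or above the fail_on level."""
    threshold = RISK_ORDER[fail_on]
    return all(RISK_ORDER.get(f["risk"], 99) > threshold for f in findings)


def main(path=None):
    """Print the findings and return a process exit code for CI."""
    data = open(path).read() if path else SAMPLE_SBOM
    findings = ml_findings(data)
    for f in findings:
        print(f"[{f['risk']}] {f['name']} ({f['technology']}) "
              f"at {', '.join(f['locations'])}")
    ok = gate(findings)
    print("PASS" if ok else "FAIL: HIGH-risk AI usage found")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the path to the SBOM the CLI wrote (the "Output file" name shown after the scan) to print each model with its file:line locations; without an argument it runs against the embedded sample and exits non-zero because the sample contains a HIGH-rated finding.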

After scanning, the model analysis can be found in Manifest. To see it:

  1. Go to Uploads and click on the AIBOM that was just generated.
  2. Click on the name of the file that matches what you see under “Output file.”
  3. On the asset details page, click on the tab called “AI Models.” This lists all models that were found in the scan.