Initial release v0.1.0

AI Bill of Materials scanner — discovers every AI agent, model, and API
hiding in your infrastructure.

Features:
- 5 scanners: code, docker, network, cloud, n8n workflows
- AI SDK detection for OpenAI, Anthropic, Google, Mistral, and more
- 5 output formats: table, JSON/CycloneDX, HTML, Markdown, SARIF
- Risk scoring engine with multi-factor assessment
- Shadow AI and hardcoded API key detection
- 124 tests with full coverage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Zie619

.dockerignore

@@ -0,0 +1,18 @@
+.venv/
+venv/
+.git/
+__pycache__/
+*.py[cod]
+dist/
+build/
+*.egg-info/
+.pytest_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+tests/
+.github/
+*.md
+!README.md
+.idea/
+.vscode/

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,36 @@
+---
+name: Bug Report
+about: Report a bug in ai-bom
+title: "[BUG] "
+labels: bug
+assignees: ""
+---
+
+## Describe the bug
+A clear and concise description of what the bug is.
+
+## To Reproduce
+Steps to reproduce the behavior:
+1. Run `ai-bom scan ...`
+2. With options: `--format ... --severity ...`
+3. On target: (describe the project/file structure)
+
+## Expected behavior
+What you expected to happen.
+
+## Actual behavior
+What actually happened. Include the full output or error message.
+
+## Environment
+- ai-bom version: (`ai-bom version`)
+- Python version: (`python --version`)
+- OS: (e.g., Ubuntu 22.04, macOS 14, Windows 11)
+
+## Scan Configuration
+- Output format used: (table / cyclonedx / json / html / markdown / sarif)
+- Severity filter: (none / critical / high / medium / low)
+- Scanner flags: (e.g., `--include-tests`, `--n8n-local`, `--no-color`)
+- Target type: (directory / single file / git URL)
+
+## Additional context
+Add any other context, logs, or screenshots.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,22 @@
+---
+name: Feature Request
+about: Suggest an idea for ai-bom
+title: "[FEATURE] "
+labels: enhancement
+assignees: ""
+---
+
+## Problem
+A clear description of the problem this feature would solve.
+
+## Proposed Solution
+Describe the solution you'd like.
+
+## Alternatives Considered
+Describe any alternative solutions or features you've considered.
+
+## Use Case
+Who would benefit from this feature and how?
+
+## Additional context
+Add any other context, mockups, or references.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,28 @@
+## Summary
+Brief description of changes.
+
+## Changes
+- [ ] Change 1
+- [ ] Change 2
+
+## Type
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Breaking change
+- [ ] Documentation
+
+## Testing
+- [ ] Added/updated tests
+- [ ] All tests pass (`pytest -v`)
+- [ ] Linting passes (`ruff check`)
+
+## Checklist
+- [ ] Code follows project style
+- [ ] Self-reviewed the diff
+- [ ] No sensitive data (API keys, credentials) committed
+
+## Scanner Changes (if applicable)
+- [ ] New scanner uses `__init_subclass__` auto-registration (set `name` class attribute)
+- [ ] Scanner implements `supports()` and `scan()` methods
+- [ ] New detection patterns added to `config.py`
+- [ ] Reporter registered in `reporters/__init__.py` REPORTERS dict

.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Lint with ruff
+        run: ruff check src/ tests/
+
+      - name: Run tests
+        run: pytest -v

.github/workflows/dogfood.yml

@@ -0,0 +1,35 @@
+name: Dogfood (ai-bom scans itself)
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  security-events: write
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: 'pip'
+
+      - name: Install ai-bom
+        run: pip install -e .
+
+      - name: Run ai-bom scan (SARIF)
+        run: ai-bom scan . --format sarif -o results.sarif
+        continue-on-error: true
+
+      - name: Upload SARIF to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: hashFiles('results.sarif') != ''
+        with:
+          sarif_file: results.sarif

.github/workflows/publish.yml

@@ -0,0 +1,31 @@
+name: Publish to PyPI
+
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment: pypi
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install build tools
+        run: pip install build
+
+      - name: Build package
+        run: python -m build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

.gitignore

@@ -0,0 +1,35 @@
+# Virtual environments
+.venv/
+venv/
+env/
+
+# Python bytecode
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Build artifacts
+dist/
+build/
+*.egg-info/
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+
+# Linting
+.ruff_cache/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Node
+node_modules/
+
+# OS
+.DS_Store
+Thumbs.db

CHANGELOG.md

@@ -0,0 +1,30 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.1.0] - 2026-02-08
+
+### Added
+- 5 scanners: code, docker, network, cloud (Terraform/CloudFormation), n8n workflows
+- AI SDK detection for OpenAI, Anthropic, Google, Mistral, Cohere, HuggingFace, and more
+- Model version pinning and deprecation checks
+- Shadow AI detection (undeclared AI dependencies)
+- Hardcoded API key detection
+- n8n workflow agent chain analysis with MCP risk assessment
+- 5 output formats: table, JSON/CycloneDX, HTML, Markdown, SARIF
+- SARIF 2.1.0 output for GitHub Code Scanning integration
+- Single-file and directory scanning
+- Git repository URL scanning (auto-clone)
+- Severity filtering (critical, high, medium, low)
+- Risk scoring engine with multi-factor assessment
+- GitHub Action for CI/CD integration (`trusera/ai-bom@v1`)
+- Docker container distribution
+- 124 tests with full coverage of scanners and reporters
+
+[Unreleased]: https://github.com/trusera/ai-bom/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/trusera/ai-bom/releases/tag/v0.1.0

CODE_OF_CONDUCT.md

@@ -0,0 +1,40 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior:
+
+* The use of sexualized language or imagery and unwelcome sexual attention
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information without explicit permission
+* Other conduct which could reasonably be considered inappropriate
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project team at **conduct@trusera.dev**.
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org),
+version 2.1.