The only AI Bill of Materials tool that bulk scans entire GitHub organizations. Inventory AI models, agents, and risks across hundreds of repos with drift detection, compliance exports, and automated gating. Works with Python, JavaScript, Java, Go, and .NET.
aibom scan-github --repo owner/repo --output-dir results
aibom generate .
Stop scanning repositories one by one. AIBOM clones, analyzes, and aggregates AI inventories across your entire GitHub organization in one command.
Parallel cloning and analysis. No more manual inventory of AI usage across your org.
Fail scans when high-risk AI usage exceeds thresholds. Enforce policies across all repos.
One Markdown summary across all repos. Perfect for security reviews and compliance audits.
Compare current scan against baselines. Catch new AI providers and tools before they hit prod.
AIBOM finds AI components in your code and maps them to a structured inventory with OWASP LLM risk analysis.
# Python (LangChain)
from langchain import ChatOpenAI
llm = ChatOpenAI(
    model="gpt-4",
    temperature=0.7
)

// JavaScript (OpenAI SDK)
import OpenAI from "openai";
const client = new OpenAI({
    model: "gpt-4o-mini"
});

// Java (LangChain4j)
import dev.langchain4j.model.openai.OpenAiChatModel;
OpenAiChatModel model = OpenAiChatModel.builder()
    .modelName("gpt-4")
    .build();

// Go (openai-go)
import "github.com/openai/openai-go"
client := openai.NewClient()
resp, err := client.Chat.Completions.New(
    ctx,
    openai.ChatCompletionNewParams{
        Model: "gpt-4",
    },
)

# Python (LangChain agent)
from langchain.agents import initialize_agent
agent = initialize_agent(
    tools,
    llm,
    agent="zero-shot-react-description"
)

# Python (LangChain tool)
from langchain.tools import Tool
search = Tool(
    name="SerpAPI",
    func=search_run
)
AIBOM detects AI components across your entire polyglot codebase with specialized parsers for each language.
Full AST parsing for LangChain, OpenAI, Anthropic, and more
Pattern-based detection for OpenAI SDK, LangChain.js
Detect LangChain4j, Spring AI, and OpenAI integrations
Find OpenAI and Anthropic SDK usage in Go applications
Scan C# projects for Semantic Kernel and AI integrations
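To show what AST-based detection of AI components looks like in practice, here is an added illustration (not AIBOM's own detector code): a small Python walker that inventories calls to a few assumed model constructors, records the model name when it is a string literal, and still reports the component when the name is resolved at runtime.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional
# Illustrative constructor table (assumed, not AIBOM's): provider implied by
# each constructor and the keyword that carries the model name.
MODEL_CTORS = {
    "ChatOpenAI": ("openai", "model"),
    "OpenAI": ("openai", "model"),
    "ChatAnthropic": ("anthropic", "model"),
}

@dataclass
class AIComponent:
    provider: str
    constructor: str
    model: Optional[str]  # None when the model name is not a string literal
    line: int

def _str_kwarg(call: ast.Call, name: str) -> Optional[str]:
    """Return keyword `name` if it is a string literal, else None."""
    for kw in call.keywords:
        if kw.arg == name and isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str):
            return kw.value.value
    return None

def find_ai_components(source: str) -> List[AIComponent]:
    """Walk the AST and inventory every call to a known model constructor."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func  # covers both ChatOpenAI(...) and openai.OpenAI(...)
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name in MODEL_CTORS:
            provider, model_kw = MODEL_CTORS[name]
            found.append(AIComponent(provider, name, _str_kwarg(node, model_kw), node.lineno))
    return found

# Constructed sample: the LangChain snippet from this page plus a constructor
# whose model name is read from the environment at runtime.
SAMPLE = '''
from langchain import ChatOpenAI
import os
llm = ChatOpenAI(
    model="gpt-4",
    temperature=0.7
)
# model name is not a literal: still inventoried, model left unresolved
fallback = ChatOpenAI(model=os.environ["LLM_MODEL"])
'''
```

Running `find_ai_components(SAMPLE)` yields two `openai` components, the second with `model=None`, which is exactly the kind of unresolved entry worth flagging in a review.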
AIBOM generates a structured JSON document mapping all AI components in your codebase with risk findings and provenance tracking.
From single-repo scanning to organization-wide AI inventory, AIBOM scales with your needs.
Built-in heuristics aligned with OWASP LLM Top 10. Detect third-party providers, exfiltration surfaces, and prompt injection risks.
Detect AI components in Python, Jupyter notebooks, JavaScript, TypeScript, Java, Go, and .NET codebases.
Sign evidence bundles with X.509 certificates. Verify provenance, certificate chains, and enforce signer allowlists.
Compare AIBOM versions to detect new models, tools, or external providers. Gate CI/CD pipelines on unauthorized changes.
Define organization-specific risk rules with allowlists, thresholds, and severity overrides in JSON or YAML format.
Schedule recurring scans with trend analysis. Track novel components over time and maintain historical snapshots.
The only AIBOM tool that scans entire GitHub organizations. Clone, analyze, and aggregate results across hundreds of repos with drift gates and risk thresholds.
Generate executive-friendly reports with risk highlights, asset summaries, and detector coverage metrics.
Other AIBOM tools make you scan repos one by one. AIBOM is built for organizations that need visibility across hundreds of repositories without the manual work.
Models, prompts, tools, datasets, and APIs form complex dependency graphs that are invisible to traditional SBOM tools.
Prompt injection, model poisoning, and data leakage require visibility into how AI components interact with your systems.
Organizations need to track AI usage for compliance, risk management, and responsible AI practices.
Large organizations have AI spread across hundreds of repos. Manual inventory is impossible. AIBOM scans them all in one command.
Scale from a single repo to your entire GitHub organization in minutes.
One command to install. Works locally or in CI/CD pipelines.
pip install aibom
Scan a single repo locally, or bulk scan your entire GitHub organization. AIBOM clones, analyzes, and aggregates results automatically.
# Single repo
aibom generate .
# Bulk GitHub scan
aibom scan-github --repos-file org-repos.txt --output-dir audit/
Set risk thresholds, detect drift, and export to SPDX, CycloneDX, SARIF, or VEX for compliance.
# Fail on new external AI providers
aibom diff baseline.json new.json --fail-on new-external-provider
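The drift gate behind a command like `aibom diff ... --fail-on new-external-provider`, together with the allowlist and threshold rules described under risk rules, can be illustrated with this added example (not AIBOM's code; the inventory and policy shapes are assumed, not AIBOM's real schema). It diffs two constructed inventories, applies a provider allowlist and a high-severity cap, and exits non-zero when either is violated.

```python
import json

# Constructed baseline and current inventories in an assumed shape (not
# AIBOM's real schema): each component has a type, provider, name, severity.
BASELINE = json.loads('''{"components": [
  {"type": "model", "provider": "openai", "name": "gpt-4", "severity": "high"},
  {"type": "tool", "provider": "serpapi", "name": "SerpAPI", "severity": "medium"}
]}''')
CURRENT = json.loads('''{"components": [
  {"type": "model", "provider": "openai", "name": "gpt-4", "severity": "high"},
  {"type": "tool", "provider": "serpapi", "name": "SerpAPI", "severity": "medium"},
  {"type": "model", "provider": "anthropic", "name": "claude-3-haiku", "severity": "high"}
]}''')

# Organization policy in the spirit of the JSON/YAML rules described above
# (assumed format): a provider allowlist and a cap on high-severity components.
POLICY = {"allowed_providers": ["openai", "serpapi"], "max_high": 1}

def _key(comp):
    return (comp["type"], comp["provider"], comp["name"])

def diff_inventories(baseline, current):
    """Return components added since baseline and providers not seen before."""
    base_keys = {_key(c) for c in baseline["components"]}
    base_providers = {c["provider"] for c in baseline["components"]}
    added = [c for c in current["components"] if _key(c) not in base_keys]
    new_providers = sorted({c["provider"] for c in added} - base_providers)
    return added, new_providers

def gate(baseline, current, policy):
    """Evaluate drift against policy; returns (passed, reasons) for CI to act on."""
    _, new_providers = diff_inventories(baseline, current)
    reasons = [f"new external provider not on allowlist: {p}"
               for p in new_providers if p not in policy["allowed_providers"]]
    high = sum(1 for c in current["components"] if c["severity"] == "high")
    if high > policy["max_high"]:
        reasons.append(f"{high} high-risk components exceed threshold {policy['max_high']}")
    return not reasons, reasons

if __name__ == "__main__":
    passed, reasons = gate(BASELINE, CURRENT, POLICY)
    print("PASS" if passed else "FAIL", *reasons, sep="\n")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline
```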
One tool. Two workflows. Scan locally or bulk scan your entire GitHub organization.
pip install aibom && aibom generate .
aibom scan-github --repos-file repos.txt --output-dir results/
aibom scan-github --repos-file repos.txt
Use case: Bulk scan with risk gates
aibom scan-github --repos-file repos.txt --baseline base.json
Use case: Organization audit with drift detection
aibom generate . --audit-mode --bundle-out evidence.zip
Use case: Create signed compliance bundle
aibom export --input AI_BOM.json --format spdx-json
Use case: Export to SPDX for compliance tools
AIBOM is the only open-source AIBOM tool with native bulk GitHub scanning. Join us in building the future of AI supply chain security, whether you are adding new language detectors, risk rules, or scaling features for enterprise use.
Build support for new AI frameworks and languages
Implement new OWASP LLM-aligned risk detections
Add new SBOM and compliance export formats
Help us improve by reporting issues and edge cases
AIBOM is MIT licensed and free forever. Get started with a single repo, or scale to scan your entire GitHub organization with no licensing tiers, no limits.