Getting Started
Trusera is an AI security platform that helps organizations discover, inventory, and secure all AI components across their infrastructure. At its core is AI-BOM (AI Bill of Materials) - an open-source scanner that detects AI agents, LLM integrations, model references, and API keys hiding in your codebase.
What is AI-BOM?
AI-BOM is the first tool purpose-built for AI supply chain visibility. While tools like Trivy and Syft cover traditional dependencies, they miss AI-specific components entirely. AI-BOM fills that gap with 13 specialized scanners and 9 output formats.
One command gives you a complete inventory:
pipx install ai-bom
ai-bom scan .
What it detects
| Category | Examples |
|---|---|
| LLM Providers | OpenAI, Anthropic, Google AI, Mistral, Cohere, Ollama, DeepSeek |
| Agent Frameworks | LangChain, CrewAI, AutoGen, LlamaIndex, LangGraph |
| Model References | gpt-4o, claude-3-5-sonnet, gemini-1.5-pro, llama-3 |
| API Keys | Hardcoded credentials (sk-, sk-ant-, hf_*) |
| AI Containers | Ollama, vLLM, HuggingFace TGI, NVIDIA Triton, ChromaDB |
| Cloud AI | AWS Bedrock/SageMaker, Azure OpenAI/ML, Google Vertex AI |
| AI Endpoints | api.openai.com, api.anthropic.com, localhost:11434 |
| n8n AI Nodes | AI Agents, LLM Chat, MCP Client, Tools, Embeddings |
| MCP Servers | Model Context Protocol server configurations |
| A2A Protocol | Google Agent-to-Agent protocol |
| Jupyter Notebooks | AI imports and model usage in .ipynb files |
| GitHub Actions | AI-related actions and model deployments |
| Model Files | .gguf, .safetensors, .onnx, .pt binary model files |
25+ AI SDKs detected across Python, JavaScript, TypeScript, Java, Go, Rust, and Ruby.
Why AI-BOM?
- EU AI Act compliance (Article 53, Aug 2025) requires a complete AI component inventory. No existing SBOM tool covers AI.
- Shadow AI - 60%+ of AI usage is undocumented. Developers ship LLM integrations without security review.
- n8n workflow scanning - n8n is the backbone of enterprise AI automation but invisible to Trivy, Syft, and Grype.
Quick start
Scan a local project
ai-bom scan .
Generate a CycloneDX SBOM
ai-bom scan . -f cyclonedx -o ai-bom.cdx.json
Generate SARIF for GitHub Code Scanning
ai-bom scan . -f sarif -o results.sarif
Fail CI on critical findings
ai-bom scan . --fail-on critical --quiet
How it works
AI-BOM uses a multi-scanner architecture:
- File System Scanning - Regex-based detection of AI imports, model names, and API keys across source code
- Docker Scanning - Detection of AI containers, GPU allocations, and AI environment variables
- Network Scanning - Discovery of AI endpoints and hardcoded credentials in config files
- Cloud IaC Scanning - 60+ AWS/Azure/GCP AI resource types in Terraform and CloudFormation
- AST Analysis - Deep Python analysis for decorator patterns (
@agent,@tool,@crew)
Scanners auto-register via __init_subclass__ and execute in parallel via thread pool. Results are scored with a 0-100 risk score and mapped to severity levels (critical, high, medium, low).
Next steps
- Installation - All installation methods
- CLI Reference - Full command documentation
- Scanner Overview - What each scanner detects
- Platform Guide - SaaS platform features