Python Scanner

AI-BOM's Code Scanner and AST Scanner work together to provide comprehensive Python AI component detection.

What it scans

Dependency files

The scanner checks these files for declared AI packages:

requirements.txt
requirements-*.txt (e.g., requirements-dev.txt)
pyproject.toml
setup.py
setup.cfg
Pipfile
poetry.lock
conda.yaml / environment.yml

Source files

All .py files are scanned for:

AI SDK import statements
Model name references
API key patterns
Framework-specific usage patterns

Detected AI packages

AI-BOM detects 25+ Python AI SDKs, including:

Package	Provider
`openai`	OpenAI
`anthropic`	Anthropic
`google-generativeai`	Google AI
`mistralai`	Mistral
`cohere`	Cohere
`ollama`	Ollama
`langchain` / `langchain-core`	LangChain
`crewai`	CrewAI
`autogen` / `pyautogen`	Microsoft AutoGen
`llama-index`	LlamaIndex
`langgraph`	LangGraph
`transformers`	Hugging Face
`torch` / `pytorch`	PyTorch
`tensorflow`	TensorFlow
`boto3` (bedrock)	AWS Bedrock
`azure-ai-*`	Azure AI Services
`vertexai`	Google Vertex AI

Detection examples

Import detection

# These imports are detected by the Code Scanner
import openai
from anthropic import Anthropic
from langchain.llms import OpenAI
from crewai import Agent, Task, Crew

Model reference detection

# Model names are detected and flagged
client.chat.completions.create(model="gpt-4o")
response = anthropic.messages.create(model="claude-3-5-sonnet-20241022")

API key detection

# Hardcoded API keys are detected as critical severity
openai.api_key = "sk-proj-abc123..."
client = Anthropic(api_key="sk-ant-api03-...")

Shadow AI detection

When AI SDK usage is found in source code but no corresponding dependency is declared in requirements.txt or pyproject.toml, AI-BOM flags it as "shadow AI" - undocumented AI usage.

Deep scanning (AST mode)

Enable with --deep for Python AST-based analysis:

ai-bom scan . --deep

The AST scanner detects:

Decorator patterns

# CrewAI decorators
@agent
def researcher(self):
    return Agent(role="researcher")

@task
def research_task(self):
    return Task(description="Research AI security")

@crew
def security_crew(self):
    return Crew(agents=[self.researcher()])

@flow
def analysis_flow(self):
    pass

Function call analysis

# Direct API calls detected via AST
openai.ChatCompletion.create(
    model="gpt-4",
    messages=[{"role": "user", "content": "Hello"}]
)

String literal analysis

Model name references in string literals are detected even when not part of a recognized API call pattern.

Risk scoring

Each detected component receives a risk score (0-100) based on:

Component type - API keys score higher than library imports
Severity flags - Hardcoded credentials, deprecated models, unpinned versions
Shadow AI - Undeclared usage scores higher than declared dependencies
Provider sensitivity - Production LLM providers score higher than local tools

Configuration

Create an .ai-bomignore file to exclude directories from scanning:

.venv/
__pycache__/
.eggs/
dist/
build/

What it scans​

Dependency files​

Source files​

Detected AI packages​

Detection examples​

Import detection​

Model reference detection​

API key detection​

Shadow AI detection​

Deep scanning (AST mode)​

Decorator patterns​

Function call analysis​

String literal analysis​

Risk scoring​

Configuration​