AI Finder: full visibility into AI artefacts

Detect AI SDKs, model files, frameworks, and dependencies directly in your codebase with AI Finder

AI Finder now available

AI components have moved from research into production faster than most organisations can track them. SDK calls, framework dependencies, model files, and vector databases now sit alongside conventional open source components, but they rarely appear in standard inventories with the detail needed to assess risk or demonstrate compliance.

As EU AI Act enforcement timelines come into effect, knowing exactly what AI is in use, where it came from, and under what licence has become a practical requirement.

You cannot secure, govern, or comply with AI use you have not inventoried. AI Finder is designed to close that gap by bringing AI artefact detection directly into the developer workflow.

What’s new

AI Finder is a new, open source CLI that scans codebases to detect AI/ML artefacts at source level. Instead of relying solely on dependency manifests, it identifies concrete AI usage — SDK calls, package imports, model files, and framework references — directly in source files and project configuration.

The tool detects:

  • AI SDKs across 12 languages, including OpenAI, Anthropic, HuggingFace, LangChain, LlamaIndex, and agent frameworks such as Strands, CrewAI, and AutoGen
  • 134+ AI packages, covering LLM clients, agent frameworks, ML frameworks, vector databases, AI safety tooling, and MCP/tool use libraries
  • Model files in 12 formats, including GGUF, SafeTensors, ONNX, PyTorch, TensorFlow, TFLite, CoreML, and JAX
  • Manifests in 11 formats, from requirements.txt and pyproject.toml to go.mod, Cargo.toml, pom.xml, and Package.swift

This combination gives developers and compliance teams a complete picture of AI usage across polyglot codebases, including the model layer that most SBOM tooling does not cover.

AI Finder detection coverage

How it works

AI Finder is designed to fit naturally into a developer’s workflow. You point it at a repository, and it produces structured output that can be reviewed locally or passed downstream into CI/CD and governance tooling.

AI Finder at a glance

Install via pip:

pip install ai-finder 

Scan a directory:

ai-finder scan /path/to/project 

Generate a CycloneDX SBOM with ML-BOM support:

ai-finder scan /path/to/project -f cyclonedx -o sbom.json 

Generate an SPDX SBOM:

ai-finder scan /path/to/project -f spdx -o sbom.spdx.json 

Identify a specific model file:

ai-finder identify model.gguf

Licences are automatically enriched from PyPI, npm, and HuggingFace. Unknown licences are marked as NOASSERTION per SPDX specification, and SPDX licence expressions are supported.
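
A downstream check of the kind described above, as an added example that is not part of AI Finder or of the original post: it reads a CycloneDX JSON document such as the sbom.json written by the scan command, then lists model components and components whose licence is missing or NOASSERTION. It assumes the standard CycloneDX 1.6 JSON fields (components, type, licenses); the embedded SBOM and its component names are constructed, and how AI Finder itself encodes NOASSERTION in CycloneDX output is an assumption.

```python
import json
import sys

# Constructed sample in CycloneDX 1.6 JSON shape; not real ai-finder output.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
  {"type": "library", "name": "example-llm-client", "version": "1.0.0",
   "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"type": "library", "name": "example-vector-client", "version": "0.3.1",
   "licenses": [{"license": {"name": "NOASSERTION"}}]},
  {"type": "machine-learning-model", "name": "example-model.gguf"},
  {"type": "machine-learning-model", "name": "example-encoder.safetensors",
   "licenses": [{"expression": "MIT OR Apache-2.0"}]}
]}
""")

def licence_ids(component):
    """Return the licence ids, names or expressions declared on a component."""
    found = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        found.append(entry.get("expression") or lic.get("id") or lic.get("name"))
    return [x for x in found if x]

def walk(components):
    """Yield every component, including nested sub-components."""
    for c in components:
        yield c
        yield from walk(c.get("components", []))

def review(sbom):
    """Return (model names, names needing licence review) for a CycloneDX doc."""
    models, unlicensed = [], []
    for c in walk(sbom.get("components", [])):
        name = c.get("name", "<unnamed>")
        if c.get("type") == "machine-learning-model":
            models.append(name)
        ids = licence_ids(c)
        # Assumption: an unknown licence shows up as absent or as NOASSERTION.
        if not ids or any(i.upper() == "NOASSERTION" for i in ids):
            unlicensed.append(name)
    return models, unlicensed

if __name__ == "__main__":
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    models, unlicensed = review(sbom)
    print("model components:", models)
    print("licence needs review:", unlicensed)
    sys.exit(1 if unlicensed else 0)  # non-zero exit fails a CI step
```

Run with the path to sbom.json as the only argument; with no argument it checks the constructed sample.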

Why it matters

AI artefacts behave differently from conventional open source components. Model files carry provenance, licence, training data assumptions, and weight-level attributes that affect both security and compliance posture. SDK and framework usage shows how AI is being called, which dependency lists alone do not reveal.

AI Finder produces structured, machine- and human-readable output covering SDK detection, package usage, model file identification, and manifest content. Output can be emitted as JSON, CycloneDX 1.6 with ML-BOM, SPDX 2.3, or SPDX 3.0 with JSON-LD, making AI inventory consumable by existing supply chain tooling and CI/CD pipelines.

Generated SBOMs are compliant with major standards, namely CISA Minimum SBOM Elements, OpenChain ISO/IEC 5230, and CycloneDX ML-BOM, and are built for EU AI Act readiness. This integration-first approach allows teams to evaluate AI usage where policy decisions already take place, rather than enforcing policy in isolation.

For developers, AI Finder turns AI artefact tracking from an ad-hoc audit task into a continuous part of the development cycle. For compliance and security teams, it provides the source-level evidence needed to demonstrate that AI use is governed, documented, and ready for review.

Where to find it

AI Finder is released as open source under the MIT licence and is available today.

https://github.com/scanoss/ai-finder

For organisations addressing AI governance, EU AI Act readiness, or open source compliance more broadly, the SCANOSS team is available.