# Scan Model Files

- Once the Model Scanner CLI image has been deployed, it can be run as a container using the `docker run` command as described below.
- See [Deploy Model Scanner CLI](/docs/products/model-scanner/cli/install_model_scanner_cli) for deployment instructions.
- The examples below include the US and EU regions.
- See [Command-line Arguments](/docs/products/model-scanner/cli/commandline_arguments) for more information.

### macOS

See [Hybrid and Disconnected modes](/docs/products/model-scanner/cli/hybrid_disconnected) for more information.

#### Hybrid Mode - US Region

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- Set the `--model-name=` value to either the name of an existing model from the inventory (to add a new scan version to the existing model) or a new, unique name (to create a new model entry in the inventory).
- Set the `--model-version=` value to either the next version number for an existing model from the inventory or a first version for a new model for the inventory.
- Using `--persist` adds the scan results to an existing model in the AISec Platform Console.

```
# "-e NAME" with no value passes NAME through from the host environment.
docker run --rm \
  -e HL_LICENSE \
  -e HL_CLIENT_ID \
  -e HL_CLIENT_SECRET \
  -v /home/user/models:/files-to-scan \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan --persist --model-name= --model-version=
```

#### Hybrid Mode - EU Region

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- Set the `--model-name=` value to either the name of an existing model from the inventory (to add a new scan version to the existing model) or a new, unique name (to create a new model entry in the inventory).
- Set the `--model-version=` value to either the next version number for an existing model from the inventory or a first version for a new model for the inventory.
- Using `--persist` adds the scan results to an existing model in the AISec Platform Console.

```
docker run --rm \
  -e HL_LICENSE \
  -e HL_CLIENT_ID \
  -e HL_CLIENT_SECRET \
  -e HL_MODEL_SCANNER_PLATFORM_BASE_URL='https://api.eu.hiddenlayer.ai' \
  -e HL_MODEL_SCANNER_TOKEN_URL=https://auth.eu.hiddenlayer.ai/ \
  -v /home/user/models:/files-to-scan \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan --persist --model-name= --model-version=
```

#### Local Mode

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.

```
docker run --rm \
  -e HL_LICENSE \
  -v /home/user/models:/files-to-scan \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan
```

### Linux

#### Hybrid Mode - US Region

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- Set the `--model-name=` value to either the name of an existing model from the inventory (to add a new scan version to the existing model) or a new, unique name (to create a new model entry in the inventory).
- Set the `--model-version=` value to either the next version number for an existing model from the inventory or a first version for a new model for the inventory.
- Using `--persist` adds the scan results to an existing model in the AISec Platform Console.

```
docker run --rm \
  -e HL_LICENSE \
  -e HL_CLIENT_ID \
  -e HL_CLIENT_SECRET \
  -v /home/user/models:/files-to-scan \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan --persist --model-name= --model-version=
```

#### Hybrid Mode - EU Region

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- Set the `--model-name=` value to either the name of an existing model from the inventory (to add a new scan version to the existing model) or a new, unique name (to create a new model entry in the inventory).
- Set the `--model-version=` value to either the next version number for an existing model from the inventory or a first version for a new model for the inventory.
- Using `--persist` adds the scan results to an existing model in the AISec Platform Console.

```
docker run --rm \
  -e HL_LICENSE \
  -e HL_CLIENT_ID \
  -e HL_CLIENT_SECRET \
  -e HL_MODEL_SCANNER_PLATFORM_BASE_URL='https://api.eu.hiddenlayer.ai' \
  -e HL_MODEL_SCANNER_TOKEN_URL=https://auth.eu.hiddenlayer.ai/ \
  -v /home/user/models:/files-to-scan \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan --persist --model-name= --model-version=
```

#### Local Mode

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
```
docker run --rm \
  -e HL_LICENSE \
  -v /home/user/models:/files-to-scan \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan
```

### Windows

#### Hybrid Mode - US Region

- Replace `c:/work/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- Set the `--model-name=` value to either the name of an existing model from the inventory (to add a new scan version to the existing model) or a new, unique name (to create a new model entry in the inventory).
- Set the `--model-version=` value to either the next version number for an existing model from the inventory or a first version for a new model for the inventory.
- Using `--persist` adds the scan results to an existing model in the AISec Platform Console.

```
docker run --rm ^
  -e HL_LICENSE ^
  -e HL_CLIENT_ID ^
  -e HL_CLIENT_SECRET ^
  -v c:/work/models:/files-to-scan ^
  quay.io/hiddenlayer/distro-cli-modelscanner:latest ^
  --input /files-to-scan --persist --model-name= --model-version=
```

#### Hybrid Mode - EU Region

- Replace `c:/work/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- Set the `--model-name=` value to either the name of an existing model from the inventory (to add a new scan version to the existing model) or a new, unique name (to create a new model entry in the inventory).
- Set the `--model-version=` value to either the next version number for an existing model from the inventory or a first version for a new model for the inventory.
- Using `--persist` adds the scan results to an existing model in the AISec Platform Console.
```
docker run --rm ^
  -e HL_LICENSE ^
  -e HL_CLIENT_ID ^
  -e HL_CLIENT_SECRET ^
  -e HL_MODEL_SCANNER_PLATFORM_BASE_URL=https://api.eu.hiddenlayer.ai ^
  -e HL_MODEL_SCANNER_TOKEN_URL=https://auth.eu.hiddenlayer.ai/ ^
  -v c:/work/models:/files-to-scan ^
  quay.io/hiddenlayer/distro-cli-modelscanner:latest ^
  --input /files-to-scan --persist --model-name= --model-version=
```

#### Local Mode

- Replace `c:/work/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.

```
docker run --rm ^
  -e HL_LICENSE ^
  -v c:/work/models:/files-to-scan ^
  quay.io/hiddenlayer/distro-cli-modelscanner:latest ^
  --input /files-to-scan
```

## Add Certificate to Run Command

If you need to add an SSL certificate to the `docker run` command, you can mount the certificate at runtime.

### macOS

See [Hybrid and Disconnected modes](/docs/products/model-scanner/cli/hybrid_disconnected) for more information.

#### Hybrid Mode - US Region

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- This example uses `$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro` to mount the SSL certificate.
  - `$(pwd)/certs/internal-root.crt` is the path to the certificate on the host system.
  - `/etc/ssl/certs/internal-root.crt` is the container path where the certificate will be mounted.
  - `ro` specifies the mount as read-only.
- Set the `--model-name=` value to either the name of an existing model from the inventory (to add a new scan version to the existing model) or a new, unique name (to create a new model entry in the inventory).
- Set the `--model-version=` value to either the next version number for an existing model from the inventory or a first version for a new model for the inventory.
- Using `--persist` adds the scan results to an existing model in the AISec Platform Console.

```
docker run --rm \
  -e HL_LICENSE \
  -e HL_CLIENT_ID \
  -e HL_CLIENT_SECRET \
  -e SSL_CERT_FILE=/etc/ssl/certs/internal-root.crt \
  -v /home/user/models:/files-to-scan \
  -v "$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro" \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan --persist --model-name= --model-version=
```

#### Hybrid Mode - EU Region

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- This example uses `$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro` to mount the SSL certificate.
  - `$(pwd)/certs/internal-root.crt` is the path to the certificate on the host system.
  - `/etc/ssl/certs/internal-root.crt` is the container path where the certificate will be mounted.
  - `ro` specifies the mount as read-only.
- Set the `--model-name=` value to either the name of an existing model from the inventory (to add a new scan version to the existing model) or a new, unique name (to create a new model entry in the inventory).
- Set the `--model-version=` value to either the next version number for an existing model from the inventory or a first version for a new model for the inventory.
- Using `--persist` adds the scan results to an existing model in the AISec Platform Console.
```
docker run --rm \
  -e HL_LICENSE \
  -e HL_CLIENT_ID \
  -e HL_CLIENT_SECRET \
  -e HL_MODEL_SCANNER_PLATFORM_RESULTS_URL='https://api.eu.hiddenlayer.ai' \
  -e HL_MODEL_SCANNER_TOKEN_URL=https://auth.eu.hiddenlayer.ai/ \
  -e SSL_CERT_FILE=/etc/ssl/certs/internal-root.crt \
  -v /home/user/models:/files-to-scan \
  -v "$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro" \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan --persist --model-name= --model-version=
```

#### Local Mode

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- This example uses `$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro` to mount the SSL certificate.
  - `$(pwd)/certs/internal-root.crt` is the path to the certificate on the host system.
  - `/etc/ssl/certs/internal-root.crt` is the container path where the certificate will be mounted.
  - `ro` specifies the mount as read-only.

```
docker run --rm \
  -e HL_LICENSE \
  -e SSL_CERT_FILE=/etc/ssl/certs/internal-root.crt \
  -v /home/user/models:/files-to-scan \
  -v "$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro" \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan
```

### Linux

#### Hybrid Mode - US Region

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- This example uses `$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro` to mount the SSL certificate.
  - `$(pwd)/certs/internal-root.crt` is the path to the certificate on the host system.
  - `/etc/ssl/certs/internal-root.crt` is the container path where the certificate will be mounted.
  - `ro` specifies the mount as read-only.
- Set the `--model-name=` value to either the name of an existing model from the inventory (to add a new scan version to the existing model) or a new, unique name (to create a new model entry in the inventory).
- Set the `--model-version=` value to either the next version number for an existing model from the inventory or a first version for a new model for the inventory.
- Using `--persist` adds the scan results to an existing model in the AISec Platform Console.

```
docker run --rm \
  -e HL_LICENSE \
  -e HL_CLIENT_ID \
  -e HL_CLIENT_SECRET \
  -e SSL_CERT_FILE=/etc/ssl/certs/internal-root.crt \
  -v /home/user/models:/files-to-scan \
  -v "$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro" \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan --persist --model-name= --model-version=
```

#### Hybrid Mode - EU Region

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- This example uses `$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro` to mount the SSL certificate.
  - `$(pwd)/certs/internal-root.crt` is the path to the certificate on the host system.
  - `/etc/ssl/certs/internal-root.crt` is the container path where the certificate will be mounted.
  - `ro` specifies the mount as read-only.
- Set the `--model-name=` value to either the name of an existing model from the inventory (to add a new scan version to the existing model) or a new, unique name (to create a new model entry in the inventory).
- Set the `--model-version=` value to either the next version number for an existing model from the inventory or a first version for a new model for the inventory.
- Using `--persist` adds the scan results to an existing model in the AISec Platform Console.

```
docker run --rm \
  -e HL_LICENSE \
  -e HL_CLIENT_ID \
  -e HL_CLIENT_SECRET \
  -e HL_MODEL_SCANNER_PLATFORM_RESULTS_URL='https://api.eu.hiddenlayer.ai' \
  -e HL_MODEL_SCANNER_TOKEN_URL=https://auth.eu.hiddenlayer.ai/ \
  -e SSL_CERT_FILE=/etc/ssl/certs/internal-root.crt \
  -v /home/user/models:/files-to-scan \
  -v "$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro" \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan --persist --model-name= --model-version=
```

#### Local Mode

- Replace `/home/user/models` with the path on the local machine where models to be scanned are located.
- To scan a specific file in the folder, update `--input /files-to-scan` with the file name. Example: `--input /files-to-scan/test_model.pkl`.
- This example uses `$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro` to mount the SSL certificate.
  - `$(pwd)/certs/internal-root.crt` is the path to the certificate on the host system.
  - `/etc/ssl/certs/internal-root.crt` is the container path where the certificate will be mounted.
  - `ro` specifies the mount as read-only.

```
docker run --rm \
  -e HL_LICENSE \
  -e SSL_CERT_FILE=/etc/ssl/certs/internal-root.crt \
  -v /home/user/models:/files-to-scan \
  -v "$(pwd)/certs/internal-root.crt:/etc/ssl/certs/internal-root.crt:ro" \
  quay.io/hiddenlayer/distro-cli-modelscanner:latest \
  --input /files-to-scan
```

## Inspect Scan Results of Test ML Model

At scan completion, a scan result similar to the following will be emitted to stdout. Scan results will be JSON-minified, but are shown formatted here for readability.
```
{
  "scan_id": "13c0f8a4-c938-43ee-9d95-2803ccd7de10",
  "start_time": "2025-02-12T17:55:36.511Z",
  "end_time": "2025-02-12T17:55:36.517Z",
  "status": "done",
  "version": "latest",
  "$schema_version": "3.1.0",
  "inventory": {
    "requested_scan_location": "/files-to-scan/ZS_withConfig.nemo",
    "model_id": "00000000-0000-0000-0000-000000000000",
    "model_name": "cli-latest-cdffd55e-802b-4440-8403-698e930e5bb9",
    "model_version": "1739382936",
    "model_version_id": "00000000-0000-0000-0000-000000000000"
  },
  "file_results": [
    {
      "file_instance_id": "01c8c57d-dd77-488b-b459-709f1933f7b2",
      "file_location": "/files-to-scan/ZS_withConfig.nemo",
      "status": "done",
      "start_time": "2025-02-12T17:55:36.511Z",
      "end_time": "2025-02-12T17:55:36.517Z",
      "details": {
        "sha256": "6a15d94d7c9a67d2574ba8226cfa7d678524899d61f18f98cb218da6e30f0570",
        "file_type": "TAR",
        "file_type_details": {},
        "estimated_time": ""
      },
      "seen": "2025-02-12T17:55:36.511Z",
      "detections": [
        {
          "detection_id": "b3598a21-bdb0-4f4d-9c66-c7f127894b43",
          "rule_id": "NEMO_0008_202408",
          "category": "Decompression Vulnerabilities",
          "description": "Archive Contains Tar Slip attack, which can be used to overwrite files on the system.",
          "severity": "high",
          "mitre_atlas": [
            {
              "technique": "AML.T0010",
              "tactic": "AML.TA0004"
            }
          ],
          "owasp": [
            "ML06",
            "LLM05"
          ],
          "cwe": "",
          "cwe_href": ""
        }
      ]
    }
  ],
  "detection_count": 1,
  "file_count": 1,
  "files_with_detections_count": 1,
  "summary": {
    "detection_count": 1,
    "file_count": 1,
    "severity": "high",
    "files_with_detections_count": 1,
    "detection_categories": [
      "Decompression Vulnerabilities"
    ]
  }
}
```
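The result shown above can drive a pipeline gate. The following is an added example, not part of the product or its documentation: it reads the JSON result and returns a non-zero exit code when a detection meets a severity threshold or when the scan result cannot be trusted. The severity ordering, the exit codes and the name `evaluate_scan` are assumptions, it assumes the JSON result is the only text on stdout, and the sample input is constructed from the fields shown above.

```python
import json
import sys

# Assumed severity ordering; the sample result on this page only shows "high".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: the page's result trimmed to the fields the gate reads.
SAMPLE = json.dumps({
    "status": "done",
    "file_results": [{
        "file_location": "/files-to-scan/ZS_withConfig.nemo",
        "status": "done",
        "details": {"sha256": "6a15d94d7c9a67d2574ba8226cfa7d678524899d61f18f98cb218da6e30f0570"},
        "detections": [{"rule_id": "NEMO_0008_202408", "severity": "high",
                        "category": "Decompression Vulnerabilities"}],
    }],
})


def evaluate_scan(raw, fail_at="high"):
    """Return (exit_code, findings): 0 pass, 1 blocked by a detection, 2 unusable scan."""
    try:
        result = json.loads(raw)
    except json.JSONDecodeError:
        return 2, ["scanner output is not valid JSON"]
    if not isinstance(result, dict) or result.get("status") != "done":
        return 2, ["scan did not reach status 'done'"]
    files = result.get("file_results") or []
    if not files:
        # Fail closed: an empty mount or a wrong --input path must not look like a pass.
        return 2, ["no files were scanned"]
    threshold = SEVERITY_RANK[fail_at]
    code, findings = 0, []
    for entry in files:
        location = entry.get("file_location", "?")
        if entry.get("status") != "done":
            return 2, [f"{location}: file scan status is {entry.get('status')!r}"]
        digest = entry.get("details", {}).get("sha256", "?")
        for det in entry.get("detections", []):
            severity = str(det.get("severity", "")).lower()
            # Unknown severities rank above every threshold so they always block.
            if SEVERITY_RANK.get(severity, 99) >= threshold:
                code = 1
            findings.append(f"{severity or 'unknown'} {det.get('rule_id')} "
                            f"[{det.get('category')}] {location} sha256={digest}")
    return code, findings


if __name__ == "__main__":
    exit_code, report = evaluate_scan(sys.stdin.read())
    print("\n".join(report) or "no detections", file=sys.stderr)
    sys.exit(exit_code)
```

Pipe the `docker run` output into the script and let the CI job fail on any non-zero exit code; the sha256 in each finding ties the verdict to the exact artifact that was scanned.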