Safeguard.sh Documentation Center

AI Security Posture Management (AI-SPM)

Scan model artifacts for malware and unsafe deserialization — pickle opcode disassembly, torch-zip inspection, safetensors/GGUF validation, and ONNX graph inspection — before untrusted weights ever load.

AI Security Posture Management (AI-SPM)

Model weights are executable supply chain artifacts. A malicious pickle can run arbitrary code the moment a model is loaded. AI-SPM inspects model artifacts before they are trusted, catching malware and unsafe deserialization in the formats teams actually ship.

AI-SPM is the lifecycle wrapper around Safeguard's AI security — discover, assess, protect, govern, monitor. Model-artifact scanning (below) is the shipped core; it sits alongside AI-BOM discovery, which inventories the models it scans, and the AI Gateway, the runtime LLM firewall.

Model-artifact malware scanning

AI-SPM statically analyzes model files without loading them:

FormatWhat AI-SPM does
Pickle (.pkl, .bin, PyTorch state dicts)Disassembles the pickle opcode stream and flags dangerous operations — imports of os / subprocess / eval, and REDUCE / BUILD opcodes that can trigger arbitrary code execution during deserialization. Mapped to CWE-502 (unsafe deserialization) and CWE-94 (code injection).
PyTorch .pt / .zip archivesA torch-zip walker unpacks the archive and inspects each embedded pickle for the same dangerous patterns.
safetensorsValidates the file structure and header to confirm it is a genuine, tensor-only artifact with no executable payload.
GGUFValidates the GGUF container structure so malformed or tampered files are caught before use.
ONNXA non-executing protobuf walker parses the model graph without running it and flags two risks: (a) custom / non-standard-domain operators and embedded code-execution ops — CWE-94 (code injection); and (b) external_data references whose path escapes the model directory (absolute paths, .., UNC paths, or URLs) — CWE-22 (path traversal). Malformed input fails safe.

Because pickle-based formats can execute code on load, AI-SPM treats any dangerous opcode as a high-signal finding — the whole point is to catch it before the weights are deserialized. Format coverage expands over time; ONNX is the most recent addition to the model formats AI-SPM inspects.

Findings

Each finding identifies the artifact, the format, the specific opcode or import that fired, and the mapped CWE. Findings flow into the unified findings model discriminated as aisec, tenant/org-scoped end to end.

Configuration

AI-SPM is admin-toggleable via a feature flag, enforced server-side. Once enabled, model artifacts are scanned as they are ingested through your registries and pipelines.

On this page