"""squash/hf_scanner.py — Sprint 14 W205 (B1) — public HuggingFace model scanner. The free top-of-funnel growth tool: any engineer can run squash scan hf://meta-llama/Llama-3.1-8B-Instruct against any public HuggingFace model and get a structured security + license + policy preview in under a minute. No login, no enterprise SaaS, no sales call. Squash's brand-builder on the platform with the largest concentration of ML engineers in the world. The scanner builds on the existing :mod:`squash.scanner` (security findings) and :mod:`squash.policy` (compliance preview); this module adds: 1. ``hf://owner/model`` URI parsing 2. Lazy ``huggingface_hub.snapshot_download`` wrapper with optional revision pinning 3. Repo-metadata enrichment (license, downloads, last_modified, library_name) so the report contains the social-proof fields HF reviewers care about 4. A signed JSON + human-readable Markdown report keyed to the ``squash-hf-scan.{json,md}`` convention Stdlib-only. ``huggingface_hub`` is lazy-imported so the module ships in environments without it (the CLI surfaces a clean ImportError when the user actually invokes the hf:// path). """ from __future__ import annotations import json import logging import re import shutil import tempfile from dataclasses import dataclass, field from pathlib import Path from typing import Any log = logging.getLogger(__name__) # ── URI parsing ────────────────────────────────────────────────────────────── HF_URI_PATTERN = re.compile( r"^hf://(?P[A-Za-z0-9][A-Za-z0-9._-]*)/(?P[A-Za-z0-9][A-Za-z0-9._-]*)" r"(?:@(?P[A-Za-z0-9._/-]+))?$" ) @dataclass class HFRef: """Parsed ``hf://owner/model[@revision]`` reference.""" owner: str model: str revision: str = "" @property def repo_id(self) -> str: return f"{self.owner}/{self.model}" @property def url(self) -> str: base = f"https://huggingface.co/{self.repo_id}" return f"{base}/tree/{self.revision}" if self.revision else base def parse_hf_uri(uri: str) -> HFRef: """Parse an ``hf://owner/model[@revision]`` URI. Raises: ValueError: if the URI is malformed. """ if not uri.startswith("hf://"): raise ValueError( f"Not an hf:// URI: {uri!r}. Expected form: hf://owner/model[@revision]" ) m = HF_URI_PATTERN.match(uri) if not m: raise ValueError( f"Malformed hf:// URI: {uri!r}. Expected form: hf://owner/model[@revision]" ) return HFRef( owner=m.group("owner"), model=m.group("model"), revision=m.group("revision") or "", ) def is_hf_uri(s: str) -> bool: """Cheap-check whether *s* is an hf:// URI (no network calls).""" return isinstance(s, str) and s.startswith("hf://") # ── Repo metadata ──────────────────────────────────────────────────────────── @dataclass class RepoMetadata: """Subset of HF repo metadata we surface in the scan report.""" repo_id: str revision: str = "" license: str = "" downloads: int = 0 last_modified: str = "" library_name: str = "" pipeline_tag: str = "" tags: list[str] = field(default_factory=list) sha: str = "" def to_dict(self) -> dict[str, Any]: return { "repo_id": self.repo_id, "revision": self.revision, "license": self.license or "unknown", "downloads": self.downloads, "last_modified": self.last_modified, "library_name": self.library_name, "pipeline_tag": self.pipeline_tag, "tags": list(self.tags), "sha": self.sha, } # ── Scan report (wraps a ScanResult) ───────────────────────────────────────── @dataclass class HFScanReport: """End-to-end report: HF metadata + scanner findings + policy preview.""" ref: HFRef metadata: RepoMetadata scan_status: str # "clean" | "unsafe" | "warning" | "error" | "skipped" is_safe: bool findings: list[dict[str, Any]] = field(default_factory=list) license_warnings: list[str] = field(default_factory=list) policy_results: dict[str, dict[str, Any]] = field(default_factory=dict) file_count: int = 0 weight_format: str = "" squash_version: str = "hf_scan_v1" def to_dict(self) -> dict[str, Any]: return { "squash_version": self.squash_version, "uri": f"hf://{self.ref.repo_id}" + (f"@{self.ref.revision}" if self.ref.revision else ""), "url": self.ref.url, "metadata": self.metadata.to_dict(), "scan": { "status": self.scan_status, "is_safe": self.is_safe, "file_count": self.file_count, "weight_format": self.weight_format, "findings": list(self.findings), }, "license_warnings": list(self.license_warnings), "policy_results": dict(self.policy_results), } def to_json(self, indent: int = 2) -> str: return json.dumps(self.to_dict(), indent=indent, sort_keys=True) def to_markdown(self) -> str: """Human-readable Markdown summary suitable for the HF Spaces UI.""" m = self.metadata scan_emoji = "✅" if self.is_safe else "⚠️" if self.scan_status == "warning" else "❌" lines = [ f"# Squash Scan — `{m.repo_id}`", "", f"**URL:** {self.ref.url} ", f"**Revision:** `{m.revision or 'main'}` " + (f"({m.sha[:12]}…)" if m.sha else ""), "", "## Repo Metadata", "", f"| Field | Value |", f"|---|---|", f"| License | `{m.license or 'unknown'}` |", f"| Downloads | {m.downloads:,} |", f"| Last modified | {m.last_modified or 'unknown'} |", f"| Library | {m.library_name or '—'} |", f"| Pipeline tag | {m.pipeline_tag or '—'} |", f"| Tags | {', '.join('`' + t + '`' for t in m.tags[:8]) or '—'} |", "", "## Security Scan", "", f"{scan_emoji} **Status:** `{self.scan_status.upper()}` " f"({len(self.findings)} findings across {self.file_count} files) ", f"**Weight format detected:** {self.weight_format or 'unknown'}", "", ] if self.findings: lines.append("| Severity | File | Title |") lines.append("|---|---|---|") for f in self.findings[:25]: sev = str(f.get("severity", "info")).upper() fp = f.get("file_path") or f.get("file") or "-" title = str(f.get("title", "")).replace("|", "\\|") lines.append(f"| {sev} | `{Path(fp).name}` | {title} |") if len(self.findings) > 25: lines.append(f"| … | _{len(self.findings) - 25} more_ | |") else: lines.append("_No findings._") lines.append("") if self.license_warnings: lines.append("## License Warnings") lines.append("") for w in self.license_warnings: lines.append(f"- ⚠️ {w}") lines.append("") if self.policy_results: lines.append("## Policy Preview") lines.append("") lines.append("| Policy | Status | Errors | Warnings |") lines.append("|---|---|---|---|") for name in sorted(self.policy_results): pr = self.policy_results[name] emoji = "✅" if pr.get("passed") else "❌" lines.append( f"| `{name}` | {emoji} {('PASS' if pr.get('passed') else 'FAIL')} " f"| {pr.get('errors', 0)} | {pr.get('warnings', 0)} |" ) lines.append("") lines.append("---") lines.append( "*Generated by [squash](https://getsquash.dev). " f"Run yourself: `pip install squash-ai && squash scan hf://{m.repo_id}`*" ) return "\n".join(lines) + "\n" def save( self, output_dir: Path | str, stem: str = "squash-hf-scan", ) -> dict[str, Path]: """Write JSON + Markdown to *output_dir*. Returns mapping fmt → path.""" output_dir = Path(output_dir) output_dir.mkdir(parents=True, exist_ok=True) written: dict[str, Path] = {} json_path = output_dir / f"{stem}.json" json_path.write_text(self.to_json(), encoding="utf-8") written["json"] = json_path md_path = output_dir / f"{stem}.md" md_path.write_text(self.to_markdown(), encoding="utf-8") written["md"] = md_path return written # ── Scanner orchestrator ───────────────────────────────────────────────────── # Allowed HF download patterns — block large weight files unless the caller # explicitly opts in via download_weights=True. Default profile fetches model # cards + configs + small auxiliary files only, which is enough for the scanner # to detect pickle / unsafe ops in tokenizers + small artefacts. Full-weight # scan is opt-in. _DEFAULT_ALLOW_PATTERNS: tuple[str, ...] = ( "*.json", "*.txt", "*.md", "*.py", "*.yaml", "*.yml", "tokenizer*", "vocab*", "merges.txt", "special_tokens_map.json", "config.json", "generation_config.json", "*.gguf", "*.safetensors", ) _WEIGHT_LIGHT_DENY_PATTERNS: tuple[str, ...] = ( "*.bin", "*.pt", "*.pth", "*.gguf", "*.safetensors", "*.h5", "*.tflite", "*.onnx", "*.msgpack", ) _KNOWN_PERMISSIVE_LICENSES: frozenset[str] = frozenset({ "apache-2.0", "mit", "bsd-2-clause", "bsd-3-clause", "cc-by-4.0", "cc-by-sa-4.0", "cc0-1.0", "openrail", "openrail++", }) _KNOWN_RESTRICTED_LICENSES: frozenset[str] = frozenset({ # Permitted but with use-case / commercial restrictions worth flagging. "llama2", "llama3", "llama3.1", "llama3.2", "llama3.3", "gemma", "gemma2", "gemma3", "creativeml-openrail-m", "bigscience-openrail-m", "bigscience-bloom-rail-1.0", "deepseek", }) class HFScanner: """Resolve an ``hf://`` reference, scan it, return a structured report. Usage:: scanner = HFScanner() report = scanner.scan("hf://microsoft/phi-3-mini-4k-instruct", policies=["enterprise-strict"]) report.save("./out") The scanner is stateless — every call builds a fresh temp dir. """ def scan( self, uri: str, *, policies: list[str] | None = None, download_weights: bool = False, keep_download: bool = False, token: str = "", ) -> HFScanReport: """Resolve, fetch, scan, render. Returns :class:`HFScanReport`. Args: uri: ``hf://owner/model[@revision]``. policies: Names from ``AVAILABLE_POLICIES`` to preview. ``None`` skips the policy step. download_weights: If ``True``, fetches full weight files. Default ``False`` — small artefacts only — keeps the public scanner fast and cheap. keep_download: Retain the temp directory after scanning. Use only for debugging — the path is logged. token: Optional HF Hub token for private repos. The public scanner is intended for public models; this flag is escape-hatch only. Raises: ValueError: malformed URI. ImportError: ``huggingface_hub`` not installed. """ ref = parse_hf_uri(uri) local_dir = self._snapshot_download( ref, download_weights=download_weights, token=token, ) try: metadata = self._fetch_metadata(ref, token=token) scan_result = self._run_scanner(local_dir) policy_results = self._run_policies(local_dir, policies or []) license_warnings = self._license_warnings(metadata) weight_format = self._detect_weight_format(local_dir) findings_dicts = [ { "severity": f.severity, "finding_id": f.finding_id, "title": f.title, "detail": f.detail, "file_path": str(Path(f.file_path).relative_to(local_dir)) if Path(f.file_path).is_absolute() and self._is_under(Path(f.file_path), local_dir) else f.file_path, "cve": f.cve, } for f in scan_result.findings ] file_count = sum(1 for _ in local_dir.rglob("*") if _.is_file()) report = HFScanReport( ref=ref, metadata=metadata, scan_status=scan_result.status, is_safe=scan_result.is_safe, findings=findings_dicts, license_warnings=license_warnings, policy_results=policy_results, file_count=file_count, weight_format=weight_format, ) return report finally: if not keep_download: shutil.rmtree(local_dir, ignore_errors=True) else: log.info("hf_scanner: kept download at %s", local_dir) # ── Internals ───────────────────────────────────────────────────────── def _snapshot_download( self, ref: HFRef, *, download_weights: bool, token: str, ) -> Path: try: from huggingface_hub import snapshot_download # type: ignore except ImportError as exc: raise ImportError( "hf:// scanning requires `huggingface_hub`. " "Install with: pip install huggingface_hub" ) from exc tmp = Path(tempfile.mkdtemp(prefix="squash-hf-")) kwargs: dict[str, Any] = { "repo_id": ref.repo_id, "local_dir": str(tmp), "local_dir_use_symlinks": False, } if ref.revision: kwargs["revision"] = ref.revision if token: kwargs["token"] = token if not download_weights: kwargs["allow_patterns"] = list(_DEFAULT_ALLOW_PATTERNS) kwargs["ignore_patterns"] = list(_WEIGHT_LIGHT_DENY_PATTERNS) snapshot_download(**kwargs) return tmp def _fetch_metadata(self, ref: HFRef, *, token: str) -> RepoMetadata: try: from huggingface_hub import HfApi # type: ignore except ImportError: return RepoMetadata(repo_id=ref.repo_id, revision=ref.revision or "main") try: api = HfApi(token=token or None) info = api.model_info(repo_id=ref.repo_id, revision=ref.revision or None) except Exception as exc: # noqa: BLE001 — surface metadata errors gently log.warning("hf_scanner: model_info failed: %s", exc) return RepoMetadata(repo_id=ref.repo_id, revision=ref.revision or "main") card_data = getattr(info, "card_data", None) or {} # card_data may be a dict or a CardData object — duck-type if hasattr(card_data, "to_dict"): card_dict = card_data.to_dict() elif isinstance(card_data, dict): card_dict = card_data else: card_dict = {} license_val = card_dict.get("license") or getattr(info, "license", "") or "" if isinstance(license_val, list): license_val = license_val[0] if license_val else "" last_modified = "" lm = getattr(info, "last_modified", None) if lm is not None: last_modified = lm.isoformat() if hasattr(lm, "isoformat") else str(lm) tags = list(getattr(info, "tags", []) or []) return RepoMetadata( repo_id=ref.repo_id, revision=ref.revision or getattr(info, "sha", "") or "main", license=str(license_val).lower() if license_val else "", downloads=int(getattr(info, "downloads", 0) or 0), last_modified=last_modified, library_name=getattr(info, "library_name", "") or "", pipeline_tag=getattr(info, "pipeline_tag", "") or "", tags=tags, sha=getattr(info, "sha", "") or "", ) def _run_scanner(self, local_dir: Path): from squash.scanner import ModelScanner return ModelScanner.scan_directory(local_dir) def _run_policies( self, local_dir: Path, policy_names: list[str], ) -> dict[str, dict[str, Any]]: if not policy_names: return {} # Build a minimal SBOM-shaped dict so PolicyEngine can evaluate. # The public scanner's policy preview is a *light* compliance check — # it does not run the full attestation pipeline. We surface # rule-level pass/fail counts only. try: from squash.policy import PolicyEngine, AVAILABLE_POLICIES except ImportError as exc: log.warning("hf_scanner: policy preview unavailable: %s", exc) return {} # Construct a minimal CycloneDX-shaped SBOM for policy evaluation. # Real attestation builds a richer one; the preview is honest about # being a preview by exposing only what we can reliably populate # from public metadata + a light scan. bom: dict[str, Any] = { "bomFormat": "CycloneDX", "specVersion": "1.7", "components": [{ "type": "machine-learning-model", "name": local_dir.name, "version": "unknown", }], "squash:scan_result": "clean", # populated by the real attest path "squash:hf_preview": True, } out: dict[str, dict[str, Any]] = {} for name in policy_names: if name not in AVAILABLE_POLICIES: out[name] = { "passed": False, "errors": 0, "warnings": 0, "error": f"unknown policy: {name}", } continue try: pr = PolicyEngine.evaluate(bom, name) except Exception as exc: # noqa: BLE001 out[name] = { "passed": False, "errors": 0, "warnings": 0, "error": str(exc), } continue out[name] = { "passed": bool(pr.passed), "errors": int(pr.error_count), "warnings": int(pr.warning_count), } return out @staticmethod def _license_warnings(metadata: RepoMetadata) -> list[str]: out: list[str] = [] lic = (metadata.license or "").lower() if not lic or lic == "unknown": out.append( "License is not declared in the repo card. Treat as " "all-rights-reserved unless verified directly with the publisher." ) return out if lic in _KNOWN_RESTRICTED_LICENSES: out.append( f"License `{lic}` carries deployment-specific restrictions " "(commercial / MAU thresholds / use-case clauses). Run " "`squash license-check --deployment-type ` before deploy." ) elif lic not in _KNOWN_PERMISSIVE_LICENSES: out.append( f"License `{lic}` is not on the squash-permissive list. " "Verify deployment compatibility manually." ) return out @staticmethod def _detect_weight_format(local_dir: Path) -> str: """Best-effort weight-format detection from filenames present on disk.""" names = {p.name.lower() for p in local_dir.rglob("*") if p.is_file()} suffixes = {p.suffix.lower() for p in local_dir.rglob("*") if p.is_file()} if any(n.endswith(".safetensors") for n in names): return "safetensors" if ".gguf" in suffixes: return "gguf" if any(s in suffixes for s in (".bin", ".pt", ".pth")): return "pickle (pytorch)" if any(s in suffixes for s in (".h5", ".tflite")): return "tensorflow" if ".onnx" in suffixes: return "onnx" # Light-mode default — weights deliberately not downloaded return "metadata-only (use --download-weights for full scan)" @staticmethod def _is_under(p: Path, parent: Path) -> bool: try: p.resolve().relative_to(parent.resolve()) return True except (ValueError, OSError): return False __all__ = [ "HFRef", "RepoMetadata", "HFScanReport", "HFScanner", "parse_hf_uri", "is_hf_uri", "HF_URI_PATTERN", ]