AI Governance Policy Loader for ML-BOM Scanning

Module

Scanner

Status

IMPLEMENTED

Description

Configurable AI governance policies for scanner-level enforcement of model card requirements, training data lineage thresholds, and EU AI Act compliance categories during SBOM analysis.

Implementation Details

Policy Loader:
- src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Policy/AiGovernancePolicyLoader.cs - Loads and validates AI governance policy configurations
- src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Policy/AiGovernancePolicy.cs - Policy model defining model card requirements, training data lineage thresholds, and EU AI Act compliance categories
Enforcement Analyzers:
- src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelCardCompletenessAnalyzer.cs - Enforces model card completeness requirements from policy
- src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelCardScoring.cs - Scores model cards against policy thresholds
- src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/TrainingDataProvenanceAnalyzer.cs - Validates training data lineage against policy thresholds
- src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/AiSafetyRiskAnalyzer.cs - EU AI Act risk classification
Worker Integration:
- src/Scanner/StellaOps.Scanner.Worker/Processing/AiMlSecurity/AiMlSecurityStageExecutor.cs - Stage executor that loads governance policy and runs analyzers during scan
Models: src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Models/AiMlSecurityModels.cs

E2E Test Plan

Configure an AI governance policy with specific model card requirements (e.g., require description, intended use, limitations fields)
Scan an image containing an ML model with incomplete model card metadata
Verify the scan produces findings for missing model card fields per policy
Configure training data lineage threshold and verify scan flags models below threshold
Configure EU AI Act compliance category and verify classification is applied to findings
Verify policy changes are picked up on subsequent scans without service restart

2.2 KiB Raw Blame History