top | item 46291979

(no title)

lab700xdev | 2 months ago

The comparison to npm is spot on. We are seeing the exact same pattern: a massive explosion of dependency complexity, but now the "dependencies" aren't 50KB JavaScript files, they are 10GB binary blobs that we treat as black boxes. The "Shadow AI" problem (developers cloning a random repo + downloading a model from a Google Drive link to get a specific uncensored tune) is exactly what we built the CLI for. We want to make it trivial to run a "hygiene check" on that download folder before mounting it into a container.

discuss

ivape|2 months ago

Consider adding a little UI to this. If I can just right-click a model/zip/folder and click "scan", then there's really no reason not to have this around (speaking in terms of removing any practical barrier, including laziness).

lab700xdev|2 months ago

That barrier to entry ("laziness") is the #1 security vulnerability. If it takes 3 minutes to set up a scanner, nobody does it. That's actually why we built the Web Viewer - so you can just drag-and-drop the JSON output rather than reading terminal logs. But a native OS "Right Click --> Scan with AIsbom" Context Menu integration is a fantastic idea for a future desktop release. Thanks.