Hugging Face Model Analysis
Hugging Face Ecosystem
IQ Server Hugging Face application analysis supports all AI/ML models hosted on the Hugging Face (HF) platform. These include a variety of popular AI/ML models in use by the developer community, e.g. Large Language Models (LLMs), image classification, object detection, speech recognition etc.
What is Supported
You can scan applications that include any model from the Hugging Face platform with Sonatype CLI and view the evaluation reports.
The table below lists the formats and extensions for the models supported by Sonatype CLI:
Format | Extension |
|---|---|
.bin, .pt, .pth, .pkl, .pickle | |
.safetensors | |
.h5 | |
.bin | |
.bin | |
.bin | |
.gguf | |
Rust | .ot |
Transformers Pytorch | .bin.index.json |
Transformers Safetensors | .safetensors.index.json |
Transformers TensorFlow | .h5.index.json |
.onnx | |
.bin | |
Transformers Flax | .msgpack.index.json |
.msgpack | |
.bin |
Models on the HF platform are hosted as Git repositories.
Git Large File Storage (git-lfs) may be necessary for cloning the models. This will ensure that the git clone commands actually download the model files. Without git-lfs, the clone commands create pointers instead of downloading the actual models, and cause the IQ scanner/Sonatype CLI to fail.
Types of Repositories Supported
Models on the HF platform could be organized in different folder structures inside a single repositories.
IQ scanner/Sonatype CLI can scan:
Repositories with a single model as one single file.
Repositories with a single model which is sharded (split across multiple files).
Repositories with multiple models (different formats) in multiple non-sharded files.
Repositories with multiple models (different formats) in different folders (directories).
Steps To Analyze
1. Clone/download the repository from the HF platform. The name of the model is also the name of the repository.
Example:
2. Invoke Sonatype IQ CLI to scan the model files. The model files are evaluated against policy conditions and the link for a detailed evaluation report is generated.
3. Go to Sonatype Lifecycle > Reports to view the application report.