Hugging Face Model Analysis

Hugging Face Ecosystem

IQ Server Hugging Face application analysis supports all AI/ML models hosted on the Hugging Face (HF) platform. These include a variety of popular AI/ML models in use by the developer community, for example Large Language Models (LLMs) and models for image classification, object detection, speech recognition, etc.

What is Supported

You can scan applications that include any model from the Hugging Face platform with Sonatype CLI and view the evaluation reports.

The table below lists the formats and extensions for the models supported by Sonatype CLI:

| Format | Extension |
| --- | --- |
| Pytorch | .bin, .pt, .pth, .pkl, .pickle |
| Safetensors | .safetensors |
| TensorFlow | .h5 |
| TensorFlow.js | .bin |
| OpenVino | .bin |
| MLC-LLM | .bin |
| GGUF | .gguf |
| Rust | .ot |
| Transformers Pytorch | .bin.index.json |
| Transformers Safetensors | .safetensors.index.json |
| Transformers TensorFlow | .h5.index.json |
| ONNX | .onnx |
| GGML | .bin |
| Transformers Flax | .msgpack.index.json |
| Flax/Jax | .msgpack |
| FastText | .bin |

Models on the HF platform are hosted as Git repositories.

Git Large File Storage (git-lfs) may be necessary for cloning the models. It ensures that the git clone commands actually download the model files. Without git-lfs, the clone commands create pointer files instead of downloading the actual models, which causes the IQ scanner/Sonatype CLI to fail.
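
A pre-scan check for the pointer problem described above, as an added example that is not part of Sonatype's documentation or tooling: it walks a cloned repository and lists model files that are still Git LFS pointer stubs. The function names are hypothetical and the extension list is taken from the table above; the signature line and the 1024-byte bound follow the Git LFS pointer file specification.

```shell
#!/bin/sh
# Added example: detect Git LFS pointer stubs left by a clone made without git-lfs.
# Function names are hypothetical; extensions come from the supported-formats table.

LFS_MAGIC='version https://git-lfs.github.com/spec/v1'

# is_lfs_pointer FILE: succeeds if FILE is an LFS pointer stub rather than model data.
is_lfs_pointer() {
    # The LFS spec keeps pointer files under 1024 bytes, so larger files are real data.
    size=$(wc -c < "$1" | tr -d ' ')
    [ "${size:-0}" -lt 1024 ] || return 1
    # Strip NUL and CR so small binary files compare cleanly against the spec line.
    first=$(head -n 1 "$1" | tr -d '\000\r')
    [ "$first" = "$LFS_MAGIC" ]
}

# find_lfs_stubs DIR: print every model file under DIR that is still a pointer stub.
find_lfs_stubs() {
    find "$1" -path '*/.git' -prune -o -type f \( \
        -name '*.bin' -o -name '*.pt' -o -name '*.pth' -o -name '*.pkl' \
        -o -name '*.pickle' -o -name '*.safetensors' -o -name '*.h5' \
        -o -name '*.gguf' -o -name '*.ot' -o -name '*.onnx' \
        -o -name '*.msgpack' \) -print |
    while IFS= read -r f; do
        if is_lfs_pointer "$f"; then printf '%s\n' "$f"; fi
    done
}

# check_repo DIR: return 1 (and list the stubs on stderr) if the clone is incomplete.
check_repo() {
    stubs=$(find_lfs_stubs "$1")
    if [ -n "$stubs" ]; then
        printf 'Git LFS pointer stubs found; run "git lfs pull" first:\n%s\n' \
            "$stubs" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh check_lfs.sh <path-to-cloned-model-repo>
[ "$#" -eq 0 ] || check_repo "$1"
```

A non-zero exit from `check_repo` means at least one model file was never downloaded, so the scan should not be started on that clone.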

Types of Repositories Supported

Models on the HF platform can be organized in different folder structures inside a single repository.

IQ scanner/Sonatype CLI can scan:

  1. Repositories with a single model as one single file.

  2. Repositories with a single model which is sharded (split across multiple files).

  3. Repositories with multiple models (different formats) in multiple non-sharded files.

  4. Repositories with multiple models (different formats) in different folders (directories).

Steps To Analyze

1. Clone/download the repository from the HF platform. The name of the model is also the name of the repository.

2. Invoke Sonatype IQ CLI to scan the model files. The model files are evaluated against policy conditions and a link to a detailed evaluation report is generated.

3. Go to Sonatype Lifecycle > Reports to view the application report.