Hugging Face Model Analysis
Hugging Face Ecosystem
IQ Server Hugging Face application analysis supports all AI/ML models hosted on the Hugging Face (HF) platform. These include a variety of popular AI/ML models in use by the developer community, e.g. Large Language Models (LLMs), image classification, object detection, speech recognition etc.
What is Supported
You can scan applications that include any model from the Hugging Face platform with Sonatype CLI and view the evaluation reports.
The table below lists the formats and extensions for the models supported by Sonatype CLI:
| Format | Extension |
|---|---|
| | .bin, .pt, .pth, .pkl, .pickle |
| | .safetensors |
| | .h5 |
| | .bin |
| | .bin |
| | .bin |
| | .gguf |
| Rust | .ot |
| Transformers Pytorch | .bin.index.json |
| Transformers Safetensors | .safetensors.index.json |
| Transformers TensorFlow | .h5.index.json |
| | .onnx |
| | .bin |
| Transformers Flax | .msgpack.index.json |
| | .msgpack |
| | .bin |
Types of Repositories Supported
Models on the HF platform can be organized in different folder structures inside a single repository.
Sonatype CLI can scan:
- Repositories with a single model stored as one file.
- Repositories with a single model that is sharded (split across multiple files).
- Repositories with multiple models (different formats) in multiple non-sharded files.
- Repositories with multiple models (different formats) in different folders (directories).
Using Git LFS
Models on the HF platform are hosted as Git repositories.
Enabling Git Large File Storage (git-lfs) may be necessary for cloning the models. This ensures that the git clone command actually downloads the model files to disk.
Starting with release 189, you can scan the model files without enabling git-lfs and without downloading the complete model file.
Steps To Analyze
1. Clone/download the repository from the HF platform. The name of the model is also the name of the repository.
Example:

Should I enable Git LFS?
Starting with release 189, you can scan both:
- A fully cloned model file, with git-lfs enabled (supported in all previous versions).
- A model cloned without enabling git-lfs. In this case, the clone command creates git-lfs pointer files and does not download the complete model file. Sonatype IQ CLI (version 2.3.0, released April 2025) uses the git-lfs pointer files to determine the identity of the model.
2. Invoke Sonatype IQ CLI to scan the model files. The model files are evaluated against policy conditions and the link for a detailed evaluation report is generated.
3. Go to Sonatype Lifecycle > Reports to view the application report.
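The following is an added example, not Sonatype's code and not a description of the CLI's internals: it walks a cloned HF repository, picks out files with the extensions listed in the table above, and reports each file's identity either from its git-lfs pointer (the three-line `version`/`oid sha256:`/`size` layout of the git-lfs v1 pointer spec) or, for a fully downloaded file, from its own sha256. The extension sets and the 1 KiB pointer-size limit are assumptions chosen for this illustration.

```python
import hashlib
import re
from pathlib import Path

# Extensions this page lists as supported model formats (assumed set, incl. shard index files).
MODEL_EXTENSIONS = {".bin", ".pt", ".pth", ".pkl", ".pickle", ".safetensors",
                    ".h5", ".gguf", ".ot", ".onnx", ".msgpack"}
INDEX_SUFFIXES = (".bin.index.json", ".safetensors.index.json",
                  ".h5.index.json", ".msgpack.index.json")

# Layout of a Git LFS pointer file (git-lfs spec v1): exactly these three lines.
LFS_POINTER_RE = re.compile(
    r"\Aversion https://git-lfs\.github\.com/spec/v1\n"
    r"oid sha256:(?P<oid>[0-9a-f]{64})\n"
    r"size (?P<size>\d+)\n\Z")


def parse_lfs_pointer(data: bytes):
    """Return {'oid', 'size'} if data is an LFS pointer file, else None."""
    if len(data) > 1024:  # real weights are large; a pointer is a few dozen bytes
        return None
    match = LFS_POINTER_RE.match(data.decode("utf-8", errors="replace"))
    if match is None:
        return None
    return {"oid": match.group("oid"), "size": int(match.group("size"))}


def is_model_file(name: str) -> bool:
    """True for any file name whose extension appears in the table above."""
    return Path(name).suffix in MODEL_EXTENSIONS or name.endswith(INDEX_SUFFIXES)


def inventory(repo: Path) -> dict:
    """Identify every model file in a cloned HF repo (sharded or not, any folder).
    LFS pointers yield the sha256 recorded by git-lfs; full files are hashed here."""
    results = {}
    for path in sorted(p for p in repo.rglob("*") if p.is_file()):
        if ".git" in path.parts or not is_model_file(path.name):
            continue
        data = path.read_bytes()
        pointer = parse_lfs_pointer(data)
        key = path.relative_to(repo).as_posix()
        if pointer is not None:
            results[key] = {"kind": "lfs-pointer", **pointer}
        else:
            results[key] = {"kind": "full-file", "size": len(data),
                            "oid": hashlib.sha256(data).hexdigest()}
    return results
```

Call `inventory(Path("path/to/cloned-model-repo"))` on a clone made with or without git-lfs; pointer-only clones report `lfs-pointer` entries with the upstream sha256, full clones report `full-file` entries with a locally computed hash.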