Discovery of AI Components
Overview
This article explains how to use AI Components and also touches upon its current limitations.
Prerequisites
A Mend AI entitlement for your organization.
Once enabled, Mend AI discovers AI Components automatically as part of an SCA CLI scan (mend dep/mend sca).
To run an SCA scan, please follow the steps in this article.
Getting it done
Mend AI-enabled organizations in the AppSec Platform are now equipped with default system labels for AI. These labels are essential to the experience of consuming AI Components data provided by Mend AI.
Figure A - System Labels for AI in the Main Dashboard of your Organization
The Steps
Step 1 - Check the relevant AI labels in your organization’s main Security Dashboard.
At this stage, the AppSec Platform will filter the Applications in the dashboard based on the selected labels.
Step 2 - Click the Applications widget.
Figure B - Selected Labels to Display Apps/Projects Containing RAG and HuggingFace AI Components
Step 3 - Click the Labels column on the application you wish to review
Step 4 - You are now taken to the application’s Labels window, where all the AI Components are listed
Figure D - A List of AI Components in the Application
How Does Mend AI Identify AI Components?
Mend AI searches through the package inventory of your application/project to identify AI components.
This is done in a few ways:
Mend AI flags a specific package, e.g., OpenAI.
Mend AI relies on a set of packages that tells a story about a specific component/framework.
In more advanced cases, we have a set of AI components that can tell a story about another important component/framework.
In the case of RAG, in this example, we have a vector database, an embedding model and a generator model.
Mend AI flags important AI packages, e.g., OpenAI
Mend AI flags sentence transformers, which are related to an open-source embedding model
Limitations
No dedicated column/view for the evidence (Roadmap Item)
No organization-level statistics (Roadmap Item)