
Discovery of Third-Party AI Models and Providers

Note: Mend AI is available as part of the Mend AppSec Platform.
Some features require a Mend AI Premium entitlement for your organization.
Please contact your Customer Success Manager at Mend.io to learn about enabling Mend AI.

Overview

This article explains how to use Mend AI’s discovery of Third-Party AI Models and Providers in your project/application inventory in the Mend AppSec Platform.

Note: Mend AI’s Third-Party AI Models and Providers discovery works at the code level, not the artifact level (unlike earlier iterations of this offering).

Getting it done

Prerequisites

  • A Mend AI entitlement for your organization.

  • Mend AI discovers third-party AI models automatically as part of an SCA CLI scan (mend dep / mend sca). However, it uses a separate scanner, which must be enabled for automatic AI discovery to take place as part of your SCA scans.

To run an SCA scan, please follow the steps in this article.

The Steps

Step 1 - Navigate to the application you wish to review under Applications.


Step 2 - Once in the desired application, select AI → AI Models from the left-pane menu.


This takes you to the AI Model Inventory table, which lists the Models along with additional information such as the number of Projects in the application that use each model, the model Category, Provider, License, Origin and more.


Note: Some column headers have tooltips (marked by an icon) containing a comprehensive explanation about the column:


The Risk Factors tooltip

Category: Indicates whether the AI model is accessed through an inference provider (AI Service) or runs locally (Self-Hosted).

Provider: If the model is not self-hosted, this refers to the external company that provides inference services and API access for the AI model.

Origin Type: The detection mechanism used to identify the component. Possible values:

  • code - component was detected through source code scanning.

  • artifacts - component was detected in AI artifacts during static or dynamic analysis.

Origin: The location or path where the component was discovered, indicating its source in the system or project.

Risk Factors: Identified risks associated with the AI component, including models, metadata, and relevant information.

Model License: Specifies the model’s licensing type. If open-source, it includes details about the license (e.g., MIT, Apache). Not applicable for proprietary or closed-source models.

Model License Risk: Indicates the level of risk associated with the model’s license. The risk level is assessed by Mend.io’s research team based on the license terms, compliance obligations, and potential restrictions on usage, redistribution, or modifications.

Step 3 - Click a desired finding in the AI Model Inventory table. This will take you to its Finding Details window, where you can get an overview of the finding:


The Overview tab will, among other things:
A. List the Project(s) in which the finding was detected.
B. Provide a Description of the finding.
C. Show you the relevant Lines in the code.
D. Allow you to review the source code in GitHub, by clicking “Show full source code on GitHub”.

Limitations

  • For open-source models, Mend AI covers Hugging Face and Kaggle.

  • For closed-source models accessed through inference providers, Mend AI covers models that can be served from OpenAI, Mistral, Anthropic and DeepSeek.
    Support for AWS Bedrock, Google Vertex and Azure Foundry is planned to be added soon.
