Install AI Model Security

1. Generate the pip index link.

   Copy the script below and save it to your local environment (alternatively, you can create your own script using this as a reference).

   
   #!/bin/bash
   #
   # Model Security Private PyPI Authentication Script
   # Authenticates with SCM and retrieves PyPI repository URL
   #
   
   set -euo pipefail
   
   # Check required environment variables
   : "${MODEL_SECURITY_CLIENT_ID:?Error: MODEL_SECURITY_CLIENT_ID not set}"
   : "${MODEL_SECURITY_CLIENT_SECRET:?Error: MODEL_SECURITY_CLIENT_SECRET not set}"
   : "${TSG_ID:?Error: TSG_ID not set}"
   
   # Set default endpoints
   API_ENDPOINT="${MODEL_SECURITY_API_ENDPOINT:-https://api.sase.paloaltonetworks.com/aims}"
   TOKEN_ENDPOINT="${MODEL_SECURITY_TOKEN_ENDPOINT:-https://auth.apps.paloaltonetworks.com/oauth2/access_token}"
   
   # Get SCM access token
   TOKEN_RESPONSE=$(curl -sf -X POST "$TOKEN_ENDPOINT" \
       -H "Content-Type: application/x-www-form-urlencoded" \
       -u "$MODEL_SECURITY_CLIENT_ID:$MODEL_SECURITY_CLIENT_SECRET" \
       -d "grant_type=client_credentials&scope=tsg_id:$TSG_ID") || {
       echo "Error: Failed to obtain SCM access token" >&2
       exit 1
   }
   
   SCM_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')
   if [[ -z "$SCM_TOKEN" || "$SCM_TOKEN" == "null" ]]; then
       echo "Error: Failed to extract access token from response" >&2
       exit 1
   fi
   
   # Get PyPI URL
   PYPI_RESPONSE=$(curl -sf -X GET "$API_ENDPOINT/mgmt/v1/pypi/authenticate" \
       -H "Authorization: Bearer $SCM_TOKEN") || {
       echo "Error: Failed to retrieve PyPI URL" >&2
       exit 1
   }
   
   PYPI_URL=$(echo "$PYPI_RESPONSE" | jq -r '.url')
   if [[ -z "$PYPI_URL" || "$PYPI_URL" == "null" ]]; then
       echo "Error: Failed to extract PyPI URL from response" >&2
       exit 1
   fi
   
   echo "$PYPI_URL"
   

2. Set up authentication using environment variables.

   After placing the script in an executable location, you'll need to set several environment variables before running it. Both the AI Model Security CLI and SDK require authentication credentials set as environment variables. The client automatically manages OAuth2 authentication with the provided credentials.

   
   export MODEL_SECURITY_CLIENT_ID=<your-client-id>
   export MODEL_SECURITY_CLIENT_SECRET=<your-client-secret>
   export TSG_ID=<your-tsg-id>
   export MODEL_SECURITY_API_ENDPOINT="https://api.sase.paloaltonetworks.com/aims"

   Mandatory Environment Variables

   Environmental Variable	Description
   MODEL_SECURITY_CLIENT_ID	Client ID of the SCM service account.
   MODEL_SECURITY_CLIENT_SECRET	Client secret of the SCM service account.
   TSG_ID	TSG ID of your tenant service group.
   MODEL_SECURITY_API_ENDPOINT	URL of the AI Model Security API service.

   Optional Environment Variables

   Environmental Variable	Description
   Set Commands
   --base-url	Base URL of the Model Security API that overrides the MODEL_SECURITY_API_ENDPOINT environment variable.
   --log-level	Log level settings: critical error (default) info debug Setting debug log level is helpful when you want to troubleshoot any issue.
   --silent	(CLI only) Disables all output and logging to standard output.
   Show commands
   --version or -v	(CLI only) Displays the CLI version information.
   --help	(CLI only) Displays the help information.

3. Install AI Model Security package (both SDK and CLI) with uv or pip.

   The SDK enables model scanning across multiple cloud storage platforms. Install the SDK with support for all model sources or select specific cloud providers to minimize package size.

   Available model source types: aws, gcp, azure, artifactory, gitlab, and all.

   1. Install AI Model Security package (both SDK and CLI) using uv, or.

      
      uv add "model-security-client[all]" --index $(/path/to/script.sh)

   2. Install AI Model Security package (both SDK and CLI) using pip.

      pip install "model-security-client[all]" --extra-index-url <URL from Script>
      

      For example, to install AWS cloud storage support.

      pip install "model-security-client[aws]" --extra-index-url <URL from Script>

   The SDK leverages boto3 for S3, google-cloud-storage for GCS, and azure-storage-blob for Azure. Authentication is handled by these underlying SDKs. Refer the respective SDK documentation for authentication setup and additional configuration options.

   • AWS: Credentials - Boto3 1.42.26 documentation.
   • GCS: How Application Default Credentials works | Authentication | Google Cloud Documentation.
   • Azure: Authorize access to blobs using Microsoft Entra ID - Azure Storage.
   • JFrog Artifactory:
     • Use basic authentication. Identity tokens are not supported.
       • Access Tokens
       • Comparing Identity Reference Tokens With API Keys
     • The model-security-client requires the ARTIFACTORY_TOKEN environment variable for the token and ARTIFACTORY_USERNAME for the username.
   • Gitlab Model Registry:
     • Generate token following the instructions in REST API authentication | GitLab Docs.
     • The model-security-client requires the token as the GITLAB_TOKEN environment variable.
     • OAuth not supported, refer OAuth 2.0 identity provider API for details.
4. Initialize the AI Model Security Python SDK.

   To use the Python SDK in your code, import and initialize the AI Model Security client.

   
   from uuid import UUID
   from model_security_client.api import ModelSecurityAPIClient
   
   # Initialize the client
   client = ModelSecurityAPIClient(
       base_url="https://api.sase.paloaltonetworks.com/aims"
   )

   The AI Model Security client uses the same environment variables for authentication as the CLI.