Scanning Models

Scan a HuggingFace model, local model, or object storage model using CLI/SDK.
Where Can I Use This?
  • Prisma AIRS (AI Model Security)
What Do I Need?
  • Prisma AIRS AI Model Security License
Once your Security Group is configured, you can scan models through either the CLI or Python SDK. The process varies slightly depending on whether you're scanning HuggingFace models or local models.

Scan a HuggingFace Model

To scan a model hosted on HuggingFace, provide the model URI and your Security Group UUID.
Scan using CLI

    model-security scan \
      --security-group-uuid "12345678-1234-1234-1234-123456789012" \
      --model-uri "https://huggingface.co/microsoft/DialoGPT-medium"

Scan using Python SDK

    from model_security_client.api import ModelSecurityAPIClient

    # Initialize the client
    client = ModelSecurityAPIClient(
        base_url="https://api.sase.paloaltonetworks.com/aims"
    )

    result = client.scan(
        security_group_uuid="12345678-1234-1234-1234-123456789012",
        model_uri="https://huggingface.co/microsoft/DialoGPT-medium"
    )

    print(f"Scan completed: {result.eval_outcome}")

AI Model Security automatically fetches the latest version from HuggingFace. To scan a specific version, include the version parameter (--model-version in the CLI, model_version in the SDK).
Scan using CLI

    model-security scan \
      --security-group-uuid "12345678-1234-1234-1234-123456789012" \
      --model-uri "https://huggingface.co/microsoft/DialoGPT-medium" \
      --model-version "7b40bb0f92c45fefa957d088000d8648e5c7fa33"

Scan using Python SDK

    from model_security_client.api import ModelSecurityAPIClient

    # Initialize the client
    client = ModelSecurityAPIClient(
        base_url="https://api.sase.paloaltonetworks.com/aims"
    )

    result = client.scan(
        security_group_uuid="12345678-1234-1234-1234-123456789012",
        model_uri="https://huggingface.co/microsoft/DialoGPT-medium",
        model_version="7b40bb0f92c45fefa957d088000d8648e5c7fa33"
    )

Filter Files in HuggingFace Scans

Large HuggingFace repositories may contain files you don't need to scan. Use glob patterns to include or exclude specific files.
Scan using CLI

    model-security scan \
      --security-group-uuid "12345678-1234-1234-1234-123456789012" \
      --model-uri "https://huggingface.co/microsoft/DialoGPT-medium" \
      --allow-patterns "*.bin" "*.json" \
      --ignore-patterns "*.md" "*.txt"

Scan using Python SDK

    from model_security_client.api import ModelSecurityAPIClient

    # Initialize the client
    client = ModelSecurityAPIClient(
        base_url="https://api.sase.paloaltonetworks.com/aims"
    )

    result = client.scan(
        security_group_uuid="12345678-1234-1234-1234-123456789012",
        model_uri="https://huggingface.co/microsoft/DialoGPT-medium",
        allow_patterns=["*.bin", "*.json"],
        ignore_patterns=["*.md", "*.txt"]
    )
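
Files that the filters exclude are not scanned, so it helps to preview a filter pair against the repository listing before relying on a filtered scan. The following is an added example, not part of the Prisma AIRS documentation or SDK: it assumes fnmatch-style globs where a file must match an allow pattern (if any are given) and no ignore pattern; preview_filters, is_selected, RISKY_EXTENSIONS and the file listing are hypothetical.

```python
import os
from fnmatch import fnmatch

# Illustrative list (an assumption, not from the product): extensions of
# formats that can run code when loaded, such as pickle-based checkpoints.
RISKY_EXTENSIONS = {".bin", ".pkl", ".pickle", ".pt", ".pth", ".ckpt",
                    ".joblib", ".h5", ".keras", ".py"}


def is_selected(path, allow_patterns=None, ignore_patterns=None):
    """Assumed semantics: keep a file if it matches any allow pattern
    (or no allow list is given) and matches no ignore pattern."""
    if allow_patterns and not any(fnmatch(path, p) for p in allow_patterns):
        return False
    if ignore_patterns and any(fnmatch(path, p) for p in ignore_patterns):
        return False
    return True


def preview_filters(files, allow_patterns=None, ignore_patterns=None):
    """Split a listing into scanned and skipped files, and flag skipped
    files whose extension is in RISKY_EXTENSIONS."""
    scanned, skipped, unscanned_risky = [], [], []
    for path in files:
        if is_selected(path, allow_patterns, ignore_patterns):
            scanned.append(path)
            continue
        skipped.append(path)
        if os.path.splitext(path)[1].lower() in RISKY_EXTENSIONS:
            unscanned_risky.append(path)
    return {"scanned": scanned, "skipped": skipped,
            "unscanned_risky": unscanned_risky}


# Constructed repository listing (not taken from a real repository).
SAMPLE_FILES = [
    "config.json", "pytorch_model.bin", "README.md", "vocab.txt",
    "checkpoints/optimizer.pt", "tokenizer/custom_tokenizer.pkl",
    "modeling_custom.py", "model.safetensors",
]

if __name__ == "__main__":
    # Same patterns as the filtered scan shown above.
    report = preview_filters(SAMPLE_FILES,
                             allow_patterns=["*.bin", "*.json"],
                             ignore_patterns=["*.md", "*.txt"])
    for key, paths in report.items():
        print(f"{key}: {paths}")
```

With the allow list from the scan above, the .pt, .pkl and .py files in the constructed listing fall outside the scan; using only the ignore patterns leaves them in scope.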

Scan a Local Model

For models stored locally, specify the path to the model directory.
Scan using CLI

    model-security scan \
      --security-group-uuid "12345678-1234-1234-1234-123456789012" \
      --model-path "path/to/local/model"

Scan using Python SDK

    from model_security_client.api import ModelSecurityAPIClient

    # Initialize the client
    client = ModelSecurityAPIClient(
        base_url="https://api.sase.paloaltonetworks.com/aims"
    )

    result = client.scan(
        security_group_uuid="12345678-1234-1234-1234-123456789012",
        model_path="path/to/local/model"
    )

Scan a Model from Object Storage

To scan a model from object storage (such as S3), provide both the local path and the storage URI.
Scan using CLI

    model-security scan \
      --security-group-uuid "12345678-1234-1234-1234-123456789012" \
      --model-path "path/to/local/model" \
      --model-uri "s3://your-bucket/model-directory" \
      --model-name "production-classifier" \
      --model-author "ml-team" \
      --model-version "v2.1"

Scan using Python SDK

    from model_security_client.api import ModelSecurityAPIClient

    # Initialize the client
    client = ModelSecurityAPIClient(
        base_url="https://api.sase.paloaltonetworks.com/aims"
    )

    result = client.scan(
        security_group_uuid="12345678-1234-1234-1234-123456789012",
        model_path="path/to/local/model",
        model_uri="s3://your-bucket/model-directory",
        model_name="production-classifier",
        model_author="ml-team",
        model_version="v2.1"
    )

The CLI shows scan results in real-time as they finish. Each scan tests the model against all active rules in your Security Group. The output shows whether the model passes or fails based on your rule configuration.
A model fails if any blocking rule detects a violation. Non-blocking rules record findings without preventing the model from being approved.

Customize Model Scans

You can configure scan execution and adjust result timeout settings.
Customize Scan using CLI

    model-security scan \
      --security-group-uuid "12345678-1234-1234-1234-123456789012" \
      --model-uri "https://huggingface.co/microsoft/DialoGPT-medium" \
      --poll-interval-secs 10 \
      --poll-timeout-secs 900 \
      --block-on-errors

Customize Scan using Python SDK

    from model_security_client.api import ModelSecurityAPIClient

    # Initialize the client
    client = ModelSecurityAPIClient(
        base_url="https://api.sase.paloaltonetworks.com/aims"
    )

    result = client.scan(
        security_group_uuid="12345678-1234-1234-1234-123456789012",
        model_uri="https://huggingface.co/microsoft/DialoGPT-medium",
        poll_interval_secs=10,
        poll_timeout_secs=900,
        scan_timeout_secs=900
    )

The following configuration options customize the scan for AI models.

| Configuration Option | Description | Default Value |
|---|---|---|
| poll_interval_secs | Specify the frequency of scan status checks. | 5 seconds |
| poll_timeout_secs | Specify the maximum wait time for scan completion. | 600 seconds |
| scan_timeout_secs | (SDK only) Specify the timeout for local model scanning. | 600 seconds |
| block_on_errors | (CLI only) CLI exits with an error code when scan errors occur. | NA |