Skip to content

konjoai/squash

BranchesTags

Repository files navigation

Squash β€” Squash violations, not velocity.

The pytest of AI compliance. Runs in your CI/CD pipeline. Ships in 10 seconds.

PyPI CI License Python EU AI Act

⏰ EU AI Act high-risk enforcement: August 2, 2026

Non-compliance: up to €35M or 7% of global turnover. Annex IV documentation alone takes 3–6 months manually. Squash does it in 10 seconds.

See it in 10 seconds

pip install squash-ai
squash demo
────────────────────────────────────────────────────
  Squash violations, not velocity.
  Running demo attestation on sample BERT model…
────────────────────────────────────────────────────

  Model:   bert-base-uncased (sample)
  Policy:  eu-ai-act

βœ… Attestation PASSED

  Artifacts generated:
    cyclonedx-mlbom.json                   48,392 bytes
    sbom.spdx.json                         22,104 bytes
    attestation.json                        3,841 bytes
    annex-iv-technical-documentation.md    18,299 bytes
    provenance.json                         1,203 bytes

────────────────────────────────────────────────────
  This is squash. It runs in CI in <10 seconds.
  pip install squash-ai && squash attest ./your-model
────────────────────────────────────────────────────

Install

# Community (free, Apache 2.0)
pip install squash-ai

# With REST API server
pip install "squash-ai[api]"

# Full feature set
pip install "squash-ai[api,signing,sbom]"

CI/CD in one line

GitHub Actions

- uses: konjoai/squash@v1
  with:
    model-path: ./my-model
    policy: eu-ai-act
    fail-on-violation: true

GitLab CI

include:
  - remote: 'https://raw.githubusercontent.com/konjoai/squash/main/integrations/gitlab-ci/squash.gitlab-ci.yml'

CLI

squash attest ./my-model \
  --policy eu-ai-act \
  --policy nist-ai-rmf \
  --sign \
  --fail-on-violation

Output:

βœ“ CycloneDX 1.7 ML-BOM            β†’ cyclonedx-mlbom.json
βœ“ SPDX 2.3 SBOM                   β†’ sbom.spdx.json
βœ“ EU AI Act Annex IV: PASS        β†’ annex-iv.md
βœ“ NIST AI RMF: PASS (42/42)
βœ“ OWASP LLM Top 10: PASS
βœ“ SLSA Level 2 provenance         β†’ provenance.json
βœ“ ModelScan: PASS (0 findings)
βœ“ Signed via Sigstore Rekor

Why Squash

Without Squash With Squash
Annex IV documentation: 3–6 months Annex IV documentation: 10 seconds
Compliance consultant: €150K–€400K/yr Squash Professional: $299/month
Manual risk assessment per model squash attest ./model --policy eu-ai-act
Violation discovered in audit Violation blocked in CI before merge
Zero visibility squash_models_compliant_ratio 0.979 in Grafana

Features

Capability Detail
EU AI Act Annex IV All 12 required documentation sections, auto-generated
CycloneDX 1.7 ML-BOM Machine-readable model bill of materials
SPDX 2.3 SBOM Full dependency and lineage graph
10+ Policy Frameworks EU AI Act Β· NIST AI RMF Β· ISO 42001 Β· OWASP LLM Top 10 Β· FedRAMP Β· CMMC
ModelScan Security Pickle exploits, serialization attacks, unsafe ops
Sigstore Signing Keyless signing via Rekor transparency log
SLSA Provenance Level 1–3 provenance attestation
VEX Feed Live CVE tracking for deployed AI model components
Drift Detection Alerts when model behavior diverges from attested baseline
Prometheus /metrics Grafana-compatible attestation counts, violations, latency
Slack / Teams Alerts Webhook notifications on violations, drift events, CVE hits
JIRA / Linear / GitHub Issues Auto-creates tickets on policy violations
FastAPI / Django Middleware X-Squash-Compliant header on every inference response
Compliance Badge ![Squash](https://api.getsquash.dev/badge/eu-ai-act/compliant)
squash watch Re-attests on model file change β€” continuous local compliance
squash install-hook git pre-push hook β€” blocks non-compliant pushes
10 MLOps Integrations MLflow Β· W&B Β· HuggingFace Β· LangChain Β· SageMaker Β· Vertex AI Β· Ray Β· Kubernetes
Open-core Community tier free forever under Apache 2.0

Set up a new project in 60 seconds

squash init ./my-model
# Auto-detects PyTorch / TensorFlow / JAX / MLflow / HuggingFace
# Writes .squash.yml, runs a dry-run attestation

Compliance badge in your README

![Squash EU AI Act compliant](https://api.getsquash.dev/badge/eu-ai-act/compliant)

Available statuses: compliant Β· non-compliant Β· partial Β· unknown
Available frameworks: eu-ai-act Β· nist-ai-rmf Β· iso-42001 Β· anything

Policy Frameworks

Framework Status Key Checks
EU AI Act (Annex IV) βœ… Full Technical documentation, risk classification, human oversight
NIST AI RMF 1.0 βœ… Full 42 controls: GOVERN Β· MAP Β· MEASURE Β· MANAGE
OWASP LLM Top 10 βœ… Full LLM01–LLM10 vulnerability categories
ISO 42001 βœ… Core Clause 6, 8, 9
NTIA Minimum Elements βœ… Full 7 required SBOM fields
FedRAMP AI βœ… Core Federal AI procurement requirements
CMMC Level 2 βœ… Core DoD contractor AI requirements

Python API

from squash import AttestPipeline, AttestConfig

result = AttestPipeline.run(AttestConfig(
    model_path="./my-model",
    policies=["eu-ai-act", "owasp-llm"],
    sign=True,
    fail_on_violation=True,
))

print(f"Passed: {result.passed}")
print(f"Attestation ID: {result.attestation_id}")

REST API

pip install "squash-ai[api]"
uvicorn squash.api:app --host 0.0.0.0 --port 4444

curl -X POST http://localhost:4444/v1/attest \
  -H "Authorization: Bearer $SQUASH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model_path": "/models/bert-base", "policies": ["eu-ai-act"]}'

Prometheus metrics

# HELP squash_attestations_total Total attestation runs
squash_attestations_total{result="passed",policy="eu-ai-act"} 142
squash_models_compliant_ratio 0.979
squash_api_latency_seconds_bucket{le="0.1"} 138

Tiers & Pricing

Tier Price Attestations/mo Features
Community Free 10 Full CLI, SBOM, policy checks, signing, self-hosted
Professional $299/mo 200 Cloud API, Annex IV auto-generation, drift alerts, Slack/Teams
Startup $499/mo 500 Everything in Pro + VEX read, 3 users, GitHub Issues ticketing
Team $899/mo 1,000 Multi-tenant, SAML SSO, HITL workflows, audit export
Enterprise Custom Unlimited On-premise, air-gapped, EU data residency, dedicated support

Start free β†’ Β· Pricing β†’

Architecture

squash attest ./my-model
    β”‚
    β”œβ”€β”€ ModelScanner      β†’ Security scan (pickle, unsafe ops, CVEs)
    β”œβ”€β”€ CycloneDXBuilder  β†’ ML-BOM (CycloneDX 1.7)
    β”œβ”€β”€ SpdxBuilder       β†’ SBOM (SPDX 2.3)
    β”œβ”€β”€ PolicyEngine      β†’ EU AI Act Β· NIST Β· OWASP Β· ISO checks
    β”œβ”€β”€ SlsaBuilder       β†’ SLSA Level 1–3 provenance
    β”œβ”€β”€ AnnexIVGenerator  β†’ All 12 Annex IV sections (MD/HTML/PDF)
    β”œβ”€β”€ VexEvaluator      β†’ Live CVE vulnerability feed
    β”œβ”€β”€ OmsSigner         β†’ Sigstore keyless signing
    β”œβ”€β”€ DriftDetector     β†’ Baseline behavioral comparison
    └── AttestPipeline    β†’ Signed audit record (JSON)

Development

git clone https://github.com/konjoai/squash
cd squash
pip install -e ".[api,signing,sbom,dev]"

# Run all tests (2,299 passing)
python -m pytest tests/ -v --timeout=120

# Try it immediately
squash demo

# Watch mode
squash watch ./my-model

License

Community edition: Apache 2.0

Enterprise features (cloud API, multi-tenant dashboard, VEX feed, on-premise) are available under a commercial license. Contact β†’

Built by Konjo AI Β· "Squash violations, not velocity."

About

πŸ›‘οΈ Automated EU AI Act compliance for AI/ML teams β€” Annex IV docs, SBOMs, policy checks, and signed audit records inside your CI/CD pipeline. August 2, 2026 enforcement deadline. ⏰

github.com/konjoai/squash

Topics

owasp cicd spdx mlops sbom policy-as-code compliance-automation cyclonedx slsa ai-compliance sigstore ai-governance llm-security eu-ai-act nist-ai-rmf model-signature annex-iv

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages