Checkmarx • Application security
Checkmarx AI Supply Chain Security scans ML models (including Hugging Face artifacts), traces training-data provenance, generates AI/ML SBOMs, and surfaces AI dependency risk so AppSec teams running AI workloads stop treating model artifacts like opaque binaries.
Programs adopting AI Supply Chain Security through Merito get the workload mapping, Hugging Face source registration, AI/ML SBOM wiring, and CI/CD integration that fold AI artifacts into the existing AppSec backlog rather than spinning up a separate ML-only program.
What it is
Checkmarx AI Supply Chain Security is the AI/ML-aware scanner inside the Checkmarx One Supply Chain pillar. It treats AI artifacts the way SCA treats OSS dependencies: model files (PyTorch, TensorFlow, ONNX, GGUF, safetensors), training-data sources, AI inference dependencies (transformers, langchain, llama.cpp, vLLM), and the prompt-engineering surface that connects them. Programs running AI workloads inside customer-facing applications without scanning the AI supply chain are running unscanned production code by another name.
Hugging Face awareness is the marquee capability. The Hugging Face Hub is where most enterprise AI development pulls models from, and Hugging Face artifacts ship with arbitrary code execution surfaces (custom modeling code, pickle-format weights that execute on load, tokenizer config that can run scripts). Checkmarx scans Hugging Face downloads for malicious model artifacts, validates checksums against known-good versions, and flags models that were silently re-uploaded with different content. The pattern is similar to typosquatting but on model namespaces.
Training-data provenance is the harder problem. Where did the data come from, was it licensed for the use case, does it contain regulated PII, and has it been validated against poisoning indicators. Checkmarx surfaces what is known about the provenance from artifact metadata, training-config files, and registered datasets. It does not solve provenance where the answer is not present in the artifact, but it makes the gap visible rather than implicit. Programs that took a shortcut and trained on whatever happened to be in the bucket find out they did during the scan rather than during regulatory review.
What kills AI Supply Chain Security adoption is treating it as an ML-team-only product. The findings need to flow into the same AppSec backlog as SAST and SCA, the policy needs to live with the rest of the AppSec policies, and the developers using AI APIs need the same PR-time visibility they get on SCA findings. Programs that silo AI security under a separate ML governance group end up with two policies, two backlogs, and a gap where they meet. Merito's engagement integrates AI Supply Chain Security into the broader AppSec program from day one.
Ideal use cases
What it is best at
Scans Hugging Face model downloads, validates checksums, and flags models that were silently re-uploaded with different content. The Hugging Face supply chain is where most enterprise AI begins, and tools without it are scanning the wrong layer.
Detects arbitrary code execution surfaces inside model artifacts (pickle weights, custom modeling code, tokenizer scripts). These are the AI equivalent of postinstall scripts and run on model load.
Generates SBOMs that include model artifacts, training-data sources where known, and AI inference dependencies. Standard SBOM tools cannot do this. Programs subject to EU AI Act or sector AI mandates need it.
Surfaces what is known about training-data origin, license, and poisoning indicators from artifact metadata. Makes provenance gaps visible rather than implicit.
AI findings flow into the same Checkmarx One backlog as SCA and SAST, with Triage and Remediation clustering on root cause. AppSec runs one program, not two.
Core capabilities
Treating AI model files like the rest of the supply chain rather than opaque binaries.
Hugging Face Hub scanning
Validates checksums on Hugging Face downloads, flags silent re-uploads, and surfaces tampered models before they enter the build.
Pickle and serialized-weight scanning
Detects arbitrary code execution inside model artifacts. Pickle, GGUF, and serialized PyTorch weights are scanned for suspicious payloads.
Model format coverage
PyTorch, TensorFlow, ONNX, GGUF, safetensors, Hugging Face Transformers. Programs running heterogeneous model formats get one scanner.
Custom modeling code review
Hugging Face models often ship with custom modeling code. Checkmarx scans the code as if it were a dependency, surfacing risky patterns.
Making the AI supply chain auditable rather than implicit.
Training-data provenance surfacing
Inspects metadata, training-config, and registered datasets for provenance signals. Surfaces gaps where provenance is missing.
License compliance for training data
Cross-references known dataset licenses with use-case constraints. Flags incompatible licensing.
Poisoning-indicator detection
Surfaces dataset characteristics consistent with known poisoning patterns where signals exist.
Audit-ready evidence for regulated AI programs.
AI/ML SBOM generation
Generates SBOMs that include model artifacts, training-data sources, and AI inference dependencies. CycloneDX-aligned where the spec covers AI.
AI dependency risk
Tracks vulnerabilities in transformers, langchain, llama.cpp, vLLM, and the AI library ecosystem alongside the rest of SCA.
Cross-product correlation
AI findings cross-link to SAST flow paths, SCA dependency findings, and Triage and Remediation clusters inside Checkmarx One.
Compliance reporting
Audit-ready evidence for EU AI Act, NIST AI RMF, ISO 42001, and sector-specific AI mandates.
Where it fits in the stack
Deployment and implementation
Licensing and packaging
Checkmarx One Enterprise (includes AI Supply Chain Security)
Enterprise bundle adding AI Supply Chain Security, AI agents (Developer Assist, Triage and Remediation), Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs running production AI workloads with regulated provenance requirements.
AI Supply Chain Security add-on (Advanced bundle customers)
AI Supply Chain Security added to an existing Checkmarx One Advanced subscription without the full Enterprise bundle.
Best for: Programs piloting AI supply-chain governance without a full Enterprise upgrade.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
AI workload mapping, Hugging Face source registration, AI/ML SBOM wiring, and policy-gate design.
Explore service02AI supply-chain governance scoping for AI Supply Chain Security alongside generic SCA tools without ML awareness.
Explore service03AI-aware policy gates inside CI/CD pipelines for AI inference services.
Explore service04ML platform team enablement around AI sourcing standards and provenance discipline.
Explore service05Named engineer, priority SLAs, and release-time coverage for AI Supply Chain Security.
Explore service06Long-term run support including Hugging Face source registration maintenance, AI/ML SBOM operation, and policy-gate evolution.
Explore service07Role-based training for AppSec architects, ML platform leads, and AI compliance owners.
Explore service08Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.
Explore serviceCheckmarx AI Supply Chain Security licensing
AI Supply Chain Security pricing arrives with the workload mapping, Hugging Face source registration, AI/ML SBOM wiring, and policy-gate design that turn AI supply-chain governance into real AppSec rather than aspiration.
Merito point of view
Merito has worked with programs shipping AI inference services into customer-facing applications while running zero scanning against the model artifacts, the training-data sources, or the AI library dependencies. The reasoning is usually that the ML team owns AI security separately. The reality is that a tampered Hugging Face model that ships pickle weights with arbitrary code execution is a production breach, and AppSec finds out about it through an incident rather than a scanner. AI Supply Chain Security exists because the supply-chain attack surface is real on AI workloads.
Merito recommends AI Supply Chain Security specifically when the program runs production AI workloads from Hugging Face or other model hubs, when training-data provenance matters for regulatory or contractual reasons, and when the AI dependency surface (transformers, langchain, vLLM) is large enough that SCA alone is not sufficient. For programs that consume AI through hosted APIs (OpenAI, Anthropic, Bedrock) without self-hosting models, the supply-chain surface is narrower and AI Supply Chain Security has less to do. Merito surfaces that during scoping rather than overstating the value.
Hugging Face awareness is the marquee capability and the place where most enterprise AI security exposure actually lives. Programs that download models from Hugging Face without checksum validation are running unscanned binaries by another name. Generic SCA tools without ML awareness do not see the layer.
What buyers usually underestimate
Related from Merito
Related solutions
Related services
Related products
Frequently Asked Questions
Consultation request
Share your AI workload shape (self-hosted models vs. hosted APIs), training-data posture, and AI compliance landscape. A Merito Checkmarx specialist follows up within one business day.
ML-format awareness
Scans model artifacts, pickle weights, custom modeling code, and Hugging Face downloads. Generic SCA cannot do this.
AI/ML SBOM
SBOM that includes models, training-data sources, and AI dependencies. Programs subject to EU AI Act or NIST AI RMF need it.
Next step
A Merito AI Supply Chain Security engagement starts with workload mapping and Hugging Face source registration. Generic SCA without ML awareness scans the wrong layer.