As part of our long-standing commitment to providing a safe and reliable platform for the ML community, we are pleased to announce our partnership with JFrog, creators of the JFrog Software Supply Chain Platform.
We have decided to add JFrog's scanner to our platform to keep improving security on the Hugging Face Hub. JFrog's scanner brings new functionality to scanning, aimed at reducing false positives on the Hub. What we currently observe is that model weights can contain code that is executed at deserialization time, and sometimes at inference time, depending on the format. This code is often a non-malicious convenience for the developer. Because picklescan only performs pattern matching on module names, it is not always possible to confirm that the use of a given function or module is malicious. JFrog goes a step further and analyzes the code found in model weights for potential malicious usage.
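As an added illustration of the name-based pattern matching described above (example code written for this page, not picklescan's or JFrog's implementation), the following disassembles a pickle's opcode stream without ever unpickling it and buckets every imported reference by module name. The allow/deny lists and both sample blobs are constructed for the example; the "unknown" bucket is exactly where a name alone cannot settle whether a use is malicious.

```python
import pickle
import pickletools
from collections import OrderedDict

# Module names whose mere appearance in a pickle is treated as dangerous, and
# modules that routinely appear in legitimate checkpoints. Both sets are
# constructed for this example; a real scanner maintains far longer lists.
DENYLIST = {"os", "subprocess", "builtins", "sys", "socket"}
ALLOWLIST = {"collections", "numpy", "torch"}


def referenced_globals(data: bytes) -> list[str]:
    """Return 'module.name' for every GLOBAL / STACK_GLOBAL opcode in the pickle.
    pickletools.genops only disassembles the stream: nothing is imported or called."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append(f"{module}.{name}")
        elif opcode.name == "STACK_GLOBAL":    # protocol 4+: operands are the two
            found.append(f"{strings[-2]}.{strings[-1]}")  # most recently pushed strings
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def classify(data: bytes) -> dict[str, list[str]]:
    """Bucket each reference as dangerous, allowed or unknown by its top-level module.
    'unknown' is the case the post describes: the module name alone cannot tell you
    whether the use is malicious, so a deeper analysis of the code has to decide."""
    report = {"dangerous": [], "allowed": [], "unknown": []}
    for ref in referenced_globals(data):
        top = ref.split(".", 1)[0]
        bucket = "dangerous" if top in DENYLIST else "allowed" if top in ALLOWLIST else "unknown"
        report[bucket].append(ref)
    return report


# Constructed sample 1: a benign checkpoint-like object. Pickling it emits a
# reference to collections.OrderedDict followed by REDUCE, i.e. code does run
# on load, yet the reference is perfectly legitimate.
BENIGN = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)

# Constructed sample 2: hand-assembled bytes (PROTO 2, GLOBAL os.system, BINPUT,
# STOP). There is deliberately no REDUCE, so loading it would only return the
# function object without calling it; a name-based scanner still flags it.
SUSPICIOUS = b"\x80\x02cos\nsystem\nq\x00."

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, classify(blob))
```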
Interested in joining our security partnerships or providing scanning information on the Hub? Please get in touch with us at security@huggingface.co.
Model Security Refresher
To share models, we serialize models, configurations, and other data structures so they can be stored and transported. Some serialization formats are vulnerable to nasty exploits, such as arbitrary code execution (pickle being the prime example), making shared models that use those formats potentially dangerous.
As Hugging Face has become a popular platform for model sharing, we want to protect our community from these risks. That is why we developed tools like picklescan and why we are integrating JFrog into our scanner suite.
Pickle is not the only exploitable format. See, for reference, how Keras Lambda layers can be misused to achieve arbitrary code execution. The good news is that JFrog catches both of these exploits, in additional file formats as well. For the latest scanner information, see our model threats page.
Read all of our security documentation here: https://huggingface.co/docs/hub/security 🔥
Integration
There is nothing you have to do to benefit from this! All public model repositories are scanned automatically by JFrog as soon as you push files to the Hub. Here is an example repository you can check to see the feature in action: mcpotato/42-eicar-street.
Scan result for `danger.dat` in `mcpotato/42-eicar-street`
Note that you might not see a scan for your model as of today, since there are millions of model repositories; it may take us some time to catch up.
In total, we have already scanned hundreds of millions of files. We do this because we believe that empowering the community to share models in a safe and frictionless way will lead to growth across the whole field.