Posted on
Artificial Intelligence

Artificial Intelligence Security Checklists

Author
  • User
    linuxbash
    Posts by this author
    Posts by this author

The Bash-Friendly AI Security Checklist: Lock Down Your Models and Pipelines

Artificial intelligence is shipping faster than ever—and so are attacks against it. From poisoned datasets and malicious PyPI wheels to leaked API keys and unconfined runtimes, AI stacks make juicy targets. If you build, train, or deploy models on Linux, you need a security checklist that lives where you live: the shell.

This post gives you a practical, bash-first checklist to secure AI projects—complete with reasons why it matters, copy-paste commands, and distro-specific install instructions (apt, dnf, zypper) for every tool we use.


Why this matters (and what’s different with AI)

  • AI artifacts aren’t just code. You have model files, datasets, embeddings, and prompts that can be poisoned or tampered with.

  • Supply-chain risk is amplified. ML engineers frequently install heavy dependencies from package managers (OS and language), which increases the attack surface.

  • Secrets sprawl is real. API keys for inference endpoints, vector DBs, GPUs, and storage buckets end up in notebooks, scripts, and logs.

  • Runtime exposure is unique. Model runtimes often need large file access and may fetch remote content—prime terrain for sandbox escapes or data exfiltration if not contained.

Bottom line: treat AI projects like high-value software supply chains.


Quick install: tools used below

Run the set for your distro. These packages cover everything referenced in the checklist.

APT (Debian/Ubuntu):

sudo apt update
sudo apt install -y \
  python3 python3-venv python3-pip \
  git-secrets sops age minisign \
  firejail bubblewrap podman \
  openssl jq

DNF (Fedora/RHEL/CentOS Stream):

sudo dnf install -y \
  python3 python3-pip \
  git-secrets sops age minisign \
  firejail bubblewrap podman \
  openssl jq

Zypper (openSUSE/SLE):

sudo zypper refresh
sudo zypper install -y \
  python3 python3-pip \
  git-secrets sops age minisign \
  firejail bubblewrap podman \
  openssl jq

Tip: We’ll use Trivy via a container to avoid adding external repos.


The AI Security Checklist (with commands that work)

1) Lock down dependencies and environments

Why: Many real-world compromises start with a malicious dependency or a vulnerable transitive package pulled during a late-night pip install.

Actions:

  • Use isolated virtual environments.

  • Pin and hash dependencies.

  • Audit for CVEs before you run.

Create a venv and upgrade pip:

python3 -m venv .venv
source .venv/bin/activate
python -m pip install --upgrade pip wheel setuptools

Use a hashed requirements file:

# requirements.txt (example)
numpy==1.26.4 --hash=sha256:9e... --hash=sha256:1a...
torch==2.2.0 --hash=sha256:ab... --hash=sha256:cd...

Install with hash verification:

pip install --require-hashes -r requirements.txt

Audit Python deps for known vulns:

pip install pip-audit
pip-audit

Bonus: keep OS packages patched routinely. Example for Debian/Ubuntu:

sudo apt update && sudo apt upgrade -y

Real-world note: PyPI typosquats frequently target ML engineers (e.g., packages named like popular DL libs). Hash pinning helps you avoid “same-name, different-binary” tricks.


2) Guard secrets and configs

Why: API keys in Git repos or logs are still the most common breach root cause—and AI apps tend to juggle lots of them.

Block secrets from being committed with git-secrets:

git secrets --install
git secrets --register-aws    # common patterns, even if not on AWS
# Scan entire repo now
git secrets --scan

Encrypt config with sops + age:

# Create an age key pair
age-keygen -o ~/.config/sops/age/keys.txt

# Export a recipient (public key)
recipient=$(grep -m1 "public key:" ~/.config/sops/age/keys.txt | awk '{print $4}')

# Encrypt a YAML/JSON file
sops --encrypt --age "$recipient" config.yaml > config.enc.yaml

# Decrypt when needed
sops --decrypt config.enc.yaml > config.yaml

Pro tip: Add a pre-commit hook that runs git-secrets and fails on findings.


3) Verify and inventory models and datasets

Why: You need to know exactly what you trained on and deployed. Hashes and signatures catch corruption, tampering, and “mystery file” drift.

Create a manifest of checksums:

# For all model/data artifacts in models/ and data/
find models data -type f -print0 | xargs -0 sha256sum > SHA256SUMS

Verify later (e.g., on a deploy host or CI runner):

sha256sum -c SHA256SUMS

Sign artifacts with minisign (lightweight signing):

# One-time key generation
minisign -G -p minisign.pub -s minisign.key

# Sign a model file
minisign -S -s minisign.key -m models/model.onnx

# Verify signature before use
minisign -V -p minisign.pub -m models/model.onnx -x models/model.onnx.minisig

Store SHA256SUMS and signatures alongside releases. Treat model files like binaries.


4) Sandbox and restrict AI runtimes

Why: Inference or training code often processes untrusted input and may fetch remote content. Sandboxing limits blast radius if something goes sideways.

Run without network using firejail:

firejail --quiet --private --net=none \
  --read-only=$PWD \
  --blacklist=/home --blacklist=/root \
  python serve.py

Minimal sandbox with bubblewrap:

bwrap \
  --unshare-net \
  --ro-bind /usr /usr \
  --ro-bind $(pwd) /app \
  --chdir /app \
  --dev /dev \
  --proc /proc \
  --tmpfs /tmp \
  python infer.py --model models/model.onnx

Containerized and rootless with Podman:

# Build (or pull) your runtime image first
podman run --rm --network=none --read-only \
  -v $PWD:/app:ro -w /app \
  localhost/ai-runtime:latest \
  python infer.py --model models/model.onnx

Add resource controls to keep runaway jobs in check:

# Example: limit CPU and memory with podman
podman run --rm --cpus=2 --memory=4g ...

5) Scan images and files before shipping

Why: Shipping an image with a known CVE or a stray secret is an avoidable own goal.

Use Trivy via container (no host install needed):

# Scan a local directory for vulns, secrets, IaC issues
podman run --rm -v $PWD:/project -w /project \
  docker.io/aquasec/trivy:latest fs .

# Scan a container image you built
podman run --rm \
  docker.io/aquasec/trivy:latest image localhost/ai-runtime:latest

Scan Git history for secrets before tagging:

git secrets --scan -r

Make it CI-friendly: fail builds on high/critical findings.


Real-world mini-scenarios

  • Data poisoning in the wild: A single compromised CSV introduced label noise that skewed fraud predictions; the team lacked pre-ingest checksums. Fix: require signed manifests and hash verification in CI before training.

  • Malicious wheel incident: An ML pipeline pulled a new minor version of a dependency that exfiltrated AWS creds during import. Fix: hash-pinned requirements and git-secrets blocking leaked tokens reduced impact and sped recovery.

  • Overshared inference box: A research notebook server leaked model weights via a browser extension over outbound connections. Fix: sandbox with no-network by default; allowlist egress only when needed.


Copy/paste starter: a tiny checklist script

Wire this into your repo as scripts/ai-sec-check.sh and extend as needed.

#!/usr/bin/env bash
set -euo pipefail

echo "[1/5] Verifying hashes..."
test -f SHA256SUMS && sha256sum -c SHA256SUMS || echo "No SHA256SUMS found; skip."

echo "[2/5] Scanning repo for secrets..."
if command -v git >/dev/null && command -v git-secrets >/dev/null; then
  git secrets --scan -r
else
  echo "git or git-secrets not installed; skip."
fi

echo "[3/5] Auditing Python deps (if venv active)..."
if command -v pip-audit >/dev/null; then
  pip-audit || true
else
  echo "pip-audit not installed in current env; run: pip install pip-audit"
fi

echo "[4/5] Trivy filesystem scan (if podman available)..."
if command -v podman >/dev/null; then
  podman run --rm -v "$PWD":/project -w /project docker.io/aquasec/trivy:latest fs .
else
  echo "podman not installed; skip Trivy."
fi

echo "[5/5] Suggest sandboxed run:"
echo "  firejail --private --net=none python your_script.py"

Make it executable:

chmod +x scripts/ai-sec-check.sh

Conclusion and next steps

Security for AI doesn’t need to be mysterious. With a handful of well-chosen, distro-friendly tools—and a repeatable checklist—you can meaningfully reduce risk without slowing down your team.

Your next steps:

  • Add the tools with the install commands above.

  • Commit a hashed requirements.txt and a SHA256SUMS manifest.

  • Wire the checklist script into CI and fail on high findings.

  • Run your training/inference under a sandbox by default.

If you only do two things this week: pin-and-hash your dependencies and sandbox your runtimes. Those alone eliminate a large class of real-world AI incidents.

Got a trick to add to this checklist? Drop it into your team’s runbook and keep iterating—security is a practice, not a product.