If you’ve been keeping an eye on the software landscape, you know AI and machine learning models are no longer a shiny new toy. They’re the backbone of modern apps, with over 850,000 models hitting platforms like Hugging Face in 2024 alone. That’s why the latest release of Black Duck® SCA introduces AI model scanning to bring clarity and control to your AI-driven software supply chain. Let’s dive into what this means for you.


Why AI models matter

AI models are transforming how we build software, from autogenerating code to powering intelligent features. But they’re also a new frontier of risk. Hidden in your apps, these models can carry licensing issues, murky origins, or modifications that don’t align with your security policies. Without visibility, you can’t satisfy regulations like the EU AI Act or the stakeholders demanding accountability. That’s not just a compliance headache—it’s a business risk.

Black Duck’s answer: AI model scanning

AI model scanning, which rolled out in October 2025, is built to tackle these challenges head-on. Here’s the rundown.

  • Spot models anywhere: Our signature-based scanning detects AI/ML models even if they’re deliberately obscured or not listed in your build manifest. No more guessing what’s in your codebase.
  • License clarity: Black Duck SCA identifies model licenses to keep you compliant, whether it’s open source or commercial, saving you from costly legal surprises.
  • Deep insights made simple: A dedicated UI screen serves up model-specific metadata showing what the model is good at (e.g., code completion) and details on datasets. This helps teams build usage policies like “no retrained foundational models” with ease.
  • Seamless integration: AI model scanning plugs right into your existing Black Duck workflows, leveraging our SBOM engine for a unified SCA experience.
  • Supply chain transparency: Any model identified or manually added to a project can be included in an SBOM to satisfy customer and industry requirements.

This is our MVP, focused on identification and licensing, but it’s built to scale. Future updates will bring deeper insights into security and operational risks introduced by models, and more customized policy configuration.

The Black Duck difference

Security shouldn’t slow your pipelines.

Our edge is built on signature-based scanning, which delivers unmatched depth and accuracy. Unlike tools that only glance at manifest files, Black Duck’s technology can pierce your application’s source files to detect AI/ML models even if they are intentionally obfuscated or buried deep within your application.
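To make the manifest-versus-content distinction concrete, here is an added example (not Black Duck’s code, and not its signature technology) that fingerprints files by their leading bytes rather than by filename or extension. It constructs a throwaway project tree containing a declared safetensors file, a GGUF model renamed to a generic `.dat`, a `torch.save()`-style zip container with a misleading `.bin` name, and a plain text file, then reports which models are on disk but absent from a constructed `DECLARED_MANIFEST`, and emits minimal CycloneDX-style components (the `machine-learning-model` component type exists in CycloneDX 1.5 and later). The format checks are simplified illustrations, and the 64 KB header read is an assumption of the example.

```python
"""Content-based detection of AI/ML model artefacts in a source tree (added example)."""
import json
import os
import struct
import tempfile
import zipfile
from typing import Dict, List, Optional

# Constructed manifest: what the developer *declared*. Only one model is listed.
DECLARED_MANIFEST = {"models": ["weights/encoder.safetensors"]}


def sniff_model_format(path: str) -> Optional[str]:
    """Return a format name if the file's leading bytes look like a known model serialisation."""
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # assumption: headers of interest fit in 64 KB
    if head[:4] == b"GGUF":
        return "gguf"
    if head[:4] == b"PK\x03\x04" and zipfile.is_zipfile(path):
        # torch.save() writes a zip container whose pickled object lives at <name>/data.pkl
        with zipfile.ZipFile(path) as zf:
            if any(os.path.basename(n) == "data.pkl" for n in zf.namelist()):
                return "pytorch-zip(pickle)"
        return None  # ordinary zip archive, not a model
    if len(head) >= 2 and head[0] == 0x80 and 2 <= head[1] <= 5:
        return "pickle"  # raw pickle stream: PROTO opcode followed by protocol number
    if len(head) >= 8:
        # safetensors: 8-byte little-endian header length followed by a JSON object
        (hdr_len,) = struct.unpack("<Q", head[:8])
        if 0 < hdr_len <= len(head) - 8:
            try:
                hdr = json.loads(head[8:8 + hdr_len])
            except (ValueError, UnicodeDecodeError):
                hdr = None
            if isinstance(hdr, dict) and hdr:
                return "safetensors"
    return None


def scan_tree(root: str) -> Dict[str, str]:
    """Walk root and return {relative_path: format} for every file that sniffs as a model."""
    found: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            fmt = sniff_model_format(full)
            if fmt:
                found[os.path.relpath(full, root).replace(os.sep, "/")] = fmt
    return found


def undeclared(found: Dict[str, str], manifest: dict) -> Dict[str, str]:
    """Models present on disk but missing from the declared manifest."""
    declared = set(manifest.get("models", []))
    return {p: f for p, f in found.items() if p not in declared}


def to_sbom_components(found: Dict[str, str]) -> List[dict]:
    """Minimal CycloneDX-style component entries for the detected models."""
    return [
        {"type": "machine-learning-model", "name": os.path.basename(p),
         "properties": [{"name": "format", "value": fmt}, {"name": "path", "value": p}]}
        for p, fmt in sorted(found.items())
    ]


def build_sample_tree() -> str:
    """Construct a throwaway project tree: one declared model, two obscured ones, and noise."""
    root = tempfile.mkdtemp(prefix="modelscan-")
    os.makedirs(os.path.join(root, "weights"))
    os.makedirs(os.path.join(root, "assets"))
    # 1. Declared safetensors file: header length + JSON header + 8 bytes of tensor data.
    header = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
    with open(os.path.join(root, "weights", "encoder.safetensors"), "wb") as fh:
        fh.write(struct.pack("<Q", len(header)) + header + b"\x00" * 8)
    # 2. GGUF model renamed to look like a generic data blob (not in the manifest).
    with open(os.path.join(root, "assets", "lookup.dat"), "wb") as fh:
        fh.write(b"GGUF" + struct.pack("<I", 3) + b"\x00" * 32)
    # 3. torch.save()-style zip container with a non-telling extension (not in the manifest).
    with zipfile.ZipFile(os.path.join(root, "assets", "cache.bin"), "w") as zf:
        zf.writestr("archive/data.pkl", b"\x80\x02N.")  # pickle: protocol 2, None, STOP
    # 4. Ordinary text file that must not be flagged.
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("not a model\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = scan_tree(root)
    for path, fmt in sorted(found.items()):
        print(f"{fmt:22} {path}")
    print("undeclared:", sorted(undeclared(found, DECLARED_MANIFEST)))
    print(json.dumps(to_sbom_components(found), indent=1))
```

Run as a script, it flags all three model files, lists the two that the manifest never mentioned, and prints SBOM component entries for each. The point of the design is the order of checks: filename is never consulted, so renaming or dropping an extension does not hide a model, and the zip branch deliberately returns nothing for archives without a pickle payload so ordinary packages are not misreported.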

This deep identification capability provides the governance required by modern standards, giving you the definitive answer on a model's origin and insight into whether it was simply consumed or significantly retrained. This level of forensic detail in identification is why Black Duck consistently receives recognition from both customers and industry analysts for the quality and accuracy of our scanning.

We couple this market-leading precision with an intuitive UI that makes complex AI insights immediately accessible, ensuring that your teams can govern their AI projects without being overwhelmed.

Why it matters to you

This release empowers you to innovate with confidence. By tracking every model in your apps, you can ensure license compliance and alignment with your policies, and Black Duck reduces risks and speeds AI project deployment. Whether you’re in tech, finance, or healthcare, you’ll stay compliant with emerging standards like the EU AI Act and build trust with stakeholders who care about responsible AI.

Stay secure, stay innovative. And let’s keep building the future of software—responsibly.
