Production-ready GitHub Actions workflow for automated AI/ML model security scanning using Palo Alto Networks Prisma AIRS (AI Runtime Security).
This pipeline scans AI models for security vulnerabilities before deployment, implementing MLSecOps best practices that cover:
- Backdoor Detection: Identifies hidden triggers that cause malicious behavior
- Trojan Analysis: Detects neural network trojans and poisoned weights
- Model Poisoning: Validates model integrity against data poisoning attacks
- Adversarial Robustness: Tests resistance to adversarial examples
- Supply Chain Security: Verifies model provenance and integrity
Policy Enforcement: Models with security violations automatically fail the pipeline - preventing deployment of compromised models.
Required Secrets (Settings → Secrets and variables → Actions → Secrets):
- `MODEL_SECURITY_CLIENT_SECRET` - Your Prisma AIRS OAuth2 client secret
Required Variables (Settings → Secrets and variables → Actions → Variables):
- `MODEL_SECURITY_CLIENT_ID` - Your Prisma AIRS OAuth2 client ID
- `TSG_ID` - Your Tenant Service Group ID
- `MODEL_SECURITY_API_ENDPOINT` - API endpoint (default: https://api.sase.paloaltonetworks.com/aims)
- Go to the Actions tab in your repository
- Select "Prisma AIRS Model Security Scan"
- Click "Run workflow"
- Enter the required inputs:
  - Model URL: Hugging Face model URL (e.g., https://huggingface.co/bert-base-uncased)
  - Security Profile ID: Your Prisma AIRS security group UUID
  - Fail on Severity (optional): Comma-separated severity levels that trigger failure (default: `CRITICAL,HIGH`)
- Click "Run workflow"
- Green check: Model passed all security checks
- Red X: Security violations detected - check the scan report artifact
- Scan Report: Download from workflow artifacts (`model-scan-report`)
| Input | Required | Default | Description |
|---|---|---|---|
| `model_url` | Yes | - | Hugging Face model URL |
| `security_profile_id` | Yes | - | Prisma AIRS security group UUID |
| `fail_on_severity` | No | `CRITICAL,HIGH` | Severities that trigger pipeline failure |
Override defaults by setting these as GitHub Variables:
| Variable | Default | Description |
|---|---|---|
| `MODEL_SECURITY_API_ENDPOINT` | https://api.sase.paloaltonetworks.com/aims | Prisma AIRS API endpoint |
| `MODEL_SECURITY_TOKEN_ENDPOINT` | https://auth.apps.paloaltonetworks.com/oauth2/access_token | OAuth2 token endpoint |
By default, the pipeline fails if the scan finds:
- CRITICAL severity findings
- HIGH severity findings
- A scan outcome that is not `PASS`, `CLEAN`, or `SUCCESS`
Configure per-environment thresholds using the `fail_on_severity` input:
- Production (strict): `fail_on_severity: CRITICAL,HIGH,MEDIUM`
- Staging (moderate): `fail_on_severity: CRITICAL,HIGH`
- Development (permissive): `fail_on_severity: CRITICAL`
The pipeline uses two-layer validation:
- Primary: Validates the scan outcome status
- Secondary: Deep inspection of individual findings by severity
Both checks must pass for deployment to proceed.
| Outcome | Meaning | Pipeline Result |
|---|---|---|
| PASS / CLEAN / SUCCESS | No violations found | ✅ Passes |
| BLOCKED | Security policy violation | ❌ Fails |
| WARNING | Suspicious patterns detected | ❌ Fails |
| FAILURE | Scan error or critical issue | ❌ Fails |
| Severity | Description | Default Action |
|---|---|---|
| CRITICAL | Confirmed exploit or backdoor | Fail |
| HIGH | Serious security risk | Fail |
| MEDIUM | Moderate security concern | Pass (configurable) |
| LOW | Minor issue or best practice violation | Pass |
| INFO | Informational finding | Pass |
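The two-layer gate described above (safe-outcome check, then per-finding severity check against `fail_on_severity`), written out as an added example; this is not the repository's `model_scan.py`, and the report keys `outcome`, `findings`, `severity` and `title` are assumed, with the sample report constructed here:

```python
# Added example, not the repository's model_scan.py. The report layout is an
# assumption: an "outcome" string plus a "findings" list with "severity"/"title".
from __future__ import annotations

import json
import sys

# Layer 1 only accepts these explicitly safe outcomes (fail-safe default:
# BLOCKED, WARNING, FAILURE, an unknown value or a missing key all fail).
SAFE_OUTCOMES = {"PASS", "CLEAN", "SUCCESS"}


def parse_fail_on_severity(value: str) -> set[str]:
    """Normalise the comma-separated input: " critical, High " -> {"CRITICAL", "HIGH"}."""
    return {s.strip().upper() for s in value.split(",") if s.strip()}


def evaluate_report(report: dict, fail_on_severity: str = "CRITICAL,HIGH") -> tuple[int, list[str]]:
    """Return (exit_code, reasons); exit code 1 blocks deployment.

    Both layers always run so the reasons list is complete: layer 1 checks the
    outcome, layer 2 inspects every finding against the blocking severities.
    """
    reasons: list[str] = []
    outcome = str(report.get("outcome", "")).upper()
    if outcome not in SAFE_OUTCOMES:
        reasons.append(f"outcome '{outcome or 'MISSING'}' is not in {sorted(SAFE_OUTCOMES)}")
    blocking = parse_fail_on_severity(fail_on_severity)
    for finding in report.get("findings", []):
        severity = str(finding.get("severity", "")).upper()
        if severity in blocking:
            reasons.append(f"{severity}: {finding.get('title', 'untitled finding')}")
    return (1 if reasons else 0), reasons


# Constructed sample: the outcome reads PASS, but a HIGH finding is present,
# so layer 2 must still fail the pipeline under the default threshold.
SAMPLE_REPORT = {
    "outcome": "PASS",
    "findings": [
        {"severity": "MEDIUM", "title": "constructed medium finding"},
        {"severity": "HIGH", "title": "constructed high finding"},
    ],
}

if __name__ == "__main__":
    threshold = sys.argv[1] if len(sys.argv) > 1 else "CRITICAL,HIGH"
    code, reasons = evaluate_report(SAMPLE_REPORT, threshold)
    print(json.dumps({"exit_code": code, "reasons": reasons}, indent=2))
    sys.exit(code)
```

Run it with a threshold argument (e.g. `python gate.py CRITICAL`) to see how the development-tier setting lets the same report through while the default blocks it.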
Download the model-scan-report.json artifact to see:
- Detailed finding descriptions
- Severity classifications
- Affected model components
- Remediation recommendations
Error: Failed to obtain SCM access token
Causes:
- Invalid `MODEL_SECURITY_CLIENT_ID` or `MODEL_SECURITY_CLIENT_SECRET`
- Incorrect `TSG_ID`
- Network connectivity issues
Fix:
- Verify credentials in the Prisma AIRS console
- Confirm the TSG ID matches your tenant
- Check that repository secrets are set correctly
Error: Failed to retrieve PyPI URL
Causes:
- SCM authentication failed
- API endpoint misconfigured
Fix:
- Verify `MODEL_SECURITY_API_ENDPOINT` is set correctly
- Check the SCM token has the proper permissions
- Review `getPYPIurl.sh` output for detailed errors
Error: Workflow exceeds 30-minute timeout
Causes:
- Large model files
- Network latency to Hugging Face
- API rate limiting
Fix:
- Use smaller models for testing
- Contact Palo Alto Networks support for rate limit increases
- Consider local model scanning instead of remote URLs
Issue: Legitimate model flagged as malicious
Resolution:
- Review the scan report details
- Adjust security profile thresholds in the Prisma AIRS console
- Use `fail_on_severity` to temporarily allow MEDIUM/LOW findings
- Contact PANW support with the scan ID for investigation
```bash
# Install dependencies
pip install model-security-client tenacity

# Set environment variables
export MODEL_SECURITY_CLIENT_ID="your-client-id"
export MODEL_SECURITY_CLIENT_SECRET="your-client-secret"
export TSG_ID="your-tsg-id"
export MODEL_SECURITY_API_ENDPOINT="https://api.sase.paloaltonetworks.com/aims"
export MODEL_SECURITY_TOKEN_ENDPOINT="https://auth.apps.paloaltonetworks.com/oauth2/access_token"

# Run scan
python model_scan.py \
  --model-path "https://huggingface.co/bert-base-uncased" \
  --security-group-id "your-security-group-uuid" \
  --fail-on-severity "CRITICAL,HIGH"
```

```bash
# Make script executable
chmod +x getPYPIurl.sh

# Get PyPI URL
./getPYPIurl.sh
```

Pipeline stages:
- Install - Authenticate to the private PyPI index and install `model-security-client`
- Scan - Download the model, perform security analysis, validate findings
- Artifact - Save the scan report for the audit trail (runs even on failure)
Security features:
- Ephemeral Credentials: PyPI URLs are generated on demand and never stored
- Fail-Safe Defaults: Only explicitly safe outcomes are allowed
- Exit Code Enforcement: Violations return exit code 1, blocking deployment
- Artifact Retention: Scan reports are saved for compliance audits
- HTTPS-Only: Insecure HTTP model URLs are rejected
Add this workflow as a required status check for pull requests:
```yaml
on:
  pull_request:
    paths:
      - 'models/**'
      - 'requirements.txt'
```
Create separate security profiles for each environment:
- Development: Permissive (CRITICAL only)
- Staging: Moderate (CRITICAL + HIGH)
- Production: Strict (CRITICAL + HIGH + MEDIUM)
When a scan fails:
- Download the scan report artifact
- Identify the specific findings
- Determine if it's a true positive or false positive
- If true positive: quarantine the model, investigate source
- If false positive: adjust security profile, create exception
- Documentation: Prisma AIRS Documentation
- Issues: Report bugs or feature requests in this repository
- Enterprise Support: Contact Palo Alto Networks support with your TSG ID
This repository is provided as a reference implementation. Modify as needed for your organization's requirements.
Security Note: This pipeline only prevents deployment of flagged models. Implement runtime monitoring with Prisma AIRS for defense-in-depth protection against zero-day model attacks.
Scott Thornton — AI Security Researcher
- Website: perfecxion.ai
- Email: [email protected]
- LinkedIn: linkedin.com/in/scthornton
- ORCID: 0009-0008-0491-0032
- GitHub: @scthornton
Security Issues: Please report via SECURITY.md