SecAI-Hub
diff --git a/‎docs/test-counts.json‎
Lines changed: 4 additions & 4 deletions b/‎docs/test-counts.json‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎files/scripts/build-services.sh‎
Lines changed: 9 additions & 1 deletion b/‎files/scripts/build-services.sh‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎recipes/recipe.yml‎
Lines changed: 1 addition & 0 deletions b/‎recipes/recipe.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎services/diffusion-worker/Containerfile.sandbox‎
Lines changed: 3 additions & 3 deletions b/‎services/diffusion-worker/Containerfile.sandbox‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎services/diffusion-worker/app.py‎
Lines changed: 6 additions & 6 deletions b/‎services/diffusion-worker/app.py‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎services/quarantine/quarantine/pipeline.py‎
Lines changed: 15 additions & 1 deletion b/‎services/quarantine/quarantine/pipeline.py‎
Lines changed: 15 additions & 1 deletion
@@ -2,7 +2,7 @@
   "generated": "2026-04-28",
   "go": {
     "airlock": 11,
-    "registry": 21,
+    "registry": 22,
     "tool-firewall": 15,
     "gpu-integrity-watch": 62,
     "mcp-firewall": 71,
@@ -11,7 +11,7 @@
     "integrity-monitor": 50,
     "incident-recorder": 97
   },
-  "go_total": 427,
-  "python_total": 1117,
-  "grand_total": 1544
+  "go_total": 428,
+  "python_total": 1119,
+  "grand_total": 1547
 }
@@ -341,7 +341,15 @@ for scanner in ${SCANNERS}; do
     echo "  Installing: ${scanner}"
     scanner_venv="${SCANNER_ROOT}/${scanner}"
     scanner_package="$(scanner_package_spec "${scanner}")"
-    if python3 -m venv "${scanner_venv}" && \
+    scanner_python="${SCANNER_PYTHON:-python3}"
+    if [ "${scanner}" = "modelscan" ]; then
+        # Upstream modelscan 0.8.x currently declares Python <3.13. Keep it
+        # isolated on Fedora's still-supported Python 3.12 until the audited
+        # fork is intentionally integrated.
+        scanner_python="${MODELSCAN_PYTHON:-python3.12}"
+    fi
+    if command -v "${scanner_python}" >/dev/null 2>&1 && \
+        "${scanner_python}" -m venv "${scanner_venv}" && \
         "${scanner_venv}/bin/python" -m pip install --no-cache-dir --upgrade \
             pip==26.0.1 setuptools==82.0.1 wheel==0.46.2 && \
         "${scanner_venv}/bin/python" -m pip install --no-cache-dir "${scanner_package}" && \
 
@@ -18,6 +18,7 @@ modules:
       - cosign
       - jq
       - python3
+      - python3.12                    # modelscan 0.8.x declares Python <3.13
       - python3-pip
       - python3-pyyaml
       - python3-flask
 
@@ -1,11 +1,11 @@
 ARG COMPUTE=cpu
 ARG TORCH_CUDA_VERSION=2.6.0+cu124
 ARG TORCH_ROCM_VERSION=2.5.1+rocm6.1
-ARG TORCH_CPU_VERSION=2.6.0+cpu
+ARG TORCH_CPU_VERSION=2.11.0+cpu
 ARG TORCHVISION_CUDA_VERSION=0.21.0+cu124
 ARG TORCHVISION_ROCM_VERSION=0.20.1+rocm6.1
-ARG TORCHVISION_CPU_VERSION=0.21.0+cpu
-ARG IPEX_CPU_VERSION=2.6.0
+ARG TORCHVISION_CPU_VERSION=0.26.0+cpu
+ARG IPEX_CPU_VERSION=2.11.0
 
 FROM cgr.dev/chainguard/python:latest-dev@sha256:2c0fbbac86b72ebb4bfee15b64d8cd5fd6b49dfe7bb279b5c9f193198a84c1c9 AS build
 
 
@@ -392,9 +392,9 @@ def generate_image():
             },
         })
 
-    except Exception as e:
+    except Exception:
         log.exception("image generation failed")
-        return jsonify({"error": str(e)}), 500
+        return jsonify({"error": "image generation failed"}), 500
 
 
 # --- Video Generation ---
@@ -523,9 +523,9 @@ def generate_video():
             },
         })
 
-    except Exception as e:
+    except Exception:
         log.exception("video generation failed")
-        return jsonify({"error": str(e)}), 500
+        return jsonify({"error": "video generation failed"}), 500
 
 
 # --- Image-to-Image ---
@@ -613,9 +613,9 @@ def generate_img2img():
             "elapsed_seconds": elapsed,
         })
 
-    except Exception as e:
+    except Exception:
         log.exception("img2img generation failed")
-        return jsonify({"error": str(e)}), 500
+        return jsonify({"error": "img2img generation failed"}), 500
 
 
 # --- Unload / Memory Management ---
 
@@ -49,6 +49,20 @@ def _http_urlopen(target, timeout: int = 30):
         raise URLError(f"unsupported URL scheme: {scheme or 'none'}")
     return urlopen(target, timeout=timeout)  # nosec B310
 
+
+def _source_registry_host(source_url: str) -> str:
+    """Extract a registry host from a URL or image reference."""
+    raw = str(source_url or "").strip()
+    if not raw:
+        return ""
+    parsed = urlparse(raw if "://" in raw else f"//{raw}")
+    return (parsed.hostname or "").lower().rstrip(".")
+
+
+def _supports_cosign_provenance(source_url: str) -> bool:
+    host = _source_registry_host(source_url)
+    return host in {"ghcr.io", "docker.io"} or host.endswith(".docker.io")
+
 MODELS_LOCK_PATH = Path(
     os.getenv("MODELS_LOCK_PATH", "/etc/secure-ai/policy/models.lock.yaml")
 )
@@ -533,7 +547,7 @@ def check_provenance(artifact_path: Path, source_url: str) -> dict:
     except (FileNotFoundError, subprocess.TimeoutExpired):
         has_cosign = False
 
-    if has_cosign and ("ghcr.io" in source_url or "docker.io" in source_url):
+    if has_cosign and _supports_cosign_provenance(source_url):
         try:
             result = subprocess.run(
                 ["cosign", "verify", "--key", "/etc/secure-ai/keys/cosign.pub", source_url],