Rule Reference
Sentinel detection rules organize model-file, prompt, agent, container, archive, secret, and supply-chain risks into searchable categories.
Categories
- PICKLE — Detects unsafe Python pickle streams, joblib artifacts, and embedded pickle payloads in ML model files.
- TORCH — Detects unsafe PyTorch checkpoint loading, TorchScript custom operators, and dynamic hub imports.
- ONNX — Detects risky ONNX graph metadata, external tensor paths, and custom operators.
- Safetensors — Detects malformed safetensors headers, suspicious tensor metadata, and missing integrity controls.
- GGUF — Detects malformed GGUF metadata, risky chat templates, and untrusted quantized model bundles.
- Network — Detects model, agent, or evaluation configurations that can reach sensitive network locations.
- Symbols — Detects dangerous exported symbols, native library load hooks, and unresolved entry points in model runtimes.
- JIT — Detects unsafe just-in-time compilation, dynamic evaluation, and cache poisoning patterns in AI workloads.
- CVE — Detects known vulnerable packages, runtimes, model-serving components, and scanner advisory matches.
- OCI — Detects risky container image configuration, secrets in layers, and unpinned base images.
- 7Z — Detects traversal, decompression bombs, and unsafe links in 7z archives used for model bundles.
- Manifest — Detects unsafe model, plugin, MCP, and agent manifests with risky permissions or missing integrity fields.
- Jinja2 — Detects server-side template injection and unsafe template constructs in prompt, chat, and report templates.
- Compressed — Detects unsafe compressed archives across ZIP, tar, gzip, xz, and nested model bundles.
- RAR — Detects traversal, decompression bombs, and opaque encrypted payloads in RAR archives.
- Secrets — Detects credentials, private keys, tokens, and sensitive data embedded in model artifacts and adjacent files.
- Size limits — Reports files, archives, or tensor metadata that exceed safe scanning and runtime thresholds.
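The Safetensors entry above covers the two checks a practitioner most often wants to reproduce by hand: the 8-byte header length prefix, and whether each tensor's declared byte range agrees with its dtype and shape. The following validator is an added example written for this page, not Sentinel's own detector; it parses the safetensors layout (little-endian u64 header length, JSON header, raw tensor bytes) without allocating any tensor memory. The header cap, the rule IDs it attaches to findings, and the three sample files are assumptions made for the example.

```python
import json
import struct

# Byte size per element for the safetensors dtype names this check understands.
DTYPE_SIZES = {
    "F64": 8, "I64": 8, "U64": 8, "F32": 4, "I32": 4, "U32": 4,
    "F16": 2, "BF16": 2, "I16": 2, "U16": 2, "I8": 1, "U8": 1, "BOOL": 1,
}
# Assumed policy value for this example (the reference safetensors loader refuses headers above 100 MB).
MAX_HEADER_BYTES = 100_000_000


def pack_safetensors(header: dict, payload: bytes) -> bytes:
    """Serialise a raw header dict plus data section in the safetensors layout:
    8-byte little-endian header length, JSON header, then the tensor bytes."""
    raw = json.dumps(header).encode()
    return struct.pack("<Q", len(raw)) + raw + payload


def build_safetensors(tensors: dict) -> bytes:
    """Build a consistent file from {name: (dtype, shape, raw_bytes)}, computing data_offsets."""
    header, payload = {}, b""
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape,
                        "data_offsets": [len(payload), len(payload) + len(raw)]}
        payload += raw
    return pack_safetensors(header, payload)


def check_safetensors(data: bytes, max_header: int = MAX_HEADER_BYTES) -> list:
    """Return (rule_id, detail) findings for one safetensors blob; never loads a tensor."""
    if len(data) < 8:
        return [("SAFETENSORS-HEADER-OVERFLOW", "file shorter than the 8-byte length prefix")]
    (n,) = struct.unpack("<Q", data[:8])
    if n > max_header or n > len(data) - 8:
        return [("SAFETENSORS-HEADER-OVERFLOW", f"declared header length {n} exceeds policy or file size")]
    try:
        header = json.loads(data[8:8 + n])
    except ValueError:
        return [("SAFETENSORS-HEADER-OVERFLOW", "header is not valid JSON")]
    payload_len = len(data) - 8 - n
    findings = []
    for name, meta in header.items():
        if name == "__metadata__":          # free-form string map, carries no tensor data
            continue
        size = DTYPE_SIZES.get(meta.get("dtype"))
        shape = meta.get("shape", [])
        start, end = meta.get("data_offsets", [0, 0])
        if size is None:
            findings.append(("SAFETENSORS-DTYPE-SHAPE-MISMATCH", f"{name}: unknown dtype {meta.get('dtype')!r}"))
            continue
        expected = size
        for dim in shape:                   # empty shape is a scalar: exactly one element
            expected *= dim
        if not (0 <= start <= end <= payload_len) or end - start != expected:
            findings.append(("SAFETENSORS-DTYPE-SHAPE-MISMATCH",
                             f"{name}: data_offsets [{start}, {end}) do not match "
                             f"{meta['dtype']}{shape} = {expected} bytes within {payload_len} bytes of data"))
    return findings


# Constructed samples: a consistent 2x3 float32 tensor, a header that claims 1 MB for 24 bytes of data,
# and a file whose length prefix claims a 1 TiB header.
GOOD = build_safetensors({"w": ("F32", [2, 3], bytes(24))})
BAD_RANGE = pack_safetensors({"w": {"dtype": "F32", "shape": [2, 3], "data_offsets": [0, 1_000_000]}}, bytes(24))
HUGE_HEADER = struct.pack("<Q", 1 << 40) + b"{}"

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad_range", BAD_RANGE), ("huge_header", HUGE_HEADER)):
        print(label, check_safetensors(blob))
```

The order of the checks matters: the length prefix is validated against both the policy cap and the actual file size before the JSON is parsed, so a hostile prefix can never drive an oversized read, and byte ranges are compared against the real data section length rather than trusted from the header.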
Which rule family should you start with?
If you are starting AI security from scratch, keep the order simple: first Secrets and PICKLE/TORCH findings, which carry direct production risk (exposed credentials and code execution at model load time), then MANIFEST/Network boundaries for agents and MCP servers, and finally Size limits and metadata hygiene.
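Pickle findings come first because a pickle stream is a program for a stack machine, and a GLOBAL or STACK_GLOBAL followed by REDUCE can call any importable function at load time. The scanner below is an added example for this page, not Sentinel's own PICKLE rule implementation; it walks the opcode stream with the standard library's pickletools so nothing is ever unpickled, and attaches the three PICKLE rule IDs from the index to its findings. The allowlist of permitted globals, the mapping of opcodes to findings, and the sample payload are assumptions made for the example.

```python
import pickle
import pickletools

# Opcodes that push a string literal (STACK_GLOBAL takes its module and name from the two most recent ones).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that invoke a callable or set attributes during load; with an unapproved global they mean code execution.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
# Assumed allowlist for this example: globals a plain PyTorch state_dict checkpoint legitimately references.
ALLOWED_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
                   "torch.FloatStorage", "torch.HalfStorage"}


def scan_pickle(data: bytes, allowed=ALLOWED_GLOBALS) -> list:
    """Walk the opcode stream with pickletools (nothing is unpickled) and return (rule_id, detail) findings."""
    imports, strings, calls = [], [], 0
    try:
        for op, arg, pos in pickletools.genops(data):
            if op.name in STRING_OPS:
                strings.append(arg)
            if op.name in ("GLOBAL", "INST"):
                imports.append(arg.replace(" ", ".", 1))       # pickletools yields "module name"
            elif op.name == "STACK_GLOBAL":
                imports.append(".".join(strings[-2:]))         # simplification: assumes literal module/name were just pushed
            if op.name in CALL_OPS:
                calls += 1
    except Exception as exc:                                   # truncated or malformed opcode stream
        return [("PICKLE-STRUCT", f"opcode stream rejected: {exc}")]
    unexpected = sorted(set(imports) - set(allowed))
    findings = [("PICKLE-GLOBAL-IMPORT", name) for name in unexpected]
    if unexpected and calls:
        findings.insert(0, ("PICKLE-EXEC", f"{calls} call opcode(s) reach unapproved globals {unexpected}"))
    return findings


class Evil:
    """Constructed sample: an object whose __reduce__ makes the loader call eval()."""
    def __reduce__(self):
        return (eval, ("__import__('os').system('id')",))


BENIGN = pickle.dumps({"layer.weight": [0.1, 0.2], "epoch": 3}, protocol=4)
MALICIOUS = pickle.dumps(Evil(), protocol=4)   # serialising does not run the payload; pickle.load() would

if __name__ == "__main__":
    print("benign   ", scan_pickle(BENIGN))
    print("malicious", scan_pickle(MALICIOUS))
    print("truncated", scan_pickle(MALICIOUS[:-3]))
```

Note the split the index makes: an unexpected global alone is PICKLE-GLOBAL-IMPORT, while an unexpected global that a REDUCE, NEWOBJ or BUILD actually invokes is PICKLE-EXEC, and a stream pickletools cannot walk to STOP is PICKLE-STRUCT. Real checkpoints do contain REDUCE calls (tensor rebuilding), which is why the decision is made against an allowlist rather than on the presence of call opcodes alone.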
RECOMMENDED START
- If you download models or HuggingFace repos: PICKLE, TORCH, SAFETENSORS, GGUF.
- If you use LLM agents or MCP: MANIFEST, Network, Jinja2, Secrets.
- If you build CI/CD gates: CVE, OCI, Compressed, Size limits.
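For the agent and MCP track, the Network rules reduce to a question you can answer offline from a parsed config: which hosts can the runtime reach, and is the model it pulls pinned to a digest? The checker below is an added example for this page, not Sentinel's own NET rule code. It assumes a config shape of {"model": {"url", "sha256"}, "tools": [{"name", "url"}]}, an approved-host list, and a local POLICY-HOST-NOT-APPROVED label for public hosts outside that list (that label is not a Sentinel rule ID); DNS names are never resolved, only literal IPs and the well-known metadata hosts are classified.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Cloud instance metadata endpoints: the shared link-local IPv4 address, GCP's hostname, AWS IMDS over IPv6.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}
# Assumed policy for this example: the only hosts an agent in this deployment may call.
ALLOWED_HOSTS = {"api.openai.com", "huggingface.co"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def classify_host(host: str) -> str:
    """'metadata', 'private' or 'public' for literal addresses; 'name' for DNS names (never resolved here)."""
    host = host.lower()
    if host in METADATA_HOSTS:
        return "metadata"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    if ip.is_loopback or ip.is_link_local or ip.is_private:
        return "private"
    return "public"


def check_agent_config(cfg: dict, allowed=ALLOWED_HOSTS) -> list:
    """Return (rule_id, item, host) findings for a parsed agent/MCP config of the assumed shape."""
    findings = []
    model = cfg.get("model", {})
    items = [("model", model.get("url", ""))]
    items += [(t.get("name", "?"), t.get("url", "")) for t in cfg.get("tools", [])]
    for item, url in items:
        if not url:
            continue
        host = urlparse(url).hostname or ""        # strips IPv6 brackets and lowercases
        kind = classify_host(host)
        if kind == "metadata":
            findings.append(("NET-METADATA-ENDPOINT", item, host))
        elif kind == "private":
            findings.append(("NET-PRIVATE-RANGE-EGRESS", item, host))
        elif host not in allowed:
            findings.append(("POLICY-HOST-NOT-APPROVED", item, host))   # local label, not a Sentinel rule ID
    model_url = model.get("url", "")
    if model_url.startswith(("http://", "https://")) and not SHA256_RE.match(model.get("sha256", "")):
        findings.append(("NET-UNPINNED-MODEL-URL", "model", urlparse(model_url).hostname or ""))
    return findings


# Constructed sample config: one approved tool, two metadata-service reads, a database on a private range,
# an intranet host outside the allowlist, and a model URL with no digest.
SAMPLE_CONFIG = {
    "model": {"url": "https://huggingface.co/org/model/resolve/main/model.safetensors"},
    "tools": [
        {"name": "search", "url": "https://api.openai.com/v1/responses"},
        {"name": "creds", "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"},
        {"name": "creds6", "url": "http://[fd00:ec2::254]/latest/meta-data/"},
        {"name": "db", "url": "http://10.0.0.12:5432/"},
        {"name": "wiki", "url": "https://intranet.example.internal/api"},
    ],
}

if __name__ == "__main__":
    for finding in check_agent_config(SAMPLE_CONFIG):
        print(*finding)
```

Static classification is only half of the boundary: a hostname that passes the allowlist can still resolve to 169.254.169.254 at runtime, so the egress policy this check informs should be enforced at the network layer (a proxy or egress firewall that blocks the metadata address and private ranges) rather than in the agent's own config.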
Rule index
The Category column uses the rule ID prefix, so the Network, Symbols, Secrets and Size limits families above appear as NET, SYM, MODEL-SECRET and SCAN-SIZE.
| Rule ID | Category | Severity | Title | CWE | Fix Hint |
|---|---|---|---|---|---|
| PICKLE-EXEC | PICKLE | CRITICAL | Dangerous Pickle Execution | CWE-502 | Do not load untrusted pickle files. Convert the artifact to a non-executable format. |
| PICKLE-GLOBAL-IMPORT | PICKLE | HIGH | Unexpected Global Import | CWE-502, CWE-829 | Restrict allowed globals and require signed model artifacts. |
| PICKLE-STRUCT | PICKLE | HIGH | Pickle Opcode Structural Tampering | CWE-915 | Reject structurally abnormal pickle artifacts during intake. |
| TORCH-LOAD-UNTRUSTED | TORCH | CRITICAL | Untrusted torch.load Deserialization | CWE-502 | Load tensors, not executable Python objects: use torch.load(..., weights_only=True) or a safetensors file. |
| TORCH-SCRIPT-CUSTOM-OP | TORCH | HIGH | TorchScript Custom Operator | CWE-94, CWE-829 | Review and sign custom operators before promotion. |
| TORCH-HUB-DYNAMIC-IMPORT | TORCH | MEDIUM | Dynamic Torch Hub Import | CWE-829, CWE-494 | Replace remote hub execution with pinned, vendored model code. |
| ONNX-EXTERNAL-DATA-PATH | ONNX | HIGH | External Data Path Escape | CWE-22 | Reject external data paths outside the model bundle. |
| ONNX-CUSTOM-OP | ONNX | HIGH | ONNX Custom Operator | CWE-94, CWE-829 | Approve custom operators explicitly or remove them from the graph. |
| ONNX-METADATA-TAMPER | ONNX | MEDIUM | Suspicious ONNX Metadata | CWE-345 | Add provenance metadata and sign the model release. |
| SAFETENSORS-HEADER-OVERFLOW | SAFETENSORS | HIGH | Oversized Safetensors Header | CWE-400, CWE-770 | Keep safetensors headers small and predictable. |
| SAFETENSORS-DTYPE-SHAPE-MISMATCH | SAFETENSORS | MEDIUM | Tensor Shape and Byte Range Mismatch | CWE-20 | Validate tensor byte ranges before loading. |
| SAFETENSORS-MISSING-HASH | SAFETENSORS | LOW | Missing Safetensors Integrity Hash | CWE-345 | Hash and sign safetensors artifacts. |
| GGUF-METADATA-OVERFLOW | GGUF | HIGH | GGUF Metadata Overflow Pattern | CWE-190, CWE-787 | Do not load malformed GGUF metadata. |
| GGUF-JINJA-TEMPLATE | GGUF | HIGH | Unsafe GGUF Chat Template | CWE-94 | Review tokenizer templates before use. |
| GGUF-UNTRUSTED-QUANT | GGUF | MEDIUM | Untrusted Quantized Model | CWE-345 | Treat quantized models as release artifacts with provenance. |
| NET-METADATA-ENDPOINT | NET | HIGH | Cloud Metadata Endpoint Access | CWE-918 | Deny metadata service access from model and agent runtimes. |
| NET-PRIVATE-RANGE-EGRESS | NET | MEDIUM | Private Network Egress | CWE-200 | Constrain agent network access to approved hosts. |
| NET-UNPINNED-MODEL-URL | NET | MEDIUM | Unpinned Remote Model URL | CWE-494 | Download only hash-verified model artifacts. |
| SYM-DANGEROUS-EXPORT | SYM | HIGH | Dangerous Native Export | CWE-749 | Block native plugins with dangerous exports unless explicitly approved. |
| SYM-NATIVE-LOAD-HOOK | SYM | HIGH | Unsafe Native Load Hook | CWE-829 | Pin native loader paths to signed artifacts. |
| SYM-UNRESOLVED-ENTRYPOINT | SYM | LOW | Unresolved Native Entrypoint | CWE-477 | Keep native runtime ABI and extension versions aligned. |
| JIT-EVAL-COMPILE | JIT | HIGH | Dynamic eval or compile | CWE-95 | Do not compile user-controlled strings. |
| JIT-DYNAMIC-KERNEL | JIT | HIGH | Dynamic Kernel Generation | CWE-94 | Separate kernel code from runtime data. |
| JIT-CACHE-POISONING | JIT | MEDIUM | Writable JIT Cache | CWE-345 | Protect compiled caches from untrusted writes. |
| CVE-KNOWN-EXPLOITED | CVE | CRITICAL | Known Exploited Vulnerability | CWE-1104 | Upgrade to a fixed version before release. |
| CVE-VULNERABLE-RUNTIME | CVE | HIGH | Vulnerable AI Runtime Component | CWE-1104 | Patch model-serving and parser dependencies. |
| CVE-STALE-ADVISORY-DATA | CVE | INFO | Stale Advisory Data | CWE-1104 | Keep vulnerability intelligence current. |
| OCI-ROOT-USER | OCI | MEDIUM | Container Runs as Root | CWE-250 | Set a non-root USER in the image. |
| OCI-SECRET-IN-LAYER | OCI | CRITICAL | Secret in Container Layer | CWE-798 | Never bake credentials into images. |
| OCI-UNPINNED-BASE | OCI | MEDIUM | Unpinned Base Image | CWE-494 | Use immutable OCI digests for base images. |
| 7Z-PATH-TRAVERSAL | 7Z | HIGH | 7z Path Traversal | CWE-22 | Block archive entries that resolve outside the destination root. |
| 7Z-BOMB | 7Z | HIGH | 7z Decompression Bomb | CWE-409 | Cap archive extraction size and nesting depth. |
| 7Z-SYMLINK-ESCAPE | 7Z | MEDIUM | 7z Symlink Escape | CWE-59 | Treat archive links as untrusted paths. |
| MANIFEST-REMOTE-CODE | MANIFEST | HIGH | Manifest Loads Remote Code | CWE-829 | Do not execute mutable remote manifest code. |
| MANIFEST-OVERBROAD-TOOLS | MANIFEST | HIGH | Overbroad Agent Tool Permissions | CWE-266 | Narrow agent tool permissions before deployment. |
| MANIFEST-MISSING-INTEGRITY | MANIFEST | MEDIUM | Missing Manifest Integrity | CWE-353 | Record and verify artifact integrity in manifests. |
| JINJA2-SSTI-001 | JINJA2 | CRITICAL | Server-Side Template Injection | CWE-94 | Treat prompt templates as code and review them before load. |
| JINJA2-UNSANDBOXED-TEMPLATE | JINJA2 | HIGH | Unsandboxed Jinja2 Rendering | CWE-94 | Sandbox template rendering and avoid dynamic template strings. |
| JINJA2-SECRET-EXPOSURE | JINJA2 | HIGH | Template Secret Exposure | CWE-200 | Keep credentials out of render context. |
| COMPRESSED-ZIP-SLIP | COMPRESSED | HIGH | Compressed Archive Path Traversal | CWE-22 | Normalize archive paths before extraction. |
| COMPRESSED-DECOMPRESSION-BOMB | COMPRESSED | HIGH | Decompression Bomb | CWE-409 | Limit archive expansion and file counts. |
| COMPRESSED-NESTED-DEPTH | COMPRESSED | MEDIUM | Excessive Nested Archive Depth | CWE-400 | Avoid deeply nested model bundles. |
| RAR-PATH-TRAVERSAL | RAR | HIGH | RAR Path Traversal | CWE-22 | Block RAR entries outside the target directory. |
| RAR-BOMB | RAR | HIGH | RAR Decompression Bomb | CWE-409 | Constrain RAR extraction size. |
| RAR-ENCRYPTED-PAYLOAD | RAR | MEDIUM | Encrypted RAR Payload | CWE-693 | Do not promote opaque encrypted archives. |
| MODEL-SECRET-API-KEY | MODEL-SECRET | CRITICAL | API Key in Model Bundle | CWE-798 | Rotate exposed API keys immediately. |
| MODEL-SECRET-PRIVATE-KEY | MODEL-SECRET | CRITICAL | Private Key in Artifact | CWE-522 | Never publish private keys in model repositories. |
| MODEL-SECRET-PII | MODEL-SECRET | HIGH | Sensitive Personal Data in Model Context | CWE-200 | Keep real user data out of model release bundles. |
| SCAN-SIZE-MAX-FILE | SCAN-SIZE | INFO | File Exceeds Scan Size Policy | CWE-400 | Tune max file size intentionally. |
| SCAN-SIZE-ARCHIVE-RATIO | SCAN-SIZE | MEDIUM | Archive Expansion Ratio Exceeds Policy | CWE-409 | Limit decompression ratio. |
| SCAN-SIZE-TENSOR-DIMENSION | SCAN-SIZE | MEDIUM | Excessive Tensor Dimension | CWE-770 | Reject tensor metadata that exceeds runtime budgets. |
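The archive rules in the index (COMPRESSED-ZIP-SLIP, COMPRESSED-DECOMPRESSION-BOMB, COMPRESSED-NESTED-DEPTH and SCAN-SIZE-ARCHIVE-RATIO) can all be decided from central-directory metadata before a single byte is extracted. The gate below is an added example for this page, not Sentinel's own archive scanner; it handles ZIP only (the 7Z and RAR families need their own readers), and its thresholds, its split between the ratio and bomb findings, and the sample bundle are assumptions made for the example. Entry names are checked with posixpath normalisation because the ZIP format stores forward-slash paths and zipfile only sanitises them at extraction time.

```python
import io
import posixpath
import zipfile

# Assumed policy values for this example.
MAX_RATIO = 100.0        # uncompressed / compressed over the whole archive
MAX_TOTAL = 1 << 30      # 1 GiB cap on declared expansion
MAX_DEPTH = 1            # archives nested inside archives
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar", ".tar.gz", ".tgz", ".xz")


def entry_escapes(name: str) -> bool:
    """True if an archive member name would resolve outside the extraction root."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True                                   # absolute path or Windows drive letter
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def check_zip(data: bytes, depth: int = 0, max_ratio=MAX_RATIO, max_total=MAX_TOTAL, max_depth=MAX_DEPTH) -> list:
    """Gate a ZIP model bundle from declared sizes and names; nothing is written to disk."""
    findings = []
    total_unc = total_comp = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total_unc += info.file_size
            total_comp += info.compress_size
            if entry_escapes(info.filename):
                findings.append(("COMPRESSED-ZIP-SLIP", info.filename))
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                if depth + 1 > max_depth:
                    findings.append(("COMPRESSED-NESTED-DEPTH", info.filename))
                elif info.filename.lower().endswith(".zip") and info.file_size <= max_total:
                    # recurse into a nested zip whose declared size is within budget
                    findings += check_zip(zf.read(info), depth + 1, max_ratio, max_total, max_depth)
    ratio = total_unc / max(total_comp, 1)
    if total_unc > max_total:
        findings.append(("COMPRESSED-DECOMPRESSION-BOMB", f"declares {total_unc} bytes, cap {max_total}"))
    elif ratio > max_ratio:
        findings.append(("SCAN-SIZE-ARCHIVE-RATIO", f"{ratio:.0f}x expansion, policy {max_ratio:.0f}x"))
    return findings


def make_zip(entries: dict, compression=zipfile.ZIP_DEFLATED) -> bytes:
    """Constructed-sample helper; writestr does not sanitise names, so traversal entries can be built."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample bundle: a config file, a zip-slip entry, 8 MiB of zeros (deflates at roughly 1000:1),
# and a zip nested two levels deep.
INNER2 = make_zip({"weights.bin": b"\x00" * 16})
INNER = make_zip({"inner2.zip": INNER2})
SAMPLE_BUNDLE = make_zip({
    "model/config.json": b'{"arch": "llama"}',
    "../../etc/cron.d/job": b"* * * * * root /tmp/run.sh\n",
    "model/padding.bin": b"\x00" * (8 << 20),
    "bundle/inner.zip": INNER,
})

if __name__ == "__main__":
    for finding in check_zip(SAMPLE_BUNDLE):
        print(*finding)
```

The declared sizes are an attacker-controlled claim too, so a gate like this is a first filter, not the last line of defence: extraction itself should still run under a byte budget that aborts when the real output exceeds the declared total.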
Eresus support
Turn the finding into an action your team can actually close.
If you need exploit evidence, prioritization, remediation direction, and retesting for Sentinel rule-set and release-gate design, Eresus can help scope the work with your team.