ONNX Model Rules

Detects risky ONNX graph metadata, external tensor paths, and custom operators.

Definition

The ONNX rule family turns findings on this surface into actionable records with rule ID, severity, CWE, OWASP LLM mapping, owner, release decision, and retest command.

ONNX is safer than pickle for weights, but graph metadata and external data references can still be abused for path traversal, tampering, or unsafe runtime behavior.

Canonical help URL

Supported inputs

.onnx
.pb
.ort
ONNX external data sidecars

Typical attack scenarios

A model references tensor data outside the expected model directory.
A custom operator requires an untrusted runtime extension.
Metadata hides provenance changes or unexpected producer fields.

Detection logic

Sentinel ties ONNX evidence to reproducible signals such as file path, metadata, opcode, AST node, manifest field, dependency, or archive entry. The same signal should disappear when the finding is closed.

Triage

Do not read ONNX findings as scanner noise. Verify the evidence first, map the finding to a severity-based release decision, and then produce closure evidence with the same Sentinel command.

Operational checklist

Source: where did the file, manifest, prompt, archive, or dependency come from?
Impact: code execution, data leakage, supply chain, or resource consumption?
Control: allowlist, hash, sandbox, egress policy, or secret rotation?
Evidence: does the same rule category return clean after the fix?

Remediation

Remediation should change the risk boundary, not merely silence the finding: remove executable formats, pin source or hash, narrow tool permissions, rotate secrets, or add runtime sandboxing.

CI policy

sentinel-policy.yml

category: ONNX
fail_on:
  - CRITICAL
  - HIGH
ticket_on:
  - MEDIUM
retest: "sentinel artifact ./models/ --rule ONNX"

Rule index

Rule ID	Severity	Title	CWE	Fix Hint
ONNX-EXTERNAL-DATA-PATH	HIGH	External Data Path Escape	CWE-22	Reject external data paths outside the model bundle.
ONNX-CUSTOM-OP	HIGH	ONNX Custom Operator	CWE-94 CWE-829	Approve custom operators explicitly or remove them from the graph.
ONNX-METADATA-TAMPER	MEDIUM	Suspicious ONNX Metadata	CWE-345	Add provenance metadata and sign the model release.

ONNX-EXTERNAL-DATA-PATH — External Data Path Escape

HIGH

Rule ID	ONNX-EXTERNAL-DATA-PATH
Category	ONNX
Severity	HIGH
CWE	CWE-22
OWASP LLM	LLM03 — Supply Chain
FP Risk	LOW
Owner	AI/ML platform or model release owner
Release decision	Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Detects ONNX external tensor references that escape the artifact directory or use absolute paths.

Why it matters

ONNX is safer than pickle for weights, but graph metadata and external data references can still be abused for path traversal, tampering, or unsafe runtime behavior.

When it fires

Sentinel fires this rule in the ONNX category when it sees externaldataproto location value containing ../, absolute paths, url schemes, or platform-specific drive prefixes.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

ExternalDataProto location value containing ../, absolute paths, URL schemes, or platform-specific drive prefixes.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is low. If evidence points directly to a file, opcode, secret pattern, path, or manifest field, treat it as real and require closure evidence.

Triage

Operational checklist

Owner: AI/ML platform or model release owner.
Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
Evidence: ExternalDataProto location value containing ../, absolute paths, URL schemes, or platform-specific drive prefixes.
Closure: sentinel artifact ./models/ --rule ONNX must return clean output.

How to fix

Normalize paths, keep tensor sidecars inside the artifact root, and verify file hashes before load.

CLI

sentinel artifact ./models/ --rule ONNX

Policy example

sentinel-policy.yml

rules:
  ONNX-EXTERNAL-DATA-PATH:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule ONNX"

Expected output

ONNX-EXTERNAL-DATA-PATH HIGH
External Data Path Escape
Reject external data paths outside the model bundle.

Example

Bad

external_data: [
  { key: "location", value: "../../secrets.bin" }
]

Good

external_data: [
  { key: "location", value: "weights/model_data.bin" }
]
# Path is normalized and hash-pinned in the manifest.

Related rules

ONNX-CUSTOM-OP: ONNX Custom Operator
ONNX-METADATA-TAMPER: Suspicious ONNX Metadata

ONNX-CUSTOM-OP — ONNX Custom Operator

HIGH

Rule ID	ONNX-CUSTOM-OP
Category	ONNX
Severity	HIGH
CWE	CWE-94 CWE-829
OWASP LLM	LLM03 — Supply Chain
FP Risk	MEDIUM
Owner	AI/ML platform or model release owner
Release decision	Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Flags custom domains or operator references that require runtime extensions outside standard ONNX kernels.

Why it matters

ONNX is safer than pickle for weights, but graph metadata and external data references can still be abused for path traversal, tampering, or unsafe runtime behavior.

When it fires

Sentinel fires this rule in the ONNX category when it sees graph nodes with non-standard domain values or extension operator names.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Graph nodes with non-standard domain values or extension operator names.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist

Owner: AI/ML platform or model release owner.
Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
Evidence: Graph nodes with non-standard domain values or extension operator names.
Closure: sentinel artifact ./models/ --rule ONNX must return clean output.

How to fix

Require extension review, signed runtime packages, and sandboxed inference before production use.

CLI

sentinel artifact ./models/ --rule ONNX

Policy example

sentinel-policy.yml

rules:
  ONNX-CUSTOM-OP:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule ONNX"

Expected output

ONNX-CUSTOM-OP HIGH
ONNX Custom Operator
Approve custom operators explicitly or remove them from the graph.

Example

Bad

external_data: [
  { key: "location", value: "../../secrets.bin" }
]

Good

external_data: [
  { key: "location", value: "weights/model_data.bin" }
]
# Path is normalized and hash-pinned in the manifest.

Related rules

ONNX-EXTERNAL-DATA-PATH: External Data Path Escape
ONNX-METADATA-TAMPER: Suspicious ONNX Metadata

ONNX-METADATA-TAMPER — Suspicious ONNX Metadata

MEDIUM

Rule ID	ONNX-METADATA-TAMPER
Category	ONNX
Severity	MEDIUM
CWE	CWE-345
OWASP LLM	LLM03 — Supply Chain
FP Risk	MEDIUM
Owner	AI/ML platform or model release owner
Release decision	Assign an owner, fix within the sprint, and attach the retest command to the issue.

Description

Finds missing or inconsistent producer, domain, license, hash, or training provenance metadata.

Why it matters

ONNX is safer than pickle for weights, but graph metadata and external data references can still be abused for path traversal, tampering, or unsafe runtime behavior.

When it fires

Sentinel fires this rule in the ONNX category when it sees producer fields do not match the release manifest, metadata is stripped, or graph hash differs from recorded provenance.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Producer fields do not match the release manifest, metadata is stripped, or graph hash differs from recorded provenance.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist

Owner: AI/ML platform or model release owner.
Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
Evidence: Producer fields do not match the release manifest, metadata is stripped, or graph hash differs from recorded provenance.
Closure: sentinel artifact ./models/ --rule ONNX must return clean output.

How to fix

Regenerate the model card and release manifest from the trusted build pipeline.

CLI

sentinel artifact ./models/ --rule ONNX

Policy example

sentinel-policy.yml

rules:
  ONNX-METADATA-TAMPER:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule ONNX"

Expected output

ONNX-METADATA-TAMPER MEDIUM
Suspicious ONNX Metadata
Add provenance metadata and sign the model release.

Example

Bad

external_data: [
  { key: "location", value: "../../secrets.bin" }
]

Good

external_data: [
  { key: "location", value: "weights/model_data.bin" }
]
# Path is normalized and hash-pinned in the manifest.

Related rules

ONNX-EXTERNAL-DATA-PATH: External Data Path Escape
ONNX-CUSTOM-OP: ONNX Custom Operator

References

PreviousTORCH NextSafetensors