---
title: "Security policies for HuggingFace models"
description: "Hugging Face is an open-source platform and community for AI and machine learning, providing a central hub to find, share, and use thousands of pre-trained models, datasets, and demo applications for tasks like natural language processing. Cloudsmith EPM policies now support the HuggingFace format."
canonical_url: "https://cloudsmith.com/blog/extend-epm-policies-to-huggingface-artifacts"
last_updated: "2025-12-03T09:06:57.030Z"
---
# Security policies for HuggingFace models

By now it’s clear the use of GenAI tooling like Cursor and Claude has fundamentally changed how code is written. This shift, which we explored in depth in our previous post, moves the security perimeter beyond just the generated code. Today, every engineering team building an AI-native application must equally prioritise securing the AI models and LLMs they pull into their tech stack. This forces us to rethink supply chain security for the AI era.



This post will dive deep into a concrete solution: leveraging Cloudsmith's Enterprise Policy Manager ([**EPM**](https://help.cloudsmith.io/docs/enterprise-policy-management)) to enforce rigorous security and governance policies on LLMs and datasets sourced from the [**Hugging Face Hub**](https://huggingface.co/docs/hub/en/models-the-hub) and consumed via Cloudsmith.



## **A Custom Data Model for Hugging Face**

Effective governance hinges on detailed metadata. Cloudsmith addresses this by providing a customised data model specifically for Hugging Face models and datasets. This is the crucial enabler, allowing developers and SecOps teams to write granular policies in [**Rego**](https://www.openpolicyagent.org/docs/policy-language#why-use-rego) that target attributes unique to this package type.



The following examples showcase how EPM policies can be constructed to tackle common, yet critical, supply chain risks associated with adopting LLMs.  


```json
{
  "_key": "c48c13eb6aa8",
  "_type": "tableBlock",
  "caption": "Sample Rego Recipes for HuggingFace",
  "firstRowIsHeader": true,
  "markDefs": null,
  "table": {
    "rows": [
      {
        "_key": "56814cac-2642-4690-999f-de36bc4accb9",
        "_type": "tableRow",
        "cells": [
          "Policy Name",
          "Security Objective",
          "Rego"
        ]
      },
      {
        "_key": "4082eba5-cf03-4163-a622-60301a7b9c5e",
        "_type": "tableRow",
        "cells": [
          "Whitelist of trusted publishers",
          "Isolates risk by enforcing a pre-approved list of model creators  (eg: NVIDIA, Microsoft)",
          "https://github.com/cloudsmith-io/rego-recipes/blob/main/huggingface-recipes/trusted_publishers.rego"
        ]
      },
      {
        "_key": "84dc3294-c1bc-4dfc-9c76-f64d620c91dd",
        "_type": "tableRow",
        "cells": [
          "Block models with unsafe files",
          "Quarantines models based on aggregated security scan data from Hugging Face Hub (Clam AV, Protect AI, etc.)",
          "https://github.com/cloudsmith-io/rego-recipes/blob/main/huggingface-recipes/security_scan.rego"
        ]
      },
      {
        "_key": "c26540bc-48e5-4994-a77d-6fea0c732c20",
        "_type": "tableRow",
        "cells": [
          "Policy based on model card data",
          "Enables governance based on model provenance  (eg: blocking models trained on a specific, prohibited dataset)",
          "https://github.com/cloudsmith-io/rego-recipes/blob/main/huggingface-recipes/model_card.rego"
        ]
      },
      {
        "_key": "ca73a338-f358-479d-804c-eef3fb92f44e",
        "_type": "tableRow",
        "cells": [
          "Block models with risky file formats",
          "Mitigates deserialisation attacks by quarantining models containing inherently risky formats like pickle.",
          "https://github.com/cloudsmith-io/rego-recipes/blob/main/huggingface-recipes/risky_files.rego"
        ]
      }
    ]
  }
}
```



### **Whitelisting trusted publishers to enforce provenance**

For mature organisations, time-to-market often depends on leveraging high-quality, pre-vetted artifacts from established entities like [**NVIDIA**](https://huggingface.co/nvidia), [**Microsoft**](https://huggingface.co/microsoft), or [**Apple**](https://huggingface.co/apple). Instead of subjecting these known-good sources to redundant policy checks, you can use an EPM policy to create a allowlist.



**The Strategy:**

- Create a terminal policy with the highest precedence (`precedence: 0`).
- If the model's publisher is on the approved list, the policy immediately sets the package state to '`AVAILABLE`' and applies a '`trusted-publisher`' tag [**package action**](https://docs.cloudsmith.com/supply-chain-security/epm/getting-started#step-3-adding-actions-to-a-policy). All subsequent policies are bypassed, dramatically streamlining ingestion for high-confidence artifacts.



Below is the [**trusted_publishers.rego**](https://github.com/cloudsmith-io/rego-recipes/blob/main/huggingface-recipes/trusted_publishers.rego) and the associated policy `payload` for the implementation:



```json
{
  "_key": "ec3798871f69",
  "_type": "code",
  "code": "wget https://raw.githubusercontent.com/cloudsmith-io/rego-recipes/refs/heads/main/huggingface-recipes/trusted_publishers.rego\nescaped_policy=$(jq -Rs . < trusted_publishers.rego)\ncat <<EOF > payload.json\n{\n  \"name\": \"Huggingface Trusted Publishers\",\n  \"description\": \"A whitelist for models & datasets from trusted publishers on Hugging Face Hub.\",\n  \"rego\": $escaped_policy,\n  \"enabled\": true,\n  \"is_terminal\": true,\n  \"precedence\": 0\n}\nEOF",
  "filename": null,
  "language": "json",
  "markDefs": null
}
```



**<u>Note</u>**: The [**trusted_publishers.rego**](https://github.com/cloudsmith-io/rego-recipes/blob/main/huggingface-recipes/trusted_publishers.rego) policy primarily targets packages pulled via a Hugging Face upstream and ignores packages that are pushed directly into Cloudsmith. This ensures reliable traceability, as packages pushed directly to Cloudsmith lack the verified publisher metadata from the Hub.



### **Blocking Models with Unsafe Files via Security Scans**

The concept of a security vulnerability extends beyond traditional CVEs when dealing with LLMs. Models can contain malicious code or file formats. Hugging Face Hub has mitigated this by providing [**public security data**](https://huggingface.co/docs/hub/security) powered by tools like [**Clam AV**](https://huggingface.co/docs/hub/security-malware), [**Pickle Scan**](https://huggingface.co/docs/hub/security-pickle), and [**Protect AI**](https://huggingface.co/docs/hub/security-protectai).



Cloudsmith captures this crucial upstream security data and exposes it to EPM. This allows you to write a policy that enforces a zero-tolerance stance on models flagged as unsafe by any of the integrated scanners.



Download the [**security_scan.rego**](https://github.com/cloudsmith-io/rego-recipes/blob/main/huggingface-recipes/security_scan.rego) and create the associated `payload.json` with the below command:



```json
{
  "_key": "0b222bf3f63f",
  "_type": "code",
  "code": "wget https://raw.githubusercontent.com/cloudsmith-io/rego-recipes/refs/heads/main/huggingface-recipes/security_scan.rego\nescaped_policy=$(jq -Rs . < security_scan.rego)\ncat <<EOF > payload.json\n{\n  \"name\": \"Huggingface Hub Security Scan\",\n  \"description\": \"Match models & datasets where the security scan data from Hugging Face Hub indicates unsafe content.\",\n  \"rego\": $escaped_policy,\n  \"enabled\": true,\n  \"is_terminal\": false,\n  \"precedence\": 3\n}\nEOF",
  "filename": null,
  "language": "json",
  "markDefs": null
}
```



After the policy has been created, associate an [**Action**](https://docs.cloudsmith.com/supply-chain-security/epm/getting-started#step-3-adding-actions-to-a-policy) with the Policy to `SetPackageState` to `QUARANTINE`.



If a package matches the policy, you can use the decision logs to view the detailed results of the security scan for the package. The [**decision log**](https://docs.cloudsmith.com/supply-chain-security/epm#decision-logs) will contain the full output of each scanner from Hugging Face.



### **Policy based on Model Card data**

Hugging Face models and datasets come with [**Model Cards**](https://huggingface.co/docs/hub/model-cards). Think of Model Cards as the _Software Bill of Materials_ ([**SBOM**](https://docs.cloudsmith.com/artifact-management/sbom)) for LLMs. It provides essential metadata about the model’s intended use, limitations, and, critically, its training data provenance. To confirm, Model Cards are metadata created by the publisher of a model itself to provide better documentation and transparency about the characteristics of the model. Cloudsmith is able to parse this information and expose it to EPM so you can write policies with this data.



Model Cards currently come in two forms.  
One for **datasets** and one for **models**.



In EPM's [**Open API spec**](https://api.cloudsmith.io/v2/swagger/#/workspaces), the types `PolicyHuggingfaceModelCard` and `PolicyHuggingfaceDatasetCard` describe what data these can contain.



As an example, Hugging Face publishes a language model called [**SmolLM-135M**](https://huggingface.co/HuggingFaceTB/SmolLM-135M). If you visit the [**README.md**](https://huggingface.co/HuggingFaceTB/SmolLM-135M/blob/main/README.md) of the model, you will see a **metadata** section encoded in YAML that states the model was trained on the dataset **HuggingFaceTB/smollm-corpus**. Perhaps you wish to block models that use this training set.



Imagine an organisation needs to block any model trained using the [**smollm-corpus**](https://huggingface.co/datasets/HuggingFaceTB/smollm-corpus) dataset due to licensing or compliance concerns. The below [**model_card.rego**](https://github.com/cloudsmith-io/rego-recipes/blob/main/huggingface-recipes/model_card.rego) policy uses the data exposed in the `PolicyHuggingfaceModelCard` (or `PolicyHuggingfaceDatasetCard`) type to look for that specific training set reference and quarantines the package if a match is found.



```json
{
  "_key": "d1f6e9bea9c2",
  "_type": "code",
  "code": "wget https://raw.githubusercontent.com/cloudsmith-io/rego-recipes/refs/heads/main/huggingface-recipes/model_card.rego\nescaped_policy=$(jq -Rs . < model_card.rego)\ncat <<EOF > payload.json\n{\n  \"name\": \"Huggingface Hub Model Card Training Set\",\n  \"description\": \"Prohibit models trained with a smollm-corpus dataset.\",\n  \"rego\": $escaped_policy,\n  \"enabled\": true,\n  \"is_terminal\": false,\n  \"precedence\": 2\n}\nEOF",
  "filename": null,
  "language": "json",
  "markDefs": null
}
```



In short, this EPM policy example prohibits the use of **SmolLM-135M** because its Model Card metadata references a prohibited training dataset.



### **Mitigating serialisation attacks by blocking risky file formats**

This is arguably the most critical security policy for LLM adoption. Many of the file formats used by models and datasets suffer from serialisation attacks. For example, [**Pickle**](https://docs.python.org/3/library/pickle.html) is a popular file format used in Hugging Face models that has well-known exploits. Further, some formats, such as Keras can be securely deserialised but can come with embedded code extensions (eg: [**Keras Lambda layer**](https://keras.io/api/layers/core_layers/lambda/)) that allow for arbitrary code execution. Alternative, safer model file-formats have been developed, such as [**safetensors**](https://github.com/huggingface/safetensors) from Hugging Face and [**ONNX**](https://onnx.ai) that do not suffer from these attacks. For background on these attack vectors [**see here**](https://github.com/protectai/modelscan/blob/main/docs/model_serialization_attacks.md).



The following [**risky_files.rego**](https://github.com/cloudsmith-io/rego-recipes/blob/main/huggingface-recipes/risky_files.rego) policy will match models coming from Hugging Face Hub that contain risky formats, such as pickle-based formats or other files such as **zips**, [**pytorch**](https://cloudsmith.com/navigator/pypi/pytorch-lightning), **keras**, and [**tensorflow**](https://cloudsmith.com/navigator/pypi/tensorflow) h5 models. After the policy has been created, associate an [**Action**](https://docs.cloudsmith.com/supply-chain-security/epm/getting-started#step-3-adding-actions-to-a-policy) with the Policy to `SetPackageState` to `QUARANTINE`.



```json
{
  "_key": "b9ff94356f19",
  "_type": "code",
  "code": "wget https://raw.githubusercontent.com/cloudsmith-io/rego-recipes/refs/heads/main/huggingface-recipes/risky_files.rego\nescaped_policy=$(jq -Rs . < risky_files.rego)\ncat <<EOF > payload.json\n{\n  \"name\": \"Huggingface Hub Prohibited Formats\",\n  \"description\": \"Prohibit models with risky file formats.\",\n  \"rego\": $escaped_policy,\n  \"enabled\": true,\n  \"is_terminal\": false,\n  \"precedence\": 1\n}\nEOF",
  "filename": null,
  "language": "json",
  "markDefs": null
}
```



The shift to **AI-native development** necessitates a robust approach to software artifact governance. By combining EPM with the rich metadata of the Hugging Face ecosystem, engineering, security, and operations teams can implement fine-grained, automated, and declarative policies (via Rego) to secure the AI supply chain. This integration ensures that only trusted, compliant, and safe models reach production.



To start building your EPM policies in Cloudsmith, explore our easy-to-follow [**Rego Cookbook**](https://cloudsmith.com/campaigns/cloudsmith-rego-policy-cookbook), which provides relevant copy-and-paste code snippets for policy-as-code design. Alternatively, we provide a bunch of other useful [**reports and guides**](https://cloudsmith.com/reports-and-guides) for understanding the state of modern software artifact security.
