complior scan

complior scan analyzes your code through multiple deterministic layers — from file presence checks to deep AST pattern matching. Result: a compliance score and actionable findings.
Principle: LLM never makes compliance decisions. Layers L1–L4 are fully deterministic (AST + rules). Layer L5 is opt-in and only clarifies uncertain findings.

Analysis layers

| Layer | What it checks | Weight | Example findings |
|---|---|---|---|
| L1: File Presence | Key files (README, LICENSE, .env, passport) | 1.00 | Missing privacy policy, no Agent Passport |
| L2: Document Structure | Required sections in compliance docs | 0.95 | Incomplete FRIA, shallow worker notification |
| L3: Dependencies | AI packages, lockfile, licenses, CVEs | 0.90 | Unvetted AI framework, missing bias testing lib |
| L4: Code Patterns | 40+ AST patterns, SDK wrappers, permissions | 0.75 | Bare LLM API call, missing error handling |
| NHI: Secrets | 37 secret patterns (API keys, tokens) | | Exposed API key in source |
| CROSS: Cross-Layer | Consistency rules across layers | | Logging without retention, kill-switch without tests |
| GPAI: Systemic Risk | GPAI compliance checks | | Systemic risk indicators |
| L5: LLM | Deep semantic analysis (opt-in, --llm) | varies | Implicit bias in prompt template |

Understanding the output

* Complior v1.0.0  ·  EU AI Act Compliance Scanner
--------------------------------------------------------------------------------
Scanning  .
Files     500 collected
Elapsed   2.1s
Layers    L1 File Presence · L2 Document Structure · L3 Dependencies
          · L4 Code Patterns · NHI Secrets · GPAI Systemic Risk

--------------------------------------------------------------------------------
COMPLIANCE SCORE                                                   40 / 100  D
SECURITY SCORE                                                             N/A
Run `complior eval --security <url>` for security scoring
--------------------------------------------------------------------------------
!! Score capped — critical violations limit maximum achievable score

Layer Results
  L1    File Presence            FAIL   11 issues found
  L2    Document Structure       FAIL   7 issues found
  L3    Dependencies             WARN   1 issues found
  L4    Code Patterns            WARN   35 issues found
  NHI   Secrets                  PASS   1 checks passed
  CROSS Cross-Layer              WARN   2 issues found
  GPAI  Systemic Risk            PASS   2 checks passed
Security Score is only available via complior eval --security <url> against a live endpoint. Scan analyzes code statically — it cannot test runtime behavior.

Understanding findings

Each finding has a severity, layer, EU AI Act article, and a suggested fix:
F-001  !  HIGH  [L1]  Art. 26(4) · Agent Passport
   No Agent Passport found — AI SDK detected but no
   .complior/agents/*-manifest.json (Art. 26(4))
   Fix:  Run `complior agent init` to generate an Agent Passport

F-002  !  HIGH  [L1]  Art. 6(2) · High-Risk Domain: Finance
   Code matches Finance / Credit patterns (Annex III §5(b)).
   AI system is likely high-risk under EU AI Act Art. 6(2).
   File:  src/data/industry-patterns.ts:43

F-020  *  MEDIUM  [L4]  Art. 50(1) · Bare LLM API Call
   WARNING: OpenAI bare API call — eu-ai-act-OBL-015 Art. 50(1)
   File:  src/data/eval/remediation/owasp-llm05.ts:12
   Fix:  Wrap LLM calls with complior.wrap() or add AI disclosure
Critical caps: If prohibited practices score = 0, maximum overall is capped at 29. If transparency = 0, capped at 49.
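To show how the finding format above can be consumed, here is an added Python example (not part of complior or this page) that parses the human-readable finding blocks into structured records and summarizes them by severity and layer. The sample input is constructed from the three findings shown above; the header layout and the severity vocabulary are assumed from those three examples only.

```python
import re
from collections import Counter
# Constructed sample input, copied from the finding format shown above.
SAMPLE = """\
F-001  !  HIGH  [L1]  Art. 26(4) · Agent Passport
   No Agent Passport found — AI SDK detected but no
   .complior/agents/*-manifest.json (Art. 26(4))
   Fix:  Run `complior agent init` to generate an Agent Passport

F-002  !  HIGH  [L1]  Art. 6(2) · High-Risk Domain: Finance
   Code matches Finance / Credit patterns (Annex III §5(b)).
   AI system is likely high-risk under EU AI Act Art. 6(2).
   File:  src/data/industry-patterns.ts:43

F-020  *  MEDIUM  [L4]  Art. 50(1) · Bare LLM API Call
   WARNING: OpenAI bare API call — eu-ai-act-OBL-015 Art. 50(1)
   File:  src/data/eval/remediation/owasp-llm05.ts:12
   Fix:  Wrap LLM calls with complior.wrap() or add AI disclosure
"""
# Header line (assumed layout): "<id>  <marker>  <SEVERITY>  [<layer>]  <article> · <title>"
HEADER = re.compile(
    r"^(F-\d+)\s+(\S)\s+([A-Z]+)\s+\[([A-Z0-9]+)\]\s+(.+?)\s+·\s+(.+)$")

def parse_findings(text):
    """Parse finding blocks into dicts: indented lines belong to the most recent
    header; "File:" and "Fix:" lines become fields (None when absent)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(raw)          # headers start at column 0
        if m:
            fid, _marker, sev, layer, article, title = m.groups()
            findings.append({"id": fid, "severity": sev, "layer": layer,
                             "article": article, "title": title,
                             "description": [], "file": None, "fix": None})
        elif line.startswith("File:"):
            findings[-1]["file"] = line[len("File:"):].strip()
        elif line.startswith("Fix:"):
            findings[-1]["fix"] = line[len("Fix:"):].strip()
        else:
            findings[-1]["description"].append(line)
    return findings

def summarize(findings):
    """Counts by severity and layer, plus findings that carry no suggested fix."""
    return {
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "by_layer": dict(Counter(f["layer"] for f in findings)),
        "without_fix": [f["id"] for f in findings if f["fix"] is None],
    }
```

For automation the JSON output of `complior scan --ci --json` is the more robust input; this parser is for the text report shown here.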

Scan tiers

Add flags for deeper analysis. Each tier builds on the previous:
complior scan
Coverage: 60–70% · Time: 2–5 sec · Dependencies: None
L1–L4 checks plus Rust-native secret detection (37 patterns). Works completely offline.

CI/CD integration

complior scan --ci --json --threshold 70
Exits with code 1 if compliance score falls below threshold. Outputs JSON or SARIF for GitHub Actions, GitLab CI, etc.

Next steps

Your First Passport

Generate identity cards for your AI agents.

Scan Tiers Deep Dive

Detailed comparison of all 6 scan tiers.