> ## Documentation Index
> Fetch the complete documentation index at: https://docs.complior.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Your First Scan

> Understand what complior scan does, how the layers work, and what the output means.

`complior scan` analyzes your code through multiple deterministic layers — from file presence checks to deep AST pattern matching. Result: a compliance score and actionable findings.

```bash theme={null}
complior scan
```

<Warning>
  **Principle:** LLM **never** makes compliance decisions. Layers L1–L4 are fully deterministic (AST + rules). Layer L5 is opt-in and only clarifies uncertain findings.
</Warning>

## Analysis layers

| Layer                      | What it checks                              | Weight | Example findings                                     |
| -------------------------- | ------------------------------------------- | ------ | ---------------------------------------------------- |
| **L1: File Presence**      | Key files (README, LICENSE, .env, passport) | 1.00   | Missing privacy policy, no Agent Passport            |
| **L2: Document Structure** | Required sections in compliance docs        | 0.95   | Incomplete FRIA, shallow worker notification         |
| **L3: Dependencies**       | AI packages, lockfile, licenses, CVEs       | 0.90   | Unvetted AI framework, missing bias testing lib      |
| **L4: Code Patterns**      | 40+ AST patterns, disclosure, permissions   | 0.75   | Missing error handling, no disclosure marker         |
| **NHI: Secrets**           | 37 secret patterns (API keys, tokens)       | —      | Exposed API key in source                            |
| **CROSS: Cross-Layer**     | 6 consistency rules across layers           | —      | Logging without retention, kill-switch without tests |
| **GPAI: Systemic Risk**    | GPAI compliance checks                      | —      | Systemic risk indicators                             |
| **L5: LLM**                | Deep semantic analysis (opt-in, `--llm`)    | varies | Implicit bias in prompt template                     |

## Understanding the output

```
* Complior v1.0.0  ·  EU AI Act Compliance Scanner
--------------------------------------------------------------------------------
Scanning  .
Files     500 collected
Elapsed   2.1s
Layers    L1 File Presence · L2 Document Structure · L3 Dependencies
          · L4 Code Patterns · NHI Secrets · GPAI Systemic Risk

--------------------------------------------------------------------------------
COMPLIANCE SCORE                                                   40 / 100  D
SECURITY SCORE                                                             N/A
Run `complior eval --security <url>` for security scoring
--------------------------------------------------------------------------------
!! Score capped — critical violations limit maximum achievable score

Layer Results
  L1    File Presence            FAIL   11 issues found
  L2    Document Structure       FAIL   7 issues found
  L3    Dependencies             WARN   1 issues found
  L4    Code Patterns            WARN   35 issues found
  NHI   Secrets                  PASS   1 checks passed
  CROSS Cross-Layer              WARN   2 issues found
  GPAI  Systemic Risk            PASS   2 checks passed
```

<Info>
  **Security Score** is only available via `complior eval --security <url>` against a live endpoint. Scan analyzes code statically — it cannot test runtime behavior.
</Info>

## Understanding findings

Each finding has a severity, layer, EU AI Act article, and a suggested fix:

```
F-001  !  HIGH  [L1]  Art. 26(4) · Agent Passport
   No Agent Passport found — AI SDK detected but no
   .complior/agents/*-manifest.json (Art. 26(4))
   Fix:  Run `complior agent init` to generate an Agent Passport

F-002  !  HIGH  [L1]  Art. 6(2) · High-Risk Domain: Finance
   Code matches Finance / Credit patterns (Annex III §5(b)).
   AI system is likely high-risk under EU AI Act Art. 6(2).
   File:  src/data/industry-patterns.ts:43

F-020  ℹ  INFO  [L4]  Art. 50(1) · Bare LLM API Call
   Bare LLM API call detected. Consider @complior/sdk for runtime compliance.
   File:  src/data/eval/remediation/owasp-llm05.ts:12
   Fix:  Optional: wrap with @complior/sdk for runtime Art. 50/12/14 enforcement
```

<Warning>
  **Critical caps:** If prohibited practices score = 0, maximum overall is capped at 29. If transparency = 0, capped at 49.
</Warning>

## Scan tiers

Add flags for deeper analysis. Each tier builds on the previous:

<Tabs>
  <Tab title="Tier 1: Offline">
    ```bash theme={null}
    complior scan
    ```

    **Coverage:** 60–70% · **Time:** 2–5 sec · **Dependencies:** None

    L1–L4 checks plus Rust-native secret detection (37 patterns). Works completely offline.
  </Tab>

  <Tab title="Tier 1+: LLM">
    ```bash theme={null}
    complior scan --llm
    ```

    **Coverage:** 70–80% · **Time:** +5–15 sec · **Dependencies:** BYOK API key

    Adds L5 LLM deep analysis. Findings in the 50–80% confidence zone get confirmed or rejected by LLM.
  </Tab>

  <Tab title="Tier 2: Deep">
    ```bash theme={null}
    complior scan --deep
    ```

    **Coverage:** 80–85% · **Time:** 10–30 sec · **Dependencies:** Auto-download \~150 MB (one-time)

    Adds Semgrep (AST rules), Bandit (Python security), ModelScan (model backdoor detection). Cached in `~/.complior/tools/`.
  </Tab>

  <Tab title="Tier 2+: Deep + LLM">
    ```bash theme={null}
    complior scan --deep --llm
    ```

    **Coverage:** 85–90% · **Dependencies:** Auto-download + BYOK API key

    Full offline analysis: L1–L5 + Semgrep/Bandit/ModelScan. Maximum local depth without cloud.
  </Tab>

  <Tab title="Tier 3: Cloud">
    ```bash theme={null}
    complior scan --cloud
    ```

    **Coverage:** 90–95% · **Dependencies:** Cloud account

    Adds AI SBOM + CycloneDX, Presidio PII detection (50+ EU types), vendor Art.25 assessment.
  </Tab>

  <Tab title="Full">
    ```bash theme={null}
    complior scan --deep --llm --cloud
    ```

    **Coverage:** 95%+ · All flags combined for maximum analysis depth.
  </Tab>
</Tabs>

## CI/CD integration

```bash theme={null}
complior scan --ci --json --threshold 70
```

Exits with code 1 if compliance score falls below threshold. Outputs JSON or SARIF for GitHub Actions, GitLab CI, etc.

## Next steps

<CardGroup cols={2}>
  <Card title="Your First Passport" icon="id-card" href="/getting-started/first-passport">
    Generate identity cards for your AI agents.
  </Card>

  <Card title="Scan Tiers Deep Dive" icon="layer-group" href="/scan/scan-tiers">
    Detailed comparison of all 6 scan tiers.
  </Card>
</CardGroup>
