complior scan is a deterministic, 5-layer compliance analysis engine. It evaluates your project against the EU AI Act and produces actionable findings with confidence scoring, obligation mapping, and fix suggestions.
complior scan [path] [--deep] [--llm] [--cloud] [--ci] [--json] [--sarif]
[--threshold N] [--fail-on SEVERITY] [--diff BRANCH]
[--fail-on-regression] [--comment] [--quiet] [--agent NAME]
Design principle: LLM never makes compliance determinations. Layers L1–L4 are fully deterministic (AST + rules). Layer L5 (LLM) is opt-in and only clarifies findings in the uncertain zone (50–80% confidence).
The 5 layers
| Layer | Weight | What it checks | Checks |
|---|---|---|---|
| L1 File Presence | 1.00 | README, LICENSE, .env, privacy policy, passport | 14 |
| L2 Document Structure | 0.95 | Required sections, FRIA presence, section depth | 8 |
| L3 Dependencies | 0.90 | AI packages (45 frameworks), lockfile, licenses, CVEs | 12 |
| L4 Code Patterns | 0.75 | 40+ AST patterns, disclosure, logging, permissions | 33 |
| L5 LLM Analysis | 0.70 | Targeted analysis for uncertain findings (opt-in, BYOK) | dynamic |
| Cross-Layer | — | 6 consistency rules (doc-code mismatch, logging without retention, etc.) | 6 |
What gets scanned
| Capability | Details |
|---|---|
| AI Frameworks | 57+ detected: LangChain, CrewAI, OpenAI, Anthropic, Vercel AI, HuggingFace, LlamaIndex |
| Languages | TypeScript/JavaScript, Python, Go, Rust, Java |
| Secrets | 37 patterns: API keys, tokens, passwords (Rust-native detection) |
| Git History | 21 compliance-relevant documents traced through commit history |
| Import Graph | 45 AI packages + transitive dependencies mapped |
| File Limit | 500 files max, 1 MB each |
Example output
◆ Complior v1.0.0 · EU AI Act Compliance Scanner
────────────────────────────────────────────────────────────────────────────────
Scanning acme-ai-support
Files 57 collected
Elapsed 82ms
Layers L1 File Presence · L2 Document Structure · L3 Dependencies
· L4 Code Patterns · NHI Secrets · GPAI Systemic Risk
────────────────────────────────────────────────────────────────────────────────
COMPLIANCE SCORE 33 / 100 F
SECURITY SCORE N/A
Run `complior eval --security <url>` for security scoring
────────────────────────────────────────────────────────────────────────────────
!! Score capped — critical violations limit maximum achievable score
Framework Breakdown
EU AI Act 33 / 100 ███████░░░░░░░░░░░░░
Layer Results
L1 File Presence FAIL 13 issues found
L3 Dependencies FAIL 3 issues found
L4 Code Patterns WARN 46 issues found
NHI Secrets FAIL 7 issues found
CROSS Cross-Layer WARN 3 issues found
GPAI Systemic Risk PASS 1 checks passed
────────────────────────────────────────────────────────────────────────────────
FINDINGS (72 total · 6 critical · 8 high · 55 medium)
────────────────────────────────────────────────────────────────────────────────
acme-ai-support-anthropic · AI System (4 findings)
L4 Code Patterns
F-001 ● MEDIUM [L4] Art. 15(4) · Security Vulnerability
WARNING: Hardcoded API key in source code
File: src/agents/autonomous-agent.ts:12
Fix: Move API keys to environment variables or secret management
NHI Secrets
F-028 ✖ CRITICAL [NHI] Art. 15(4) · Secrets: Api_key
Anthropic API key detected: sk-a...34yz
File: src/agents/llm-service.py:12
Fix: Remove or externalize the secret from source code
PROJECT-LEVEL (44 findings)
L1 File Presence
F-029 ▲ HIGH [L1] Art. 26(4) · Agent Passport
No Agent Passport found — AI SDK detected but no
.complior/agents/*-manifest.json (Art. 26(4))
Fix: Run `complior agent init` to generate an Agent Passport
...
PER-AGENT SUMMARY
────────────────────────────────────────────────────────────────────────────────
AGENT FINDINGS CRITICAL HIGH FILES
-------------------------------------------------------
acme-ai-support-anthropic 4 0 0 2
acme-ai-support-autogen 0 0 0 0
acme-ai-support-bedrock 2 0 0 1
acme-ai-support-crewai 0 0 0 0
acme-ai-support-langchain 1 0 0 1
acme-ai-support-openai 20 1 0 9
────────────────────────────────────────────────────────────────────────────────
QUICK ACTIONS
────────────────────────────────────────────────────────────────────────────────
Auto-fix available complior fix
Deep scan complior scan --deep
Full interactive view complior tui
Export JSON complior scan --json > report.json
Next: fix 6 critical issues to improve your score
JSON output
Use--json for structured output in CI/CD pipelines:
{
"score": { "compliance": 33, "security": null },
"frameworks": {
"eu-ai-act": { "score": 33, "grade": "F" }
},
"findings": [
{
"id": "no-disclosure",
"severity": "critical",
"layer": "L4",
"obligation": "OBL-050",
"article": "Art.50",
"message": "No AI disclosure found in agent code",
"file": "src/agents/order-agent.ts",
"line": 42,
"fixable": true
}
]
}
Finding severities
| Severity | Meaning | Example |
|---|---|---|
| Critical | Blocks deployment. Art.5 violation. | Prohibited practice, no disclosure |
| High | Major gap. Required for your risk class. | Missing FRIA, no human oversight |
| Medium | Recommended. Affects score significantly. | Weak logging, incomplete error handling |
| Low | Best practice. Minor score impact. | Missing .gitignore, outdated dependency |
| Info | Informational. Not scored. | Bare LLM API call detected (SDK recommended) |
Info findings are detected patterns that are not compliance violations. They appear in scan output as recommendations but do not affect your score. Example: bare LLM API calls — the EU AI Act requires disclosure, logging, and oversight (separate checks), not SDK wrapping specifically.
All scan flags
| Flag | What it does |
|---|---|
--deep | Tier 2: Run Semgrep, Bandit, ModelScan, detect-secrets |
--llm | L5: AI-powered document quality analysis (requires BYOK API key) |
--cloud | Tier 3: Cloud-based SBOM + PII + vendor assessment |
--ci | CI mode: exit 0 if score >= threshold, else 1 |
--json | Output as JSON |
--sarif | Output as SARIF v2.1.0 (GitHub Code Scanning, VS Code) |
--threshold N | Score threshold for CI pass (default: 50) |
--fail-on SEVERITY | Fail on severity level (critical, high, medium, low) |
--diff BRANCH | Diff mode: compare against base branch (e.g., main) |
--fail-on-regression | Exit 1 if score regressed or new critical findings |
--comment | Post diff as PR comment (requires gh CLI) |
--quiet / -q | Show only critical findings and score |
--agent NAME | Filter scan by agent name (passport source_files) |
--no-tui | Headless human-readable output (no TUI) |
Automatic passport update
After every scan, all Agent Passports auto-updatecomplior_score, last_scan, and re-sign with ed25519.
Scan Tiers
6 tiers from offline to cloud-enriched.
Scoring
Dual scoring across compliance frameworks.