
complior scan is a deterministic, 5-layer compliance analysis engine. It evaluates your project against the EU AI Act and produces actionable findings with confidence scoring, obligation mapping, and fix suggestions.

complior scan [path] [--deep] [--llm] [--cloud] [--ci] [--json] [--sarif]
              [--threshold N] [--fail-on SEVERITY] [--diff BRANCH]
              [--fail-on-regression] [--comment] [--quiet] [--agent NAME]

Design principle: the LLM never makes compliance determinations. Layers L1–L4 are fully deterministic (AST + rules). Layer L5 (LLM) is opt-in and only clarifies findings in the uncertain zone (50–80% confidence).

The 5 layers

| Layer | Weight | What it checks | Checks |
|---|---|---|---|
| L1 File Presence | 1.00 | README, LICENSE, .env, privacy policy, passport | 14 |
| L2 Document Structure | 0.95 | Required sections, FRIA presence, section depth | 8 |
| L3 Dependencies | 0.90 | AI packages (45 frameworks), lockfile, licenses, CVEs | 12 |
| L4 Code Patterns | 0.75 | 40+ AST patterns, disclosure, logging, permissions | 33 |
| L5 LLM Analysis | 0.70 | Targeted analysis for uncertain findings (opt-in, BYOK) | dynamic |
| Cross-Layer | | 6 consistency rules (doc-code mismatch, logging without retention, etc.) | 6 |
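The design principle stated above (deterministic layers decide; the LLM may only annotate findings whose confidence sits in the 50–80% band) is easiest to trust when it is enforced by the data flow rather than by policy. The following Python is an added example and not Complior's own code: the Finding type, its field names, the clarifier interface, the stand-in clarifier and the sample findings are all assumptions. It shows L5 as an opt-in pass that can write exactly one text field and falls back to the deterministic result when the model is unavailable.

```python
from dataclasses import dataclass, replace
from typing import Callable, Iterable, List, Optional

# Uncertain zone from the design principle: only findings whose
# deterministic confidence falls in this band are eligible for L5.
UNCERTAIN_LOW = 0.50
UNCERTAIN_HIGH = 0.80


@dataclass(frozen=True)
class Finding:
    """A finding produced by a deterministic layer (assumed shape)."""
    id: str
    layer: str            # originating layer, "L1".."L4"
    severity: str         # critical / high / medium / low / info
    confidence: float     # 0.0-1.0, assigned by the deterministic layer
    message: str
    clarification: Optional[str] = None   # the only field L5 may write


def in_uncertain_zone(f: Finding) -> bool:
    return UNCERTAIN_LOW <= f.confidence <= UNCERTAIN_HIGH


def apply_llm_layer(findings: Iterable[Finding],
                    clarifier: Callable[[Finding], str],
                    enabled: bool = False) -> List[Finding]:
    """Attach L5 clarifications without letting the model decide anything.

    - Opt-in: with enabled=False the input is returned untouched.
    - Only in-zone findings are sent to the clarifier.
    - The clarifier's output is stored as bounded plain text in
      `clarification`; id, layer, severity and confidence are copied from
      the deterministic finding, so the model cannot change a
      determination or a score.
    - If the clarifier raises, the deterministic finding is kept as-is
      (fail closed to the deterministic result).
    """
    if not enabled:
        return list(findings)
    out: List[Finding] = []
    for f in findings:
        if not in_uncertain_zone(f):
            out.append(f)
            continue
        try:
            note = str(clarifier(f)).strip()[:500]   # bounded, text only
        except Exception:
            note = ""
        out.append(replace(f, clarification=note or None))
    return out


def stand_in_clarifier(f: Finding) -> str:
    """Constructed stand-in for a model call (a real L5 would call the
    user's own BYOK model here). It explains; it never decides."""
    return (f"Verify manually: {f.message} "
            f"(deterministic confidence {f.confidence:.2f})")


def failing_clarifier(f: Finding) -> str:
    """Constructed clarifier that simulates an unavailable model."""
    raise RuntimeError("model unavailable")


# Constructed sample findings, one in each confidence region.
SAMPLE_FINDINGS = [
    Finding("no-disclosure", "L4", "critical", 0.95,
            "No AI disclosure found in agent code"),
    Finding("weak-logging", "L4", "medium", 0.65,
            "Logging present but retention period unclear"),
    Finding("missing-gitignore", "L1", "low", 0.30,
            "No .gitignore found"),
]


if __name__ == "__main__":
    for f in apply_llm_layer(SAMPLE_FINDINGS, stand_in_clarifier, enabled=True):
        print(f.id, f.severity, f.clarification)
```

Only the 0.65-confidence finding reaches the clarifier; the 0.95 and 0.30 findings pass through unchanged, and every severity is identical before and after the L5 pass regardless of what the clarifier returns.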

What gets scanned

| Capability | Details |
|---|---|
| AI Frameworks | 57+ detected: LangChain, CrewAI, OpenAI, Anthropic, Vercel AI, HuggingFace, LlamaIndex |
| Languages | TypeScript/JavaScript, Python, Go, Rust, Java |
| Secrets | 37 patterns: API keys, tokens, passwords (Rust-native detection) |
| Git History | 21 compliance-relevant documents traced through commit history |
| Import Graph | 45 AI packages + transitive dependencies mapped |
| File Limit | 500 files max, 1 MB each |

Example output

◆ Complior v1.0.0  ·  EU AI Act Compliance Scanner
────────────────────────────────────────────────────────────────────────────────
Scanning  acme-ai-support
Files     57 collected
Elapsed   82ms
Layers    L1 File Presence · L2 Document Structure · L3 Dependencies
          · L4 Code Patterns · NHI Secrets · GPAI Systemic Risk

────────────────────────────────────────────────────────────────────────────────
COMPLIANCE SCORE                                                   33 / 100  F
SECURITY SCORE                                                             N/A
Run `complior eval --security <url>` for security scoring
────────────────────────────────────────────────────────────────────────────────
!! Score capped — critical violations limit maximum achievable score

Framework Breakdown
  EU AI Act                   33 / 100   ███████░░░░░░░░░░░░░

Layer Results
  L1    File Presence            FAIL   13 issues found
  L3    Dependencies             FAIL   3 issues found
  L4    Code Patterns            WARN   46 issues found
  NHI   Secrets                  FAIL   7 issues found
  CROSS Cross-Layer              WARN   3 issues found
  GPAI  Systemic Risk            PASS   1 checks passed

────────────────────────────────────────────────────────────────────────────────
FINDINGS  (72 total · 6 critical · 8 high · 55 medium)
────────────────────────────────────────────────────────────────────────────────

acme-ai-support-anthropic · AI System  (4 findings)

  L4 Code Patterns
    F-001  ●  MEDIUM  [L4]  Art. 15(4) · Security Vulnerability
       WARNING: Hardcoded API key in source code
       File:  src/agents/autonomous-agent.ts:12
       Fix:  Move API keys to environment variables or secret management

  NHI Secrets
    F-028  ✖  CRITICAL  [NHI]  Art. 15(4) · Secrets: Api_key
       Anthropic API key detected: sk-a...34yz
       File:  src/agents/llm-service.py:12
       Fix:  Remove or externalize the secret from source code

PROJECT-LEVEL (44 findings)

  L1 File Presence
    F-029  ▲  HIGH  [L1]  Art. 26(4) · Agent Passport
       No Agent Passport found — AI SDK detected but no
       .complior/agents/*-manifest.json (Art. 26(4))
       Fix:  Run `complior agent init` to generate an Agent Passport

  ...

PER-AGENT SUMMARY
────────────────────────────────────────────────────────────────────────────────

  AGENT                     FINDINGS CRITICAL   HIGH  FILES
  -------------------------------------------------------
  acme-ai-support-anthropic        4        0      0      2
  acme-ai-support-autogen          0        0      0      0
  acme-ai-support-bedrock          2        0      0      1
  acme-ai-support-crewai           0        0      0      0
  acme-ai-support-langchain        1        0      0      1
  acme-ai-support-openai          20        1      0      9

────────────────────────────────────────────────────────────────────────────────
QUICK ACTIONS
────────────────────────────────────────────────────────────────────────────────
Auto-fix available        complior fix
Deep scan                 complior scan --deep
Full interactive view     complior tui
Export JSON               complior scan --json > report.json

Next: fix 6 critical issues to improve your score

JSON output

Use --json for structured output in CI/CD pipelines:
{
  "score": { "compliance": 33, "security": null },
  "frameworks": {
    "eu-ai-act": { "score": 33, "grade": "F" }
  },
  "findings": [
    {
      "id": "no-disclosure",
      "severity": "critical",
      "layer": "L4",
      "obligation": "OBL-050",
      "article": "Art.50",
      "message": "No AI disclosure found in agent code",
      "file": "src/agents/order-agent.ts",
      "line": 42,
      "fixable": true
    }
  ]
}
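The --sarif flag emits this format for you; the following Python is an added example, not Complior's own code, that builds a SARIF v2.1.0 run from the JSON report above so you can see how a finding's id, severity and file:line map onto SARIF rules, levels and locations (what GitHub Code Scanning uses to annotate the right line). The severity-to-level mapping, the rule property names and the handling of project-level findings without a file are assumptions.

```python
import json

# The documented JSON report from above, parsed inline.
REPORT = json.loads("""
{
  "score": { "compliance": 33, "security": null },
  "frameworks": { "eu-ai-act": { "score": 33, "grade": "F" } },
  "findings": [
    { "id": "no-disclosure", "severity": "critical", "layer": "L4",
      "obligation": "OBL-050", "article": "Art.50",
      "message": "No AI disclosure found in agent code",
      "file": "src/agents/order-agent.ts", "line": 42, "fixable": true }
  ]
}
""")

# Assumed mapping of Complior severities onto SARIF's four levels.
SARIF_LEVEL = {"critical": "error", "high": "error",
               "medium": "warning", "low": "note", "info": "note"}


def to_sarif(report: dict, tool_name: str = "complior",
             tool_version: str = "1.0.0") -> dict:
    """Convert a --json report into a single-run SARIF 2.1.0 document."""
    rules: dict = {}       # one rule per finding id, in first-seen order
    results = []
    for f in report["findings"]:
        rules.setdefault(f["id"], {
            "id": f["id"],
            "shortDescription": {"text": f["message"]},
            "properties": {"layer": f["layer"],
                           "obligation": f["obligation"],
                           "article": f["article"]},
        })
        result = {
            "ruleId": f["id"],
            "ruleIndex": list(rules).index(f["id"]),
            "level": SARIF_LEVEL.get(f["severity"], "note"),
            "message": {"text": f["message"]},
            "properties": {"severity": f["severity"],
                           "fixable": bool(f.get("fixable", False))},
        }
        # Project-level findings (no file) get no location; SARIF
        # treats "locations" as optional, so the key is omitted.
        if f.get("file"):
            region = {}
            if f.get("line"):
                region["startLine"] = max(1, int(f["line"]))
            result["locations"] = [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"],
                                     "uriBaseId": "%SRCROOT%"},
                **({"region": region} if region else {}),
            }}]
        results.append(result)
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name,
                                "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(REPORT), indent=2))
```

`%SRCROOT%` is the base-id convention Code Scanning resolves against the repository root, so relative paths such as `src/agents/order-agent.ts` annotate correctly without an absolute prefix.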

Finding severities

| Severity | Meaning | Example |
|---|---|---|
| Critical | Blocks deployment. Art.5 violation. | Prohibited practice, no disclosure |
| High | Major gap. Required for your risk class. | Missing FRIA, no human oversight |
| Medium | Recommended. Affects score significantly. | Weak logging, incomplete error handling |
| Low | Best practice. Minor score impact. | Missing .gitignore, outdated dependency |
| Info | Informational. Not scored. | Bare LLM API call detected (SDK recommended) |
Info findings are detected patterns that are not compliance violations. They appear in scan output as recommendations but do not affect your score. Example: bare LLM API calls — the EU AI Act requires disclosure, logging, and oversight (separate checks), not SDK wrapping specifically.

All scan flags

| Flag | What it does |
|---|---|
| --deep | Tier 2: Run Semgrep, Bandit, ModelScan, detect-secrets |
| --llm | L5: AI-powered document quality analysis (requires BYOK API key) |
| --cloud | Tier 3: Cloud-based SBOM + PII + vendor assessment |
| --ci | CI mode: exit 0 if score >= threshold, else 1 |
| --json | Output as JSON |
| --sarif | Output as SARIF v2.1.0 (GitHub Code Scanning, VS Code) |
| --threshold N | Score threshold for CI pass (default: 50) |
| --fail-on SEVERITY | Fail on severity level (critical, high, medium, low) |
| --diff BRANCH | Diff mode: compare against base branch (e.g., main) |
| --fail-on-regression | Exit 1 if score regressed or new critical findings |
| --comment | Post diff as PR comment (requires gh CLI) |
| --quiet / -q | Show only critical findings and score |
| --agent NAME | Filter scan by agent name (passport source_files) |
| --no-tui | Headless human-readable output (no TUI) |
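The --ci, --threshold, --fail-on and --fail-on-regression flags above define an exit-code policy. The following Python is an added example, not Complior's own code: it reimplements those documented semantics over the --json report shape so the gate can be unit-tested, or run in a pipeline that consumes the JSON rather than the built-in flags. The sample reports are constructed; ranking `info` below `low` (so --fail-on low never trips on unscored info findings) and identifying a finding across runs by (id, file, line) are assumptions.

```python
import json
import sys
from typing import List, Optional, Tuple

# Severity ranking for --fail-on. "info" sits below "low" because the
# severity table says info findings are not scored (assumption).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
FAIL_ON_LEVELS = ("critical", "high", "medium", "low")   # documented values

# Constructed sample reports in the documented --json shape. The current
# run has one critical and one info finding; the baseline (for example
# the main branch) scored higher and had no critical findings.
CURRENT_REPORT = {
    "score": {"compliance": 33, "security": None},
    "frameworks": {"eu-ai-act": {"score": 33, "grade": "F"}},
    "findings": [
        {"id": "no-disclosure", "severity": "critical", "layer": "L4",
         "obligation": "OBL-050", "article": "Art.50",
         "message": "No AI disclosure found in agent code",
         "file": "src/agents/order-agent.ts", "line": 42, "fixable": True},
        {"id": "bare-llm-call", "severity": "info", "layer": "L4",
         "obligation": "OBL-050", "article": "Art.50",
         "message": "Bare LLM API call detected (SDK recommended)",
         "file": "src/agents/order-agent.ts", "line": 10, "fixable": False},
    ],
}
BASELINE_REPORT = {
    "score": {"compliance": 40, "security": None},
    "frameworks": {"eu-ai-act": {"score": 40, "grade": "F"}},
    "findings": [],
}


def finding_key(f: dict) -> tuple:
    """Identity of a finding across runs (assumed: id + file + line)."""
    return (f["id"], f.get("file"), f.get("line"))


def blocking_findings(report: dict, fail_on: Optional[str]) -> List[dict]:
    """Findings at or above the --fail-on level; none when unset."""
    if fail_on is None:
        return []
    if fail_on not in FAIL_ON_LEVELS:
        raise ValueError(f"--fail-on must be one of {FAIL_ON_LEVELS}")
    floor = SEVERITY_RANK[fail_on]
    return [f for f in report["findings"]
            if SEVERITY_RANK.get(f["severity"], 0) >= floor]


def gate(report: dict, threshold: int = 50, fail_on: Optional[str] = None,
         baseline: Optional[dict] = None) -> Tuple[int, List[str]]:
    """Return (exit_code, reasons) following the documented flag semantics:
    --ci/--threshold, --fail-on, and --fail-on-regression when a baseline
    report is supplied."""
    reasons: List[str] = []
    score = report["score"]["compliance"]
    if score < threshold:
        reasons.append(f"compliance score {score} below threshold {threshold}")
    for f in blocking_findings(report, fail_on):
        reasons.append(f"{f['severity']} finding {f['id']} "
                       f"at {f.get('file')}:{f.get('line')}")
    if baseline is not None:
        base_score = baseline["score"]["compliance"]
        if score < base_score:
            reasons.append(f"score regressed {base_score} -> {score}")
        known = {finding_key(f) for f in baseline["findings"]
                 if f["severity"] == "critical"}
        for f in report["findings"]:
            if f["severity"] == "critical" and finding_key(f) not in known:
                reasons.append(f"new critical finding {f['id']}")
    return (1 if reasons else 0), reasons


if __name__ == "__main__":
    # Usage: python gate.py report.json [baseline.json]
    current = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else CURRENT_REPORT
    base = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else None
    code, why = gate(current, threshold=50, fail_on="high", baseline=base)
    for line in why:
        print("FAIL:", line)
    sys.exit(code)
```

With the constructed current report and the default threshold of 50, the gate fails on score alone; lowering the threshold to 30 passes, adding --fail-on high fails again on the critical finding, and supplying the baseline fails twice more (score regression and a critical finding the baseline did not have), while the info finding never contributes.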

Automatic passport update

After every scan, each Agent Passport is updated automatically: its complior_score and last_scan fields are refreshed and the passport is re-signed with Ed25519.

Scan Tiers

6 tiers from offline to cloud-enriched.

Scoring

Dual scoring across compliance frameworks.