complior scan is a deterministic, 5-layer compliance analysis engine. It evaluates your project against the EU AI Act and produces actionable findings with confidence scoring, obligation mapping, and fix suggestions.
```text
complior scan [path] [--deep] [--llm] [--cloud] [--ci] [--json] [--sarif]
              [--threshold N] [--fail-on SEVERITY] [--diff BRANCH]
              [--fail-on-regression] [--comment] [--quiet] [--agent NAME]
```
Design principle: the LLM never makes compliance determinations. Layers L1–L4 are fully deterministic (AST + rules). Layer L5 (LLM) is opt-in and only clarifies findings that fall in the uncertain zone (50–80% confidence); it cannot raise or lower a deterministic finding.
What gets scanned
| Capability | Details |
|---|---|
| AI Frameworks | 57+ detected: LangChain, CrewAI, OpenAI, Anthropic, Vercel AI, HuggingFace, LlamaIndex |
| Languages | TypeScript/JavaScript, Python, Go, Rust, Java |
| Secrets | 37 patterns: API keys, tokens, passwords (Rust-native detection) |
| Git History | 21 compliance-relevant documents traced through commit history |
| Import Graph | 45 AI packages + transitive dependencies mapped |
| File Limit | 500 files max, 1 MB each |
Example output
```text
◆ Complior v1.0.0 · EU AI Act Compliance Scanner
────────────────────────────────────────────────────────────────────────────────
Scanning acme-ai-support
  Files    57 collected
  Elapsed  82ms
  Layers   L1 File Presence · L2 Document Structure · L3 Dependencies
           · L4 Code Patterns · NHI Secrets · GPAI Systemic Risk
────────────────────────────────────────────────────────────────────────────────
COMPLIANCE SCORE   33 / 100   F
SECURITY SCORE     N/A
  Run `complior eval --security <url>` for security scoring
────────────────────────────────────────────────────────────────────────────────
!! Score capped — critical violations limit maximum achievable score

Framework Breakdown
  EU AI Act   33 / 100   ███████░░░░░░░░░░░░░

Layer Results
  L1     File Presence     FAIL   13 issues found
  L3     Dependencies      FAIL    3 issues found
  L4     Code Patterns     WARN   46 issues found
  NHI    Secrets           FAIL    7 issues found
  CROSS  Cross-Layer       WARN    3 issues found
  GPAI   Systemic Risk     PASS    1 checks passed
────────────────────────────────────────────────────────────────────────────────
FINDINGS (72 total · 6 critical · 8 high · 55 medium)
────────────────────────────────────────────────────────────────────────────────
acme-ai-support-anthropic · AI System (4 findings)
  L4 Code Patterns
    F-001 ● MEDIUM [L4] Art. 15(4) · Security Vulnerability
      WARNING: Hardcoded API key in source code
      File: src/agents/autonomous-agent.ts:12
      Fix: Move API keys to environment variables or secret management
  NHI Secrets
    F-028 ✖ CRITICAL [NHI] Art. 15(4) · Secrets: Api_key
      Anthropic API key detected: sk-a...34yz
      File: src/agents/llm-service.py:12
      Fix: Remove or externalize the secret from source code

PROJECT-LEVEL (44 findings)
  L1 File Presence
    F-029 ▲ HIGH [L1] Art. 26(4) · Agent Passport
      No Agent Passport found — AI SDK detected but no
      .complior/agents/*-manifest.json (Art. 26(4))
      Fix: Run `complior agent init` to generate an Agent Passport
  ...

PER-AGENT SUMMARY
────────────────────────────────────────────────────────────────────────────────
  AGENT                        FINDINGS  CRITICAL  HIGH  FILES
  -------------------------------------------------------
  acme-ai-support-anthropic           4         0     0      2
  acme-ai-support-autogen             0         0     0      0
  acme-ai-support-bedrock             2         0     0      1
  acme-ai-support-crewai              0         0     0      0
  acme-ai-support-langchain           1         0     0      1
  acme-ai-support-openai             20         1     0      9
────────────────────────────────────────────────────────────────────────────────
QUICK ACTIONS
────────────────────────────────────────────────────────────────────────────────
  Auto-fix available      complior fix
  Deep scan               complior scan --deep
  Full interactive view   complior tui
  Export JSON             complior scan --json > report.json

Next: fix 6 critical issues to improve your score
```
JSON output
Use `--json` for structured output in CI/CD pipelines:

```json
{
  "score": { "compliance": 33, "security": null },
  "frameworks": {
    "eu-ai-act": { "score": 33, "grade": "F" }
  },
  "findings": [
    {
      "id": "no-disclosure",
      "severity": "critical",
      "layer": "L4",
      "obligation": "OBL-050",
      "article": "Art.50",
      "message": "No AI disclosure found in agent code",
      "file": "src/agents/order-agent.ts",
      "line": 42,
      "fixable": true
    }
  ]
}
```
Finding severities
| Severity | Meaning | Example |
|---|---|---|
| Critical | Blocks deployment. Art.5 violation. | No SDK wrapper, prohibited practice |
| High | Major gap. Required for your risk class. | Missing FRIA, no disclosure |
| Medium | Recommended. Affects score significantly. | Weak logging, incomplete error handling |
| Low | Best practice. Minor score impact. | Missing .gitignore, outdated dependency |
All scan flags
| Flag | What it does |
|---|---|
| `--deep` | Tier 2: Run Semgrep, Bandit, ModelScan, detect-secrets |
| `--llm` | L5: AI-powered document quality analysis (requires BYOK API key) |
| `--cloud` | Tier 3: Cloud-based SBOM + PII + vendor assessment |
| `--ci` | CI mode: exit 0 if score >= threshold, else 1 |
| `--json` | Output as JSON |
| `--sarif` | Output as SARIF v2.1.0 (GitHub Code Scanning, VS Code) |
| `--threshold N` | Score threshold for CI pass (default: 50) |
| `--fail-on SEVERITY` | Fail on severity level (critical, high, medium, low) |
| `--diff BRANCH` | Diff mode: compare against base branch (e.g., main) |
| `--fail-on-regression` | Exit 1 if score regressed or new critical findings |
| `--comment` | Post diff as PR comment (requires gh CLI) |
| `--quiet` / `-q` | Show only critical findings and score |
| `--agent NAME` | Filter scan by agent name (passport source_files) |
| `--no-tui` | Headless human-readable output (no TUI) |
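The `--ci`, `--threshold` and `--fail-on` rows above describe a gate, and the JSON output section gives the schema it runs over. The script below is an added example, not code from the complior project: it re-implements that gate in Python on a `report.json` produced by `complior scan --json`, for pipelines that post-process the report (archive it, annotate a PR) rather than relying on the CLI exit code. The field names are the ones shown in the JSON output section; the sample report, the finding ids other than `no-disclosure`, and the function names are constructed for this example. Unknown severity strings are ranked worse than critical so a schema change fails closed rather than slipping past the gate.

```python
"""CI gate over `complior scan --json` output (added example, not project code)."""
import argparse
import json
import sys

# Severities as listed under "Finding severities", worst first.
SEVERITY_ORDER = ("critical", "high", "medium", "low")

# Constructed sample in the `complior scan --json` schema. Only the first
# finding is taken from the page; the other two are made up and abbreviated.
SAMPLE_REPORT = json.dumps({
    "score": {"compliance": 33, "security": None},
    "frameworks": {"eu-ai-act": {"score": 33, "grade": "F"}},
    "findings": [
        {"id": "no-disclosure", "severity": "critical", "layer": "L4",
         "obligation": "OBL-050", "article": "Art.50",
         "message": "No AI disclosure found in agent code",
         "file": "src/agents/order-agent.ts", "line": 42, "fixable": True},
        {"id": "hardcoded-secret", "severity": "high", "layer": "NHI",
         "message": "API key in source code",
         "file": "src/agents/llm-service.py", "line": 12, "fixable": True},
        {"id": "weak-logging", "severity": "medium", "layer": "L4",
         "message": "Weak logging",
         "file": "src/agents/order-agent.ts", "line": 7, "fixable": False},
    ],
})


def severity_rank(severity):
    """Position in SEVERITY_ORDER (0 = critical). Anything the gate does not
    recognise ranks -1, i.e. worse than critical, so a renamed or new
    severity value fails closed instead of being ignored."""
    try:
        return SEVERITY_ORDER.index(str(severity).lower())
    except ValueError:
        return -1


def severity_counts(findings):
    """Count findings per known severity, like the FINDINGS banner does."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev in counts:
            counts[sev] += 1
    return counts


def evaluate(report_json, threshold=50, fail_on=None):
    """Apply --threshold and --fail-on to a report. Returns the exit code a
    --ci run would use, the reasons for it, and the blocking findings."""
    if fail_on is not None and fail_on.lower() not in SEVERITY_ORDER:
        raise ValueError(f"--fail-on must be one of {SEVERITY_ORDER}")
    report = json.loads(report_json)
    score = report.get("score", {}).get("compliance")
    findings = report.get("findings", [])
    reasons = []
    # --ci rule: exit 0 only if score >= threshold. A missing score fails closed.
    if score is None or score < threshold:
        reasons.append(f"compliance score {score} is below threshold {threshold}")
    blocking = []
    if fail_on is not None:
        limit = severity_rank(fail_on)
        blocking = [f for f in findings if severity_rank(f.get("severity")) <= limit]
        if blocking:
            reasons.append(f"{len(blocking)} finding(s) at severity {fail_on} or worse")
    return {
        "exit_code": 1 if reasons else 0,
        "score": score,
        "counts": severity_counts(findings),
        "blocking": [f"{f.get('id')} {f.get('file')}:{f.get('line')}" for f in blocking],
        "reasons": reasons,
    }


def main(argv=None):
    p = argparse.ArgumentParser(description="Gate a complior scan --json report")
    p.add_argument("report", nargs="?", help="path to report.json (default: built-in sample)")
    p.add_argument("--threshold", type=int, default=50)
    p.add_argument("--fail-on", choices=SEVERITY_ORDER, default=None)
    args = p.parse_args(argv)
    data = open(args.report).read() if args.report else SAMPLE_REPORT
    result = evaluate(data, args.threshold, args.fail_on)
    print(json.dumps(result, indent=2))
    return result["exit_code"]


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python gate.py report.json --threshold 70 --fail-on high` after `complior scan --json > report.json`; with no path it gates the built-in sample, which fails the default threshold of 50 exactly as the 33/100 run above would. The gate reads only `score.compliance`, because the page shows `score.security` as `null` unless `complior eval --security` has been run.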
Automatic passport update
After every scan, every Agent Passport's `complior_score` and `last_scan` fields are updated and the passport is re-signed with Ed25519, so a passport whose signature no longer verifies has been edited outside the scanner.
- Scan Tiers: 6 tiers from offline to cloud-enriched.
- Scoring: Dual scoring across compliance frameworks.