> ## Documentation Index
> Fetch the complete documentation index at: https://docs.complior.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Scan Overview

> 5-layer deterministic static analysis engine. Scans your codebase for EU AI Act compliance gaps in 2–5 seconds.

`complior scan` is a deterministic, 5-layer compliance analysis engine. It evaluates your project against the EU AI Act and produces actionable findings with confidence scoring, obligation mapping, and fix suggestions.

```bash theme={null}
complior scan [path] [--deep] [--llm] [--cloud] [--ci] [--json] [--sarif]
              [--threshold N] [--fail-on SEVERITY] [--diff BRANCH]
              [--fail-on-regression] [--comment] [--quiet] [--agent NAME]
```

<Warning>
  **Design principle:** LLM **never** makes compliance determinations. Layers L1–L4 are fully deterministic (AST + rules). Layer L5 (LLM) is opt-in and only clarifies findings in the uncertain zone (50–80% confidence).
</Warning>

## The 5 layers

| Layer                     | Weight | What it checks                                                           | Checks  |
| ------------------------- | ------ | ------------------------------------------------------------------------ | ------- |
| **L1** File Presence      | 1.00   | README, LICENSE, .env, privacy policy, passport                          | 14      |
| **L2** Document Structure | 0.95   | Required sections, FRIA presence, section depth                          | 8       |
| **L3** Dependencies       | 0.90   | AI packages (45 frameworks), lockfile, licenses, CVEs                    | 12      |
| **L4** Code Patterns      | 0.75   | 40+ AST patterns, disclosure, logging, permissions                       | 33      |
| **L5** LLM Analysis       | 0.70   | Targeted analysis for uncertain findings (opt-in, BYOK)                  | dynamic |
| **Cross-Layer**           | —      | 6 consistency rules (doc-code mismatch, logging without retention, etc.) | 6       |

## What gets scanned

| Capability        | Details                                                                                |
| ----------------- | -------------------------------------------------------------------------------------- |
| **AI Frameworks** | 57+ detected: LangChain, CrewAI, OpenAI, Anthropic, Vercel AI, HuggingFace, LlamaIndex |
| **Languages**     | TypeScript/JavaScript, Python, Go, Rust, Java                                          |
| **Secrets**       | 37 patterns: API keys, tokens, passwords (Rust-native detection)                       |
| **Git History**   | 21 compliance-relevant documents traced through commit history                         |
| **Import Graph**  | 45 AI packages + transitive dependencies mapped                                        |
| **File Limit**    | 500 files max, 1 MB each                                                               |

## Example output

```
◆ Complior v1.0.0  ·  EU AI Act Compliance Scanner
────────────────────────────────────────────────────────────────────────────────
Scanning  acme-ai-support
Files     57 collected
Elapsed   82ms
Layers    L1 File Presence · L2 Document Structure · L3 Dependencies
          · L4 Code Patterns · NHI Secrets · GPAI Systemic Risk

────────────────────────────────────────────────────────────────────────────────
COMPLIANCE SCORE                                                   33 / 100  F
SECURITY SCORE                                                             N/A
Run `complior eval --security <url>` for security scoring
────────────────────────────────────────────────────────────────────────────────
!! Score capped — critical violations limit maximum achievable score

Framework Breakdown
  EU AI Act                   33 / 100   ███████░░░░░░░░░░░░░

Layer Results
  L1    File Presence            FAIL   13 issues found
  L3    Dependencies             FAIL   3 issues found
  L4    Code Patterns            WARN   46 issues found
  NHI   Secrets                  FAIL   7 issues found
  CROSS Cross-Layer              WARN   3 issues found
  GPAI  Systemic Risk            PASS   1 checks passed

────────────────────────────────────────────────────────────────────────────────
FINDINGS  (72 total · 6 critical · 8 high · 55 medium)
────────────────────────────────────────────────────────────────────────────────

acme-ai-support-anthropic · AI System  (4 findings)

  L4 Code Patterns
    F-001  ●  MEDIUM  [L4]  Art. 15(4) · Security Vulnerability
       WARNING: Hardcoded API key in source code
       File:  src/agents/autonomous-agent.ts:12
       Fix:  Move API keys to environment variables or secret management

  NHI Secrets
    F-028  ✖  CRITICAL  [NHI]  Art. 15(4) · Secrets: Api_key
       Anthropic API key detected: sk-a...34yz
       File:  src/agents/llm-service.py:12
       Fix:  Remove or externalize the secret from source code

PROJECT-LEVEL (44 findings)

  L1 File Presence
    F-029  ▲  HIGH  [L1]  Art. 26(4) · Agent Passport
       No Agent Passport found — AI SDK detected but no
       .complior/agents/*-manifest.json (Art. 26(4))
       Fix:  Run `complior agent init` to generate an Agent Passport

  ...

PER-AGENT SUMMARY
────────────────────────────────────────────────────────────────────────────────

  AGENT                     FINDINGS CRITICAL   HIGH  FILES
  -------------------------------------------------------
  acme-ai-support-anthropic        4        0      0      2
  acme-ai-support-autogen          0        0      0      0
  acme-ai-support-bedrock          2        0      0      1
  acme-ai-support-crewai           0        0      0      0
  acme-ai-support-langchain        1        0      0      1
  acme-ai-support-openai          20        1      0      9

────────────────────────────────────────────────────────────────────────────────
QUICK ACTIONS
────────────────────────────────────────────────────────────────────────────────
Auto-fix available        complior fix
Deep scan                 complior scan --deep
Full interactive view     complior tui
Export JSON               complior scan --json > report.json

Next: fix 6 critical issues to improve your score
```

## JSON output

Use `--json` for structured output in CI/CD pipelines:

```json theme={null}
{
  "score": { "compliance": 33, "security": null },
  "frameworks": {
    "eu-ai-act": { "score": 33, "grade": "F" }
  },
  "findings": [
    {
      "id": "no-disclosure",
      "severity": "critical",
      "layer": "L4",
      "obligation": "OBL-050",
      "article": "Art.50",
      "message": "No AI disclosure found in agent code",
      "file": "src/agents/order-agent.ts",
      "line": 42,
      "fixable": true
    }
  ]
}
```

## Finding severities

| Severity     | Meaning                                   | Example                                      |
| ------------ | ----------------------------------------- | -------------------------------------------- |
| **Critical** | Blocks deployment. Art.5 violation.       | Prohibited practice, no disclosure           |
| **High**     | Major gap. Required for your risk class.  | Missing FRIA, no human oversight             |
| **Medium**   | Recommended. Affects score significantly. | Weak logging, incomplete error handling      |
| **Low**      | Best practice. Minor score impact.        | Missing .gitignore, outdated dependency      |
| **Info**     | Informational. Not scored.                | Bare LLM API call detected (SDK recommended) |

<Info>
  **Info findings** are detected patterns that are not compliance violations. They appear in scan output as recommendations but do not affect your score. Example: bare LLM API calls — the EU AI Act requires disclosure, logging, and oversight (separate checks), not SDK wrapping specifically.
</Info>

## All scan flags

| Flag                   | What it does                                                     |
| ---------------------- | ---------------------------------------------------------------- |
| `--deep`               | Tier 2: Run Semgrep, Bandit, ModelScan, detect-secrets           |
| `--llm`                | L5: AI-powered document quality analysis (requires BYOK API key) |
| `--cloud`              | Tier 3: Cloud-based SBOM + PII + vendor assessment               |
| `--ci`                 | CI mode: exit 0 if score >= threshold, else 1                    |
| `--json`               | Output as JSON                                                   |
| `--sarif`              | Output as SARIF v2.1.0 (GitHub Code Scanning, VS Code)           |
| `--threshold N`        | Score threshold for CI pass (default: 50)                        |
| `--fail-on SEVERITY`   | Fail on severity level (critical, high, medium, low)             |
| `--diff BRANCH`        | Diff mode: compare against base branch (e.g., main)              |
| `--fail-on-regression` | Exit 1 if score regressed or new critical findings               |
| `--comment`            | Post diff as PR comment (requires `gh` CLI)                      |
| `--quiet` / `-q`       | Show only critical findings and score                            |
| `--agent NAME`         | Filter scan by agent name (passport `source_files`)              |
| `--no-tui`             | Headless human-readable output (no TUI)                          |

## Automatic passport update

After every scan, all Agent Passports auto-update `complior_score`, `last_scan`, and re-sign with ed25519.

<CardGroup cols={2}>
  <Card title="Scan Tiers" icon="layer-group" href="/scan/scan-tiers">
    6 tiers from offline to cloud-enriched.
  </Card>

  <Card title="Scoring" icon="gauge-high" href="/scan/scoring">
    Dual scoring across compliance frameworks.
  </Card>
</CardGroup>
