Scan Tiers

Scan tiers are composable flags. Each tier adds capability while keeping everything below it.

complior scan


Coverage	60–70%
Time	2–5 seconds
Dependencies	None (zero install)
What runs	L1–L4 checks + Rust-native secret detection (37 patterns)

Works completely offline. No internet, no accounts, no API keys.

complior scan --llm


Coverage	70–80%
Time	+5–15 seconds
Dependencies	BYOK API key (OpenAI, Anthropic, OpenRouter, Ollama)
What adds	L5 targeted LLM analysis for uncertain findings (50–80% confidence) + document quality validation

complior scan --deep


Coverage	80–85%
Time	10–30 seconds
Dependencies	Auto-download ~150 MB (one-time, cached in `~/.complior/tools/`)
What adds	Semgrep (multi-lang AST rules), Bandit (Python security), ModelScan (model backdoor detection)

complior scan --deep --llm


Coverage	85–90%
Dependencies	Auto-download ~150 MB + BYOK API key
What runs	L1–L5 + Semgrep/Bandit/ModelScan. Full offline analysis with maximum local depth.

Best option when you want maximum depth without sending any data to the cloud.

complior scan --cloud


Coverage	90–95%
Dependencies	Cloud account
What adds	AI SBOM + CycloneDX, Presidio PII detection (50+ EU types), vendor Art.25 assessment, PDF/DOCX export

Cloud scan sends findings + deps + code snippets to scan.complior.dev. Not full source code. EU data residency (Hetzner, Germany).

complior scan --deep --llm --cloud


Coverage	95%+
What runs	Everything: L1–L5 + Semgrep/Bandit/ModelScan + SBOM/PII/vendor + hosted LLM

Maximum analysis depth. All flags combined.

Deep scan tools

Tools auto-downloaded on first --deep run:

Tool	License	What it does
Semgrep	LGPL-2.1	Multi-language AST rules (20–30 YAML rules)
Bandit	Apache 2.0	Python security analysis (pickle, eval, exec)
ModelScan	Apache 2.0	Model file backdoor detection (.pt/.pkl/.safetensors)

All cached in ~/.complior/tools/. No manual setup needed.