ComplianceAgent: Open-source EU AI Act compliance scanner
ComplianceAgent is an open-source CLI tool that quickly scans AI projects for EU AI Act compliance, providing actionable fixes. One command, about 5 seconds.
Notifications You must be signed in to change notification settings
Fork 0
Star 0
BranchesTags
Open more actions menu
Folders and files
NameName
Last commit message
Last commit date
Latest commit
History
34 Commits
34 Commits
.github
.github
docs
docs
examples
examples
rules
rules
src/compliance_agent
src/compliance_agent
templates
templates
tests
tests
.gitignore
.gitignore
.pre-commit-hooks.yaml
.pre-commit-hooks.yaml
.python-version
.python-version
CHANGELOG.md
CHANGELOG.md
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
CONTRIBUTING.md
CONTRIBUTING.md
LICENSE
LICENSE
README.md
README.md
SECURITY.md
SECURITY.md
pyproject.toml
pyproject.toml
uv.lock
uv.lock
Repository files navigation
Check if your AI project follows EU rules.
The EU has new rules for AI. If you're building with OpenAI, Anthropic, LangChain, or any AI framework, you need to check whether you comply. This tool does it for you — one command, about 5 seconds.
30-Second Start · What It Does · How It Works · Examples · All Commands · FAQ
30-Second Start
Install (isolated CLI tool)
uv tool install compliance-agent
no uv? use: pipx install compliance-agent
Check your project
compliance-agent scan .
Done. Read what it found.
What It Does (Simple Version)
Scans your code — finds where you use AI (OpenAI, LangChain, etc.).
Checks the rules — compares your code against EU AI Act requirements.
Tells you what's missing — shows exactly what you need to fix.
Gives you the code — provides copy-paste fixes for each problem.
What You'll See
When you run compliance-agent scan ., you get a boxed terminal report: a header, a summary strip, per-article coverage, findings, and the gaps to fix. Illustrative shape (real output for the bundled sample is in examples/EXPECTED_OUTPUT.md):
╭─ EU AI Act Compliance Report ──────────────────────────────╮ │ Files scanned 3 │ │ Risk tier LIMITED │ ╰──────────────────────────────────────────── ComplianceAgent ╯
╭─ Scan Summary ─────────────────────────────────────────────╮ │ 3 1 6 9 │ │ FILES AI SYSTEMS FINDINGS GAPS │ ╰────────────────────────────────────────────────────────────╯
╭─ Compliance Gaps ──────────────────────────────────────────╮ │ ✗ MISSING Automated logging of AI events required (Art.12) │ │ Fix: templates/art12/event_logging.py │ │ ✗ MISSING AI transparency disclosure required (Art. 50) │ │ Fix: templates/art50/transparency_notice.py │ │ ✗ MISSING Error handling around AI calls (Art. 15) │ │ Fix: add try/except + fallbacks around model calls │ ╰────────────────────────────────────────────────────────────╯
Next: compliance-agent recommend . --output ./fixes
Prefer a file? scan --format pdf --output report.pdf writes a PDF, and the separate report command writes markdown or PDF to disk. For scan, --format markdown and --format json render to the terminal/stdout — pipe json to a file if you need one (see Command Reference).
Do I Need This?
Yes, if you:
Use OpenAI, Anthropic, Google, or any AI API
Build chatbots or AI assistants
Use LangChain, CrewAI, AutoGen, or LangGraph
Deploy AI in the EU or serve EU users
Want to avoid fines (up to €15M / 3% of turnover for most obligations, and up to €35M / 7% for prohibited practices)
No, if you:
Don't use AI in your project
Only use AI for personal projects (not a business)
Don't operate in, or serve users in, the EU
Installation
ComplianceAgent is a command-line tool, so the cleanest way to install it is with a tool installer that keeps it in its own isolated environment.
Recommended (isolated CLI install)
uv tool install compliance-agent
or, with pipx:
pipx install compliance-agent
No uv or pipx yet? Install one:
brew install uv # or: brew install pipx
Alternative: pip inside a virtual environment
On modern macOS/Linux, a bare pip install into the system Python is blocked (PEP 668, "externally-managed-environment"). Use a virtual environment:
python3 -m venv .venv source .venv/bin/activate # Windows: .venv\Scripts\activate pip install compliance-agent
Latest unreleased version (from GitHub)
uv tool install git+https://github.com/latreon/compliance-agent.git
or: pipx install git+https://github.com/latreon/compliance-agent.git
Verify it worked
compliance-agent version
ComplianceAgent v0.1.7
Trouble installing or running? See the Troubleshooting guide.
How It Works
Step 1: Scan your code
The scanner reads your project files and looks for AI-related patterns:
import openai — you're using OpenAI
from langchain — you're using LangChain
AgentExecutor() — you're running an AI agent
client.chat.completions.create() — you're calling an AI API
Provider and framework detection uses AST parsing (not just text search): they only fire in files that actually import the library, so a comment that mentions "OpenAI" won't trigger a provider finding. Lightweight keyword patterns (e.g. chat-interface wording) additionally scan documentation and config, so a small number of findings can come from .md files.
Step 2: Classify risk
Based on what it finds, the tool assigns a risk level:
Risk Level What It Means Rules That Apply
MINIMAL Basic AI usage, no user interaction Almost none
LIMITED AI interacts with users Transparency rules (Art. 50)
HIGH AI used in an Annex III domain (hiring, credit, biometrics, law enforcement, …) Full compliance required
UNACCEPTABLE Banned AI practices (Art. 5) Cannot be deployed
How the tier is decided. HIGH risk under the EU AI Act comes from the use-case domain (Annex III), not from technical capability. An autonomous agent with tools is not automatically high-risk — a résumé-screening or credit-scoring system is. ComplianceAgent classifies HIGH only when it detects Annex III domain indicators, and UNACCEPTABLE only when it detects a likely Art. 5 prohibited practice (e.g. social scoring, untargeted facial scraping). Domain indicators are matched against file paths and code content (not just file names), but only for projects that actually use AI. Both are keyword-based heuristics and provisional (Art. 6(3) also exempts some narrow-purpose systems), so a match is a prompt to self-assess and consult counsel — not a legal determination. See docs/ARCHITECTURE.md for how tiers are decided.
Step 3: Check compliance
The tool checks 13 specific articles of the EU AI Act:
Article What It Checks When It Matters
Art. 50 "You're talking to AI" notice Any user-facing AI
Art. 12 Logging AI conversations All AI systems
Art. 14 Human oversight for decisions High-risk / agentic AI
Art. 15 Error handling and robustness All AI systems
... see the full list ...
Step 4: Recommend fixes
For each issue found, the tool:
Explains what's wrong
Shows which rule requires the fix
Provides a code template you can copy
Tells you exactly where to put it
ISSUE: No "You're talking to AI" notice RULE: EU AI Act Article 50(1) FIX: Copy templates/art50/transparency_notice.py into your project WHERE: Add it before your chat endpoint
Real Examples
Example 1: Simple chatbot (Limited risk)
A basic chatbot using OpenAI:
chatbot.py
import openai
client = openai.OpenAI()
def chat(user_input): return client.chat.completions.create( model="gpt-4", messages=[{"role": "user", "content": user_input}], ).choices[0].message.content
Scan result (illustrative summary — exact wording/counts come from the scan):
Risk tier: LIMITED — user-facing AI, no Annex III high-risk domain matched Gaps: Art. 12 (record-keeping), Art. 50 (transparency), Art. 15 (robustness) Fix: add a transparency notice + event logging + error handling
Example 2: LangChain agent (Higher risk)
An agent that can search the web and send emails:
agent.py
from langchain.agents import AgentExecutor from langchain.tools import Tool
tools = [ Tool(name="search", func=search_web, description="Search the web"), Tool(name="email", func=send_email, description="Send an email"), ]
executor = AgentExecutor(agent=agent, tools=tools)
Scan result (illustrative — the tier is HIGH only if your code also matches an Annex III high-risk domain; agentic patterns on their own drive the oversight and logging gaps below):
RISK: LIMITED (no Annex III high-risk domain detected) FRAMEWORKS: LangChain (agent, tools) ISSUES: several, including
- No human oversight before tool use (Art. 14)
- No logging of tool calls (Art. 12)
- No error handling for API failures (Art. 15)
- No "You're talking to AI" notice (Art. 50)
FIX: Add human-in-the-loop, logging, error handling, transparency.
Note: tool access raises real Art. 14 oversight and Art. 12 logging gaps, but it does not by itself make the system HIGH risk. The tier becomes HIGH only if the agent operates in an Annex III domain (e.g. hiring, credit, biometrics) — see How the tier is decided.
Example 3: CrewAI multi-agent
A crew of agents researching and writing:
crew.py
from crewai import Agent, Task, Crew
researcher = Agent(role="Researcher", tools=[search]) writer = Agent(role="Writer", tools=[write])
crew = Crew( agents=[researcher, writer], tasks=[Task(description="Research", agent=researcher), Task(description="Write", agent=writer)], ) crew.kickoff()
Scan result (illustrative):
RISK: LIMITED (multi-agent, but no Annex III high-risk domain detected) FRAMEWORKS: CrewAI (agent, crew, task) ISSUES: several, including
- No oversight before crew execution (Art. 14)
- No logging of agent actions (Art. 12)
- No technical documentation (Art. 11)
FIX: Add an approval workflow, logging, and documentation.
A crew researching and writing is not, by itself, an Annex III high-risk use-case, so the tier stays LIMITED. Point the same crew at résumé screening or credit decisions and the tier becomes HIGH.
Command Reference
Scan a folder (. means the current folder)
compliance-agent scan .
Output types
compliance-agent scan . --format markdown # for reading (default), to terminal compliance-agent scan . --format json # for computers / CI, to stdout compliance-agent scan . --format pdf --output report.pdf # PDF file (-o alias)
Only show serious issues (info | warning | high | critical)
compliance-agent scan . --severity high
Skip folders (repeatable)
compliance-agent scan . --exclude "tests/*" --exclude "docs/*"
Only check matching folders (repeatable allow-list)
compliance-agent scan . --include "src/*"
Quieter / plainer output
compliance-agent scan . --quiet # summary only, no per-finding detail compliance-agent scan . --no-color # disable colored output compliance-agent scan . --verbose # show what is scanned + info logs compliance-agent scan . --no-update-check # skip the PyPI version check
Show how to fix each problem
compliance-agent scan . --fix
Copy fix templates into your project
compliance-agent recommend . --output ./fixes compliance-agent recommend . --format json # machine-readable recommendations
Make a shareable report file
compliance-agent report . --output audit-2026.pdf
For CI/CD: plain output, fail the build on serious issues
compliance-agent scan . --ci --fail-on high
Upgrade to the latest (or a specific) version
compliance-agent upgrade compliance-agent upgrade 0.1.2
Show the installed version (and whether an update is available)
compliance-agent version compliance-agent --version # -V: quick version, then exit
Run compliance-agent scan --help to see every option explained.
Staying up to date. After a scan, ComplianceAgent tells you if a newer version is on PyPI, then compliance-agent upgrade updates it in place (auto-detecting whether you installed with uv, pipx, or pip). The check is cached for a day, never blocks a scan, and is skipped in CI and JSON output. Disable it with --no-update-check, COMPLIANCE_AGENT_NO_UPDATE_CHECK=1, or the conventional NO_UPDATE_NOTIFIER=1.
Exit codes: 0 success · 1 --fail-on threshold met · 2 usage error.
[truncated for AI cost control]