AI News HubLIVE
In-site rewrite5 min read

ComplianceAgent: Open-source EU AI Act compliance scanner

ComplianceAgent is an open-source CLI tool that quickly scans AI projects for EU AI Act compliance, providing actionable fixes. One command, about 5 seconds.

SourceHacker News AIAuthor: latreon

Notifications You must be signed in to change notification settings

Fork 0

Star 0

BranchesTags

Open more actions menu

Folders and files

NameName

Last commit message

Last commit date

Latest commit

History

34 Commits

34 Commits

.github

.github

docs

docs

examples

examples

rules

rules

src/compliance_agent

src/compliance_agent

templates

templates

tests

tests

.gitignore

.gitignore

.pre-commit-hooks.yaml

.pre-commit-hooks.yaml

.python-version

.python-version

CHANGELOG.md

CHANGELOG.md

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

CONTRIBUTING.md

CONTRIBUTING.md

LICENSE

LICENSE

README.md

README.md

SECURITY.md

SECURITY.md

pyproject.toml

pyproject.toml

uv.lock

uv.lock

Repository files navigation

Check if your AI project follows EU rules.

The EU has new rules for AI. If you're building with OpenAI, Anthropic, LangChain, or any AI framework, you need to check whether you comply. This tool does it for you — one command, about 5 seconds.

30-Second Start · What It Does · How It Works · Examples · All Commands · FAQ

30-Second Start

Install (isolated CLI tool)

uv tool install compliance-agent

no uv? use: pipx install compliance-agent

Check your project

compliance-agent scan .

Done. Read what it found.

What It Does (Simple Version)

Scans your code — finds where you use AI (OpenAI, LangChain, etc.).

Checks the rules — compares your code against EU AI Act requirements.

Tells you what's missing — shows exactly what you need to fix.

Gives you the code — provides copy-paste fixes for each problem.

What You'll See

When you run compliance-agent scan ., you get a boxed terminal report: a header, a summary strip, per-article coverage, findings, and the gaps to fix. Illustrative shape (real output for the bundled sample is in examples/EXPECTED_OUTPUT.md):

╭─ EU AI Act Compliance Report ──────────────────────────────╮ │ Files scanned 3 │ │ Risk tier LIMITED │ ╰──────────────────────────────────────────── ComplianceAgent ╯

╭─ Scan Summary ─────────────────────────────────────────────╮ │ 3 1 6 9 │ │ FILES AI SYSTEMS FINDINGS GAPS │ ╰────────────────────────────────────────────────────────────╯

╭─ Compliance Gaps ──────────────────────────────────────────╮ │ ✗ MISSING Automated logging of AI events required (Art.12) │ │ Fix: templates/art12/event_logging.py │ │ ✗ MISSING AI transparency disclosure required (Art. 50) │ │ Fix: templates/art50/transparency_notice.py │ │ ✗ MISSING Error handling around AI calls (Art. 15) │ │ Fix: add try/except + fallbacks around model calls │ ╰────────────────────────────────────────────────────────────╯

Next: compliance-agent recommend . --output ./fixes

Prefer a file? scan --format pdf --output report.pdf writes a PDF, and the separate report command writes markdown or PDF to disk. For scan, --format markdown and --format json render to the terminal/stdout — pipe json to a file if you need one (see Command Reference).

Do I Need This?

Yes, if you:

Use OpenAI, Anthropic, Google, or any AI API

Build chatbots or AI assistants

Use LangChain, CrewAI, AutoGen, or LangGraph

Deploy AI in the EU or serve EU users

Want to avoid fines (up to €15M / 3% of turnover for most obligations, and up to €35M / 7% for prohibited practices)

No, if you:

Don't use AI in your project

Only use AI for personal projects (not a business)

Don't operate in, or serve users in, the EU

Installation

ComplianceAgent is a command-line tool, so the cleanest way to install it is with a tool installer that keeps it in its own isolated environment.

Recommended (isolated CLI install)

uv tool install compliance-agent

or, with pipx:

pipx install compliance-agent

No uv or pipx yet? Install one:

brew install uv # or: brew install pipx

Alternative: pip inside a virtual environment

On modern macOS/Linux, a bare pip install into the system Python is blocked (PEP 668, "externally-managed-environment"). Use a virtual environment:

python3 -m venv .venv source .venv/bin/activate # Windows: .venv\Scripts\activate pip install compliance-agent

Latest unreleased version (from GitHub)

uv tool install git+https://github.com/latreon/compliance-agent.git

or: pipx install git+https://github.com/latreon/compliance-agent.git

Verify it worked

compliance-agent version

ComplianceAgent v0.1.7

Trouble installing or running? See the Troubleshooting guide.

How It Works

Step 1: Scan your code

The scanner reads your project files and looks for AI-related patterns:

import openai — you're using OpenAI

from langchain — you're using LangChain

AgentExecutor() — you're running an AI agent

client.chat.completions.create() — you're calling an AI API

Provider and framework detection uses AST parsing (not just text search): they only fire in files that actually import the library, so a comment that mentions "OpenAI" won't trigger a provider finding. Lightweight keyword patterns (e.g. chat-interface wording) additionally scan documentation and config, so a small number of findings can come from .md files.

Step 2: Classify risk

Based on what it finds, the tool assigns a risk level:

Risk Level What It Means Rules That Apply

MINIMAL Basic AI usage, no user interaction Almost none

LIMITED AI interacts with users Transparency rules (Art. 50)

HIGH AI used in an Annex III domain (hiring, credit, biometrics, law enforcement, …) Full compliance required

UNACCEPTABLE Banned AI practices (Art. 5) Cannot be deployed

How the tier is decided. HIGH risk under the EU AI Act comes from the use-case domain (Annex III), not from technical capability. An autonomous agent with tools is not automatically high-risk — a résumé-screening or credit-scoring system is. ComplianceAgent classifies HIGH only when it detects Annex III domain indicators, and UNACCEPTABLE only when it detects a likely Art. 5 prohibited practice (e.g. social scoring, untargeted facial scraping). Domain indicators are matched against file paths and code content (not just file names), but only for projects that actually use AI. Both are keyword-based heuristics and provisional (Art. 6(3) also exempts some narrow-purpose systems), so a match is a prompt to self-assess and consult counsel — not a legal determination. See docs/ARCHITECTURE.md for how tiers are decided.

Step 3: Check compliance

The tool checks 13 specific articles of the EU AI Act:

Article What It Checks When It Matters

Art. 50 "You're talking to AI" notice Any user-facing AI

Art. 12 Logging AI conversations All AI systems

Art. 14 Human oversight for decisions High-risk / agentic AI

Art. 15 Error handling and robustness All AI systems

... see the full list ...

Step 4: Recommend fixes

For each issue found, the tool:

Explains what's wrong

Shows which rule requires the fix

Provides a code template you can copy

Tells you exactly where to put it

ISSUE: No "You're talking to AI" notice RULE: EU AI Act Article 50(1) FIX: Copy templates/art50/transparency_notice.py into your project WHERE: Add it before your chat endpoint

Real Examples

Example 1: Simple chatbot (Limited risk)

A basic chatbot using OpenAI:

chatbot.py

import openai

client = openai.OpenAI()

def chat(user_input): return client.chat.completions.create( model="gpt-4", messages=[{"role": "user", "content": user_input}], ).choices[0].message.content

Scan result (illustrative summary — exact wording/counts come from the scan):

Risk tier: LIMITED — user-facing AI, no Annex III high-risk domain matched Gaps: Art. 12 (record-keeping), Art. 50 (transparency), Art. 15 (robustness) Fix: add a transparency notice + event logging + error handling

Example 2: LangChain agent (Higher risk)

An agent that can search the web and send emails:

agent.py

from langchain.agents import AgentExecutor from langchain.tools import Tool

tools = [ Tool(name="search", func=search_web, description="Search the web"), Tool(name="email", func=send_email, description="Send an email"), ]

executor = AgentExecutor(agent=agent, tools=tools)

Scan result (illustrative — the tier is HIGH only if your code also matches an Annex III high-risk domain; agentic patterns on their own drive the oversight and logging gaps below):

RISK: LIMITED (no Annex III high-risk domain detected) FRAMEWORKS: LangChain (agent, tools) ISSUES: several, including

  1. No human oversight before tool use (Art. 14)
  2. No logging of tool calls (Art. 12)
  3. No error handling for API failures (Art. 15)
  4. No "You're talking to AI" notice (Art. 50)

FIX: Add human-in-the-loop, logging, error handling, transparency.

Note: tool access raises real Art. 14 oversight and Art. 12 logging gaps, but it does not by itself make the system HIGH risk. The tier becomes HIGH only if the agent operates in an Annex III domain (e.g. hiring, credit, biometrics) — see How the tier is decided.

Example 3: CrewAI multi-agent

A crew of agents researching and writing:

crew.py

from crewai import Agent, Task, Crew

researcher = Agent(role="Researcher", tools=[search]) writer = Agent(role="Writer", tools=[write])

crew = Crew( agents=[researcher, writer], tasks=[Task(description="Research", agent=researcher), Task(description="Write", agent=writer)], ) crew.kickoff()

Scan result (illustrative):

RISK: LIMITED (multi-agent, but no Annex III high-risk domain detected) FRAMEWORKS: CrewAI (agent, crew, task) ISSUES: several, including

  1. No oversight before crew execution (Art. 14)
  2. No logging of agent actions (Art. 12)
  3. No technical documentation (Art. 11)

FIX: Add an approval workflow, logging, and documentation.

A crew researching and writing is not, by itself, an Annex III high-risk use-case, so the tier stays LIMITED. Point the same crew at résumé screening or credit decisions and the tier becomes HIGH.

Command Reference

Scan a folder (. means the current folder)

compliance-agent scan .

Output types

compliance-agent scan . --format markdown # for reading (default), to terminal compliance-agent scan . --format json # for computers / CI, to stdout compliance-agent scan . --format pdf --output report.pdf # PDF file (-o alias)

Only show serious issues (info | warning | high | critical)

compliance-agent scan . --severity high

Skip folders (repeatable)

compliance-agent scan . --exclude "tests/*" --exclude "docs/*"

Only check matching folders (repeatable allow-list)

compliance-agent scan . --include "src/*"

Quieter / plainer output

compliance-agent scan . --quiet # summary only, no per-finding detail compliance-agent scan . --no-color # disable colored output compliance-agent scan . --verbose # show what is scanned + info logs compliance-agent scan . --no-update-check # skip the PyPI version check

Show how to fix each problem

compliance-agent scan . --fix

Copy fix templates into your project

compliance-agent recommend . --output ./fixes compliance-agent recommend . --format json # machine-readable recommendations

Make a shareable report file

compliance-agent report . --output audit-2026.pdf

For CI/CD: plain output, fail the build on serious issues

compliance-agent scan . --ci --fail-on high

Upgrade to the latest (or a specific) version

compliance-agent upgrade compliance-agent upgrade 0.1.2

Show the installed version (and whether an update is available)

compliance-agent version compliance-agent --version # -V: quick version, then exit

Run compliance-agent scan --help to see every option explained.

Staying up to date. After a scan, ComplianceAgent tells you if a newer version is on PyPI, then compliance-agent upgrade updates it in place (auto-detecting whether you installed with uv, pipx, or pip). The check is cached for a day, never blocks a scan, and is skipped in CI and JSON output. Disable it with --no-update-check, COMPLIANCE_AGENT_NO_UPDATE_CHECK=1, or the conventional NO_UPDATE_NOTIFIER=1.

Exit codes: 0 success · 1 --fail-on threshold met · 2 usage error.

[truncated for AI cost control]