Scan, attest, and document EU AI Act compliance in your IDE. Code-verifiable checks, AI-assisted evidence collection, and structured attestation gates — all with audit trail. Your code never leaves your machine.
Quick start
Install. Scan. Done. From zero to audit-ready in under five minutes.
One command. Works with Claude Code, Cursor, Windsurf, and all MCP-compatible IDEs.
Your AI reads code locally and checks 247 legal obligations. Zero code uploaded.
“Scan my project for EU AI Act compliance.”
Scanning demo-ai-chat against EU AI Act...
Analyzing 247 obligations across 44 articles
Reading files via Smart Scan...
✓ Scan complete
3 compliant · 85 non-compliant · 103 needs review
Results saved to .compliancelint/local/
Connect your dashboard, sync findings, export audit-ready PDFs.
“Connect to ComplianceLint dashboard.”
✓ Connected
Browser opened — linked to compliancelint.dev
“Sync my compliance results.”
✓ Synced to dashboard
247 results uploaded — view at compliancelint.dev
Your compliance journey
ComplianceLint doesn't just find problems — it helps you fix them.
Ask your AI for an action plan. It generates prioritized steps — what to fix first, what code to change.
“Give me an action plan to fix my compliance issues.”
✓ Generated 12 prioritized steps
Fix risk management first, then data governance...
Make changes, then scan again. ComplianceLint tracks what improved and what's still open.
“Scan my project again.”
✓ 5 issues resolved
80 remaining · score 42% → 58%
The AI verifies your fix, updates the finding, and records who made the change — ready for auditors.
“I've fixed the logging issue. Mark it as resolved.”
✓ Status updated
Evidence recorded — now compliant
Export scan findings, declaration of conformity, and more as PDF from your dashboard.
✓ compliance-report.pdf downloaded
1.0 Scan
Your AI IDE scans every file locally and checks it against 247 legal obligations. No code is uploaded. Results appear in seconds.
$ Ask your AI to scan
> Scanning demo-ai-chat against EU AI Act...
Analyzing 247 obligations across 44 articles
Reading project files via Smart Scan...
Mapping compliance answers to legal obligations...
✓ Scan complete: 3 compliant, 85 non-compliant, 103 needs review
Results saved to .compliancelint/local/
2.0 Analyze
Every finding traces to a specific obligation with verbatim legal text from EUR-Lex. Not keyword matching — AI maps your code to legal requirements.
Legal requirement:
“A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.”
How to fix: Create docs/risk-management.md covering identified risks and mitigation measures.
Source: Art. 9(1) — EUR-Lex
“Providers shall ensure that AI systems intended to interact directly with natural persons are designed so that the natural person is informed they are interacting with an AI system.”
Source: Art. 50(1) — EUR-Lex
3.0 Tasks
Get a clear remediation plan sorted by severity. Know what to fix first, which articles are affected, and what each fix requires.
4.0 Fix
Your AI adds transparency notices, creates documentation, and updates code — then re-scans to verify. Watch your compliance score climb.
5.0 Track
Sync results to your dashboard. Track compliance over multiple scans. See trends across your whole team.
Dashboard snapshot: Current score 100% · Improvement +71% · Total scans 8
6.0 Report
Three export surfaces tuned for different audiences — daily review, audit interview, and the all-encompassing snapshot when the regulator asks for everything.
Compliance Journey (all tiers): Score history line chart + executive summary across every scan. For board reporting and trend reviews. Covers EU AI Act Art. 9(9).
Human Gates evidence (Pro+): Per-article PDFs generated as you complete each Human Gate questionnaire — Declaration of Conformity (Art. 47), Technical Documentation (Art. 11), or per-article evidence packs. Covers EU AI Act Art. 11, Art. 47, Annex IV/V.
Compliance All-in-One Pack (Business+): Audit-grade snapshot zip. Pick any historical date — get DoC + Tech Doc + per-article PDFs + evidence files + audit-trail CSV + an embedded HTML viewer your auditor opens directly. Covers EU AI Act Annex V + Annex IV + audit trail.
Not everything can be checked from code. Some EU AI Act obligations require human action — assigning oversight roles, conducting DPIAs, notifying workers.
Human Gates turn these into guided questionnaires. Fill in the form, and the obligation resolves automatically. 71 questionnaire schemas cover every manual obligation across all roles.
The EU AI Act defines six operator roles (Art. 3 plus Product Manufacturer per Art. 25(3)). Select yours — your compliance score, dashboard, and PDF exports only show what applies to you.
Who needs this
Integrate compliance into your development workflow. Scan on every PR, track progress across sprints.
Get started free. One command to scan, instant findings with clear remediation steps.
Dashboard overview across all AI systems. Track compliance trends. Export reports for board meetings.
Audit-ready documentation. Evidence chain. Declaration of Conformity. All traceable to legal text.
Enforcement deadline
EU AI Act high-risk requirements become enforceable. Non-compliance means fines up to 3% of global turnover.
Coverage
Every obligation traces to exact legal text from the EU AI Act.
All decomposed from the official EUR-Lex text and verified against the source quote. Profiling Wizard (next section ↓) narrows them to what actually applies to your system.
Profiling Wizard · Starter+
The Profiling Wizard asks a series of yes/no questions about your AI system — EU establishment, Annex III high-risk category, training data, GPAI status, value-chain role, Art. 2 carve-outs. Then it narrows the 247 EU AI Act obligations to the subset that actually applies to you.
Your wizard answers are stored as evidence with timestamps. If a regulator asks “why is Art. 49 not in your filing?” — the answer is one click away.
Beyond the scan
Input your organization size and revenue. See exact Art. 99 fine exposure for every non-compliant finding — prohibited use (€35M / 7%), mandatory obligations (€15M / 3%), information requirements (€7.5M / 1%). SMEs see “lower of” caps; large enterprises see “higher of”.
Free tier shows worst-case (€35M default). Configure to your org size on Starter+.
Browse and search the full EU AI Act by scope — Provider, Deployer, Importer, Distributor, Authorised Representative, Product Manufacturer. Verbatim EUR-Lex text, obligations mapped to your role, and direct drill-down to risk classification rules.
/dashboard/regulations/eu-ai-act — included free with every account.
Get notified when EU AI Act amendments, GPAI systemic-risk rulings, or member-state transposition laws affect your compliance profile. Each update lists which articles shifted and what your obligations look like under the new text.
Multi-framework mapping (ISO 42001, NIST AI RMF) included.
ComplianceLint runs entirely in your local AI IDE. Only compliance findings and legal citations — never source code — are sent to the dashboard. The dashboard itself is GDPR-compliant by design.
Your AI reads the code. The scanner runs on your machine. Nothing is uploaded during analysis.
The dashboard receives compliance verdicts and legal citations. Zero lines of source code.
Dashboard sync is optional. You explicitly choose when to share results with your team.
Upload files from the dashboard — bytes commit to .compliancelint/evidence/ in your git repo. We relay transiently, never hold your files.
Dashboard data protection
At rest (LUKS2 disk encryption): SQLite + WAL on AES-XTS-Plain64 with 512-bit key. Volume locked at boot; only unlocks via operator passphrase.
Cookie consent (ePrivacy Art 5(3) compliant): Banner asks before any analytics. PostHog + Sentry browser SDK gated on consent — no decision = no events sent.
User rights (GDPR Art 15/17/18/20/21): One-click data export (Art 15+20), account deletion with full cascade (Art 17), restrict processing (Art 18), object to legitimate interest (Art 21). All audit-logged.
Error tracking (self-hosted, retention-bounded): Server errors logged to our own DB with 90-day retention. Email/IP scrubbed before storage. Sentry browser SDK is opt-in only.
Pre-executed sub-processor DPAs with Hetzner (hosting), Resend (transactional email), LemonSqueezy (billing), and PostHog EU (consent-gated analytics). Read the full list at /legal/sub-processors.
Pick any past scan date. Click Export. Get a single zip with the Declaration of Conformity, Technical Documentation, every applicable article PDF, the original evidence files, and a complete audit trail — exactly as your AI system was on that day.
Audit-ready structure, not a legal opinion — final review still needs qualified counsel. The All-in-One Pack documents what you declared on the snapshot date; it does not opine on whether that declaration was correct.
Your repository is the primary evidence store — not our SaaS. We never execute git on your behalf, we never lock you into a host, and your audit trail survives history rewrites.
Rewrite history with rebase or filter-repo? The next sync detects the missing evidence file and flags it on the dashboard (broken_link). If the entire repo baseline shifts (force-push to root, filter-branch, migration), a banner asks the repo owner to explicitly acknowledge the new baseline before further syncs continue — preventing silent baseline corruption from accidental forks. The forensic record stays — who uploaded, when, at which sha — even after the bytes are gone from git.
Every scan writes a deterministic hash of findings + evidence state (sort_keys, UTC ISO, fixed-precision floats). Reproducible across machines. Git history isn't your audit trail — this ledger is.
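An added example, not ComplianceLint's own code, of the kind of deterministic ledger hash described above: keys sorted, timestamps normalised to UTC ISO, floats fixed to a set precision, then SHA-256 over the canonical JSON. The finding and evidence field names are assumptions.

```python
# Added example (not ComplianceLint's code): deterministic hash over findings + evidence
# state using the rules the page names (sort_keys, UTC ISO, fixed-precision floats).
# Field names such as "article", "status", "sha" and "uploaded_at" are assumptions.
import hashlib
import json
from datetime import datetime, timezone, timedelta

PRECISION = 4  # fixed-precision floats: 0.1 + 0.2 and 0.3 canonicalise to the same string


def canonicalize(value):
    """Recursively normalise values so two semantically equal states serialise identically."""
    if isinstance(value, dict):
        return {str(k): canonicalize(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [canonicalize(v) for v in value]
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("naive datetime: ledger timestamps must carry a timezone")
        return value.astimezone(timezone.utc).isoformat(timespec="seconds")
    if isinstance(value, float):
        return format(value, f".{PRECISION}f")  # string form avoids repr() drift across machines
    return value


def ledger_hash(findings, evidence):
    """SHA-256 over the canonical JSON of findings + evidence state (sort_keys, compact separators)."""
    state = {"findings": canonicalize(findings), "evidence": canonicalize(evidence)}
    blob = json.dumps(state, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


# Constructed sample state: same content written two ways (key order, timezone, float repr).
CET = timezone(timedelta(hours=1))
FINDINGS_A = [{"article": "Art. 9(1)", "status": "NON_COMPLIANT", "confidence": 0.3}]
FINDINGS_B = [{"status": "NON_COMPLIANT", "confidence": 0.1 + 0.2, "article": "Art. 9(1)"}]
EVIDENCE_A = {"docs/risk-management.md": {"sha": "deadbeef",
                                          "uploaded_at": datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)}}
EVIDENCE_B = {"docs/risk-management.md": {"uploaded_at": datetime(2025, 3, 1, 13, 0, tzinfo=CET),
                                          "sha": "deadbeef"}}

if __name__ == "__main__":
    print(ledger_hash(FINDINGS_A, EVIDENCE_A) == ledger_hash(FINDINGS_B, EVIDENCE_B))  # True
```

Any change to a finding's status or to an evidence pointer produces a different digest, which is what makes the ledger usable as an audit trail independent of git history.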
GitHub, GitLab, Bitbucket, Gitea, Azure DevOps, self-hosted, or a purely local repo. No GitHub App, no OAuth tokens, no vendor lock-in.
For your engineers · Pro+
Run ComplianceLint on every PR. Fail the build on new non-compliance. Surface findings inline in PR review and GitHub Code Scanning — not buried in a separate dashboard tab.
Add one job to your .github/workflows/ file. Action runs your AI-IDE scan against your existing AI provider (Claude, OpenAI, etc.), syncs results to the dashboard, fails on regressions.
Composite action published; no Marketplace dependency.
Export compliance findings as SARIF and upload to GitHub Code Scanning. Non-compliance comments appear directly on the diff — reviewer sees them where they already are, no context switch.
3 granularities: status-summary · per-scan · full-finding-detail.
Configure thresholds — e.g. “fail PR if any new NON_COMPLIANT finding on Art. 9 (risk management) or Art. 14 (human oversight)”. Existing findings carry over; only regressions block.
Configurable per article + severity + Annex.
```yaml
on: [pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ki-sum/compliancelint/.github/actions/sarif-export@v1
        with:
          api_key: ${{ secrets.CL_API_KEY }}
          fail_on: regression # or: any_non_compliant
          upload_sarif: true # GitHub Code Scanning
```

Different CI vendor or AI driver? The setup guide includes an AI-First prompt that adapts to your stack.
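The gate semantics described above (existing findings carry over, only new NON_COMPLIANT findings block, optionally limited to chosen articles), as an added standalone example rather than the action's own implementation. The finding shape, identifier scheme and policy names are assumptions.

```python
# Added example (not ComplianceLint's action): the "only regressions block" PR gate.
# Finding fields, the "eu-ai-act:..." identifier scheme and policy names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    obligation_id: str  # constructed identifier, e.g. "eu-ai-act:9(1)"
    article: str        # e.g. "Art. 9"
    status: str         # COMPLIANT | NON_COMPLIANT | NEEDS_REVIEW


def non_compliant_by_id(findings):
    return {f.obligation_id: f for f in findings if f.status == "NON_COMPLIANT"}


def evaluate_gate(baseline, current, fail_on="regression", gated_articles=None):
    """Return (should_fail, blocking_findings).

    fail_on="any_non_compliant": every NON_COMPLIANT finding in `current` blocks.
    fail_on="regression": only NON_COMPLIANT findings absent from `baseline` block,
    so pre-existing debt carries over and only new breakage stops the PR.
    gated_articles, if given, restricts blocking to those articles (e.g. {"Art. 9", "Art. 14"}).
    """
    current_nc = non_compliant_by_id(current)
    if fail_on == "any_non_compliant":
        candidates = current_nc
    elif fail_on == "regression":
        baseline_nc = non_compliant_by_id(baseline)
        candidates = {k: v for k, v in current_nc.items() if k not in baseline_nc}
    else:
        raise ValueError(f"unknown fail_on policy: {fail_on}")
    blocking = [f for f in candidates.values()
                if gated_articles is None or f.article in gated_articles]
    return (len(blocking) > 0, sorted(blocking, key=lambda f: f.obligation_id))


# Constructed sample scans: the baseline already had one Art. 9 finding open.
BASELINE = [
    Finding("eu-ai-act:9(1)", "Art. 9", "NON_COMPLIANT"),
    Finding("eu-ai-act:50(1)", "Art. 50", "COMPLIANT"),
]
CURRENT = [
    Finding("eu-ai-act:9(1)", "Art. 9", "NON_COMPLIANT"),    # carried over, does not block
    Finding("eu-ai-act:14(1)", "Art. 14", "NON_COMPLIANT"),  # new regression on a gated article
    Finding("eu-ai-act:50(1)", "Art. 50", "NON_COMPLIANT"),  # new, but Art. 50 is not gated here
]

if __name__ == "__main__":
    fail, blocking = evaluate_gate(BASELINE, CURRENT, "regression", {"Art. 9", "Art. 14"})
    print(fail, [f.obligation_id for f in blocking])  # True ['eu-ai-act:14(1)']
```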
Pricing
The scanner is free and source-available. Pay only for the dashboard features your team needs.
| Feature | | | | | |
|---|---|---|---|---|---|
| Included in every plan | |||||
| All 247 obligations visible (worst-case) | |||||
| Penalty display (worst-case Art. 99 caps) | |||||
| Team members | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited |
| Regulation updates timeline (in-app) — email digest is roadmap | |||||
| Plan differentiators | |||||
| Projects | 1 | 2 | 10 | Unlimited | Unlimited |
| Scan history | 7 days | Unlimited | Unlimited | Unlimited | Unlimited |
| PDF reports | Watermarked | Clean | Clean | Clean | Clean |
| Scope narrowing — see only obligations applicable to your AI system (~70% review-time saved) | |||||
| Risk classification picker (Art. 5 / 6 / 50) | |||||
| SME relief (Art. 11 simplified tech-doc per Recommendation 2003/361/EC) | |||||
| Per-obligation questionnaires (anchor AI answers to verbatim legal text) | |||||
| Art. 2 carve-outs (territorial / military / research / open-source) | |||||
| Penalty configuration (precise — based on your headcount + turnover + balance sheet) | |||||
| Evidence — text declarations + git_path pointers (captured: content saved in DB or git) | |||||
| Evidence — URL references (external pointer — content not captured, may link-rot) | |||||
| Evidence — file upload from dashboard (bytes commit to your git repo .compliancelint/evidence/) | |||||
| Human Gates questionnaires | |||||
| SARIF export — via GitHub Action composite (no dashboard button) | |||||
| CI/CD quality gate — any AI driver via MCP, AI-First setup | |||||
| Multi-framework mapping (ISO 42001, NIST AI RMF) — read-only chips, see Q7 docs | |||||
| Compliance All-in-One Pack (audit-grade snapshot zip — DoC + Tech Doc + per-article PDFs + evidence + audit CSV) | |||||
| SSO / SAML / on-prem deployment | |||||
Why ComplianceLint
You can ask any AI to review your code. But here's the difference:
ComplianceLint uses your AI too — Claude, GPT, or any AI reads the code. But instead of relying on general knowledge, your answers go through a verified obligation engine built from the actual legal text. The AI is the eyes. The engine is the brain.
ComplianceLint is designed with human oversight at every stage:
The user can stop any MCP tool call at any time by pressing Stop in their IDE.
247 legal obligations. 44 EU AI Act articles. One scan.