Run EU AI Act compliance scans automatically on every push and pull request — on any CI vendor, with any AI driver. Below: a reference example you can copy verbatim, plus an AI-First prompt that lets your own AI IDE generate a workflow tailored to your stack.
ComplianceLint exposes an MCP (Model Context Protocol) server. Any AI agent that can call MCP tools — Claude Code, Cursor, OpenAI Assistants, your own LLM runner — drives the scan from inside your CI runner. Your code never leaves the runner; only compliance verdicts (article × obligation × status) sync to the dashboard. If critical non-compliance is found, the build fails.
1. Workflow triggers on push to main or pull request
2. Your AI driver calls ComplianceLint MCP tools against the codebase
3. Results are uploaded to your ComplianceLint dashboard
4. Build fails if critical non-compliance is detected
This is the setup we operate ourselves (GitHub-hosted runner + Anthropic API + Claude Code as the AI driver). It works verbatim if your stack matches. Different CI vendor or different AI driver? Skip to the Adapt to Your AI Platform section below — it gives you a copy-paste prompt that lets your own AI IDE generate the equivalent workflow for your stack.
Copy the YAML below to .github/workflows/compliancelint.yml in your repository. Or download it directly. If your stack differs (non-GitHub CI, non-Anthropic LLM), use the AI-First prompt below instead — don't edit this file by hand.
```yaml
# ComplianceLint — EU AI Act Compliance Scanning
# REFERENCE EXAMPLE: GitHub Actions + Anthropic Claude Code.
# Adapt to your platform via the AI-First prompt below.
# Add this file to your repo at .github/workflows/compliancelint.yml
#
# Required secrets:
#   ANTHROPIC_API_KEY      — your AI driver's API key (this example uses Anthropic)
#   COMPLIANCELINT_API_KEY — your ComplianceLint dashboard API key

name: ComplianceLint

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

permissions:
  contents: read

jobs:
  compliance-scan:
    name: EU AI Act Compliance Scan
    runs-on: ubuntu-latest
    timeout-minutes: 15

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install ComplianceLint
        run: pip install compliancelint

      - name: Install Claude Code CLI
        run: npm install -g @anthropic-ai/claude-code

      - name: Configure MCP
        # GitHub expands the secret before the script runs, so the key is
        # written in plaintext to ~/.claude/mcp.json. Fine on an ephemeral
        # hosted runner; on a persistent self-hosted runner, delete the file
        # after the scan step.
        run: |
          mkdir -p ~/.claude
          cat > ~/.claude/mcp.json << 'MCPEOF'
          {
            "mcpServers": {
              "compliancelint": {
                "command": "python",
                "args": ["-m", "scanner.server"],
                "env": {
                  "COMPLIANCELINT_API_KEY": "${{ secrets.COMPLIANCELINT_API_KEY }}"
                }
              }
            }
          }
          MCPEOF

      - name: Run compliance scan
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          claude -p "Run a full EU AI Act compliance scan on this project:
          1. Analyze the codebase to understand its structure
          2. Scan against all 44 articles in the EU AI Act
          3. Sync the results to the ComplianceLint dashboard
          4. Report the final compliance summary
          If any article has status NON_COMPLIANT, exit with code 1.
          If all articles are COMPLIANT or PARTIALLY_COMPLIANT, exit with code 0." \
            --output-format json > scan-results.json

          # Check for critical non-compliance
          if grep -q '"NON_COMPLIANT"' scan-results.json; then
            echo "::error::Critical non-compliance findings detected. Check the ComplianceLint dashboard for details."
            exit 1
          fi

      - name: Upload scan results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: compliancelint-results
          path: scan-results.json
          retention-days: 90
```

Go to your repository's Settings → Secrets and variables → Actions and add a new secret named `ANTHROPIC_API_KEY` (your AI driver's API key).

Get your ComplianceLint API key from the dashboard settings page, then add it as a repository secret named `COMPLIANCELINT_API_KEY`.
Commit the workflow file and push to your repository. The scan will run automatically on every push to main and on every pull request. Check the Actions tab to see results.
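The reference gate greps the raw driver output for a literal string, so whether it fires depends on exactly how the driver serialises its report. The script below is an added example (not ComplianceLint's own code) that a `run:` step could invoke instead; it assumes only that each finding carries a `status` field with one of the documented values, and fails closed when no verdicts can be parsed at all.

```python
"""Gate a CI build on ComplianceLint verdicts. Added example, not
ComplianceLint's own code: it assumes only that each finding carries a
"status" field with one of the documented values, and walks the JSON
around it generically (including a wrapper whose "result" is a JSON
string, as `claude -p --output-format json` produces)."""
import json
import sys
from collections import Counter

STATUSES = {"COMPLIANT", "PARTIALLY_COMPLIANT", "NON_COMPLIANT",
            "NEEDS_REVIEW", "NOT_APPLICABLE"}


def iter_statuses(node):
    """Yield each documented status found under a "status" key at any depth;
    JSON-encoded strings are descended into, prose mentions are never counted."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "status" and isinstance(value, str) and value in STATUSES:
                yield value
            else:
                yield from iter_statuses(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_statuses(item)
    elif isinstance(node, str):
        try:
            inner = json.loads(node)
        except ValueError:
            return
        if isinstance(inner, (dict, list)):
            yield from iter_statuses(inner)


def gate(results, fail_on=("NON_COMPLIANT",)):
    """Return (exit_code, counts): 0 pass, 1 fail_on verdict found, 2 nothing parsed."""
    counts = Counter(iter_statuses(results))
    if not counts:
        return 2, counts  # fail closed: a broken scan must not pass the gate
    if any(counts[status] for status in fail_on):
        return 1, counts
    return 0, counts


if __name__ == "__main__":  # usage: python gate.py scan-results.json
    with open(sys.argv[1] if len(sys.argv) > 1 else "scan-results.json") as fh:
        code, counts = gate(json.load(fh))
    print(dict(counts) if code != 1 else "::error::NON_COMPLIANT verdicts found")
    sys.exit(code)
```

Pass `fail_on=("NON_COMPLIANT", "NEEDS_REVIEW")` if reviewers should also block on unresolved findings.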
Add the sarif-export action after your scan to push EU AI Act findings to GitHub Code Scanning. PR reviewers see compliance issues inline (Files changed tab) and in the Security tab — no separate ComplianceLint dashboard login needed for read-only review.
```yaml
# Add these two steps after your compliancelint-action step.
# upload-sarif needs `security-events: write`; add it to the job's
# permissions block alongside `contents: read`.
      - id: sarif
        uses: ki-sum/compliancelint/.github/actions/sarif-export@master
        with:
          api-key: ${{ secrets.COMPLIANCELINT_API_KEY }}
          level: scan  # one alert per article (~30); use "full" for all 247
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.sarif.outputs.sarif-file }}
          category: compliancelint
```

Requires Pro plan or higher — the SARIF export endpoint is Pro-gated at the API-key level. (The composite action itself is public; the gate is server-side when the action fetches your scan result via your API key.)
Different CI vendor (GitLab / Bitbucket / CircleCI / Jenkins), different AI driver (Cursor / OpenAI / Gemini / local LLM), or non-Python runtime? Copy the prompt below into your own AI IDE (Cursor, Claude Code, ChatGPT, Copilot Chat, or your own). It contains everything ComplianceLint exposes — MCP tool surface, CI contract, optional SARIF — and asks your AI to generate a workflow that matches your environment.
Why this exists: hardcoding one YAML for one vendor + one AI driver locks out everyone else. Your own AI knows your runtime, secret manager, and CI vendor better than we ever could — let it do the adapting.
```markdown
# Generate a CI workflow for EU AI Act compliance scanning

I want to add ComplianceLint (https://compliancelint.dev) to my CI
pipeline. Generate a workflow file for my CI vendor and AI driver.

## What ComplianceLint is

ComplianceLint is an EU AI Act compliance scanner. It exposes an MCP
(Model Context Protocol) server with these tools that any LLM agent
can call:

  cl_analyze_project()      — survey codebase structure + framework
  cl_scan_all()             — run full scan against all 44 articles
                              / 247 obligations
  cl_sync()                 — upload findings to compliancelint.dev
                              dashboard
  cl_explain(article)       — fetch verbatim regulation text for one
                              article (no fabrication, sourced from
                              EUR-Lex)
  cl_action_plan(scan_id)   — generate per-finding remediation plan
  cl_action_guide(article)  — step-by-step compliance guide

Per-finding output statuses: COMPLIANT / PARTIALLY_COMPLIANT /
NON_COMPLIANT / NEEDS_REVIEW / NOT_APPLICABLE.

## CI contract — what the workflow must do

1. Trigger: on push to main + on every pull_request
2. Install: Python 3.11+ and `pip install compliancelint`. Then
   install your chosen AI driver (Claude Code CLI, Cursor CLI,
   openai-cli, your-own-LLM-runner, etc.) with the corresponding
   API key from secrets.
3. Configure MCP: register ComplianceLint MCP server with your AI
   driver. Pass COMPLIANCELINT_API_KEY (from compliancelint.dev
   dashboard settings) via env.
4. Run scan: invoke your AI driver with a prompt like:
   "Analyze this project, scan it for EU AI Act compliance, then
   sync the results to the ComplianceLint dashboard. Report the
   compliance summary. Exit non-zero if any article is
   NON_COMPLIANT."
5. Gate: fail the build if any NON_COMPLIANT verdict.
6. Artifact: upload `scan-results.json` (90-day retention).
7. Optional: SARIF export — call the public composite action
   `ki-sum/compliancelint/.github/actions/sarif-export@master`
   with COMPLIANCELINT_API_KEY, then upload the SARIF to GitHub
   Code Scanning via `github/codeql-action/upload-sarif@v3`.
   (GitHub Actions only; for GitLab/Bitbucket use the equivalent
   SARIF integration.)

## My environment (FILL IN)

CI vendor: [GitHub Actions / GitLab CI / Bitbucket / CircleCI / Jenkins / other]
Runtime: [Python / Node.js / Go / Rust / Java / mixed]
AI driver: [Anthropic Claude Code / Cursor / OpenAI / Gemini / local LLM]
Secrets manager: [GitHub secrets / GitLab CI variables / 1Password / Vault / other]

## What I want back

A complete, runnable workflow file (correct extension + path for my
CI vendor) plus a brief checklist of secrets I need to add and
post-merge sanity checks.

If anything in my environment is incompatible with ComplianceLint
(e.g. air-gapped runner with no internet, or an AI driver that
doesn't support MCP), say so explicitly and propose the closest
viable alternative.
```

Paste this into your AI IDE's context (or the system prompt) so it understands the ComplianceLint MCP surface. Already included verbatim inside the prompt above; isolated here for skim-able reference.
| Tool | Signature | Effect |
|---|---|---|
| cl_analyze_project | () → ProjectSummary | Scans the working dir; reports framework + language stack + AI-relevant file roster. No mutation, no upload. |
| cl_scan_all | (articles?: string[]) → ScanResult | Runs full scan against all 44 articles / 247 obligations (or a subset). Local computation. Writes to ~/.compliancelint/local/. |
| cl_scan | (article: string) → SingleArticleResult | Single-article scan. Same locality as cl_scan_all. |
| cl_sync | () → SyncReceipt | Uploads local scan findings + evidence pointers to the SaaS dashboard. Requires COMPLIANCELINT_API_KEY. |
| cl_explain | (article: string) → ExplanationBundle | Fetches verbatim EUR-Lex text + Three-Locks-verified obligation atoms + related Recitals. Read-only. Free tier. |
| cl_action_plan | (scan_id: string) → ActionPlan | Generates per-finding remediation steps from the latest scan. Read-only. |
| cl_action_guide | (article: string) → StepByStepGuide | Step-by-step compliance guide for one article. Read-only. |
| cl_check_updates | () → UpdateDigest | Lists EU AI Act regulatory updates since last scan (delegated acts, AI Office guidance). |
| cl_report_bug | (description: string, include_logs?: boolean) → TicketId | Privacy-scrubbed bug bundle for GitHub Issue paste. No source code uploaded. |
Append these two steps after your scan step to push EU AI Act findings into GitHub Code Scanning. For non-GitHub CI, ask your AI to swap the upload step for the equivalent SARIF integration in your vendor (GitLab Security Dashboard, Bitbucket SARIF, etc.).
```yaml
# SARIF export (optional). GitHub Actions composite action; works
# anywhere with GitHub Actions runners. For GitLab CI / other CI
# vendors, swap for the equivalent SARIF upload step.
      - id: sarif
        uses: ki-sum/compliancelint/.github/actions/sarif-export@master
        with:
          api-key: ${{ secrets.COMPLIANCELINT_API_KEY }}
          level: scan  # one alert per article (~30); use "full" for all 247
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.sarif.outputs.sarif-file }}
          category: compliancelint
```

Whether you copied the reference example or had your AI generate one, run these 5 sanity checks before letting the workflow gate real merges.

- … `scan-results.json` artifact.
- … `COMPLIANCELINT_API_KEY` is missing or wrong.
- `level: scan` vs `level: full` in the SARIF action will affect alert volume; start with `scan` (~30 alerts/run) before considering `full` (247).

Once all 5 pass on a test branch, enable required-status-check on your default branch via your CI vendor's branch protection settings.
All articles are COMPLIANT or PARTIALLY_COMPLIANT. Results are synced to your dashboard for tracking.
One or more articles are NON_COMPLIANT. Check the ComplianceLint dashboard for details and remediation steps.
No. ComplianceLint runs entirely inside your CI runner. Only compliance findings (verdicts and legal citations) are synced to the dashboard. Zero lines of source code leave your CI environment. This is independent of which AI driver you use — the MCP tools never serialise file bodies into the upload payload.
Yes. The reference example above is GitHub-Actions-specific because GitHub Actions is the most common entry point and we operate it ourselves. For any other CI vendor, use the AI-First prompt in the “Adapt to Your AI Platform” section — your AI IDE will generate the equivalent workflow for your vendor (correct file path, correct secret-injection syntax, correct artifact-upload step). The underlying ComplianceLint commands are platform-agnostic.
Anything that can call MCP tools and run a scripted prompt. We tested the reference example with Anthropic Claude Code CLI; the AI-First prompt explicitly invites you to swap in Cursor, OpenAI Assistants, Gemini, your own LLM runner, or an air-gapped local model. The MCP server itself doesn't care which LLM is on the other end of the protocol.
The /ci-cd page itself is public — these docs are not tier-gated. Actual CI gating happens at the API-key level: a Free-plan COMPLIANCELINT_API_KEY syncs scans but the optional SARIF export step requires a Pro plan (€99/month) key. You can run the basic scan-and-fail-the-build flow on Free — the gate kicks in only when you add the SARIF upload step.
Start scanning on every push. Catch compliance gaps before they reach production.