Quick Start — your first scan in 5 minutes
For: all
Tier: free+
Time: ~5 min
Why you'd do this
ComplianceLint is MCP-only — there is no CLI. The first thing you do is pair your IDE with a SaaS account, scan a repo, and see what comes back on the dashboard.
Before you start
- An MCP-enabled IDE (VS Code with Claude Code extension, Cursor, or any MCP host)
- A GitHub account (for the SaaS sign-in)
- A target repo to scan — for this walkthrough we use the sample fixture at private/manual-fixture/, but any local AI/ML codebase works
Step 1
Open https://compliancelint.dev and click Sign in with GitHub. First-time sign-in creates a free account automatically. The dashboard opens to an empty state because no repo is connected yet.

What you'll see: Landing page with the four pricing tiers; the Sign in button in the top-right corner.
Step 2
In your MCP IDE, run cl_connect against your project. The MCP host opens your browser for sign-in (GitHub or Google), then writes a .compliancelintrc to your project root with the API key + dashboard URL.
If you've already paired this project, cl_connect returns already_connected and your config stays unchanged:
{
"status": "already_connected",
"email": "you@example.com",
"dashboard_url": "https://compliancelint.dev/dashboard",
"message": "Already connected. Run cl_sync() to upload scan results."
}
What you'll see: JSON response with status: connected (first time) or already_connected (re-runs). A new .compliancelintrc appears in the workspace root.
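Because .compliancelintrc carries the API key, it is worth confirming the file stays out of version control and is not readable by other local users. The check below is an added example, not ComplianceLint's own code; it assumes the project is a git work tree with git on PATH, and the function name rc_exposure is illustrative.

```python
import os
import stat
import subprocess
from pathlib import Path

RC_NAME = ".compliancelintrc"  # file name taken from the page


def _git(root, *args):
    """Run git inside root and return its exit code (output discarded)."""
    return subprocess.run(
        ["git", "-C", str(root), *args],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    ).returncode


def rc_exposure(root):
    """Return a list of problems with the key file under root (empty = OK)."""
    root = Path(root)
    rc = root / RC_NAME
    if not rc.is_file():
        return []  # project not paired yet, nothing to protect
    problems = []
    # Exit 0 from ls-files --error-unmatch means the path is in the index.
    if _git(root, "ls-files", "--error-unmatch", "--", RC_NAME) == 0:
        problems.append("tracked")
    # check-ignore exits 0 only when an ignore rule matches the path.
    elif _git(root, "check-ignore", "-q", "--", RC_NAME) != 0:
        problems.append("not_ignored")
    # On POSIX, any group/other permission bit exposes the key to other users.
    if os.name == "posix" and stat.S_IMODE(rc.stat().st_mode) & 0o077:
        problems.append("group_or_world_accessible")
    return problems


if __name__ == "__main__":
    found = rc_exposure(".")
    print("OK" if not found else "fix before committing: " + ", ".join(found))
```

If the result contains tracked, the key is already in the index; remove the file from the index and generate a fresh key under Settings → API Keys.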
Step 3
Run cl_scan_all — the AI in your IDE reads the project structure, fills compliance answers per article, and the scanner maps those answers to obligations. For the fixture project this produces 226 findings across 44 articles.
The MCP response includes a structured JSON report. The header carries metadata + per-article status; the body's results field has each article's finding_count + top_findings preview (up to 5 per article). Compact-but-real excerpt from an actual scan against the sample fixture:
{
"report_type": "compliance_scan_summary",
"project": "<your-project-path>",
"overall_compliance": "non_compliant",
"total_modules": 44,
"regulation": "EU AI Act (Regulation (EU) 2024/1689)",
"articles_scanned": [
"Art. 4 (AI Literacy): non_compliant",
"Art. 5 (Prohibited AI Practices): unable_to_determine",
"Art. 6 (Classification Rules for High-Risk AI Systems): non_compliant",
"Art. 9 (Risk Management): non_compliant",
"Art. 10 (Data Governance): non_compliant",
"Art. 12 (Record-keeping): non_compliant"
/* ... 38 more articles ... */
],
"results": {
"article_4": {
"overall": "non_compliant",
"finding_count": 1,
"top_findings": [
{
"obligation_id": "ART04-OBL-1",
"level": "non_compliant",
"description": "No AI literacy documentation detected. Art. 4 requires providers and deployers to take measures to ensure a sufficient level of AI literacy of their staff."
}
],
"note": "Use cl_scan(articles=\"4\") for full findings."
},
"article_9": {
"overall": "non_compliant",
"finding_count": 17,
"top_findings": [
{
"obligation_id": "ART09-OBL-6",
"level": "non_compliant",
"description": "No testing infrastructure detected. Art. 9(6) requires testing to identify appropriate risk management measures and ensure consistent performance."
},
{
"obligation_id": "ART09-OBL-1",
"level": "partial",
"description": "Risk management documentation found: docs/risk_assessment.md. Evidence: docs/risk_assessment.md"
},
/* ... 3 more top findings ... */
],
"note": "Use cl_scan(articles=\"9\") for full findings."
}
/* ... 42 more article result blocks ... */
},
"disclaimer": "AI-assisted compliance assessment, not a legal opinion. All findings require human review and legal counsel."
}
Three things to notice in the response:
- overall: non_compliant doesn't mean every finding is bad. Article 9 above shows 17 findings, but top_findings mixes non_compliant (real gaps) with partial (evidence found but incomplete). The partial entries cite the actual file the scanner relied on (e.g. docs/risk_assessment.md).
- top_findings is a preview, not the full list. Article 9 has 17 findings total but only the top 5 by severity appear here. Use cl_scan(articles="9") to see all 17 with full evidence context.
- Use cl_scan(articles="<N>") if cl_scan_all output is too large to read inline in your IDE. A single-article scan returns ~1-3 KB and renders cleanly; the full cl_scan_all report is ~50-60 KB and your IDE may save it to a file rather than displaying inline.
What you'll see: 226 findings: 1 COMPLIANT, 70 NON_COMPLIANT, 118 UNABLE_TO_DETERMINE, 37 NOT_APPLICABLE.
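The first two points in the list above can be checked mechanically once the report has been saved to a file. The triage below is an added example, not part of ComplianceLint; it uses only the field names shown in the excerpt, the function name preview_gaps is illustrative, and the sample is constructed from that excerpt with the elided entries dropped.

```python
import json


def preview_gaps(report):
    """Per article: how much of the finding list the summary actually shows.

    Returns {article_number: {"total", "shown", "levels", "follow_up"}} where
    follow_up is the single-article call the page recommends when
    top_findings is only a preview, else None.
    """
    out = {}
    for key, block in report.get("results", {}).items():
        number = key.split("_", 1)[-1]  # "article_9" -> "9"
        shown = block.get("top_findings", [])
        total = block.get("finding_count", len(shown))
        levels = {}
        for finding in shown:
            level = finding.get("level", "unknown")
            levels[level] = levels.get(level, 0) + 1
        truncated = total > len(shown)
        out[number] = {
            "total": total,
            "shown": len(shown),
            "levels": levels,  # mix of non_compliant / partial in the preview
            "follow_up": f'cl_scan(articles="{number}")' if truncated else None,
        }
    return out


# Constructed sample: the page's excerpt without the elided entries,
# so article_9 lists 2 of its 17 findings.
SAMPLE = json.loads("""
{"overall_compliance": "non_compliant",
 "results": {
  "article_4": {"overall": "non_compliant", "finding_count": 1,
    "top_findings": [{"obligation_id": "ART04-OBL-1", "level": "non_compliant"}]},
  "article_9": {"overall": "non_compliant", "finding_count": 17,
    "top_findings": [{"obligation_id": "ART09-OBL-6", "level": "non_compliant"},
                     {"obligation_id": "ART09-OBL-1", "level": "partial"}]}}}
""")

if __name__ == "__main__":
    for art, row in preview_gaps(SAMPLE).items():
        print(art, row)
```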
Step 4
Run cl_sync — the local scan results are pushed to your dashboard account. This is the only step that touches the network with your code metadata; bytes of evidence files are only relayed if you explicitly upload them through the dashboard later.
Successful response (the dashboard_url is the most useful part — open it to view the scan in the browser):
{
"status": "synced",
"scan_id": "fe06dcbb-5848-4280-99d2-24272a9a061c",
"repo_id": "1bf043c8-815a-456f-8fcb-12efc143e694",
"dashboard_url": "https://compliancelint.dev/dashboard/repos/<repo>/scans/<scan>",
"articles_synced": [/* 44 art ids */],
"message": "Scan results uploaded.",
"pending_evidence": { "pulled": 0, "confirmed": 0, "errors": 0 },
"broken_link_check": { "checked": 0, "broken": 0 }
}
What you'll see: JSON response with status: synced, a scan_id UUID, and a dashboard_url you can click to view the scan.
Step 5
Open the dashboard URL from the cl_sync response. You see the repo card with a compliance score ring, a KPI row showing 70 non-compliant findings, and the latest scan listed under the repo.

What you'll see: Score ring (top-left), four KPI cards (Non-Compliant / Compliant Repos / Total Scans / Compliance Score), and the repo's first scan row beneath.
What can go wrong
- cl_connect fails with unauthorized — The API key from the dashboard is single-use per pairing — if you ran cl_connect once already, generate a fresh key under Settings → API Keys and try again.
- cl_scan returns 0 findings on a project that obviously has AI code — Check that the repo has at least one Python/JS/TS file containing ML imports (torch / tensorflow / sklearn / langchain / etc.). ComplianceLint detects AI projects by import surface, not by filename.
- Dashboard URL from cl_sync shows 404 or empty — The first sync may take 5-10 seconds to populate. Refresh once. If still empty, run cl_sync again — the operation is idempotent.
Last updated: 2026-04-30