Some context on why I built this:
I kept seeing the same pattern — teams shipping AI agents into production with zero compliance infrastructure. Not because they don't care, but because there's no tooling that makes it easy.
The EU AI Act's requirements map to six specific technical areas. Most of them come down to things developers already know how to do — structured logging, input validation, error handling, access control. The problem is nobody's connecting those practices to the regulatory requirements.
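To make that concrete, here's the kind of "thing developers already know how to do" I mean — a minimal structured-logging setup that emits one JSON line per event with a UTC timestamp. The field names are illustrative, not taken from the Act or from any compliance spec:

```python
import json
import logging
import sys
from datetime import datetime, timezone

class JsonFormatter(logging.Formatter):
    """Render each log record as a single JSON line with a UTC timestamp."""

    def format(self, record: logging.LogRecord) -> str:
        return json.dumps({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "level": record.levelname,
            "event": record.getMessage(),
            "logger": record.name,
        })

logger = logging.getLogger("agent")
handler = logging.StreamHandler(sys.stdout)
handler.setFormatter(JsonFormatter())
logger.addHandler(handler)
logger.setLevel(logging.INFO)

logger.info("model_inference_started")
```

Nothing exotic: it's the stdlib `logging` module with a custom formatter. The point is that this ordinary practice doubles as an audit trail — which is exactly the connection nobody's making.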
A few things I learned from this scan:
Article 11 (Technical Documentation) is the easy win. 98% of files pass because Python developers already write docstrings and type hints. The rest of the articles require intentional infrastructure that almost nobody adds.
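A documentation check in this spirit is easy to sketch with the stdlib `ast` module — this is my illustration of what "docstrings and type hints" means as a pass condition, not the scanner's actual rule set:

```python
import ast

# A sample file that would pass: docstring present, all parameters
# and the return type annotated.
SAMPLE = '''
def classify_risk(score: float, threshold: float = 0.5) -> str:
    """Map a model confidence score to a coarse risk label."""
    return "high" if score >= threshold else "low"
'''

def is_documented(source: str) -> bool:
    """Check that every function has a docstring and a fully annotated signature."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            has_doc = ast.get_docstring(node) is not None
            args_ok = all(a.annotation is not None for a in node.args.args)
            if not (has_doc and args_ok and node.returns is not None):
                return False
    return True

print(is_documented(SAMPLE))                      # → True
print(is_documented("def f(x):\n    return x\n")) # → False
```

That second call is the other 2% of files: no docstring, no annotations, fail.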
The gap isn't capability, it's awareness. LiteLLM's auth module scored 6/6 — it already has access control, structured logging, timestamps, error handling. It wasn't built for EU AI Act compliance. It just happens to have good engineering practices. Most agent code doesn't.
"Example" and "quickstart" code sets the pattern. When OpenAI and CrewAI ship examples with zero compliance patterns, every project built from those examples inherits the gap. The ecosystem needs compliance baked into the templates, not bolted on after.
What I'm working on next: a fine-tuned Llama 3.2 1B model that runs locally and does deeper semantic analysis beyond regex pattern matching. The goal is "your code never leaves your machine" — because if you're worried about compliance, shipping your source code to a cloud API defeats the purpose.
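To show why regex matching hits a ceiling, here's a toy version of pattern-based scanning. The check names and patterns are my own stand-ins, not the scanner's real rules:

```python
import re

# Each check is a regex whose presence in a file counts as evidence
# of an engineering practice. These patterns are illustrative.
CHECKS = {
    "structured_logging": re.compile(r"\blogging\.getLogger\b"),
    "error_handling": re.compile(r"\btry\s*:"),
    "input_validation": re.compile(r"\bisinstance\s*\("),
}

def scan(source: str) -> dict[str, bool]:
    """Report which practice patterns appear in the source text."""
    return {name: bool(p.search(source)) for name, p in CHECKS.items()}

code = """
import logging
log = logging.getLogger(__name__)
try:
    run()
except ValueError:
    log.error("bad input")
"""
print(scan(code))
# → {'structured_logging': True, 'error_handling': True, 'input_validation': False}
```

The limitation is obvious from the sketch: a regex can tell you a `try:` exists, but not whether the `except` block actually handles anything or just swallows errors. That's the gap a local semantic model is meant to close.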
The scanner, the benchmark data, and the full 5,754-file report are all Apache 2.0. Rip it apart, tell me what's wrong, submit PRs.