The AI Compliance Repository Scanner
Scan a registered GitHub repository for EU AI Act compliance risks, map each finding to the specific provision it implicates (Article 9, 10, or 15, or Annex IV), and emit a structured risk report with remediation actions, on infrastructure you control.
EU AI Act risk lives in the code — where compliance teams can’t see
Risk management, data governance, and robustness obligations ultimately depend on what the code actually does. But compliance teams can’t read repositories, and engineers don’t map their findings to the EU AI Act — so the regulation and the codebase live in separate worlds.
Two disconnected worlds
Compliance reasons in articles; engineering reasons in code. Nobody translates between them, so risk hides in the gap.
Manual review doesn’t scale
Reading a repository against the EU AI Act by hand is impractical for any real codebase, let alone many.
Findings without context
A raw security or quality finding doesn’t tell a compliance owner which obligation it threatens.
Almost nobody offers this
Repository-level EU AI Act analysis is rare — most tooling stops at generic code scanning.
Bridge the codebase and the regulation
Analyze
Composed Repository Analysis
Security, stack, dependencies, structure.
The scanner composes proven analyzers — security scanning, tech-stack detection, dependency analysis, code-smell detection, architecture inference, and repo mapping — to build a grounded picture of what a registered repository actually contains.
- Security and dependency analysis
- Tech-stack and architecture inference
- Code-smell and quality detection
- Whole-repo mapping
Multiple analyzers
Map
Findings → EU AI Act Articles
The bridge competitors don’t have.
It maps detected issues to specific EU AI Act provisions — Article 9 risk management, Article 10 data governance, Article 15 accuracy/robustness/cybersecurity, and Annex IV documentation — so a code finding becomes a compliance signal a governance owner can act on.
Code to articles
Report
Structured Report + Remediation
Risks and suggested actions, ready to persist.
The agent emits a strict JSON report of risks with suggested remediation actions, ready to persist into your compliance system. It runs on-premise, so your source code never leaves your perimeter to be analyzed.
Risks + remediation
Where the repository scanner pays back
EU AI Act Code Review
Scan a repository behind a high-risk AI system and surface where the code implicates EU AI Act obligations.
Pre-Assessment Triage
Find code-level compliance gaps before a conformity assessment, mapped to the relevant articles.
Risk Register Population
Emit structured risks with remediation actions ready to persist into your compliance risk register.
Dependency & Security Compliance
Connect security and dependency findings to Article 15 robustness and cybersecurity duties.
Data-Governance Checks
Surface code signals relevant to Article 10 data-governance obligations.
Continuous Compliance
Re-scan repositories over time so code-level EU AI Act risk stays visible as systems evolve.
Questions about the AI Compliance Repository Scanner
What is an AI compliance repository scanner?
It is an AI governance agent that scans a registered GitHub repository for EU AI Act compliance risks, maps each finding to the specific provision it implicates (Article 9, 10, or 15, or Annex IV), and emits a structured JSON risk report with suggested remediation. VDF’s scanner runs on your own infrastructure, so source code never leaves your perimeter.
Which EU AI Act provisions does it map to?
Article 9 (risk management), Article 10 (data governance), Article 15 (accuracy, robustness, and cybersecurity), and Annex IV (technical documentation) — turning code findings into specific compliance signals.
How does it analyze the code?
It composes proven analyzers — security scanning, tech-stack detection, dependency analysis, code-smell detection, architecture inference, and repo mapping — then maps the results to the regulation. The analysis is grounded in what the repository actually contains.
Why is this capability unusual?
Most tooling stops at generic code scanning and never connects findings to the EU AI Act. Repository-level analysis mapped directly to specific articles is rare — it’s one of the most distinctive agents in VDF’s governance toolkit.
Does my source code leave my environment?
No. Deployed on-premise or in your sovereign cloud, the scan runs inside your perimeter and your code is never sent to a third party. The output is a structured report you can persist into your compliance system.
Bridge your codebase and the EU AI Act
See the AI Compliance Repository Scanner map repo findings to specific articles with remediation.