Connect GitHub and instantly see which repositories make you a provider under the EU AI Act, and the exact documents each one triggers.
A read-only GitHub App reads dependency manifests to identify AI SDKs. Your source code is never read, and no long-lived token is stored.
Each finding becomes an AI system in your inventory, classified with a risk tier — with its required compliance documents generated in one click.
Calling the OpenAI or Anthropic API from your product makes you the provider of the AI system you built — the role with the heaviest EU AI Act duties (technical documentation, risk management, conformity). Usage monitoring and security scanners can't see this. Code Scan is the only way to know, and to know exactly what it obligates.
It reads your repositories' dependency manifests — package.json, requirements.txt, pyproject.toml, go.mod — via a read-only GitHub App. It never reads your source code. From the dependencies (OpenAI, Anthropic, LangChain, transformers, vector stores, and more) it identifies which AI systems you are building.
Under the EU AI Act there are two layers: the model vendor (e.g. OpenAI) is the provider of the model, but when you embed that model into your own product you become the provider of the AI system you built — which carries the heaviest obligations (technical documentation, risk management, conformity). Usage monitoring can't see this; code scanning is the only reliable way to catch it.
Yes. Code Scan connects via a read-only GitHub App and reads only dependency data — never the content of your source files. No long-lived token is stored; access uses short-lived installation tokens minted on demand.
Each finding becomes an AI system in your inventory, classified as provider with a risk tier — and ComplyLayer generates the compliance documents that system requires in one click, using the same engine as the rest of the platform.
Start your 14-day Pro trial today. No credit card required. Setup takes under an hour.