Code Scan (Pro feature)

Find the AI you're building — not just the AI you use

Usage monitoring shows what your team uses. Code Scan connects to GitHub and reveals what you build into the product — the provider-side AI systems that carry the heaviest EU AI Act obligations, and that nothing else can see.

Highlights

Built for the work that actually matters

Provider reveal

Connect GitHub and instantly see which repositories make you a Provider under the EU AI Act — and the exact documents each one triggers.

Dependencies only — never your source

A read-only GitHub App reads dependency manifests to identify AI SDKs. Your source code is never read, and no long-lived token is stored.

Straight to documents

Each finding becomes an AI system in your inventory, classified with a risk tier — with its required compliance documents generated in one click.

What's included

Everything in the box

  • One-click GitHub App connect (read-only)
  • Scans package.json, requirements.txt, pyproject.toml, go.mod
  • Detects 30+ AI SDKs, agent frameworks & vector stores
  • Deployer vs provider classification per repo
  • Reads dependencies only — never source code
  • Findings become inventory systems with docs

Why it matters

You became an AI Provider the day you shipped an LLM feature

Calling the OpenAI or Anthropic API from your product makes you the provider of the AI system you built — the role with the heaviest EU AI Act duties (technical documentation, risk management, conformity). Usage monitoring and security scanners can't see this. Code Scan is the only way to know, and to know exactly what it obligates.

Without it
  • Engineers ship AI features nobody in governance reviewed
  • You assume you're "just a deployer" while quietly carrying provider obligations
  • No idea which repos send customer data to a third-party model
  • A regulator or enterprise buyer asks for provider documentation you don't have

With ComplyLayer
  • Every AI integration in your code surfaced, per repository
  • Automatic deployer-vs-provider classification with EU AI Act risk tier
  • The exact document set each provider system requires — generated in one click
  • A defensible, source-linked record of the AI you build

Frequently asked questions

What does Code Scan actually look at?

It reads your repositories' dependency manifests — package.json, requirements.txt, pyproject.toml, go.mod — via a read-only GitHub App. It never reads your source code. From the dependencies (OpenAI, Anthropic, LangChain, transformers, vector stores, and more) it identifies which AI systems you are building.
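As an added illustration of the manifest-only approach described above (this is example code written for this page, not ComplyLayer's scanner), the script below parses the four manifest types named here, matches dependency names against a small constructed table of AI SDKs, and labels the repository. The SDK table is a hand-picked subset for demonstration, not the product's 30+ entry list, and the classification rule (any AI SDK dependency marks the repo as a provider candidate) is an assumption, since the page does not state how ComplyLayer decides deployer versus provider. The sample repository is constructed inline so the script runs offline.

```python
import json
import re
try:
    import tomllib  # Python 3.11+; a regex fallback is used on older interpreters
except ModuleNotFoundError:
    tomllib = None

# Illustrative lookup table (constructed for this example, not the product's list):
# ecosystem -> package name -> category.
AI_SDKS = {
    "pypi": {"openai": "LLM SDK", "anthropic": "LLM SDK", "langchain": "agent framework",
             "transformers": "model library", "chromadb": "vector store",
             "pinecone-client": "vector store"},
    "npm": {"openai": "LLM SDK", "@anthropic-ai/sdk": "LLM SDK", "langchain": "agent framework",
            "@pinecone-database/pinecone": "vector store"},
    "go": {"github.com/sashabaranov/go-openai": "LLM SDK",
           "github.com/anthropics/anthropic-sdk-go": "LLM SDK"},
}

def _pip_name(spec):
    """Project name from a requirement specifier, normalised per PEP 503 (lowercase, '-' separators)."""
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", spec.strip())
    return re.sub(r"[-_.]+", "-", m.group(0)).lower() if m else None

def parse_package_json(text):
    """Package names from every dependency section of package.json; empty set on malformed JSON."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return set()
    sections = ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies")
    return {name for s in sections for name in (data.get(s) or {})}

def parse_requirements(text):
    """Names from requirements.txt; comments, blank lines and option lines (-r, -e, ...) yield no name."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return {n for n in map(_pip_name, lines) if n}

def parse_pyproject(text):
    """Names from [project] dependencies (plus optional-dependencies when tomllib is available)."""
    if tomllib is None:  # fallback: quoted specifiers inside any `dependencies = [...]` array
        specs = re.findall(r'"([^"]+)"', " ".join(re.findall(r"dependencies\s*=\s*\[(.*?)\]", text, re.S)))
    else:
        try:
            project = tomllib.loads(text).get("project", {})
        except tomllib.TOMLDecodeError:
            return set()
        specs = list(project.get("dependencies", []))
        for extra in project.get("optional-dependencies", {}).values():
            specs.extend(extra)
    return {n for n in map(_pip_name, specs) if n}

def parse_go_mod(text):
    """Module paths from single-line and block `require` directives in go.mod."""
    names, in_block = set(), False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop '// indirect' style comments
        if line.startswith("require ("):
            in_block = True
        elif line == ")":
            in_block = False
        elif line.startswith("require "):
            names.add(line.split()[1])
        elif in_block and line:
            names.add(line.split()[0])
    return names

MANIFEST_PARSERS = {
    "package.json": ("npm", parse_package_json),
    "requirements.txt": ("pypi", parse_requirements),
    "pyproject.toml": ("pypi", parse_pyproject),
    "go.mod": ("go", parse_go_mod),
}

def scan_repo(files):
    """files: {path: manifest text}. Returns one finding per AI SDK matched in a recognised manifest."""
    findings = []
    for path, text in sorted(files.items()):
        ecosystem, parse = MANIFEST_PARSERS.get(path.rsplit("/", 1)[-1], (None, None))
        for name in (sorted(parse(text)) if parse else ()):
            if name in AI_SDKS[ecosystem]:
                findings.append({"manifest": path, "ecosystem": ecosystem, "package": name,
                                 "category": AI_SDKS[ecosystem][name]})
    return findings

def classify_repo(findings):
    """Assumed heuristic for this example: any AI SDK dependency marks the repo as a provider candidate."""
    return "provider-candidate" if findings else "no-ai-dependency"

# Constructed sample repository: manifest text only, no application source.
SAMPLE_REPO = {
    "package.json": '{"dependencies": {"express": "^4.19.0", "openai": "^4.50.0"}}',
    "requirements.txt": "anthropic>=0.30\nlangchain==0.2.1\nrequests\n-r base.txt\n# pinned separately\n",
    "services/ml/pyproject.toml": '[project]\nname = "demo"\ndependencies = ["transformers>=4.40", "numpy"]\n',
    "go.mod": "module example.com/app\n\nrequire (\n\tgithub.com/sashabaranov/go-openai v1.24.0\n"
              "\tgithub.com/spf13/cobra v1.8.0 // indirect\n)\n",
}

if __name__ == "__main__":
    found = scan_repo(SAMPLE_REPO)
    for f in found:
        print(f"{f['manifest']}: {f['package']} ({f['ecosystem']}, {f['category']})")
    print("classification:", classify_repo(found))
```

The scanner only ever consumes manifest text, which is the property the FAQ answer relies on: whatever read-only integration fetches the files, nothing here opens or interprets application source. Matching on normalised names rather than raw specifier strings is what makes `Anthropic>=0.30`, `anthropic==0.30` and `anthropic[extras]` resolve to the same finding, and a finding that carries the manifest path gives the source-linked record that an inventory entry needs.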

Why does embedding an LLM make me a "provider"?

Under the EU AI Act there are two layers: the model vendor (e.g. OpenAI) is the provider of the model, but when you embed that model into your own product you become the provider of the AI system you built — which carries the heaviest obligations (technical documentation, risk management, conformity). Usage monitoring can't see this; code scanning is the only reliable way to catch it.

Is my source code safe?

Yes. Code Scan connects via a read-only GitHub App and reads only dependency data — never the content of your source files. No long-lived token is stored; access uses short-lived installation tokens minted on demand.

What happens after it finds an AI integration?

Each finding becomes an AI system in your inventory, classified as provider with a risk tier — and ComplyLayer generates the compliance documents that system requires in one click, using the same engine as the rest of the platform.

Ready to take control of AI compliance?

Start your 14-day Pro trial today. No credit card required. Setup takes under an hour.