AI-Guided Setup (Recommended)

The fastest way to use Comply: add it as an MCP server to Claude Code, then scan, remediate, and export using natural language. The web dashboard automatically reflects everything the AI does.

1. Install Comply

pip install bespoketracker-comply

Or use Docker: docker pull ntsalzman/comply

2. Add the MCP server to Claude Code

{
  "mcpServers": {
    "comply": {
      "command": "comply",
      "args": ["mcp"]
    }
  }
}

Add this to your Claude Code MCP config (or ~/.claude/mcp_servers.json). Comply exposes 16 tools -- scan, remediate, compare, export, gate, and more.

3. Ask in natural language

Example prompts you can use:

  • Scan this repo against EU AI Act
  • Show me the remediation priorities
  • Compare my last two scans
  • Export the results as SARIF
  • Which frameworks overlap with SOC 2?

4. Dashboard auto-syncs

comply serve

The web dashboard at localhost:8001 automatically reflects everything the AI does -- scan results, remediation roadmaps, compliance history, and trends.

Requirements: Python 3.9+  |  Claude Code (or any MCP-compatible client)  |  No account needed

CLI Quickstart (Alternative)

Prefer the command line? Comply also works as a standalone CLI. Available on PyPI, Docker Hub, and GitHub.

1. Install

pip install bespoketracker-comply

Or use Docker: docker pull ntsalzman/comply

2. Configure

comply config set llm_api_key sk-...

Set your LLM provider API key. Supports Anthropic, OpenAI, Gemini, and Grok.

3. Scan

comply scan https://github.com/your-org/your-repo

Run a compliance gap analysis. Results include per-control evidence, a compliance score, and a remediation roadmap.

4. Dashboard

comply serve

Launch the web dashboard on localhost:8001 to browse scan results, track history, and explore controls visually.

Requirements: Python 3.9+  |  Your own LLM API key (Anthropic, OpenAI, Gemini, or Grok)  |  No account needed

Coverage

10 Frameworks, 117 Controls

Scan against regulatory, industry, and security frameworks. Run multiple frameworks simultaneously or filter by jurisdiction.

Type         Framework                   ID                      Controls
Regulation   EU AI Act                   eu-ai-act               8
Framework    NIST AI RMF 1.0             nist-ai-rmf             12
Standard     ISO/IEC 42001:2023          iso-42001               10
Standard     SOC 2 (AI)                  soc2-ai                 6
Security     OWASP LLM Top 10            owasp-llm-top10         34
Security     OWASP Agentic Top 10        owasp-agentic-top10     30
Industry     Insurance AI Attestation    insurance-attestation   5
Regulation   California AB 2013          california-ab-2013      3
Regulation   California SB 942           california-sb-942       4
Regulation   Colorado SB 24-205          colorado-sb-24-205      5

Use comply frameworks to see the full list with control details, or --jurisdiction eu to auto-select applicable frameworks.

Architecture

Three-Layer Evidence

Comply evaluates compliance across three independent evidence layers. Each layer contributes to a composite posture score per framework.

Layer 1

Code

Static analysis of your codebase — 30 evidence functions detect logging, access control, testing, governance, prompt protection, and more.

Layer 2

Process

Development maturity evidence — baselines, regression tracking, CI gates, and scan history demonstrate ongoing compliance practices.

Layer 3

Traffic

Runtime governance via audit log adapters — ingest records from API gateways (Kong, Gravitee), CI systems (GitHub Actions, GitLab CI), and compliance platforms (Vanta).

Reference

CLI Commands

All commands support --help for detailed usage and flags. The full CLI includes 37 commands — here are the ones you'll use most.

Scanning

comply scan <target> Run a compliance gap analysis on a repo, path, or URL
comply frameworks List all 10 supported frameworks and their control counts
comply gate <target> CI/CD compliance gate — pass/fail with configurable thresholds
comply watch <target> Watch a repo and automatically rescan on each commit

Results & Analysis

comply history Show past scans with scores, repos, and timestamps
comply diff <scan1> <scan2> Compare two scans — see which controls improved or regressed
comply remediate <scan-id> Generate a prioritized remediation roadmap with code suggestions
comply overlap Cross-framework control overlap matrix — find efficiency gains
comply forecast Project future compliance scores based on historical trends
comply baseline Set or show the baseline scan for regression tracking

Import & Export

comply export <scan-id> Export results as JSON, SARIF, JUnit, Markdown, or DOCX
comply import <file> Import SARIF, SBOM, or JUnit files for evidence enrichment
comply mapping show Show evidence function to control mapping

Monitoring

comply monitor create Create a continuous compliance monitor with webhook alerts
comply monitor list | start | stop Manage active monitors
comply adapters list List audit log adapters (Gateway, GitHub, GitLab, Kong, etc.)
comply adapters ingest <name> Pull records from an adapter for Layer 3 evidence

Server & Configuration

comply serve Launch the web dashboard on localhost:8001
comply config set <key> <value> Set configuration (llm_api_key, llm_provider, etc.)
comply config show Display current configuration

Configuration

Settings

Managed via comply config set. Configuration is stored at ~/.comply/config.yaml.

llm_api_key API key for semantic analysis (required)
llm_provider Provider selection: anthropic, openai, gemini, grok
llm_model Model identifier (e.g., claude-sonnet-4-20250514, gpt-4o)
default_framework Default framework for scans (e.g., eu-ai-act, soc2-ai)

Import & Export

Formats

Import existing security findings (SARIF, SBOM, JUnit) to enrich evidence. Export scan results in 6 formats, or use --export-formats sarif,junit to generate multiple in a single scan.

JSON Structured report with full evidence details
SARIF SARIF 2.1.0 — integrates with GitHub Code Scanning and VS Code
JUnit JUnit XML — compliance results in your existing CI test dashboard
Markdown Human-readable report for documentation and review
DOCX Word document for stakeholder distribution
ZIP Audit bundle — all formats in a single archive

AppSec Integration

Import findings from tools like Semgrep, Bandit, or Trivy via SARIF. Comply maps 74 CWE identifiers to compliance controls automatically — your existing security toolchain becomes compliance evidence.
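Because the CWE-to-control mapping can only use findings whose rule carries a CWE identifier, it is worth checking a SARIF file before importing it. The script below is an added example (not Comply's own code) that tallies results per CWE and counts results with no CWE tag; it assumes, as Semgrep and CodeQL do, that CWEs appear in each rule's properties.tags (e.g. "CWE-79: ..." or "external/cwe/cwe-079").

```python
# Added example, not Comply's code: a pre-import check that reports which CWE
# identifiers a SARIF 2.1.0 file carries. Assumes (as Semgrep and CodeQL do) that
# CWEs sit in the rule's properties.tags, e.g. "CWE-79: ..." or "external/cwe/cwe-079".
import json
import re
import sys
from collections import Counter

CWE_RE = re.compile(r"cwe-?0*(\d+)", re.IGNORECASE)


def cwe_ids_from_tags(tags):
    """Integer CWE numbers found in a rule's tag list (handles both tag styles above)."""
    return {int(m.group(1)) for tag in tags for m in CWE_RE.finditer(tag)}


def summarize_sarif(doc):
    """Count results per CWE; also count results whose rule has no CWE (they map to no control)."""
    counts, untagged = Counter(), 0
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        cwes_by_rule = {r.get("id"): cwe_ids_from_tags(r.get("properties", {}).get("tags", []))
                        for r in rules}
        for result in run.get("results", []):
            cwes = cwes_by_rule.get(result.get("ruleId"), set())
            if not cwes:
                untagged += 1
            for cwe in cwes:
                counts[cwe] += 1
    return counts, untagged


# Constructed sample: two Semgrep-style rules (one tagged with a CWE, one not) and three results.
SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "semgrep", "rules": [
        {"id": "python.flask.xss", "properties": {"tags": ["CWE-79: Improper Neutralization of Input"]}},
        {"id": "python.lang.style", "properties": {"tags": ["style"]}},
    ]}},
    "results": [
        {"ruleId": "python.flask.xss", "level": "error", "message": {"text": "reflected input"}},
        {"ruleId": "python.flask.xss", "level": "error", "message": {"text": "reflected input"}},
        {"ruleId": "python.lang.style", "level": "note", "message": {"text": "unused import"}},
    ]}]}

if __name__ == "__main__":
    # Pass a SARIF path (e.g. Semgrep's --sarif output) to check a real file; default to the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    counts, untagged = summarize_sarif(doc)
    print(f"results per CWE: {dict(counts)}; results with no CWE tag: {untagged}")
```

Results reported as untagged will be imported as findings but cannot contribute to any control via the CWE mapping, so a high untagged count is a sign to enable CWE metadata in the scanner's output.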

CI/CD

Pipeline Integration

Add compliance scanning to your pipeline with a single step. Fail builds on score thresholds or regressions.

GitHub Actions

- uses: bespokeagile/comply@v1
  with:
    framework: eu-ai-act
    fail-below: 70
    llm-key: ${{ secrets.LLM_KEY }}

SARIF upload to Code Scanning, PR comments, artifact upload. See the repository for full options.

GitLab CI

include:
  - remote: comply/ci/gitlab-ci-template.yml

JUnit integration, CI/CD variables for framework, depth, and thresholds.

Any CI System

pip install bespoketracker-comply
comply gate . --framework eu-ai-act \
  --min-score 70 --no-regression

Exit code 0 = pass, 1 = threshold/regression fail. Works with Jenkins, CircleCI, Azure DevOps, and any system that reads exit codes.

Pre-commit Hook

A pre-commit hook is included for local compliance checks before push. See comply/ci/pre-commit-hook.sh in the repository.

Self-Hosted

Docker Deployment

Run Comply as a persistent service with the web dashboard, scan history, and all features included. No account or license key required.

docker run -d \
  -p 8001:8001 \
  -v comply-data:/root/.comply \
  -e COMPLY_LLM_KEY=sk-... \
  ntsalzman/comply

Dashboard at localhost:8001. Scan history and configuration persist in the comply-data volume. Health check at /health.