GitHub Integration

EU AI Act compliance
in your CI/CD pipeline

One GitHub Action. Every push scanned. Every high-risk AI system flagged before it reaches production. Gatekeeper mode blocks non-compliant code from merging. Setup takes under 5 minutes.

<5 min
Setup time
23+
AI signatures
100%
Push coverage
v3
Current version
Quick Start

Up and running in 5 minutes

Three steps to add EU AI Act compliance scanning to any GitHub repository.

01

Add Secret

Add your SOVEREIGN_API_KEY to GitHub repository Secrets under Settings → Secrets → Actions.

02

Create Workflow

Copy the workflow YAML below into .github/workflows/ai-compliance.yml in your repository.

03

Push & Scan

Push any commit. The action runs automatically and posts a compliance summary to the PR.

.github/workflows/ai-compliance.ymlyaml
1# .github/workflows/ai-compliance.yml
2name: AI Compliance Scan
3
4on:
5 push:
6 branches: [ main, develop ]
7 pull_request:
8 branches: [ main ]
9
10jobs:
11 compliance-scan:
12 runs-on: ubuntu-latest
13 name: EU AI Act Compliance Check
14
15 steps:
16 - name: Checkout repository
17 uses: actions/checkout@v4
18
19 - name: Run SovereignAudit Compliance Scan
20 uses: sovereign-audit/ai-compliance-action@v3
21 with:
22 path: ./
23 fail-on-high-risk: true
24 api-key: ${{ secrets.SOVEREIGN_API_KEY }}
25
26 - name: Upload compliance report
27 uses: actions/upload-artifact@v4
28 with:
29 name: compliance-report
30 path: |
31 compliance_report.pdf
32 compliance_report.json
33 retention-days: 90
Gatekeeper Mode

Block non-compliant code from merging

Enable gatekeeper mode to automatically block pull requests when HIGH-RISK or PROHIBITED AI systems are detected without corresponding compliance documentation.

Blocks merge on HIGH-RISK findings without Annex IV docs
Always blocks PROHIBITED AI — no override possible
Requires signed .ai-act-exempt file for exceptions
Posts compliance summary as PR check with line-level findings
Tracks compliance score over commit history
gatekeeper-mode.ymlyaml
# Gatekeeper mode — blocks merges on HIGH-RISK findings
- name: Run SovereignAudit Gatekeeper
uses: sovereign-audit/ai-compliance-action@v3
with:
path: ./
fail-on-high-risk: true # Block merge if HIGH-RISK found
fail-on-prohibited: true # Always block PROHIBITED AI
exemption-file: .ai-act-exempt # Allow override with signed exemption
annex-iv-required: true # Require Annex IV before merge
api-key: ${{ secrets.SOVEREIGN_API_KEY }}
output-dir: ./compliance-reports
# Result: PR blocked until compliance documentation exists
deep-scan.ymlyaml
# Deep Scan — full legal analysis + Annex IV generation
- name: SovereignAudit Deep Compliance Scan
uses: sovereign-audit/ai-compliance-action@v3
with:
path: ./
deep-scan: true # Enable Phase 2: Legal RAG + Annex IV
no-rag: false # Include legal justifications
no-annex-iv: false # Generate full Annex IV dossier
fail-on-high-risk: true
api-key: ${{ secrets.SOVEREIGN_API_KEY }}
anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
# Outputs:
# - compliance_report.pdf (board-ready PDF)
# - deep_compliance_report.json (full DeepScanResult)
# - compliance_report.md (GitHub-readable)
Deep Scan Mode

Full legal analysis and Annex IV generation

Deep scan mode runs Phase 2 of the compliance engine: Legal RAG analysis + complete Annex IV documentation + board-ready PDF report — all from your CI pipeline.

EU AI Act Legal RAG corpus analysis (30+ annotated sections)
Legal justifications per finding with article references
Automatic Annex IV technical documentation (all 7 sections)
Board-ready PDF compliance report with compliance score gauge
DeepScanResult JSON for programmatic processing
CLI Usage

Direct command-line scanning

Use the SovereignAudit CLI directly in terminal, CI scripts, or pre-commit hooks.

terminal
$sovereignaudit scan --path ./
→ Scanning 47 files...
→ Detecting AI libraries: 23 signatures checked
→ Analysing Annex III intent patterns...
⚠ HIGH-RISK src/hr/screening.py:42
CV scoring model → Annex III §4(a)
⚠ HIGH-RISK src/finance/credit.py:18
Credit assessment AI → Annex III §5(b)
✓ MINIMAL src/utils/spam_filter.py:3
Spam classification → Recital 43
Compliance Score: 72/100 Grade: C
Files: 47 · Findings: 2 · Report: ./compliance_report.pdf
$sovereignaudit scan --path ./ --deep-scan --api-key $KEY
→ Running Phase 2 deep audit...
→ Querying EU AI Act Legal RAG corpus...
→ Generating Annex IV documentation...
→ Generating PDF report...
✅ Deep compliance report: ./deep_compliance_report.json
✅ PDF report: ./compliance_report.pdf
Compliance Exemptions

Declare reviewed and accepted systems

The .ai-act-exempt file allows your compliance team to formally accept risk after review — with a full audit trail of who approved what and when.

.ai-act-exemptyaml
# .ai-act-exempt — compliance exemption declaration
# ================================================
# This file declares systems reviewed and accepted
# by the compliance team. Required for gatekeeper bypass.
[exemption]
reviewed_by = "Jane Smith, Head of AI Compliance"
reviewed_date = "2026-01-15"
review_expires = "2026-07-15"
ticket = "COMPLIANCE-1234"
[system.hr_screening]
rule_id = "EMP-001"
risk_tier = "HIGH-RISK"
justification = "Annex IV documentation complete. Human oversight implemented per Art. 14. EU DB registration: AI-2026-1234."
annex_iv_ref = "./docs/annex_iv_hr_screening.pdf"
Best Practices

Enterprise deployment patterns

Protect main branch

Require the compliance check to pass before merging to main. Enable gatekeeper mode for production deployments.

Schedule deep scans

Run deep scan mode weekly on schedule triggers to keep Annex IV documentation current as your codebase evolves.

Artifact retention

Upload compliance reports as workflow artifacts with 90-day retention. Store long-term in S3/GCS for audit trail.

Pre-commit hooks

Add the CLI as a pre-commit hook to catch violations before they reach the remote. Fast standard scan, no API key needed.

Branch strategies

Run standard scan on feature branches, deep scan on release branches. Fail-on-high-risk only on main protection.

Exemption workflow

Create a COMPLIANCE ticket for each exemption. Link the ticket in .ai-act-exempt. Auto-expire after 6 months.

EU AI Act Enforcement: 2 August 2026

Know your AI systems.
Govern your risk.

Join the enterprises building defensible, auditable AI compliance infrastructure. Full visibility into every AI system — from first commit to live inference.

No source code retention SOC2 architecture ISO 42001 aligned Dedicated enterprise support