EU AI Act compliance
in your CI/CD pipeline
One GitHub Action. Every push scanned. Every high-risk AI system flagged before it reaches production. Gatekeeper mode blocks non-compliant code from merging. Setup takes under 5 minutes.
Up and running in 5 minutes
Three steps to add EU AI Act compliance scanning to any GitHub repository.
Add Secret
Add your SOVEREIGN_API_KEY to GitHub repository Secrets under Settings → Secrets → Actions.
Create Workflow
Copy the workflow YAML below into .github/workflows/ai-compliance.yml in your repository.
Push & Scan
Push any commit. The action runs automatically and posts a compliance summary to the PR.
| 1 | # .github/workflows/ai-compliance.yml |
| 2 | name: AI Compliance Scan |
| 3 | |
| 4 | on: |
| 5 | push: |
| 6 | branches: [ main, develop ] |
| 7 | pull_request: |
| 8 | branches: [ main ] |
| 9 | |
| 10 | jobs: |
| 11 | compliance-scan: |
| 12 | runs-on: ubuntu-latest |
| 13 | name: EU AI Act Compliance Check |
| 14 | |
| 15 | steps: |
| 16 | - name: Checkout repository |
| 17 | uses: actions/checkout@v4 |
| 18 | |
| 19 | - name: Run SovereignAudit Compliance Scan |
| 20 | uses: sovereign-audit/ai-compliance-action@v3 |
| 21 | with: |
| 22 | path: ./ |
| 23 | fail-on-high-risk: true |
| 24 | api-key: ${{ secrets.SOVEREIGN_API_KEY }} |
| 25 | |
| 26 | - name: Upload compliance report |
| 27 | uses: actions/upload-artifact@v4 |
| 28 | with: |
| 29 | name: compliance-report |
| 30 | path: | |
| 31 | compliance_report.pdf |
| 32 | compliance_report.json |
| 33 | retention-days: 90 |
Block non-compliant code from merging
Enable gatekeeper mode to automatically block pull requests when HIGH-RISK or PROHIBITED AI systems are detected without corresponding compliance documentation.
# Gatekeeper mode — blocks merges on HIGH-RISK findings- name: Run SovereignAudit Gatekeeperuses: sovereign-audit/ai-compliance-action@v3with:path: ./fail-on-high-risk: true # Block merge if HIGH-RISK foundfail-on-prohibited: true # Always block PROHIBITED AIexemption-file: .ai-act-exempt # Allow override with signed exemptionannex-iv-required: true # Require Annex IV before mergeapi-key: ${{ secrets.SOVEREIGN_API_KEY }}output-dir: ./compliance-reports# Result: PR blocked until compliance documentation exists
# Deep Scan — full legal analysis + Annex IV generation- name: SovereignAudit Deep Compliance Scanuses: sovereign-audit/ai-compliance-action@v3with:path: ./deep-scan: true # Enable Phase 2: Legal RAG + Annex IVno-rag: false # Include legal justificationsno-annex-iv: false # Generate full Annex IV dossierfail-on-high-risk: trueapi-key: ${{ secrets.SOVEREIGN_API_KEY }}anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}# Outputs:# - compliance_report.pdf (board-ready PDF)# - deep_compliance_report.json (full DeepScanResult)# - compliance_report.md (GitHub-readable)
Full legal analysis and Annex IV generation
Deep scan mode runs Phase 2 of the compliance engine: Legal RAG analysis + complete Annex IV documentation + board-ready PDF report — all from your CI pipeline.
Direct command-line scanning
Use the SovereignAudit CLI directly in terminal, CI scripts, or pre-commit hooks.
$sovereignaudit scan --path ./→ Scanning 47 files...→ Detecting AI libraries: 23 signatures checked→ Analysing Annex III intent patterns...⚠ HIGH-RISK src/hr/screening.py:42CV scoring model → Annex III §4(a)⚠ HIGH-RISK src/finance/credit.py:18Credit assessment AI → Annex III §5(b)✓ MINIMAL src/utils/spam_filter.py:3Spam classification → Recital 43Compliance Score: 72/100 Grade: CFiles: 47 · Findings: 2 · Report: ./compliance_report.pdf$sovereignaudit scan --path ./ --deep-scan --api-key $KEY→ Running Phase 2 deep audit...→ Querying EU AI Act Legal RAG corpus...→ Generating Annex IV documentation...→ Generating PDF report...✅ Deep compliance report: ./deep_compliance_report.json✅ PDF report: ./compliance_report.pdf
Declare reviewed and accepted systems
The .ai-act-exempt file allows your compliance team to formally accept risk after review — with a full audit trail of who approved what and when.
# .ai-act-exempt — compliance exemption declaration# ================================================# This file declares systems reviewed and accepted# by the compliance team. Required for gatekeeper bypass.[exemption]reviewed_by = "Jane Smith, Head of AI Compliance"reviewed_date = "2026-01-15"review_expires = "2026-07-15"ticket = "COMPLIANCE-1234"[system.hr_screening]rule_id = "EMP-001"risk_tier = "HIGH-RISK"justification = "Annex IV documentation complete. Human oversight implemented per Art. 14. EU DB registration: AI-2026-1234."annex_iv_ref = "./docs/annex_iv_hr_screening.pdf"
Enterprise deployment patterns
Protect main branch
Require the compliance check to pass before merging to main. Enable gatekeeper mode for production deployments.
Schedule deep scans
Run deep scan mode weekly on schedule triggers to keep Annex IV documentation current as your codebase evolves.
Artifact retention
Upload compliance reports as workflow artifacts with 90-day retention. Store long-term in S3/GCS for audit trail.
Pre-commit hooks
Add the CLI as a pre-commit hook to catch violations before they reach the remote. Fast standard scan, no API key needed.
Branch strategies
Run standard scan on feature branches, deep scan on release branches. Fail-on-high-risk only on main protection.
Exemption workflow
Create a COMPLIANCE ticket for each exemption. Link the ticket in .ai-act-exempt. Auto-expire after 6 months.
Know your AI systems.
Govern your risk.
Join the enterprises building defensible, auditable AI compliance infrastructure. Full visibility into every AI system — from first commit to live inference.