On This Page
1. GitHub Actions 2. Pre-Commit Hook 3. GitLab CI 4. Configuration Options 5. What Gets CheckedEvery Push
Compliance scans run automatically on every push and PR - no manual steps.
Block Violations
Fail the build when HIGH-severity gaps are detected. Catch issues before merge.
Audit Trail
Every scan generates .air.json records with HMAC-SHA256 chain hashes.
Fast
Scans complete in under 30 seconds. Runs locally - no code leaves your environment.
GitHub Actions Recommended
Drop this file into your repo and every push + PR gets a compliance scan automatically.
name: EU AI Act Compliance
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
compliance-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install AIR Compliance Scanner
run: pip install air-blackbox
- name: Run compliance scan
run: air-blackbox comply --scan . --format json --output compliance-report.json
- name: Check for HIGH severity gaps
run: |
HIGH_COUNT=$(python3 -c "
import json
with open('compliance-report.json') as f:
report = json.load(f)
highs = [g for g in report.get('gaps', []) if g.get('severity') == 'HIGH']
print(len(highs))
")
echo "HIGH severity gaps found: $HIGH_COUNT"
if [ "$HIGH_COUNT" -gt 0 ]; then
echo "::error::Found $HIGH_COUNT HIGH severity compliance gaps"
exit 1
fi
- name: Upload compliance report
if: always()
uses: actions/upload-artifact@v4
with:
name: compliance-report
path: compliance-report.json
What This Does
On every push to main or develop (and every PR into main), this workflow installs the scanner, runs 51 gap analysis checks against your Python AI code, and fails the build if any HIGH-severity issues are found. The full report is uploaded as a build artifact you can download anytime.
PR Status Check (Optional)
To require compliance scans to pass before merging, go to your repo's Settings โ Branches โ Branch protection rules โ Require status checks, and add "EU AI Act Compliance" as a required check.
Pre-Commit Hook
Scan before the code even leaves your machine. Uses the pre-commit framework.
repos:
- repo: local
hooks:
- id: air-blackbox
name: EU AI Act Compliance Scan
entry: air-blackbox comply --scan
language: system
types: [python]
pass_filenames: true
always_run: false
Setup
# Install pre-commit and the scanner
pip install pre-commit air-blackbox
# Install the hooks into your repo
pre-commit install
# Test it manually
pre-commit run air-blackbox --all-files
Now every git commit that touches Python files will run the compliance scan first. If HIGH-severity gaps are found, the commit is blocked until you fix them.
GitLab CI
compliance-scan:
stage: test
image: python:3.11-slim
script:
- pip install air-blackbox
- air-blackbox comply --scan . --format json --output compliance-report.json
- |
HIGH_COUNT=$(python3 -c "
import json
with open('compliance-report.json') as f:
report = json.load(f)
highs = [g for g in report.get('gaps', []) if g.get('severity') == 'HIGH']
print(len(highs))
")
echo "HIGH severity gaps: $HIGH_COUNT"
if [ "$HIGH_COUNT" -gt 0 ]; then
echo "FAILED: $HIGH_COUNT HIGH severity compliance gaps"
exit 1
fi
artifacts:
paths:
- compliance-report.json
when: always
only:
- main
- merge_requests
Configuration Options
# Scan entire project
air-blackbox comply --scan .
# Scan specific files
air-blackbox comply --scan agent.py pipeline.py
# JSON output for CI parsing
air-blackbox comply --scan . --format json --output report.json
# Only fail on HIGH severity (skip MEDIUM/LOW)
air-blackbox comply --scan . --min-severity HIGH
# Include GDPR and bias checks
air-blackbox comply --scan . --gdpr --bias
# Scan with trust layer verification
air-blackbox comply --scan . --verify-trust-layers
Environment Variables
# Custom audit chain signing key (for tamper-evident logs)
TRUST_SIGNING_KEY=your-secret-key
# Custom output directory for .air.json audit records
AIR_RUNS_DIR=./audit-logs
# Skip specific checks
AIR_SKIP_CHECKS=art9_risk_categorization,art15_prompt_injection
What Gets Checked
Every scan runs 51 automated gap analysis checks across 6 EU AI Act articles + GDPR:
Article 9 - Risk Management
Risk categorization, mitigation measures, residual risk documentation
Article 10 - Data Governance
Training data documentation, PII detection, data quality measures
Article 11 - Technical Docs
Model cards, system architecture, performance metrics documentation
Article 12 - Record-Keeping
Audit trail presence, HMAC chain verification, log completeness
Article 14 - Human Oversight
Human-in-the-loop checkpoints, override mechanisms, delegation logging
Article 15 - Robustness
Prompt injection scanning, error handling, fallback mechanisms
Plus optional GDPR data flow scanning, bias/fairness checks, and ISO 42001 + NIST AI RMF crosswalk mapping.