Skip to main content

Scan your codebase locally for EU AI Act compliance risk. Your code never leaves your machine.

Project description

conformis

Scan your codebase locally for EU AI Act compliance risk.

Your code never leaves your machine. conformis runs its AI/ML-usage detector entirely on your filesystem and only ever transmits the findings it produces (a file path, a line number, a library name, a one-line snippet, and a short description) — never full source files, never your .env, never git history or metadata.

Install

pip install conformis

Or from a local checkout:

pip install ./cli

Quickstart

# Set your Conformis user id once
export CONFORMIS_USER_ID=user_xxxxxxxx

# Scan the current directory
conformis scan

# Scan a specific path
conformis scan ./my-project

# See exactly what would be sent, without sending anything
conformis scan --dry-run

# Strip all code snippets before anything is transmitted
conformis scan --privacy-mode

Instead of an env var, you can persist your user id in ~/.conformis/config:

{ "user_id": "user_xxxxxxxx" }

The CONFORMIS_USER_ID environment variable always takes precedence over this file. If neither is set, the CLI exits with a clear error before scanning anything.

What is (and isn't) transmitted

The scanner walks your codebase locally (Python, JS/TS, package.json) and produces a list of findings. Before anything is sent over the network, the CLI filters every finding down to exactly these fields:

Field Description
file Path relative to the scan root (never absolute)
line Line number of the match
library Detected AI/ML library or framework
description Human-readable description of the finding
context Enclosing function/class name, if any
snippet The single matched line — empty in --privacy-mode

Nothing else ever leaves the machine: no absolute paths, no environment variables, no .git metadata, no file contents beyond the one matched line per finding. This is enforced in code (conformis/payload.py), not just documented — every finding is passed through a field allowlist and a path-sanitizer before it is serialized, and --privacy-mode empties every snippet client-side before the payload is even built.

Sample payload

This is the exact JSON body POSTed to /api/scans/local for a project with a single OpenAI call in chatbot.py (also viewable yourself, with nothing sent, via conformis scan --dry-run):

{
  "project_name": "my-project",
  "files_scanned": 1,
  "files_with_ai": 1,
  "findings": [
    {
      "file": "chatbot.py",
      "line": 4,
      "library": "openai",
      "description": "Imports OpenAI API",
      "context": "",
      "snippet": "import openai"
    },
    {
      "file": "chatbot.py",
      "line": 9,
      "library": "openai",
      "description": "Possible model inference call: .create()",
      "context": "function ask",
      "snippet": "response = client.chat.completions.create(model=\"gpt-4\", messages=messages)"
    }
  ],
  "privacy_mode": false
}

With --privacy-mode, every snippet field above becomes "".

Findings are capped at 500 and each snippet at 2000 characters client-side (matching the backend's own limits), so a very large repo truncates predictably with a clear message instead of failing on the server.

Command reference

conformis scan [PATH]

Scans PATH (default: current directory) and submits findings to Conformis.

Flag Description
--privacy-mode Strip all snippets client-side before sending
--project-name NAME Project name to record (default: directory name)
--dry-run Print the exact JSON payload that would be sent; send nothing
--json Machine-readable output on stdout (for CI)
--no-wait Submit and exit immediately without polling for results
--fail-under N Exit 1 if the compliance score is below N (default: 0)

Progress/status messages (the scanning spinner, submission confirmation, polling status) are written to stderr, so stdout stays clean JSON when --json or --dry-run is used — safe to pipe or redirect in CI.

conformis --version

Prints the installed CLI version.

CI usage

- name: Conformis compliance scan
  env:
    CONFORMIS_USER_ID: ${{ secrets.CONFORMIS_USER_ID }}
  run: |
    pip install conformis
    conformis scan --json --fail-under 70

Exit codes

Code Meaning
0 Scan completed and compliance score >= --fail-under
1 Scan completed but compliance score < --fail-under
2 Error (bad path, missing auth, network/API failure, or analysis timed out after 3 minutes)

How it works

  1. Scanconformis walks the target directory locally using the same AST-based detector as the Conformis backend (vendored, not imported, so the CLI installs standalone with no dependency on the backend package).
  2. Sanitize — findings are filtered to the allowlisted fields above, paths are forced relative to the scan root, and size limits are enforced.
  3. Submit — the findings-only payload is POSTed to POST /api/scans/local, which starts the same classification pipeline used for full ZIP uploads, just without ever receiving your source code.
  4. Poll — the CLI polls GET /api/scans/{id}/readiness every 3 seconds (3 minute timeout) until the classification finishes.
  5. Report — a compliance score, risk tier summary, and the top 3 recommended actions are printed, along with a link to the full dashboard at https://conformis.tech/readiness/{scan_id}.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

conformis-0.1.0.tar.gz (17.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

conformis-0.1.0-py3-none-any.whl (16.7 kB view details)

Uploaded Python 3

File details

Details for the file conformis-0.1.0.tar.gz.

File metadata

  • Download URL: conformis-0.1.0.tar.gz
  • Upload date:
  • Size: 17.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.4

File hashes

Hashes for conformis-0.1.0.tar.gz
Algorithm Hash digest
SHA256 5f17091728c7e23074fe0cd11858b6c8f882cf3014aff8ef0ccc3c262356ade8
MD5 e545fb58f9294b62c25ac8587a345071
BLAKE2b-256 c2813a9e383073c00a8478d9c0179affbdfa49328c07355a94530ba8ccc0d45c

See more details on using hashes here.

File details

Details for the file conformis-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: conformis-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 16.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.4

File hashes

Hashes for conformis-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 bcb0ffb9e76fc1f38aff497c7e8f3347233c23bf480d3cda1222be159d6db127
MD5 47e4ff1e7a2810dd98d71705b208206c
BLAKE2b-256 5de7f21a4b726aa5d4294da217b3029b2e1ed700b6d7048694260d0a05cbbe05

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page