Frameworks

Eight Standards, One Scanner

Comply evaluates your codebase against 8 compliance frameworks and 53 controls. Jurisdiction profiles activate the frameworks that apply to you — EU, US, healthcare, financial services — so you're only measured against what matters.

EU AI Act

8 controls

Risk classification, transparency, human oversight, data governance

SOC 2

7 controls

Security, availability, processing integrity, confidentiality, privacy

ISO 27001

7 controls

Information security management, access control, cryptography

NIST AI RMF

7 controls

AI risk management across the govern, map, measure, and manage functions

GDPR

6 controls

Data protection, consent, retention, right to erasure, DPIAs

HIPAA

6 controls

Protected health information, access controls, audit trails

PCI DSS

6 controls

Cardholder data protection, encryption, access management

FDA SaMD

6 controls

Software as a Medical Device lifecycle, validation, risk management

Evidence

Three Layers of Proof

Compliance posture isn't a checklist — it's a composite score built from code, process, and runtime evidence. Each layer contributes independently, and the combined posture reflects your actual compliance state.

L1: Code Analysis

Static analysis of your codebase — architecture patterns, security controls, documentation coverage, test presence. The foundation layer.

L2: Process Evaluation

Git history, review workflows, CI/CD configuration, approval gates. Evidence that your process matches your policy.

L3: API Traffic

Live traffic analysis via gateway adapters — Kong, Gravitee, AWS API Gateway, or log files. Runtime evidence of compliance in production.

Integration

Fits Your Pipeline

CI/CD Output Formats

SARIF for GitHub Advanced Security, JUnit for test runners, Markdown for pull request comments. Compliance results in the format your tools expect.
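To show what those formats actually carry, here is an added example (not Comply's own code or output schema) that converts a constructed set of control results into a minimal SARIF 2.1.0 log for GitHub Advanced Security and into a JUnit XML suite for a test runner. The finding fields, control ids and tool name are assumptions for the example; the SARIF structure (tool.driver.rules, results with ruleId, level, message and physicalLocation) is the real 2.1.0 shape.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample control results. The field names and control ids are
# assumptions for this example, not Comply's real output schema.
SAMPLE_FINDINGS = [
    {"framework": "soc2", "control": "access-control",
     "title": "Access to systems is restricted",
     "status": "fail", "severity": "high", "file": "src/auth/session.py", "line": 42,
     "message": "Session tokens are written to the application log"},
    {"framework": "gdpr", "control": "right-to-erasure",
     "title": "Erasure requests are honoured",
     "status": "fail", "severity": "medium", "file": "src/users/delete.py", "line": 10,
     "message": "Erasure handler does not purge exported copies"},
    {"framework": "iso27001", "control": "cryptography",
     "title": "Cryptography policy exists",
     "status": "pass", "severity": "info", "file": None, "line": None,
     "message": "docs/crypto-policy.md present"},
]

# SARIF result levels are "error", "warning", "note" and "none".
SEVERITY_TO_LEVEL = {"high": "error", "medium": "warning", "low": "note", "info": "note"}


def to_sarif(findings, tool_name="compliance-example", tool_version="0.0.0"):
    """Build a SARIF 2.1.0 log: every control becomes a rule, every failed
    control becomes a result, with a location attached where one is known."""
    rules, results, seen = [], [], set()
    for f in findings:
        rule_id = f"{f['framework']}/{f['control']}"
        if rule_id not in seen:
            seen.add(rule_id)
            rules.append({"id": rule_id, "shortDescription": {"text": f["title"]}})
        if f["status"] != "fail":
            continue  # passed controls are not reported as results
        result = {
            "ruleId": rule_id,
            "level": SEVERITY_TO_LEVEL.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
        }
        if f.get("file"):
            result["locations"] = [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]}}}]
        results.append(result)
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                      "rules": rules}},
                  "results": results}],
    }


def check_sarif(doc):
    """Return the structural problems that would make the log unusable for
    upload; an empty list means the basic structure is sound."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append("tool.driver.name missing")
        known = {r["id"] for r in driver.get("rules", [])}
        for res in run.get("results", []):
            if res.get("ruleId") not in known:
                problems.append(f"result references unknown rule {res.get('ruleId')!r}")
            if not res.get("message", {}).get("text"):
                problems.append("result without message.text")
    return problems


def to_junit(findings, suite_name="compliance"):
    """Render the same results as a JUnit XML suite: one testcase per control,
    failed controls carry a <failure> element so the runner marks them red."""
    failures = sum(1 for f in findings if f["status"] == "fail")
    suite = ET.Element("testsuite", name=suite_name,
                       tests=str(len(findings)), failures=str(failures))
    for f in findings:
        case = ET.SubElement(suite, "testcase", classname=f["framework"], name=f["control"])
        if f["status"] == "fail":
            failure = ET.SubElement(case, "failure", message=f["message"])
            if f.get("file"):
                failure.text = f"{f['file']}:{f['line']}"
    return ET.tostring(suite, encoding="unicode")


if __name__ == "__main__":
    sarif = to_sarif(SAMPLE_FINDINGS)
    print(json.dumps(sarif, indent=2))
    print(to_junit(SAMPLE_FINDINGS))
```

Passed controls are kept as rules but not emitted as results, which is what keeps the code-scanning view focused on what needs fixing; `check_sarif` catches the two mistakes that most often get an upload rejected, a result whose `ruleId` has no matching rule and a result without `message.text`.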

Pipeline Templates

GitHub Actions, GitLab CI, and Jenkins templates ship with Comply. Add compliance scanning to your pipeline in minutes, not days.

Regression Detection

Track compliance over time. When a commit degrades a control, Comply flags it before it reaches production. History is stored locally in SQLite.
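As an added illustration of how a per-commit history in SQLite supports both the layered posture score described under Three Layers of Proof and the regression check described here, the following example (written for this page, not Comply's own code or schema) records L1/L2/L3 scores per control for each commit, averages them into a per-control and composite posture, and flags any control whose posture dropped against the previous scan. The table layout, control names, commit ids and the 0.05 tolerance are assumptions; the scan data is constructed.

```python
import sqlite3

# Hypothetical schema for this example; Comply's real SQLite layout is not
# documented on the page and is not reproduced here.
SCHEMA = """
CREATE TABLE IF NOT EXISTS scans (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    commit_sha  TEXT NOT NULL,
    recorded_at TEXT NOT NULL DEFAULT (datetime('now'))
);
CREATE TABLE IF NOT EXISTS control_scores (
    scan_id INTEGER NOT NULL REFERENCES scans(id),
    control TEXT NOT NULL,
    layer   TEXT NOT NULL CHECK (layer IN ('L1', 'L2', 'L3')),
    score   REAL NOT NULL CHECK (score BETWEEN 0 AND 1),
    PRIMARY KEY (scan_id, control, layer)
);
"""

# Constructed history: two commits, each with (control, layer, score) rows.
# The second commit's L1 (code) evidence for access-control drops sharply.
SAMPLE_HISTORY = [
    ("a1b2c3d", [("access-control", "L1", 1.0), ("access-control", "L2", 1.0),
                 ("access-control", "L3", 0.9), ("audit-trail", "L1", 0.8),
                 ("audit-trail", "L2", 0.7), ("audit-trail", "L3", 0.6)]),
    ("d4e5f6a", [("access-control", "L1", 0.4), ("access-control", "L2", 1.0),
                 ("access-control", "L3", 0.9), ("audit-trail", "L1", 0.9),
                 ("audit-trail", "L2", 0.7), ("audit-trail", "L3", 0.6)]),
]


def open_history(path=":memory:"):
    """Open (or create) the local history database."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_scan(conn, commit_sha, scores):
    """Store one scan; scores is an iterable of (control, layer, score)."""
    cur = conn.execute("INSERT INTO scans (commit_sha) VALUES (?)", (commit_sha,))
    scan_id = cur.lastrowid
    conn.executemany("INSERT INTO control_scores VALUES (?, ?, ?, ?)",
                     [(scan_id, control, layer, score) for control, layer, score in scores])
    conn.commit()
    return scan_id


def control_posture(conn, scan_id):
    """Per-control posture: each evidence layer contributes equally."""
    rows = conn.execute(
        "SELECT control, AVG(score) FROM control_scores WHERE scan_id = ? "
        "GROUP BY control ORDER BY control", (scan_id,)).fetchall()
    return {control: avg for control, avg in rows}


def composite_posture(conn, scan_id):
    """Composite posture for a scan: mean of the per-control postures."""
    per_control = control_posture(conn, scan_id)
    return round(sum(per_control.values()) / len(per_control), 4) if per_control else 0.0


def detect_regressions(conn, scan_id, tolerance=0.05):
    """Compare a scan with the one recorded before it and list every control
    whose posture fell by more than the tolerance."""
    prev = conn.execute("SELECT id FROM scans WHERE id < ? ORDER BY id DESC LIMIT 1",
                        (scan_id,)).fetchone()
    if prev is None:
        return []  # first scan: nothing to compare against
    before, after = control_posture(conn, prev[0]), control_posture(conn, scan_id)
    regressions = []
    for control, new in after.items():
        old = before.get(control)
        if old is not None and old - new > tolerance:
            regressions.append({"control": control, "before": round(old, 4),
                                "after": round(new, 4), "drop": round(old - new, 4)})
    return regressions


def run_history(history, path=":memory:"):
    """Record each commit in order; return {commit_sha: regressions flagged}."""
    conn = open_history(path)
    flagged = {}
    for commit_sha, scores in history:
        scan_id = record_scan(conn, commit_sha, scores)
        flagged[commit_sha] = detect_regressions(conn, scan_id)
    return flagged


if __name__ == "__main__":
    for commit_sha, regressions in run_history(SAMPLE_HISTORY).items():
        status = "REGRESSION" if regressions else "ok"
        print(commit_sha, status, regressions)
```

A CI job would call `detect_regressions` after recording the current commit and fail the build when the list is non-empty, which is the gate that stops a degraded control from reaching production. The tolerance exists so that small measurement noise in the runtime (L3) layer does not block every merge; tune it per control if some controls need a strict zero-tolerance check.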

Web Dashboard

A built-in SPA shows your compliance posture, framework coverage, control details, and trend history. No external analytics required.