Peaky8linders/eu-ai-act-scanner

3 stars · Last commit 2026-06-04

Scan any codebase for EU AI Act (Regulation 2024/1689) compliance evidence and gaps. 14 analyzers, Claude Code plugin + library + CLI. Local-only static analysis.

# EU AI Act Scanner

> Scan any codebase for EU AI Act (Regulation 2024/1689) compliance evidence and gaps — directly from Claude Code or a Python script.

[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Python 3.11+](https://img.shields.io/badge/python-3.11+-blue.svg)](https://www.python.org/downloads/)
![Status: alpha](https://img.shields.io/badge/status-alpha-orange)
![100 days](https://img.shields.io/badge/T--100%20days-Aug%202%2C%202026-red)

**Ships as three things in one repo:**
1. A **Claude Code plugin** with four commands (`/ai-act-scan`, `/ai-act-scan-fix`, `/ai-act-article`, `/ai-act-incidents`) and **13 article-grounded skills** covering classification, obligations, deployer duties, GPAI, Annex IV, timeline, penalties, and real-world incident grounding
2. A **Python library** (`from scanner import scan_project`) with **21 analyzers**, including 7 agent-aware analyzers grounded in Nannini et al. (2026), *AI Agents under EU Law* — covering the four compound-risk axes (cascading, emergent, attribution, temporal), AEPD lethal-trifecta detection, runtime drift, regulatory perimeter classification, and tool-permission minimization
3. An **MCP server** (`eu-ai-act-scan-mcp`) so non-Claude-Code agents can call the scanner and query the incident corpus over the Model Context Protocol

Every finding is **grounded in real-world incidents** (new in v0.4): the scanner crosswalks its gaps to a vendored, reviewed-tier subset of the open [GenAI & Agentic AI Security Incidents dataset](https://huggingface.co/datasets/emmanuelgjr/genai-incidents) (CC-BY-4.0, 7,725+ incidents mapped to OWASP LLM Top 10 2025, OWASP Agentic (ASI) Top 10, NIST AI RMF, and MITRE ATLAS). A gap stops being "you have no prompt-injection defence" and becomes "...and here are the documented incidents where exactly that gap was exploited, with the published mitigations." See [Incident grounding](#incident-grounding).

The skills are written to the same standard: every regulatory claim cites an article (and paragraph where relevant), every skill names its audience (engineer / compliance officer / legal counsel / deployer), every skill has a Common Rationalizations table that heads off the most common mistakes, and every skill ends with a citation to the Official Journal. See [`skills/authoring-eu-ai-act-skills.md`](skills/authoring-eu-ai-act-skills.md) for the authoring standard — new skills must meet it.
