ComplyTest
Open source · MIT License · v0.9.x

Scan any website for compliance issues in 60 seconds

69 rules across GDPR, WCAG 2.2, security, and DSA transparency. One command, deterministic output, and reports in HTML, JSON, SARIF, CSV, and PDF. Built to run in CI.

$ npx complytest scan https://your-site.com
No account · no telemetry · Node ≥ 18 · macOS, Linux, Windows
§ Coverage

69 rules across 4 categories

Every rule includes regulation reference, evidence collection, and remediation hints. Each scan is deterministic — same URL, same result.

Consent & Privacy (19 rules)
GDPR Article 7 consent, cookie enforcement, banner validation, Google Consent Mode v2, granular tiers, DSA dark-pattern detection.
Tags: GDPR, ePrivacy, EDPB, TCF 2.2

Accessibility (21 rules)
All 9 new WCAG 2.2 success criteria, color contrast, ARIA, keyboard navigation, focus management, target size, accessible authentication.
Tags: WCAG 2.2, EAA, ADA

Security (23 rules)
CSP, HSTS, HTTPS, secure cookies, SRI, COOP/COEP, Permissions-Policy, CORS, TLS version, certificate expiry, payment-page integrity.
Tags: OWASP, PCI DSS, CSP

Transparency (6 rules)
Privacy policy presence, terms of service, data controller identification, contact information, complaint mechanism, ad disclosure.
Tags: DSA, GDPR Art 13, FTC

69 rules total. Severity levels: critical, major, minor.
§ Output

Reports in every format you need

Generate compliance reports for your team, CI/CD pipeline, or regulatory filings.

HTML (--format=html): interactive dashboard with charts and drill-downs
JSON (--format=json): machine-readable for CI/CD and API integrations
CSV (--format=csv): spreadsheet-ready for compliance teams
SARIF (--format=sarif): GitHub Security tab and code-scanning alerts
PDF (--format=pdf): shareable reports for stakeholders and auditors

$ complytest scan https://example.com --format=html,json,sarif --fail-on=critical --out=reports/
§ Workflow

Install. Scan. Report.

One command in your terminal or CI runner. No agents, no SDK injection, no runtime overhead on the site being scanned.

1. Install
No configuration needed. Run directly with npx, or install globally with npm. Zero runtime dependencies on the scanned site.
npx complytest scan <url>

2. Scan
Real browser via Playwright. Walks the DOM, replays consent flows, inspects headers, and records evidence for every rule.
--fail-on=critical

3. Report
Deterministic compliance score by category, with failing-rule diffs, evidence, and remediation hints. Exit code reflects severity.
--format=html,sarif
~/projects/example
$ npx complytest scan https://example.com --fail-on=critical
Scanning with Playwright... done (4.2s)
Results for https://example.com
Score 72% (50/69 rules passed)
consent WARN 14/19
accessibility PASS 19/21
security FAIL 11/23
transparency PASS 6/6
3 critical failures:
FAIL security.hsts Missing Strict-Transport-Security
FAIL security.csp_present No Content-Security-Policy header
FAIL consent.cookies_before_consent 8 non-essential cookies set
Report written to reports/run-2026-05-21.html
exit 2 (critical failures present)
Real output. Exit code 2 fails the build on critical issues.
§ CI/CD

Gate every pull request

ComplyTest writes SARIF for the GitHub Security tab and exits non-zero on configurable severity. Drop it in a workflow — block regressions before they ship to production.

  • Exit codes
    Distinct codes for warn vs critical failures
  • SARIF output
    Inline annotations on the diff
  • --fail-on flag
    Gate by severity, category, or specific rule IDs
  • Deterministic
    Same URL → same result, no flaky scans
.github/workflows/compliance.yml:
name: Compliance
on: [pull_request]

# upload-sarif needs permission to write code-scanning alerts
permissions:
  contents: read
  security-events: write

jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # PREVIEW_URL must be set by an earlier deploy step or in the workflow env
      - run: |
          npx complytest scan \
            ${{ env.PREVIEW_URL }} \
            --format=sarif \
            --out=compliance.sarif \
            --fail-on=critical
      # run even after a non-zero scan exit so the findings still reach the Security tab
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: compliance.sarif
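When a pipeline needs a gate that a single --fail-on value cannot express, for instance an accepted-risk allow-list that still blocks on every remaining security finding, a CI step can read the SARIF the scan writes. The following is an added example, not ComplyTest's own code; it assumes SARIF 2.1.0 results whose ruleId has the form category.rule (as in the scan output above), a critical to "error", major to "warning", minor to "note" level mapping, and uses a constructed SARIF sample with one hypothetical rule ID.

```python
# Gate a CI job on ComplyTest SARIF output by severity, category or rule ID.
# Added example, not ComplyTest's own code. Assumes SARIF 2.1.0 results whose
# ruleId is "<category>.<rule>" (as in the scan output above) and that levels
# map critical -> "error", major -> "warning", minor -> "note".
import json

LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}

# Constructed sample: the three critical failures shown on this page plus one
# hypothetical major finding so the severity filter has something to skip.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "complytest"}},
    "results": [
        {"ruleId": "security.hsts", "level": "error",
         "message": {"text": "Missing Strict-Transport-Security"}},
        {"ruleId": "security.csp_present", "level": "error",
         "message": {"text": "No Content-Security-Policy header"}},
        {"ruleId": "consent.cookies_before_consent", "level": "error",
         "message": {"text": "8 non-essential cookies set"}},
        {"ruleId": "accessibility.example_rule", "level": "warning",
         "message": {"text": "hypothetical major finding"}},
    ]}]})


def blocking_findings(sarif_text, min_level="error", categories=None,
                      rule_ids=None, allow=()):
    """Findings that should fail the build: level >= min_level, matching the
    optional category / rule-ID filters, and not in `allow` (an accepted-risk
    list that a single --fail-on flag cannot express)."""
    threshold = LEVEL_RANK[min_level]
    blocking = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            level = result.get("level", "warning")  # SARIF default level
            category = rule_id.split(".", 1)[0]
            if (LEVEL_RANK.get(level, 1) >= threshold
                    and (not categories or category in categories)
                    and (not rule_ids or rule_id in rule_ids)
                    and rule_id not in allow):
                blocking.append((rule_id, level, result["message"]["text"]))
    return blocking


def exit_code(findings):
    """2 when a critical (error) finding remains, matching the page's exit 2;
    the 1 for lesser findings is an assumption, the page names only code 2."""
    if any(level == "error" for _, level, _ in findings):
        return 2
    return 1 if findings else 0
```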
Separate product

Need continuous monitoring?

Complicer is the managed platform built on ComplyTest. Daily scheduled scans, team routing, SLO monitoring, Jira integration, and legal-grade audit trails.

What Complicer adds
  • Scheduled scans across staging and prod
  • Diff vs. last green run
  • Slack, Jira, and PagerDuty routing
  • Per-environment SLOs and alerts
  • Signed evidence bundles for auditors