# CRP Scan
GitHub Action for AI governance scanning. Add one workflow step and every pull request is checked for AI-system patterns that need CRP coverage: unaudited LLM calls, missing safety policies, ungoverned context construction, and regulatory mapping gaps.
Specified in SPEC-013.
## What It Catches
| Finding | Severity | What to do |
|---|---|---|
| LLM call without provenance attachment | HIGH | Wrap the call in the CRP client or route it via the gateway |
| Missing CRP-Safety-Policy on a production code path | MEDIUM | Add a policy directive |
| EU AI Act high-risk pattern without classifier | CRITICAL | Add classify-eu-ai-act MANDATORY |
| Hard-coded provider API keys | CRITICAL | Move them to a secrets manager |
| Context truncation risk (large prompt without windowing) | MEDIUM | Use CRP envelope packing |
| Multi-agent chain without budget header | HIGH | Add CRP-Chain-Budget |
| Missing audit log destination | MEDIUM | Configure CRP-Audit-Sink |
## Usage
```yaml
# .github/workflows/crp-scan.yml
name: CRP Governance Scan
on: [pull_request]
jobs:
  crp-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crprotocol/crp-scan-action@v1
        with:
          fail-on: HIGH
          policy: .crp/policy.yml
```

fail-on sets the lowest severity that fails the check; findings below it are still reported. Because the action comments on the pull request and uploads SARIF to code scanning, the job's GITHUB_TOKEN needs pull-requests: write and security-events: write; if your repository's default token permissions are read-only, grant exactly those two with a permissions: block on the job. Pin the action to a commit SHA instead of the floating v1 tag if your supply-chain policy requires it.
## Output
- Pull-request summary comment with all findings.
- SARIF upload to the GitHub code-scanning tab.
- JSON report for downstream pipelines (e.g. CRP Comply ingestion).
## Conformance
CRP Scan emits findings tied to specific specs and regulatory controls. Each finding includes a crp.spec, crp.control, and crp.severity for programmatic triage.
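Those three fields are what a downstream pipeline step gates on. The script below is an added example written for this page, not CRP Scan's own code, and the documented output format is only the three crp.* fields: it assumes the JSON report is an object with a findings array, and the rule, file and line keys and the whole sample report are constructed for illustration. It reproduces the fail-on threshold gate, groups findings by control for a compliance summary, rejects an unknown threshold, and treats a finding with an unrecognised severity as blocking so that a malformed report fails closed rather than passing silently.

```python
"""Triage a CRP Scan JSON report in a downstream pipeline step.

Added example. The `findings` array and the `rule`/`file`/`line` keys are
assumed for illustration; only crp.spec, crp.control and crp.severity are
documented fields of the report.
"""
from __future__ import annotations

import json
from collections import defaultdict

# Severity levels, most severe first. CRITICAL/HIGH/MEDIUM are the levels the
# findings table uses; LOW is included as a floor so "fail-on: LOW" means "any".
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule": "llm-call-without-provenance", "file": "app/chat.py", "line": 42,
         "crp.spec": "SPEC-013", "crp.control": "PROV-1", "crp.severity": "HIGH"},
        {"rule": "hardcoded-provider-key", "file": "app/config.py", "line": 7,
         "crp.spec": "SPEC-013", "crp.control": "SEC-3", "crp.severity": "CRITICAL"},
        {"rule": "missing-audit-sink", "file": ".crp/policy.yml", "line": 1,
         "crp.spec": "SPEC-013", "crp.control": "AUD-2", "crp.severity": "MEDIUM"},
    ]
})


def severity_rank(level: str) -> int:
    """Position in SEVERITY_ORDER (0 = most severe). An unknown level ranks as
    -1, i.e. more severe than anything, so malformed findings fail closed."""
    level = level.upper()
    return SEVERITY_ORDER.index(level) if level in SEVERITY_ORDER else -1


def load_findings(report_json: str) -> list[dict]:
    """Parse the report and require the three documented crp.* fields."""
    data = json.loads(report_json)
    findings = data.get("findings")
    if not isinstance(findings, list):
        raise ValueError("report has no 'findings' array")
    for finding in findings:
        for key in ("crp.spec", "crp.control", "crp.severity"):
            if key not in finding:
                raise ValueError(f"finding is missing {key}: {finding!r}")
    return findings


def findings_at_or_above(findings: list[dict], threshold: str) -> list[dict]:
    """Everything at `threshold` or more severe (the action's fail-on gate).
    A misspelled threshold is an error, not a silent pass."""
    if threshold.upper() not in SEVERITY_ORDER:
        raise ValueError(f"unknown fail-on threshold {threshold!r}")
    cutoff = severity_rank(threshold)
    return [f for f in findings if severity_rank(f["crp.severity"]) <= cutoff]


def should_fail(findings: list[dict], threshold: str = "HIGH") -> bool:
    return bool(findings_at_or_above(findings, threshold))


def group_by_control(findings: list[dict]) -> dict[str, list[dict]]:
    """Bucket findings by regulatory control for a compliance-style summary."""
    groups: dict[str, list[dict]] = defaultdict(list)
    for f in findings:
        groups[f["crp.control"]].append(f)
    return dict(groups)


def count_by_severity(findings: list[dict]) -> dict[str, int]:
    counts = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        level = f["crp.severity"].upper()
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print("by severity:", count_by_severity(found))
    for control, items in sorted(group_by_control(found).items()):
        print(control, [f"{i['file']}:{i['line']} {i['rule']}" for i in items])
    blocking = findings_at_or_above(found, "HIGH")
    print(f"{len(blocking)} finding(s) at or above HIGH")
    raise SystemExit(1 if blocking else 0)
```

In a pipeline, replace SAMPLE_REPORT with the report file the action writes and feed the exit status to the job; grouping by crp.control is what makes the same report useful for evidence collection, since each bucket maps to one control rather than one file.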
## Pricing
Free for public repositories. Paid plans cover private repositories, enterprise SSO, and CRP Comply integration. Contact scan@crprotocol.io.