Autonomous AI-powered compliance assessment platform. Get audit-ready reports for SOC2, GDPR, HIPAA, ISO 27001, and PCI DSS in minutes, not months.
The project is deployed and running live.
- 5 Specialized AI Agents working in parallel:
- Planning Agent: Creates comprehensive assessment plans
- Regulation RAG Agent: Fetches latest compliance requirements
- Intelligent Extraction Agent: Autonomously scans your tech stack
- Gap Analysis Agent: Identifies compliance gaps with evidence
- Report Generation Agent: Creates auditor-grade reports
- Autonomous Decision Making: Agents decide what to scan based on framework requirements
- Iterative Refinement: Agents re-scan until confidence threshold is achieved
Connect to 14+ services via Model Context Protocol (MCP):
| Category | Services |
|---|---|
| Cloud Infrastructure | AWS, Azure, Google Cloud, Cloudflare |
| Code & DevOps | GitHub, GitLab, Jenkins, ArgoCD |
| Monitoring & Observability | Instana, DataDog, Grafana, Sentry |
| Communication & Collaboration | Atlassian (JIRA, Confluence), Notion |
| Code Quality | SonarQube |
Authentication Options:
- OAuth 2.0 (one-click secure connection)
- BYOK (Bring Your Own Key: API tokens)
- Persistent Memory: Agents remember context between scans
- Cross-Agent Learning: Knowledge sharing across agent swarm
- Reduced Hallucinations: Context-aware responses
- 12-Hour TTL: Automatic memory cleanup
- Vector Search: Supabase pgvector for semantic search
- Real-Time Research: Perplexity AI, Firecrawl, Browserbase integration
- Latest Regulations: Always up-to-date compliance requirements
- Evidence-Based: Every finding includes source citations
- Compliance Scores: Overall + category breakdowns
- Detailed Findings: Severity ratings, evidence, recommendations
- Remediation Plans: Step-by-step implementation guidance
- Multiple Formats: PDF, Markdown, JSON exports
- Evidence Citations: Source, location, code snippets
- Framework-Specific: SOC2, GDPR, HIPAA, ISO 27001, PCI DSS
- Tool-Specific Scans: Analyze just infrastructure, just code, or specific services
- Historical Tracking: Compare compliance scores over time
- Real-Time Dashboard: Live progress and agent activity
Compliance Copilot uses a Multi-Agent Swarm architecture powered by the Model Context Protocol (MCP) to securely access your tools, research regulations, and generate evidence-backed reports.
```mermaid
graph TD
    User[User] -->|Selects Framework| Dashboard[Dashboard]
    Dashboard -->|Initiates Analysis| Orchestrator[Swarm Orchestrator]
    subgraph "MCP Integration Layer"
        AWS[AWS]
        GH[GitHub]
        Azure[Azure]
        Jira[Atlassian]
        Sonar[SonarQube]
        Sentry[Sentry]
    end
    subgraph "Agent Swarm"
        Orchestrator -->|Delegates| Manager[Manager Agent]
        Manager -->|Parallel Execution| Planning[Planning Agent]
        Manager -->|Parallel Execution| Extraction[Extraction Agent]
        Manager -->|Parallel Execution| Research[Research Agent]
        Manager -->|Parallel Execution| GapAnalysis[Gap Analysis Agent]
        Manager -->|Parallel Execution| Reporting[Report Agent]
        Extraction <-->|Fetch Data| MCP[MCP Servers]
        Research <-->|Perplexity/Firecrawl/Browserbase| Web[Web Research]
        Research -->|Requirements| RAG[(Vector DB)]
        Extraction -->|Findings| Memory[(Mem0/Redis)]
        RAG & Memory --> GapAnalysis
        GapAnalysis --> Reporting
    end
    Reporting -->|Audit Report| Dashboard
    Dashboard -->|Download| User
```
- Swarm Orchestrator: Coordinates all agents using LangGraph
- MCP Client Manager: Handles connections to external services
- Vector Store: Supabase pgvector for RAG (Retrieval-Augmented Generation)
- Agent Memory: Redis-backed Mem0 for persistent context
- Research Tools: Perplexity AI, Firecrawl, Browserbase for web research
| Category | Technologies |
|---|---|
| Frontend | Next.js 14+ (App Router), React, TypeScript, Tailwind CSS, HeroUI |
| Backend | Next.js API Routes, Prisma ORM |
| Orchestration | LangGraph, LangChain |
| AI & LLM | OpenAI GPT-4o, GPT-4 Turbo |
| RAG & Vector | Supabase pgvector, OpenAI Embeddings |
| Integration | Model Context Protocol (MCP) |
| Memory | Redis (Mem0), PostgreSQL (Prisma) |
| Auth | Supabase Auth (OAuth 2.0) |
| Storage | Supabase Storage, PostgreSQL |
| Research Tools | Perplexity AI, Firecrawl, Browserbase |
- Node.js 18+ and npm/yarn
- PostgreSQL database (Supabase recommended)
- Redis instance (for agent memory)
- Supabase account (for database, storage, and auth)
- OpenAI API key (GPT-4o recommended)
- Clone the repository

  ```bash
  git clone <your-repo-url>
  cd compliance-copilot
  ```

- Install dependencies

  ```bash
  npm install
  ```

- Configure environment variables

  ```bash
  cp env.template .env
  ```

  Update `.env` with your credentials. The file holds live secrets, so keep it out of version control:

  ```bash
  # Core
  DATABASE_URL="postgresql://user:password@host:5432/database"
  OPENAI_API_KEY="sk-..."
  OPENAI_CHAT_MODEL="gpt-4o"

  # Supabase
  # NEXT_PUBLIC_* values are inlined into the browser bundle by Next.js; never put a secret under that prefix.
  NEXT_PUBLIC_SUPABASE_URL="https://your-project.supabase.co"
  NEXT_PUBLIC_SUPABASE_ANON_KEY="eyJ..."
  SUPABASE_SERVICE_ROLE_KEY="eyJ..."   # server-side only: this key bypasses Row Level Security

  # Agent Memory (Redis)
  REDIS_URL="redis://localhost:6379"

  # Optional: Research Tools
  PERPLEXITY_API_KEY="pplx-..."   # For web research
  FIRECRAWL_API_KEY="fc-..."      # For web scraping
  BROWSERBASE_API_KEY="bb-..."    # For browser automation

  # MCP OAuth (Optional - for OAuth connections)
  GITHUB_CLIENT_ID="..."
  GITHUB_CLIENT_SECRET="..."
  ```

- Set up Redis (for Mem0 agent memory)

  Option 1: Docker (recommended for development)

  ```bash
  # Development only: the image starts without a password, so keep port 6379 bound to
  # localhost (e.g. -p 127.0.0.1:6379:6379) on any host reachable from a network.
  docker run -d --name redis-stack -p 6379:6379 -p 8001:8001 redis/redis-stack:latest
  ```

  Option 2: Redis Cloud

  - Sign up at Redis Cloud
  - Get the connection URL and add it to `REDIS_URL`

- Initialize the database

  ```bash
  # Generate Prisma Client
  npm run db:generate
  # Push schema (use db:push for pgvector compatibility)
  npm run db:push
  ```

- Set up the vector store

  - Open the Supabase SQL Editor
  - Run the SQL from `docs/setup_vectors.sql` to enable the pgvector extension

- Run the development server

  ```bash
  npm run dev
  ```
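The `.env` layout above is a good place to add a startup check. The following is an added example, not the project's own code: it verifies that the required variables are present, that nothing secret sits under the `NEXT_PUBLIC_` prefix (Next.js inlines those into the browser bundle), that the two Supabase keys carry the role each variable expects (Supabase API keys are JWTs whose `role` claim is `anon` or `service_role`, and the service-role key bypasses Row Level Security), and that a plain `redis://` URL without credentials only points at localhost. The variable names come from the README; `validateEnv`, `jwtRole` and `fakeSupabaseKey` are assumed names, and the sample keys are constructed, unsigned stand-ins.

```typescript
// Added example: a startup check for the .env layout in the README; not the project's own code.
// Variable names are from the README; validateEnv/jwtRole/fakeSupabaseKey are assumed names.
import { Buffer } from "node:buffer";

type Env = Record<string, string | undefined>;

const REQUIRED = [
  "DATABASE_URL", "OPENAI_API_KEY", "NEXT_PUBLIC_SUPABASE_URL",
  "NEXT_PUBLIC_SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY", "REDIS_URL",
];

function base64urlDecode(s: string): string {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

// Read the `role` claim of a Supabase API key (a JWT) without verifying the signature;
// the check is about which key landed in which variable, not about authenticity.
export function jwtRole(token: string | undefined): string | null {
  if (!token) return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64urlDecode(parts[1]));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null;
  }
}

// Returns a list of problems; an empty list means the environment is usable.
export function validateEnv(env: Env): string[] {
  const problems: string[] = [];
  for (const name of REQUIRED) {
    if (!env[name]) problems.push(`missing ${name}`);
  }
  // Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle,
  // so a secret under that prefix is published to every visitor.
  for (const name of Object.keys(env)) {
    if (name.startsWith("NEXT_PUBLIC_") && /SERVICE_ROLE|SECRET|PRIVATE/.test(name)) {
      problems.push(`${name} is exposed to the browser by its NEXT_PUBLIC_ prefix`);
    }
  }
  // The public key must really be the anon key: the service_role key bypasses RLS.
  const anonRole = jwtRole(env.NEXT_PUBLIC_SUPABASE_ANON_KEY);
  if (anonRole !== null && anonRole !== "anon") {
    problems.push(`NEXT_PUBLIC_SUPABASE_ANON_KEY has role "${anonRole}", expected "anon"`);
  }
  const serviceRole = jwtRole(env.SUPABASE_SERVICE_ROLE_KEY);
  if (serviceRole !== null && serviceRole !== "service_role") {
    problems.push(`SUPABASE_SERVICE_ROLE_KEY has role "${serviceRole}", expected "service_role"`);
  }
  // Plain redis:// with no credentials is acceptable on localhost, not across a network.
  const redis = env.REDIS_URL ?? "";
  if (/^redis:\/\/[^@/]*$/.test(redis) && !/^redis:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(redis)) {
    problems.push("REDIS_URL is a remote Redis with no password and no TLS (use rediss:// or credentials)");
  }
  return problems;
}

// Constructed, unsigned stand-in for a Supabase key (real keys are HS256-signed JWTs).
export function fakeSupabaseKey(role: string): string {
  const enc = (o: unknown) =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ role, iss: "supabase" })}.signature`;
}
```

Call `validateEnv(process.env)` once at server start and refuse to boot on a non-empty result; the role check is what catches the common mistake of pasting the service-role key into the public variable, which no "is it set?" check will notice.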
Navigate to Dashboard → MCP Connections
OAuth Connection (recommended):
- Click the "OAuth" button for GitHub, Atlassian, or Cloudflare
- Authorize the application
- The connection is established automatically
BYOK Connection:
- Click the "BYOK" button
- Enter the API keys/tokens
- For SSE/HTTP servers (such as Instana), also provide the server URL
- Click "Connect"
Required Connections:
- GitHub (required)
- At least one cloud service (AWS, Azure, Cloudflare, or Google Cloud)
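BYOK tokens are long-lived credentials for the connected services, so wherever they are stored they should be encrypted at rest and bound to the connection they belong to. The README does not describe how the project stores them; the following is an added example (not the project's code) of one way to do it with Node's built-in AES-256-GCM, using the connection id as associated data so that a ciphertext copied onto a different connection record fails to decrypt. `BYOK_ENCRYPTION_KEY` is a hypothetical variable name and all function names are assumptions.

```typescript
// Added example of encrypting BYOK API tokens at rest; not the project's own code.
// Assumptions: BYOK_ENCRYPTION_KEY is a hypothetical env var holding a random,
// high-entropy secret, and connectionId is the database id of the connection row.
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";
import { Buffer } from "node:buffer";

// Derive a fixed 32-byte AES key from the secret. A plain hash is enough when the
// secret is random; use a password KDF (scrypt/argon2) if it is human-chosen.
export function keyFromSecret(secret: string): Buffer {
  return createHash("sha256").update(secret, "utf8").digest();
}

// Returns "iv.tag.ciphertext" (base64). The connection id is passed as additional
// authenticated data, so the blob only decrypts for that connection record.
export function sealToken(key: Buffer, connectionId: string, token: string): string {
  const iv = randomBytes(12); // 96-bit GCM nonce, fresh for every call
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(connectionId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [iv, tag, ciphertext].map((b) => b.toString("base64")).join(".");
}

// Returns the plaintext token, or null if the blob is malformed, was tampered with,
// was sealed under another key, or belongs to a different connection (wrong AAD).
export function openToken(key: Buffer, connectionId: string, sealed: string): string | null {
  const parts = sealed.split(".");
  if (parts.length !== 3) return null;
  const [iv, tag, ciphertext] = parts.map((p) => Buffer.from(p, "base64"));
  if (iv.length !== 12 || tag.length !== 16) return null;
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAAD(Buffer.from(connectionId, "utf8"));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
  } catch {
    return null; // GCM authentication failed
  }
}

// What to show in the dashboard or logs instead of the token itself.
export function maskToken(token: string): string {
  return token.length <= 8 ? "****" : `${token.slice(0, 4)}...${token.slice(-4)}`;
}
```

Store only the sealed string in the connections table and keep `BYOK_ENCRYPTION_KEY` out of the database entirely; rotating the key is then a matter of opening each blob with the old key and re-sealing it with the new one.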
- Select a compliance framework (SOC2, GDPR, HIPAA, ISO, PCI)
- Choose a project (or create new)
- Click "Run Swarm Analysis"
- Watch the pipeline run:
- Research agents fetch the latest compliance requirements
- Extraction agents scan your infrastructure and code
- Gap analysis identifies compliance gaps
- Report generation creates the detailed audit report
- Dashboard: Overview of compliance scores and findings
- Findings Tab: Filter by severity, framework, or tool
- Remediation Tab: Step-by-step remediation plans
- Reports Tab: Download PDF, Markdown, or JSON reports
Run focused analysis on specific tools:
- Infrastructure Only: AWS, Azure, Google Cloud
- Code Only: GitHub repositories
- Communication: Atlassian (JIRA, Confluence)
- Monitoring: Instana, DataDog, Grafana
- MCP Connection Guide - Detailed guide for connecting services
- Agent Swarm Architecture - Multi-agent system overview
- Web Research Integration - Perplexity, Firecrawl, Browserbase usage
- Deployment Guide - Production deployment instructions
- Prisma Setup - Database configuration
| Framework | Description | Key Focus Areas |
|---|---|---|
| SOC2 | Service Organization Control 2 | Security, Availability, Processing Integrity |
| GDPR | General Data Protection Regulation | Data Privacy, Consent Management, Right to Erasure |
| HIPAA | Health Insurance Portability and Accountability Act | PHI Protection, Access Controls, Audit Logs |
| ISO 27001 | Information Security Management Systems standard | ISMS, Risk Management, Security Controls |
| PCI DSS | Payment Card Industry Data Security Standard | Cardholder Data Protection, Network Security |
- AWS (IAM, EC2, S3, RDS, Lambda, CloudWatch)
- Azure (Active Directory, Storage, Compute)
- Google Cloud (IAM, Compute, Storage)
- Cloudflare (Workers, Pages, Security)
- GitHub (Repositories, Code, Secrets, Actions)
- Jenkins (Pipelines, Jobs, Builds)
- ArgoCD (Applications, Deployments)
- Instana (APM, Infrastructure Monitoring)
- DataDog (Metrics, Logs, APM)
- Grafana (Dashboards, Alerts)
- Sentry (Error Tracking, Performance)
- Atlassian (JIRA, Confluence)
- Notion (Pages, Databases)
- SonarQube (Code Quality, Security, Coverage)
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- OpenAI for GPT-4o and embeddings
- LangChain/LangGraph for agent orchestration
- Model Context Protocol for service integration
- Supabase for database and storage
- Mem0 for agentic memory
For questions, issues, or feature requests:
- Open an issue on GitHub
- Check the documentation
- Visit the live demo
Built with ❤️ for the compliance community
⭐ Star this repo if you find it helpful!