
CodeAnt AI — AI-Assisted Code Review and Security Platform

1. Purpose

This document sets out CodeAnt AI’s position on compliance with Regulation (EU) 2024/1689 — the EU Artificial Intelligence Act (“AI Act”) — as it applies to the CodeAnt platform. It is intended to support enterprise customers, in particular those operating in or deploying CodeAnt within the European Union, in completing their own due-diligence and AI impact assessments.

2. Product overview

CodeAnt AI is a developer-assistance platform that integrates into source-code repositories (GitHub, GitLab, Bitbucket, Azure DevOps) to provide:
  • AI Code Review — natural-language and pattern-based feedback on pull requests, covering code quality, likely bugs, and improvement suggestions.
  • Code Security — static application security testing (SAST), secret scanning, infrastructure-as-code analysis, and software composition analysis.
All findings are surfaced as advisory suggestions on pull requests, code-review interfaces, or developer dashboards. CodeAnt does not autonomously modify, merge, or deploy code; a human developer reviews every suggestion and decides whether to accept, modify, or reject it.

3. AI components

CodeAnt combines:
  • Deterministic / rule-based engines for static analysis, secret detection, dependency scanning, and policy enforcement. These are not AI systems within the meaning of Art. 3(1) AI Act.
  • AI components used for natural-language code review, summarisation, and suggestion generation, including the use of third-party general-purpose AI (GPAI) foundation models accessed via [confirm provider(s) — e.g., OpenAI, Anthropic, Azure OpenAI, self-hosted open-weights models] depending on deployment mode and customer configuration.

4. Risk classification under the AI Act

CodeAnt has assessed the platform against the AI Act’s risk framework.

4.1 Not a prohibited practice (Art. 5)

CodeAnt does not perform any of the practices prohibited under Art. 5 (subliminal manipulation, social scoring, untargeted facial-image scraping, real-time remote biometric identification, emotion recognition in workplace/education, etc.).

4.2 Not a high-risk AI system (Art. 6 / Annex III)

CodeAnt has reviewed each of the Annex III categories and concluded the platform does not fall within any of them:
Each Annex III category, whether it applies to CodeAnt, and the reasoning:
  • Biometrics: No. No biometric processing.
  • Critical infrastructure: No. Not used to manage or operate critical infrastructure (energy, water, transport, digital infrastructure as defined).
  • Education and vocational training: No. Not used to determine access, assess learners, or detect prohibited behaviour.
  • Employment, worker management, access to self-employment: No. Not used for recruitment, performance evaluation, promotion, termination, or task allocation. Any developer-productivity metrics surfaced are advisory and do not constitute automated employment decisions.
  • Access to essential services: No. No role in credit scoring, benefits eligibility, emergency-services triage, or similar.
  • Law enforcement: No. Not deployed to law-enforcement authorities for any covered purpose.
  • Migration, asylum, border control: No. Not applicable.
  • Administration of justice and democratic processes: No. Not applicable.
CodeAnt is therefore not subject to the high-risk obligations of Chapter III of the Act.

4.3 Limited-risk / transparency obligations (Art. 50)

Where CodeAnt’s AI generates text-based output that interacts with developers (e.g., AI code-review comments), CodeAnt complies with the Art. 50 transparency obligation by clearly labelling AI-generated content as such within the developer interface.

4.4 General-purpose AI model considerations (Chapter V)

Where CodeAnt integrates third-party GPAI foundation models, the model provider carries the GPAI obligations under Chapter V (technical documentation, training-data summary, copyright policy, and — for models with systemic risk — additional obligations). CodeAnt acts as a downstream provider/deployer and selects model suppliers who are themselves compliant with, or actively working toward, these obligations.

5. Compliance measures in place

Although CodeAnt is not classified as a high-risk AI system, the following measures — many of which mirror the high-risk obligations of Arts. 9–15 — are implemented as a matter of responsible AI engineering and to support customers in regulated industries.

5.1 Risk management

  • Documented AI risk assessment covering intended purpose, reasonably foreseeable misuse, residual risks, and mitigations.
  • Reviewed and updated at least annually and on any material model or feature change.

5.2 Data governance

  • CodeAnt does not train its proprietary models on customer source code, pull-request content, or repository metadata.
  • For third-party GPAI inference, CodeAnt selects providers and configurations that contractually exclude customer content from being used to train the underlying foundation models.
  • Data minimisation at inference: only the code context strictly required for the requested review is submitted to the model.
  • Configurable redaction of secrets and identifiable personal data before inference.

5.3 Human oversight

  • All AI output is advisory. Developers retain full discretion to accept, modify, or reject suggestions.
  • CodeAnt does not auto-merge, auto-deploy, or otherwise act autonomously on production systems.
  • The accepting reviewer is clearly identified in the audit trail as the responsible decision-maker for any change merged on the basis of an AI suggestion.

5.4 Logging and traceability

For every AI-generated suggestion, CodeAnt records:
  • Timestamp and triggering event (e.g., pull request opened, manual rerun).
  • Model identifier and version.
  • File path and line reference of the affected code.
  • The suggestion content.
  • The reviewer’s decision (accepted / dismissed / modified) and timestamp.
Logs are retained according to the customer’s retention policy and are exportable for audit purposes.

5.5 Technical documentation

CodeAnt maintains internal technical documentation covering system architecture, model selection rationale, evaluation methodology, known limitations, and change history. Customer-facing summaries are available under NDA on request.

5.6 Transparency to end users (Art. 50)

  • Developers are informed at first use that they are interacting with an AI system.
  • AI-generated comments and suggestions are clearly labelled (e.g., “CodeAnt AI”) in the review interface so that they are distinguishable from human reviewer input.
  • Public-facing product documentation describes the capabilities and known limitations of the AI components.

5.7 Accuracy, robustness, cybersecurity

  • Pre-release evaluation of new model versions against internal benchmark suites covering correctness, false-positive rate, and prompt-injection resistance.
  • Standard application-security controls under SOC 2 Type II — report available under NDA.
  • Vulnerability management, third-party penetration testing, and secure SDLC practices in place and documented separately.

5.8 Non-discrimination

CodeAnt operates on source code and code-adjacent text. The system does not make decisions about natural persons based on protected characteristics. Author and committer identifiers are not used as features influencing model output.

6. AI literacy (Art. 4)

CodeAnt provides product documentation, in-product guidance, and onboarding materials so that customer personnel using the platform can develop a sufficient level of AI literacy in the context of their use of the system. Customers remain responsible for ensuring that their own staff complete appropriate AI-literacy training as required under Art. 4.

7. AI Act implementation timeline

The AI Act entered into force on 1 August 2024 and applies in phases:
  • 2 February 2025 — Prohibitions under Art. 5 and AI-literacy obligations under Art. 4 became applicable.
  • 2 August 2025 — GPAI provider obligations and governance provisions became applicable.
  • 2 August 2026 — General application of the Act, including most high-risk and transparency obligations.
  • 2 August 2027 — Remaining obligations for high-risk systems embedded in regulated products.
CodeAnt continues to monitor implementing acts, delegated acts, harmonised standards, and guidance issued by the European AI Office, and will update this statement accordingly.

8. Roles under the AI Act

For the CodeAnt platform:
  • Provider: CodeAnt AI, Inc.
  • Deployer: The customer organisation using CodeAnt in the course of its professional activity within the EU.
  • GPAI model providers: The third-party foundation-model providers referenced in §3, each carrying its own GPAI obligations under Chapter V.

9. Supporting documentation available

The following may be provided under NDA to support customer due diligence:
  • AI risk assessment summary.
  • Data flows description (per deployment mode).
  • Model documentation summary / model card.
  • SOC 2 Type II report.
  • Data Processing Agreement (Art. 28 GDPR) and Standard Contractual Clauses, as applicable.