Posted on
Artificial Intelligence

Artificial Intelligence Compliance Automation

Author
  • User
    linuxbash
    Posts by this author
    Posts by this author

Automate AI Compliance on Linux with Bash: From Policy to Pipelines

AI features are shipping faster than ever—but regulators, customers, and your own risk teams expect provable governance. Manual checklists don’t scale. The good news: on Linux, a few command-line tools and Bash glue can automate a big chunk of Artificial Intelligence compliance, turning policy into code and creating auditable gates in your dev workflow and CI.

In this guide, you’ll:

  • See why AI compliance automation matters

  • Install a small, reliable toolchain via apt, dnf, or zypper

  • Implement a manifest-driven compliance check in Bash

  • Optionally add policy-as-code using Open Policy Agent (OPA)

  • Wire everything into pre-commit and CI

Note: This article is informational and not legal advice. Always consult your compliance/legal teams.


Why automate AI compliance?

  • Scale and speed: As models, datasets, and prompts evolve daily, manual review is a bottleneck. Automation enforces rules at commit-time and in CI.

  • Consistency: Policy-as-code means the same rules everywhere—developer laptop, CI, and prod gates.

  • Auditability: Logs and artifacts from automated checks provide a trail for external audits (GDPR, ISO 42001, SOC 2, HIPAA, etc.).

  • Shift-left risk control: Catch license issues, missing consent, or PII exposure before it ships.


Prerequisites: Install the toolchain

We’ll use:

  • jq and yq for JSON/YAML parsing

  • shellcheck to lint Bash

  • ripgrep for simple secret/PII scans (optional but handy)

  • pre-commit to enforce checks locally

  • OPA (optional) for policy-as-code

Install with your package manager. If a package isn’t found in your distro, see the provided fallback.

Ubuntu/Debian (apt)

sudo apt update
sudo apt install -y jq yq shellcheck ripgrep pre-commit

Fedora/RHEL/CentOS (dnf)

sudo dnf install -y jq yq ShellCheck ripgrep pre-commit

Note: On some RHEL family systems, you may need EPEL for certain packages.

openSUSE/SLE (zypper)

sudo zypper refresh
sudo zypper install -y jq yq ShellCheck ripgrep pre-commit

Optional: Install OPA (Open Policy Agent) cross-distro

# Detect arch and install a static binary to /usr/local/bin
VER="0.64.1"
curl -L -o opa https://openpolicyagent.org/downloads/v${VER}/opa_linux_amd64
echo "5c785f087a3a613e3b478b9d8111a116bfab31ccf6a144ab9d9d31c45f9f2c9e  opa" | sha256sum -c - || { echo "Checksum mismatch"; exit 1; }
chmod +x opa
sudo mv opa /usr/local/bin/opa
opa version

If your distro provides an “opa” package, you can also install it via your package manager.


Step 1 — Describe your AI system with a lightweight manifest

Start by making compliance explicit. Put a machine-readable manifest in the repo root so bash and policy tools can reason about it.

Create ai_manifest.yaml:

project: "support-bot"
owner: "ml-platform"
model:
  name: "distilbert-support"
  source: "https://huggingface.co/org/distilbert-support"
  license: "Apache-2.0"
data:
  sources:
    - name: "support_tickets_2025q1"
      consent: true
      pii: "minimal"
      dpa_signed: true
    - name: "faq_public"
      consent: true
      pii: "none"
      dpa_signed: false
  retention_days: 365
evaluation:
  bias_audited: true
  metrics:
    - name: "accuracy"
      value: 0.92
security:
  collects_user_data: false
compliance:
  dpia_done: true
  policy_version: "v1.2"
  privacy_policy_url: "https://example.com/privacy"

Tip: Keep fields aligned with your internal and regulatory requirements (e.g., consent flags, DPA status, retention, DPIA).


Step 2 — Bash-based checks with yq/jq

This self-contained Bash script enforces a few foundational rules:

  • Model license must be from an allowlist

  • Each dataset must have consent

  • DPIA must be completed

  • Optional: run a simple repo scan for secrets/PII strings (ripgrep)

Create scripts/compliance.sh:

#!/usr/bin/env bash
set -euo pipefail

MANIFEST="${1:-ai_manifest.yaml}"

need() {
  command -v "$1" >/dev/null 2>&1 || { echo "ERROR: missing dependency: $1"; exit 127; }
}
need yq
need jq

if [[ ! -f "$MANIFEST" ]]; then
  echo "ERROR: Manifest not found: $MANIFEST"
  exit 2
fi

# 1) License allowlist
license="$(yq -r '.model.license // ""' "$MANIFEST")"
allowed_licenses=("Apache-2.0" "MIT" "BSD-3-Clause" "BSD-2-Clause" "MPL-2.0")
if [[ -z "$license" ]]; then
  echo "DENY: model.license missing"
  exit 10
fi
if [[ ! " ${allowed_licenses[*]} " =~ " ${license} " ]]; then
  echo "DENY: model.license '$license' not allowed (${allowed_licenses[*]})"
  exit 11
fi

# 2) Dataset consent checks
consent_violations="$(yq -r '.data.sources[]? | select(.consent != true) | .name' "$MANIFEST" || true)"
if [[ -n "${consent_violations:-}" ]]; then
  echo "DENY: data sources missing consent:"
  echo "$consent_violations" | sed 's/^/  - /'
  exit 12
fi

# 3) DPIA completed
dpia_done="$(yq -r '.compliance.dpia_done // false' "$MANIFEST")"
if [[ "$dpia_done" != "true" ]]; then
  echo "DENY: compliance.dpia_done must be true"
  exit 13
fi

# 4) Optional lightweight PII/secrets scan (warnings)
if command -v rg >/dev/null 2>&1; then
  echo "INFO: running lightweight PII/secret scan (ripgrep)..."
  if rg -n --hidden --ignore-case \
    -g '!*.png' -g '!*.jpg' -g '!*.jpeg' -g '!*.gif' \
    -e 'aws_secret_access_key' \
    -e '-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----' \
    -e '\bssn\b|\bsocial.?security\b' \
    -e '\bcredit.?card\b|\bccn\b' \
    .; then
      echo "WARN: Potential secrets/PII patterns found (see lines above)."
      if [[ "${FAIL_ON_WARNINGS:-0}" == "1" ]]; then
        echo "FAIL_ON_WARNINGS=1 set; failing build."
        exit 20
      fi
  else
    echo "INFO: No obvious PII/secret patterns detected."
  fi
else
  echo "INFO: ripgrep not installed; skipping PII/secret scan."
fi

echo "OK: Manifest and basic checks passed."

Make it executable:

chmod +x scripts/compliance.sh

Run it:

bash scripts/compliance.sh ai_manifest.yaml

Real-world example: If someone switches the model to an SSPL-1.0 model, the script will fail on the license allowlist gate before it ever reaches staging.


Step 3 — Optional: Policy-as-code with OPA (Rego)

For more complex rules and clearer denial reasons, use OPA. Keep Bash as the orchestrator, let Rego express policy logic.

Create policy.rego:

package ai.compliance

default allow = false
allowed_licenses = {"Apache-2.0","MIT","BSD-3-Clause","BSD-2-Clause","MPL-2.0"}

deny[msg] {
  not input.model.license
  msg := "model.license missing"
}

deny[msg] {
  license := input.model.license
  not allowed_licenses[license]
  msg := sprintf("model.license %q not allowed", [license])
}

deny[msg] {
  some i
  src := input.data.sources[i]
  not src.consent
  msg := sprintf("data source missing consent: %q", [src.name])
}

deny[msg] {
  not input.compliance.dpia_done
  msg := "DPIA not completed"
}

allow {
  count(deny) == 0
}

Evaluate the policy:

# Convert manifest to JSON (OPA consumes JSON natively)
yq -o=json ai_manifest.yaml > manifest.json

# Show any denials
opa eval -f pretty -d policy.rego -i manifest.json 'data.ai.compliance.deny'

# Gate on allow == true
result="$(opa eval -f json -d policy.rego -i manifest.json 'data.ai.compliance.allow' \
  | jq -r '.result[0].expressions[0].value')"
test "$result" = "true" || { echo "DENY: OPA policy failed"; exit 1; }

Tip: Keep policy files versioned and reviewed like code. Store a policy_version field in the manifest and assert compatibility in Rego if needed.


Step 4 — Put it in developers’ hands with pre-commit

Prevent non-compliant changes from ever landing in a branch.

Create .pre-commit-config.yaml:

repos:
  - repo: local
    hooks:
      - id: ai-compliance
        name: AI Compliance (manifest + basic scans)
        entry: bash scripts/compliance.sh ai_manifest.yaml
        language: system
        pass_filenames: false
        files: ^(ai_manifest\.ya?ml|data/|models/)

      - id: shellcheck
        name: ShellCheck (lint compliance scripts)
        entry: shellcheck
        language: system
        files: ^scripts/.*\.sh$

Install and activate:

pre-commit install
pre-commit run --all-files

Now every commit runs the compliance gate locally.


Step 5 — Enforce in CI across distros

Here’s a distro-agnostic snippet for CI to install deps and run the gate:

#!/usr/bin/env bash
set -euo pipefail

if command -v apt >/dev/null 2>&1; then
  sudo apt update
  sudo apt install -y jq yq ripgrep
elif command -v dnf >/dev/null 2>&1; then
  sudo dnf install -y jq yq ripgrep
elif command -v zypper >/dev/null 2>&1; then
  sudo zypper refresh
  sudo zypper install -y jq yq ripgrep
else
  echo "Unknown package manager; please install jq/yq/ripgrep manually."
fi

bash scripts/compliance.sh ai_manifest.yaml

Add OPA if you’re using Rego:

VER="0.64.1"
curl -L -o opa https://openpolicyagent.org/downloads/v${VER}/opa_linux_amd64
chmod +x opa && sudo mv opa /usr/local/bin/opa

Export artifacts (e.g., manifest.json, policy decision logs) for auditability.


Extras and extensions

  • License policy depth: Map permissive/weak copyleft/strong copyleft/SSPL and enforce by deployment type (SaaS vs on-prem).

  • Data lineage: Require dataset hashes and storage locations in the manifest; verify with checksums.

  • Evaluation thresholds: Fail builds if fairness or accuracy metrics regress.

  • Secrets scanning: Replace the lightweight ripgrep step with a dedicated scanner in CI if needed.

  • Evidence bundle: Zip the manifest, policy results, and git commit SHA as an audit artifact each release.


Conclusion and next step

Compliance doesn’t have to slow down AI delivery. With a simple Linux toolchain and Bash, you can:

  • Express expectations in a manifest

  • Enforce them deterministically in dev and CI

  • Prove it with artifacts and logs

Start small: 1) Add ai_manifest.yaml to your repo. 2) Drop in scripts/compliance.sh and the pre-commit hook. 3) Optionally layer in OPA for richer policies.

Your next step: copy the manifest and script templates above into a test repo, run the checks, and evolve the policy with your governance team. Shift compliance left—and keep shipping with confidence.