Anaya Developer Documentation
Anaya Scan is a compliance-as-code engine for Python codebases. It reads your models, endpoints, and data flows and maps them against India's DPDP Act — section by section.
This documentation covers the CLI, the GitHub App, CI/CD integration, and the rule pack format.
If you're running Anaya for the first time:
→ Installation
→ Quickstart
→ How Anaya reads code
Installation
Requirements
Python 3.8 or higher. pip. That's it.
pip install anaya
Verify:
anaya --version # anaya 0.9.1
Supported frameworks
Django 3.2+
FastAPI 0.68+
Flask and other Python frameworks are on the roadmap. Run anaya --help to see available commands.
Quickstart
1. Install
pip install anaya
2. Navigate to your project root
cd my-fintech-app
3. Run the DPDP compliance scan
anaya compliance .
Anaya will:
- Index your models, endpoints, and data flows
- Classify PII fields using LLM analysis
- Check 8 DPDP sections against your codebase
- Print a section-by-section findings report
4. Generate a shareable PDF report
anaya report --pdf
The report is saved as report_dpdp.pdf in your current directory.
What to expect
A full scan of a medium Django project (100+ models) takes 3–5 minutes. The majority of that time is LLM classification of model fields. The AST indexing step takes under 5 seconds regardless of codebase size.
If you want a faster run during development:
anaya compliance . --no-llm
This skips LLM classification and runs heuristic PII detection only. Coverage is lower but runtime is under 10 seconds.
How Anaya reads code
Anaya uses static analysis — no code is executed, no server is contacted during the indexing phase.
Step 1: Indexing (AST + grep)
Anaya parses your Python files using the ast module. It extracts:
- Django model definitions and their fields
- FastAPI route handlers and their request/response schemas
- Foreign key relationships and on_delete behaviors
- Import graphs for dependency analysis
This step runs locally. Output: a structured map of your codebase.
Step 2: PII classification (LLM)
Anaya sends field names and model schemas to the classification API. Field values, source code, and business logic are never sent. The API call contains only:
ModelName.field_name (FieldType)
Example:
User.aadhaar_number (CharField)
Payment.billing_email (EmailField)
The model classifies each field as PII, sensitive PII, financial PII, or non-PII.
You can inspect exactly what is sent with the --verbose flag:
anaya compliance . --verbose
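The indexing and payload steps above, as an added sketch that is not Anaya's own code: it walks a constructed Django models file with ast and emits lines in the ModelName.field_name (FieldType) shape, so you can confirm that field arguments, defaults and other literals never enter the output. The names index_models, _last_name and SAMPLE, and the rule that a model is a class with a direct base named Model, are assumptions.

```python
import ast

# Constructed sample models file; its literals must not reach the output.
SAMPLE = '''
from django.db import models

class User(models.Model):
    aadhaar_number = models.CharField(max_length=12, default="000000000000")
    created = models.DateTimeField(auto_now_add=True)
    API_KEY = "not-a-field"

class Payment(models.Model):
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    billing_email = models.EmailField()

class Helper:
    name = models.CharField(max_length=10)
'''

def _last_name(node):
    """Last component of a Name/Attribute chain: models.Model -> 'Model'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def index_models(source):
    """Return (payload_lines, on_delete_map) without executing the source."""
    lines, on_delete = [], {}
    for cls in ast.walk(ast.parse(source)):
        # Assumption: a model is a class with a direct base named Model.
        if not (isinstance(cls, ast.ClassDef)
                and any(_last_name(b) == "Model" for b in cls.bases)):
            continue
        for stmt in cls.body:
            if not (isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Call)):
                continue  # skips plain constants such as API_KEY
            ftype = _last_name(stmt.value.func)
            if not ftype or not ftype.endswith(("Field", "ForeignKey")):
                continue
            for tgt in (t for t in stmt.targets if isinstance(t, ast.Name)):
                key = f"{cls.name}.{tgt.id}"
                lines.append(f"{key} ({ftype})")  # name and type only
                for kw in stmt.value.keywords:
                    if kw.arg == "on_delete":
                        on_delete[key] = _last_name(kw.value)
    return lines, on_delete

if __name__ == "__main__":
    print(*index_models(SAMPLE), sep="\n")
```

Comparing this output against what --verbose prints for your own project is a quick way to review which field names would leave the machine before enabling LLM classification.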
Step 3: Section analysis
Each DPDP section has a targeted analyser that checks your codebase structure for compliance. Analysers use the output of steps 1 and 2 — they do not make additional LLM calls.
The analysers are deterministic. Given the same codebase structure and the same PII classification output, they will always produce the same findings.
Step 4: Report generation
Findings are printed to stdout in section order. Each finding includes:
- DPDP section number and name
- Status: COMPLIANT / PARTIAL / NON_COMPLIANT
- Evidence: what was found (or not found)
- Blockers: specific violations
- Remediation: what to do
Run anaya report --pdf to generate a formatted PDF from the last scan.
CLI Reference - anaya compliance
anaya compliance [PATH] [OPTIONS]
Run a full DPDP compliance analysis on a Python codebase.
Arguments
PATH          Path to the project root directory.
              Defaults to current directory (.).
--no-llm      Skip LLM PII classification.
              Uses heuristic detection only.
              Faster but lower coverage.
--framework   Force framework detection.
              Values: django, fastapi
              Default: auto-detect
--sections    Comma-separated list of DPDP
              sections to check.
              Example: --sections 4,7,8
              Default: all sections
--output      Output format.
              Values: text, json
              Default: text
--verbose     Show LLM API calls and
              intermediate analysis output.
--help        Show this message.
Exit codes
0   All sections compliant
1   One or more NON_COMPLIANT sections
2   Scan error (check --verbose for details)
The exit code is designed for CI/CD use. A non-zero exit code fails the pipeline.
Examples
# Basic scan
anaya compliance .
# Scan a specific directory
anaya compliance ./src
# Fast scan, no LLM
anaya compliance . --no-llm
# Check only encryption and consent sections
anaya compliance . --sections 4,8
# JSON output for pipeline consumption
anaya compliance . --output json > findings.json
anaya scan
Alias command for targeted scanning flows in upcoming rule packs. Use anaya --help to view availability in your installed version.
anaya report
anaya report --pdf
Generates a shareable PDF from your most recent findings run.
anaya init
Bootstraps local configuration and rule defaults for your repository.
anaya ci
anaya ci .
Anaya ships a CI-optimized command that outputs compact results, writes a SARIF file, and exits with the right code for your pipeline.
CI/CD setup
GitHub Actions
Add this to your workflow file:
- name: Anaya DPDP Check
  run: |
    pip install anaya
    anaya ci .
The step will fail if any DPDP section is NON_COMPLIANT. The SARIF output file (anaya-results.sarif) can be uploaded to GitHub Code Scanning:
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: anaya-results.sarif
Baseline mode
If you're adding Anaya to an existing codebase with known violations, create a baseline first:
anaya baseline .
This saves your current violation state. Subsequent anaya ci runs will only fail on new violations introduced since the baseline. Existing violations are tracked but don't block the pipeline.
This lets you ship today while fixing violations incrementally.
GitHub App
The GitHub App runs anaya ci on every pull request automatically. No workflow file needed. Violations appear inline in the PR check, with the model name, field name, and file path.
GitHub App is currently in early access.
Backend hosted on Azure.
GitHub Marketplace listing: Q2 2026.
JIRA / Linear
Ticket integrations are in progress for 2026 roadmap releases. Findings will map directly to issue templates with section, model, and remediation details.