Themida
OPEN SOURCE · AGPL-3.0 · ALPHA

Compliance findings
at line-level.

Themida reads your code and tells you which line triggers a GDPR or EU AI Act issue — with the legal article, severity, and a working fix you can paste into a PR.

Self-host in minutes
No signup
Bring your own LLM key
Critical · src/auth/login.ts:41

Password hashed with broken MD5 algorithm

var passwordHash = crypto
  .createHash('md5')
  .update(userPassword)
  .digest('hex');

MD5 has been broken since 2004. Collisions take seconds.

Legal reference: GDPR Art. 5(1)(f), 32(1)(a)
Maximum fine: €20M or 4% revenue

Suggested fix

import bcrypt from 'bcrypt';
const passwordHash = await bcrypt.hash(userPassword, 12);
// or Argon2id
  • 6 frameworks shipped
  • 30 rules across packs
  • 4 pipeline stages

How it works

Four stages, one report.

Point Themida at a repository or a local clone and pick your frameworks. It loads your code, narrows to the files that actually matter, has an LLM read those line by line against the rule packs, then verifies the results — so what you get back is file, line, the legal article, a severity, and a paste-ready fix. Export any run as a SARIF report for GitHub Code Scanning or a PDF.

01 · Fetch

Loads the repository — through the GitHub API or straight from a local directory tree, no cloud round-trip required.

02 · Filter

Drops noise and scores each file against the frameworks you selected, so the expensive pass only reads what's relevant.

03 · Analyse

An LLM does a recon pass, then a deep scan — reading the relevant chunks line by line with the rule packs in context.

04 · Verify

Drops hallucinated paths and findings already mitigated nearby in the same file — cutting false positives before you see them.


Bring your own LLM

Any model. Any provider.

Themida ships adapters for Anthropic and any OpenAI-compatible endpoint, so you can plug in whatever backend you trust — including a local model. One env var switches the whole stack.

export LLM_PROVIDER=openai
export OPENAI_API_KEY=sk-…
export OPENAI_BASE_URL=https://openrouter.ai/api/v1
# done.
  • Anthropic: native adapter
  • OpenAI: native adapter
  • OpenRouter: OpenAI-compatible
  • Groq: OpenAI-compatible
  • Together: OpenAI-compatible
  • Local models: vLLM · llama.cpp · Ollama

Rule packs

Six frameworks. Thirty rules.

Each rule pack maps a concrete code pattern to a legal article, a severity, and a paste-ready fix. Six ship today; SOC 2 and ISO 27001 are open for contribution. Every pack is plain TypeScript.
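As an added example (not Themida's own code) of the rule-pack shape described here and of the verify stage from the pipeline section: one GDPR rule for the MD5 password-hashing pattern from the finding card, a line-level scanner, and a verify pass that drops findings whose path is absent from the scanned tree. The `Rule`/`Finding` types and the `scanFile`, `verify` and `demo` helpers are assumed names, not Themida's real API.

```typescript
// Added example, not Themida's own code: these types and helpers are assumptions.
type Severity = "critical" | "high" | "medium" | "low";

interface Rule {
  id: string;
  pattern: RegExp;    // concrete code pattern that triggers the finding
  message: string;
  legalRef: string;   // legal article(s) the pattern maps to
  severity: Severity;
  fix: string;        // paste-ready replacement
}

// A finding is file:line (1-based, as in src/auth/login.ts:41) plus the rule it tripped.
interface Finding { file: string; line: number; rule: Rule }

// One GDPR rule mirroring the finding card at the top of the page.
const gdprPack: Rule[] = [{
  id: "gdpr-weak-password-hash",
  pattern: /createHash\(\s*['"]md5['"]\s*\)/,
  message: "Password hashed with broken MD5 algorithm",
  legalRef: "GDPR Art. 5(1)(f), 32(1)(a)",
  severity: "critical",
  fix: "import bcrypt from 'bcrypt';\nconst passwordHash = await bcrypt.hash(userPassword, 12);",
}];

// Analyse-style pass: match every line of a file against a rule pack.
function scanFile(file: string, source: string, rules: Rule[]): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    for (const rule of rules) {
      if (rule.pattern.test(text)) findings.push({ file, line: i + 1, rule });
    }
  });
  return findings;
}

// Verify-style pass: drop findings whose path is not in the scanned tree
// (the "hallucinated path" case the pipeline section describes).
function verify(findings: Finding[], knownFiles: Set<string>): Finding[] {
  return findings.filter((f) => knownFiles.has(f.file));
}

// Constructed sample input mirroring the page's card, not a real file.
const sampleSource =
  "var passwordHash = crypto\n  .createHash('md5')\n  .update(userPassword)\n  .digest('hex');";

function demo(): Finding[] {
  const raw = scanFile("src/auth/login.ts", sampleSource, gdprPack);
  raw.push({ ...raw[0], file: "src/auth/does-not-exist.ts" }); // bogus path, should be dropped
  return verify(raw, new Set(["src/auth/login.ts"]));
}
```

Running `demo()` yields a single finding at `src/auth/login.ts:2` (the `.createHash('md5')` line) with the rule's article, severity and fix attached; the finding pointing at the nonexistent path is discarded by the verify pass.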


Shipped · alpha

  • GDPR
  • EU AI Act
  • MiCA
  • HIPAA
  • OWASP Top 10
  • PCI DSS

Planned · contributions welcome

  • SOC 2
  • ISO 27001

Run it yourself

Minutes to your first finding.

The fastest path is a CLI scan of a local directory — only an LLM key needed, no Supabase or GitHub App. You bring your own key and keep the findings; only the scanned files reach your provider.

# 1. clone + install
git clone https://github.com/Nikolaospet/themida
cd themida
pnpm install

# 2. set your LLM provider + key
cp .env.example .env.local
# Anthropic, OpenAI, or any
# OpenAI-compatible endpoint

# 3. scan a local directory
pnpm dev:scan --path .

One more thing

A personal project, built in the open.

Themida isn't a company — no funding, no managed cloud, no waitlist. It's a project built in the open because compliance tools that don't actually read code are tiring. Contributions — especially rule packs and bug reports — are warmly welcomed.