Everything you need to set up Complint and start getting HIPAA compliance reviews on your pull requests.
Sign up
Create an account at complint.dev/signup. You can use email/password or GitHub OAuth.
Install the GitHub App
Go to Settings > GitHub and click “Connect GitHub.” This installs the Complint GitHub App on your organization. Choose which repositories to grant access to.
Enable repositories
Go to the Repositories page and toggle on the repos you want Complint to review. Only enabled repos will be analyzed.
Open a pull request
The next time someone opens or updates a PR on an enabled repo, Complint automatically analyzes the diff and posts inline review comments with HIPAA compliance findings.
Complint works out of the box, but you can customize its behavior by adding a complint.yaml file to the root of your repository.
# complint.yaml — optional per-repo configuration

# Define which tables and fields contain ePHI
# Helps Complint understand your data model
ephi:
  patients:
    - ssn
    - diagnosis
    - medications
  medical_records:
    - notes
    - lab_results

# Libraries your team has approved for encryption and audit
# Findings won't flag these as violations
approved_libraries:
  encryption:
    - "@node-rs/argon2"
    - "crypto"
  audit:
    - "winston"
    - "pino"

# Glob patterns to exclude from analysis
exclude_paths:
  - "**/*.test.ts"
  - "**/*.spec.ts"
  - "migrations/**"
  - "seeds/**"

# Override severity for specific HIPAA sections
severity_overrides:
  "164.312(e)(1)": "medium"  # Transmission security

# Analysis sensitivity (conservative | balanced | lenient)
sensitivity: balanced

ephi
Define which database tables and fields contain ePHI. Supports a simple list format or a grouped-by-table format. When provided, Complint uses this to understand your data model and produce more accurate findings.
approved_libraries
Encryption and audit logging libraries your team has approved. Complint won't flag code that uses these libraries for encryption or logging as a violation.
exclude_paths
Glob patterns for files to skip during analysis. Useful for test fixtures, migrations, and seed data that intentionally contain ePHI-like patterns.
severity_overrides
Override the default severity level for specific HIPAA sections. Use this if your team has accepted certain risks and wants to reduce noise from specific finding types.
sensitivity
Controls how aggressively Complint flags potential violations. conservative flags more, at the cost of a higher false-positive rate; lenient flags only high-confidence violations. The default is balanced.
Each finding Complint posts on a PR carries one of the following severity levels:
Critical
Direct ePHI exposure or complete absence of required safeguards. Requires immediate attention before merge.
High
Significant compliance gap that could lead to ePHI exposure under certain conditions.
Medium
Partial safeguard implementation or configuration weakness. Should be addressed but may not block the PR.
Low
Minor improvement opportunity or best-practice recommendation. Address when convenient.
Info
Informational note about code that touches ePHI-related areas. No action required.
If Complint flags code that you've determined is not a real violation, you can suppress the finding inline by placing a complint:ignore comment, followed by the reason, directly above the flagged statement:

// complint:ignore Encryption handled by infrastructure layer
const data = db.query("SELECT ssn FROM patients");

Suppressed findings are still tracked in the database with resolution: suppressed and the suppression reason, so your compliance team has a complete audit trail of what was flagged and why it was suppressed.
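The two policy mechanisms described above, severity_overrides from complint.yaml and the inline complint:ignore comment, are illustrated in this added Python example. It is not Complint's own code: the Finding record, the rule that the ignore comment must sit on the line directly above the flagged statement, and the sample findings are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed config, loaded the way a YAML parser returns complint.yaml;
# the override entry is the one shown on this page.
CONFIG = {"severity_overrides": {"164.312(e)(1)": "medium"}}

# Inline suppression marker; the text after it is the stored reason.
IGNORE_RE = re.compile(r"^\s*//\s*complint:ignore\b\s*(?P<reason>.*)$")

@dataclass
class Finding:
    line: int            # 1-based line of the flagged statement
    section: str         # HIPAA section, e.g. "164.312(e)(1)"
    severity: str
    message: str
    resolution: str = "open"
    suppression_reason: Optional[str] = None

def apply_policy(findings, source, cfg):
    """Apply severity_overrides, then mark a finding as suppressed when the
    line directly above the flagged one is a complint:ignore comment.
    Suppressed findings are kept (resolution: suppressed plus reason), not
    dropped, so the audit trail survives. Illustrative logic only."""
    lines = source.splitlines()
    overrides = cfg.get("severity_overrides", {})
    result = []
    for f in findings:
        severity = overrides.get(f.section, f.severity)
        resolution, reason = "open", None
        if 2 <= f.line <= len(lines):
            m = IGNORE_RE.match(lines[f.line - 2])
            if m:
                resolution = "suppressed"
                reason = m.group("reason").strip() or "(no reason given)"
        result.append(Finding(f.line, f.section, severity, f.message, resolution, reason))
    return result

# Constructed sample diff: one suppressed query, one unsuppressed upload.
SAMPLE_SOURCE = """\
// complint:ignore Encryption handled by infrastructure layer
const data = db.query("SELECT ssn FROM patients");
await fetch("http://partner.example/upload", { method: "POST", body: data });
"""
SAMPLE_FINDINGS = [  # line numbers and sections are constructed test data
    Finding(2, "164.312(a)(1)", "high", "ePHI read from patients.ssn"),
    Finding(3, "164.312(e)(1)", "critical", "ePHI sent over plaintext HTTP"),
]
```

Running apply_policy(SAMPLE_FINDINGS, SAMPLE_SOURCE, CONFIG) leaves the first finding in the output as suppressed with its reason attached, and downgrades the second to medium while keeping it open.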
For most findings, Complint generates a GitHub-native suggested change that you can apply with a single click. Look for the “Commit suggestion” button below the finding comment in the PR review UI. Clicking it commits the fix directly to your PR branch — GitHub handles the commit on your behalf. Complint then re-analyzes the updated code and marks the finding as resolved if the fix addressed the violation.
Complint is advisory only — it never pushes commits or modifies your code without your explicit action. The “Commit suggestion” button is a standard GitHub feature, not a Complint feature.