Compliance, traced to the standards.
826 tests across six opt-in categories — i18n, SEO, accessibility, security, performance, privacy. Every test cites the standard behind it: WCAG 2.2 success criteria, OWASP ASVS §, web.dev Core Web Vitals, Google Search Central, RFCs. The rulebook is under continuous development — new tests ship whenever standards update or new attack patterns emerge.
- Categories: 6
- Tests shipping: 826
- Authoritative sources: 12+
Six categories. One runner.
Each category is its own opt-in module — every rule cites the authoritative standard or enforcement precedent behind it.
Internationalization
26 tests · 56 locales. Zero raw keys.
Catches untranslated strings shipped to production, hardcoded dates and numerals, RTL breakage, hreflang cluster inconsistency, and pluralization drift across 56 target locales.
SEO
168 tests · Rank like the web wants you to.
Canonicals, sitemaps, robots, Core Web Vitals, 15+ structured-data rich-result types, hreflang, Open Graph, Twitter Cards — every rule cites its Google Search Central reference.
Accessibility
173 tests · WCAG 2.2 AA, measured.
Every success criterion across Level A / AA / AAA — contrast, focus order, landmark structure, live regions, captions, motion, cognitive load. Each test links back to its specific WCAG SC.
Security
284 tests · OWASP, plus the stuff OWASP misses.
OWASP ASVS 4.0.3, API Top 10, 100+ secret-leak detectors, 40+ CVE-vulnerable library fingerprints, CSP strictness, CORP/COOP/COEP, session flags. Each rule cites its ASVS § or CVE.
Performance
148 tests · LCP, INP, CLS — and p95, not p50.
Core Web Vitals budgets, render-blocking detection, image format + srcset coverage, bundle budgets, hydration cost, caching hygiene. Every rule links its web.dev article.
Privacy
27 tests · GDPR, CCPA, COPPA — in that order.
Consent banners, DSAR endpoints, data minimization, cookie scoping, child-safe defaults, tracker load timing. Built against the CNIL / ICO / EDPB enforcement record, not just the regulation text.
What a finding looks like.
Every finding cites the field expert whose rule it is. Reviewers can open the source file, read the reasoning, and sign off — or push back — with full context.
12 pages are missing canonical URLs.
Google can't pick a canonical among your duplicates. Affected routes include /guides/ios-xcuitest-automation, /vs/maesto, and 10 others — full list in the JSON export.
Flagged by an international SEO lead we consulted
expert: International SEO · SaaS growth · 12 yrs
“Canonical tags are the single most-neglected on-page signal. Missing them on a dozen high-traffic pages is enough to split link equity and drop your own site below your syndication partners in the SERP.”
Evidence: 12 / 187 pages
First seen: run 4,112 · 3d ago
Fix cost: ~45 min
Continuously developed. New tests every release.
WCAG publishes an erratum → new rule. A fresh CVE lands against a library you depend on → new detector. Google Search Central rolls out a rich-result format → the schema test is live on the next release. The rulebook moves with the web, not with your audit calendar.
1. Standards intake. Each test starts from a specific authoritative source — WCAG SC, OWASP §, web.dev article, RFC, Google Search Central doc.
2. Rule authoring. The claim becomes a YAML spec + TypeScript evaluator, grouped by category, versioned in the repo with its citation.
3. AI-driven runner. `anvil compliance run` executes the specs against your repo + live URLs, headless.
4. Traceable report. Findings ship as JUnit + SARIF + a rendered HTML report. Every finding links to the standard that produced it.
Anvil vs the audit toolbox.
Manual audits, Lighthouse, Pa11y, OWASP ZAP — each excellent at their slice. Anvil Compliance is the slice that ties them together.
| Axis | Anvil Compliance | Manual audit | Lighthouse / Pa11y / ZAP |
|---|---|---|---|
| Category coverage | 6 categories, one runner | Depends on auditor | 1 per tool (Lighthouse = perf+SEO, ZAP = security, …) |
| Standards-traceable findings | Every finding cites the WCAG SC / OWASP § / RFC / web.dev article behind it | Yes, but not re-runnable | No — anonymous rule IDs |
| Opt-in per category | `--category=seo,a11y` granular | All-or-nothing SOW | Yes (per tool) |
| CI/CD gating | Exit code + JUnit + SARIF out of the box | No | Varies — mostly manual wiring |
| Historical diff | Per-run delta in the dashboard | Reports in PDF — good luck diffing | Rarely |
| Expandability | New standards publish → rules shipped in the next release | Hire another auditor | Wait for upstream vendor |
Cited from the standards that actually matter.
Each finding links to the authoritative source behind it — no anonymous rule IDs, no vendor-opaque numbering. A sampler:
“Canonical URLs MUST be absolute, consistent, and point at the preferred version of the page.”
Google Search Central
Consolidate duplicate URLs
“Content should be presentable in different ways without losing information or structure.”
WCAG 2.2 · Perceivable
W3C Web Content Accessibility Guidelines
“Secrets must never be included in source code, configuration files, or logs.”
OWASP ASVS 4.0.3
§14.3.3 — Configuration
Audited against 826 expert-attributed rules across 6 categories — and growing.
Run it on your repo in 60 seconds.
No signup. Local first. Reads your repo, pings your deployed URL, and writes a report to ./runs/.
$ npm install -g @koydo/anvil-cli && anvil compliance run --category=all
Reading: specs/compliance/_framework/README.md