Blog
c2pa-scanner: finding AI-generated images on your own website
The EU AI Act (Regulation (EU) 2024/1689) introduces transparency obligations from August 2, 2026: Article 50 requires AI-generated content to be labeled as such. If you run a website with hundreds or thousands of images, that raises a very practical question: which of my images are actually AI-generated?
That is exactly what I built c2pa-scanner for: a Python tool with a graphical terminal UI (Textual) that crawls an entire website via its sitemap and checks every image for AI provenance.
How it works
Detection is layered and deliberately tuned for few false positives:
- C2PA manifest (primary signal): the official
c2palibrary reads the signed manifest that e.g. Adobe Firefly embeds automatically. ThedigitalSourceTypedecides:trainedAlgorithmicMedia= AI-generated,compositeWithTrainedAlgorithmicMedia= AI-edited. - XMP/EXIF
digitalSourceType(secondary signal): the same IPTC marker is also read from XMP when there is no valid C2PA — this catches images that lost their signature on resize but kept the XMP. - Generating tool (fallback): if there is no
digitalSourceTypeat all, theSoftware/CreatorTooltag is matched against a curated list of unambiguous generative-AI tools (Midjourney, DALL-E, Stable Diffusion, Adobe Firefly, …). Ambiguous editors like Photoshop or GIMP are deliberately not on that list.
The crawler fetches all pages from the sitemap and extracts image URLs via regex over the raw HTML — so it also finds images in web-component attributes and shadow DOM, not just classic <img src>. If no direct sitemap URL is given, it is discovered automatically (robots.txt, then common paths).
# Launch the TUI (default when no command is given)
c2pa-scanner
c2pa-scanner tui https://www.example.com/sitemap.xml
# Crawl a sitemap and check every image
c2pa-scanner scan https://www.example.com/sitemap.xml
# Create a signed C2PA test image (positive test fixture)
c2pa-scanner make-testimage ./test-ai.jpg
Honest about the limits
A provenance scan is an indicator, not proof. Images with no provenance signal at all (no C2PA, no XMP/EXIF) cannot be flagged as AI — metadata can be stripped, and screenshots as well as many platforms remove it on upload. A hit is a solid indication for AI; its absence is not proof against it. And: any resize/crop breaks the C2PA signature, so scan the original master where possible.
Alternatives like invisible watermarks (SynthID), ML classifiers or forensic analysis are deliberately not built in — the reasons are laid out in the README. The guiding principle: prefer a few solid signals (provenance) over many uncertain ones.
What it is for — and what it is not
The tool checks your own images and pages so you can label them in line with the AI Act. It is explicitly not meant to scan third-party websites and turn findings into cease-and-desist letters. It is not legal advice and not proof of a violation.
For a more complete sitemap than the official one, the companion tool sitemap-tracker is worth a look — its XML output can be loaded directly as a local file.
Links: GitHub repo · Project page · Article 50 full text