Compliance Evidence Mapping

Automatically map security findings to compliance controls and generate audit-ready evidence packs.

Supported Frameworks

SOC 2 Type II

Trust Services Criteria

  • CC6.1 - Logical Access Security
  • CC6.6 - System Boundaries
  • CC7.1 - Vulnerability Management
  • + 3 more controls

ISO/IEC 27001:2022

Information Security Management

  • A.5.15 - Access Control
  • A.8.8 - Technical Vulnerabilities
  • A.8.28 - Secure Coding
  • + 4 more controls

PCI DSS v4.0

Payment Card Industry

  • 6.2 - Secure Development
  • 6.3 - Vulnerability Management
  • 11.3 - Vulnerability Scanning
  • + 5 more controls

HIPAA Security Rule

Healthcare Data Protection

  • 164.308 - Administrative Safeguards
  • 164.312 - Technical Safeguards
  • Access, Audit, Transmission
  • 9 controls total

NIST CSF 2.0

Cybersecurity Framework

  • ID - Identify (Asset, Risk)
  • PR - Protect (Access, Data)
  • DE - Detect (Monitoring)
  • 10 controls total

GDPR

EU Data Protection

  • Art.25 - Privacy by Design
  • Art.32 - Security of Processing
  • Art.33 - Breach Notification
  • 7 controls total

Framework Details

SOC 2 Type II

What it is: SOC 2 (System and Organization Controls 2) is an attestation framework developed by the AICPA that evaluates how a service organization protects customer data against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A Type II report covers the operating effectiveness of controls over a review period (typically 6 to 12 months), so point-in-time scan evidence has to be collected repeatedly across that period rather than once.

Who needs it: SaaS companies, cloud service providers, data centers, and any organization that stores or processes customer data. Commonly requested by enterprise customers during procurement and vendor risk reviews before a contract is signed.

CodePhreak maps: CC6.1 (Access), CC6.6 (Boundaries), CC6.7 (Transmission), CC7.1 (Vulnerabilities), CC7.2 (Monitoring), CC8.1 (Change Management)

ISO/IEC 27001:2022

What it is: ISO 27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive information through risk assessment and security controls.

Who needs it: Organizations seeking international recognition of their security practices, especially those operating globally or serving government/enterprise clients. Often required for EU contracts.

CodePhreak maps: A.5.15 (Access), A.5.33 (Records), A.8.8 (Vulnerabilities), A.8.9 (Configuration), A.8.12 (Data Leakage), A.8.16 (Monitoring), A.8.28 (Secure Coding)

PCI DSS v4.0

What it is: The Payment Card Industry Data Security Standard (PCI DSS) is the set of security requirements maintained by the PCI Security Standards Council for organizations that handle payment card data. Version 4.0 keeps the prescriptive defined approach but adds a customized approach, under which an organization may meet a requirement's stated objective with its own controls, backed by a documented targeted risk analysis.

Who needs it: Any organization that accepts, processes, stores, or transmits credit card information. Mandatory for merchants, payment processors, and service providers in the payment ecosystem.

CodePhreak maps: Req 1.3 (Network), 2.2 (Config), 3.4 (Encryption), 4.2 (Transmission), 6.2-6.3 (Development), 10.2 (Logging), 11.3 (Scanning)

HIPAA Security Rule

What it is: The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes national standards for protecting electronic Protected Health Information (ePHI). It requires administrative, physical, and technical safeguards.

Who needs it: Healthcare providers, health plans, healthcare clearinghouses, and their business associates. Any organization handling patient health data in the United States.

CodePhreak maps: 164.308 (Administrative: Security Management, Workforce, Access Management), 164.312 (Technical: Access Control, Audit, Integrity, Authentication, Transmission Security)

NIST Cybersecurity Framework 2.0

What it is: The NIST Cybersecurity Framework is a voluntary framework developed by the National Institute of Standards and Technology. Version 2.0 (2024) organizes cybersecurity outcomes into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Govern is new in 2.0; CSF 1.1 had only the other five.

Who needs it: US federal agencies (mandatory), critical infrastructure operators, and organizations seeking a comprehensive cybersecurity program. Widely adopted as a best-practice framework globally.

CodePhreak maps: ID.AM (Assets), ID.RA (Risk), PR.AC (Access), PR.DS (Data Security), PR.IP (Protection), PR.PT (Technology), DE.AE (Anomalies), DE.CM (Monitoring), RS.AN (Analysis), RC.RP (Recovery). Note that PR.AC, PR.IP and PR.PT are CSF 1.1 category identifiers; CSF 2.0 restructured the Protect function (access control now sits under PR.AA and platform hardening under PR.PS), so confirm which category set your assessor expects before citing these IDs in evidence.

GDPR (General Data Protection Regulation)

What it is: The General Data Protection Regulation is a comprehensive EU law on data protection and privacy. It gives individuals control over their personal data and requires organizations to implement appropriate technical and organizational measures to protect that data.

Who needs it: Any organization that processes personal data of EU residents, regardless of where the organization is located. Applies to companies offering goods/services to EU residents or monitoring their behavior.

CodePhreak maps: Art.5 (Processing Principles), Art.25 (Privacy by Design), Art.30 (Records of Processing), Art.32 (Security of Processing), Art.33 (Breach Notification), Art.35 (Impact Assessment), Art.44 (Cross-Border Transfer)

How It Works

📊 Scan Results: SAST, CSPM, DAST, Runtime
   →
🔗 Control Mapping: Rule → Framework Control
   →
📋 Evidence Pack: JSON, HTML Reports

CLI Commands

List Frameworks

$ codephreak compliance --list-frameworks

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”“
โ”ƒ ID        โ”ƒ Name                      โ”ƒ Version โ”ƒ Controls โ”ƒ
โ”กโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ฉ
โ”‚ soc2      โ”‚ SOC 2 Type II             โ”‚ 2017    โ”‚ 6        โ”‚
โ”‚ iso27001  โ”‚ ISO/IEC 27001:2022        โ”‚ 2022    โ”‚ 7        โ”‚
โ”‚ pci-dss   โ”‚ PCI DSS v4.0              โ”‚ 4.0     โ”‚ 8        โ”‚
โ”‚ hipaa     โ”‚ HIPAA Security Rule       โ”‚ 2013    โ”‚ 9        โ”‚
โ”‚ nist-csf  โ”‚ NIST Cybersecurity Frmwk  โ”‚ 2.0     โ”‚ 10       โ”‚
โ”‚ gdpr      โ”‚ GDPR                      โ”‚ 2018    โ”‚ 7        โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Generate Compliance Report

# SOC 2 report from multiple scan sources
$ codephreak compliance \
    --framework soc2 \
    --sast-file scan_results.json \
    --cspm-file cspm_results.json \
    --output ./evidence

📄 Loaded 47 SAST findings
☁️ Loaded 23 CSPM findings

📋 Generating SOC2 compliance report...

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”“
โ”ƒ Status           โ”ƒ Controls โ”ƒ
โ”กโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ฉ
โ”‚ โœ… Compliant     โ”‚        3 โ”‚
โ”‚ โŒ Non-Compliant โ”‚        2 โ”‚
โ”‚ โš ๏ธ Partial       โ”‚        1 โ”‚
โ”‚ โ“ Not Assessed  โ”‚        0 โ”‚
โ”‚ Total            โ”‚        6 โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

๐Ÿ“Š Compliance Score: 50.0%
๐Ÿ”ด Critical/High Findings: 12

๐Ÿ“ Evidence pack saved to: ./evidence
   โ€ข compliance_soc2_20260101_120000.json
   โ€ข compliance_soc2_20260101_120000.html

SARIF Consolidation

Merge findings from all scan types into a single SARIF 2.1.0 log for upload to GitHub Code Scanning, import into DefectDojo, or use with any other SARIF 2.1.0 consumer.

$ codephreak consolidate \
    --sast-file sast.json \
    --cspm-file cspm.json \
    --dast-file dast.json \
    --runtime-file runtime.json \
    --output all_findings.sarif

📄 Added 47 SAST findings
☁️ Added 23 CSPM findings
🔍 Added 15 DAST findings
🛡️ Added 8 runtime alerts

✅ Consolidated 93 findings into: all_findings.sarif
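The shape of the consolidated log matters more than the count line above: each downstream tool keys on the SARIF runs, rules and result locations. The following is an added example of how such a merge can be built, not the codephreak consolidate command's own code. The input record shape, the tool names, the sample findings and the severity-to-level mapping are assumptions; the output structure follows the SARIF 2.1.0 specification, with one run per scanner so the origin of every result survives the merge, and with the scanner's finer-grained severity carried on each rule as the security-severity property that GitHub Code Scanning reads.

```python
"""Consolidate findings from several scanners into one SARIF 2.1.0 log.

Added illustration, not the codephreak consolidate command itself. The
record shape, tool names, sample findings and severity mapping are
assumptions; the document layout (one run per tool, each carrying its
driver's rules and results with ruleId/level/message/locations) follows
the SARIF 2.1.0 specification.
"""
from __future__ import annotations

import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# SARIF "level" only distinguishes error/warning/note/none, so the finer
# scanner severity is kept on the rule as "security-severity" (0-10 scale,
# which GitHub Code Scanning reads to label critical/high/medium/low).
LEVEL = {"critical": "error", "high": "error", "medium": "warning",
         "low": "note", "info": "note"}
SECURITY_SEVERITY = {"critical": "9.5", "high": "8.0", "medium": "5.0",
                     "low": "2.0", "info": "0.0"}

# Constructed sample input (not real scan output): one list per scan type,
# all normalised to the same record shape before consolidation.
SOURCES = {
    "codephreak-sast": [
        {"rule_id": "hardcoded-credentials", "severity": "high",
         "message": "Secret key assigned to a string literal",
         "uri": "config/database.py", "line": 12},
        {"rule_id": "sql-injection", "severity": "critical",
         "message": "User input concatenated into a SQL query",
         "uri": "app/views.py", "line": 88},
    ],
    "codephreak-cspm": [
        {"rule_id": "s3-public-read", "severity": "high",
         "message": "Bucket ACL grants public-read",
         "uri": "infra/s3.tf", "line": 4},
    ],
    "codephreak-dast": [
        {"rule_id": "missing-hsts", "severity": "low",
         "message": "Strict-Transport-Security header absent",
         "uri": "https://app.example.test/login", "line": None},
    ],
    "codephreak-runtime": [
        {"rule_id": "runtime-anomaly", "severity": "medium",
         "message": "Unexpected outbound connection from web pod",
         "uri": None, "line": None},
    ],
}


def to_result(rec: dict) -> dict:
    """One SARIF result; the location is optional (runtime alerts have no file)."""
    result = {
        "ruleId": rec["rule_id"],
        "level": LEVEL.get(rec["severity"], "warning"),
        "message": {"text": rec["message"]},
    }
    if rec.get("uri"):
        physical = {"artifactLocation": {"uri": rec["uri"]}}
        if rec.get("line"):
            physical["region"] = {"startLine": rec["line"]}
        result["locations"] = [{"physicalLocation": physical}]
    return result


def to_run(tool_name: str, records: list) -> dict:
    """One run per scanner so the origin of each result survives the merge."""
    rules: dict[str, dict] = {}
    for rec in records:
        sev = SECURITY_SEVERITY[rec["severity"]]
        rule = rules.setdefault(rec["rule_id"], {
            "id": rec["rule_id"], "properties": {"security-severity": sev}})
        # A rule reported at several severities keeps the highest one.
        if float(sev) > float(rule["properties"]["security-severity"]):
            rule["properties"]["security-severity"] = sev
    return {
        "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
        "results": [to_result(rec) for rec in records],
    }


def consolidate(sources: dict) -> dict:
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0",
            "runs": [to_run(name, recs) for name, recs in sources.items()]}


def count_results(log: dict) -> int:
    return sum(len(run["results"]) for run in log["runs"])


def to_json(log: dict) -> str:
    return json.dumps(log, indent=2)


if __name__ == "__main__":
    log = consolidate(SOURCES)
    print(f"Consolidated {count_results(log)} findings into {len(log['runs'])} runs")
    with open("all_findings.sarif", "w", encoding="utf-8") as fh:
        fh.write(to_json(log))
```

Keeping one run per tool is deliberate: collapsing everything into a single run would force all scanners under one driver name and lose the ability to filter by source in the consumer. GitHub Code Scanning enforces limits on runs per uploaded file and results per run, so very large consolidations may need to be split across uploads.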

Control Mapping Examples

Finding Type                  SOC 2 Control   ISO 27001   PCI DSS
Hardcoded credentials         CC6.1           A.5.15      2.2
SQL injection                 CC6.6           A.8.28      6.2
Vulnerable dependency (CVE)   CC7.1           A.8.8       6.3
Missing encryption            CC6.7           A.5.33      3.4
Runtime anomaly               CC7.2           A.8.16      10.2

Evidence Pack Format

The JSON evidence pack contains structured data suitable for auditor review:

{
  "framework": "soc2",
  "framework_name": "SOC 2 Type II",
  "generated_at": "2026-01-01T12:00:00",
  "summary": {
    "total_controls": 6,
    "compliant": 3,
    "non_compliant": 2,
    "partial": 1,
    "compliance_score": 50.0,
    "critical_findings": 12
  },
  "controls": [
    {
      "control_id": "CC6.1",
      "title": "Logical Access Security",
      "status": "non_compliant",
      "finding_count": 5,
      "findings": [
        {
          "rule_id": "hardcoded-credentials",
          "severity": "high",
          "file": "config/database.py"
        }
      ]
    }
  ]
}
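To make the link between the Control Mapping Examples table and this evidence-pack document concrete, here is an added example that walks constructed findings through the mapping and produces a pack in the shape shown above. It is not CodePhreak's implementation. The rule-to-control table is the one on this page; the status rules (a control is non_compliant if any mapped finding is critical or high, partial if only medium or low findings map to it, compliant if none do), the score formula (compliant controls divided by total, with partial counting as zero, which reproduces the 3 of 6 = 50.0% shown above), the SOC 2 control titles beyond those on this page, the fails_gate helper and the extra unmapped_findings field are all assumptions. That last field is the practitioner's caveat: a finding whose rule has no mapping would otherwise vanish from the pack without trace, and an auditor cannot assess what is not recorded.

```python
"""Map scan findings to framework controls and assemble an evidence pack.

Added illustration, not CodePhreak's own code. The rule-to-control table
is the one shown on this page; the status rules, the score formula
(compliant / total, partial counts as zero), the fails_gate helper and the
unmapped_findings field are assumptions.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timezone

# Rule -> control per framework, from the Control Mapping Examples table.
CONTROL_MAP: dict[str, dict[str, str]] = {
    "hardcoded-credentials": {"soc2": "CC6.1", "iso27001": "A.5.15", "pci-dss": "2.2"},
    "sql-injection":         {"soc2": "CC6.6", "iso27001": "A.8.28", "pci-dss": "6.2"},
    "vulnerable-dependency": {"soc2": "CC7.1", "iso27001": "A.8.8",  "pci-dss": "6.3"},
    "missing-encryption":    {"soc2": "CC6.7", "iso27001": "A.5.33", "pci-dss": "3.4"},
    "runtime-anomaly":       {"soc2": "CC7.2", "iso27001": "A.8.16", "pci-dss": "10.2"},
}

# Control titles for the SOC 2 controls this page lists. Another framework
# only needs its own {control_id: title} table added here.
FRAMEWORKS: dict[str, tuple[str, dict[str, str]]] = {
    "soc2": ("SOC 2 Type II", {
        "CC6.1": "Logical Access Security",
        "CC6.6": "System Boundaries",
        "CC6.7": "Transmission of Data",
        "CC7.1": "Vulnerability Management",
        "CC7.2": "System Monitoring",
        "CC8.1": "Change Management",
    }),
}

HIGH_SEVERITY = {"critical", "high"}


def assess(findings: list[dict], framework: str = "soc2") -> dict:
    """Group findings by mapped control and build the evidence-pack document."""
    framework_name, controls = FRAMEWORKS[framework]
    by_control: dict[str, list[dict]] = defaultdict(list)
    unmapped = 0
    for f in findings:
        control_id = CONTROL_MAP.get(f["rule_id"], {}).get(framework)
        if control_id is None:
            unmapped += 1  # assumed field: auditors should see these were never assessed
            continue
        by_control[control_id].append(f)

    entries = []
    for control_id, title in controls.items():
        mapped = by_control.get(control_id, [])
        if not mapped:
            status = "compliant"
        elif any(f["severity"] in HIGH_SEVERITY for f in mapped):
            status = "non_compliant"
        else:
            status = "partial"
        entries.append({
            "control_id": control_id,
            "title": title,
            "status": status,
            "finding_count": len(mapped),
            "findings": [{"rule_id": f["rule_id"], "severity": f["severity"],
                          "file": f["file"]} for f in mapped],
        })

    counts = {s: sum(1 for e in entries if e["status"] == s)
              for s in ("compliant", "non_compliant", "partial")}
    total = len(entries)
    return {
        "framework": framework,
        "framework_name": framework_name,
        "generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "summary": {
            "total_controls": total,
            **counts,
            "compliance_score": round(100.0 * counts["compliant"] / total, 1) if total else 0.0,
            "critical_findings": sum(1 for f in findings if f["severity"] in HIGH_SEVERITY),
        },
        "controls": entries,
        "unmapped_findings": unmapped,
    }


def fails_gate(pack: dict, max_non_compliant: int = 0) -> bool:
    """CI gate: True when more controls are non-compliant than policy allows."""
    return pack["summary"]["non_compliant"] > max_non_compliant


# Constructed sample findings (not real scan output); the last rule has no mapping.
SAMPLE_FINDINGS = [
    {"rule_id": "hardcoded-credentials", "severity": "high",     "file": "config/database.py"},
    {"rule_id": "hardcoded-credentials", "severity": "medium",   "file": "scripts/deploy.sh"},
    {"rule_id": "sql-injection",         "severity": "critical", "file": "app/views.py"},
    {"rule_id": "missing-encryption",    "severity": "low",      "file": "infra/s3.tf"},
    {"rule_id": "unpinned-base-image",   "severity": "low",      "file": "Dockerfile"},
]

if __name__ == "__main__":
    pack = assess(SAMPLE_FINDINGS, "soc2")
    print(json.dumps(pack, indent=2))
    raise SystemExit(1 if fails_gate(pack) else 0)
```

Two points to carry over to any real pipeline: first, the status of a control depends entirely on which rules map to it, so a control with no mapped rule (CC8.1 in the table above) reports compliant by construction and needs other evidence; second, the score is only as honest as the unmapped count next to it.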

CI/CD Integration

# .github/workflows/compliance.yml
name: Compliance Check

on:
  schedule:
    - cron: '0 0 * * 0'  # Weekly

jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      # Assumes the codephreak CLI is already on the runner's PATH; add an
      # install step before this one if your runner image does not ship it.
      - name: Run security scans
        run: |
          codephreak scan -t . -f json -o sast.json
          codephreak cspm scan --output cspm.json
      
      - name: Generate compliance report
        run: |
          codephreak compliance \
            --framework soc2 \
            --sast-file sast.json \
            --cspm-file cspm.json \
            --output compliance_evidence
      
      - name: Upload evidence pack
        uses: actions/upload-artifact@v4
        with:
          name: compliance-evidence
          path: compliance_evidence/

Related Documentation