Compliance Audit
CKB maps every code finding to the regulatory frameworks it violates. Run ckb review --format=compliance and get a report that maps secrets, breaking changes, bug patterns, and health issues to 20 regulations — GDPR, PCI DSS, HIPAA, SOC 2, ISO 27001, and more.
Key idea: One finding, many regulations. A hardcoded credential violates PCI DSS Req 2.1, HIPAA 164.312(d), SOC 2 CC6.1, ISO 27001 A.9.2.4, and NIST 800-53 IA-5 — all surfaced automatically from a single secrets check.
```bash
# 1. Run compliance review
ckb review --format=compliance
# 2. Filter to specific frameworks
ckb review --format=compliance --compliance-frameworks=pci-dss,hipaa
# 3. Gate CI on compliance violations
ckb review --format=compliance --fail-on=critical --ci
# 4. Export for auditors
ckb review --format=compliance --output=audit-report.json
```

CKB ships with mappings for 20 regulatory frameworks across data privacy, financial, healthcare, government, security best practices, and safety-critical domains.

| Framework | Scope | What CKB Checks |
|---|---|---|
| GDPR | Data privacy (EU) | PII handling, consent, data retention, right-to-erasure |
| PCI DSS | Payment card data | Cardholder data exposure, encryption, access control |
| HIPAA | Healthcare (US) | PHI access, audit trails, encryption at rest/transit |
| SOC 2 | Service organizations | Access control, change management, monitoring |
| ISO 27001 | Information security | Asset management, access control, cryptography |
| NIST 800-53 | Federal systems (US) | Security controls, continuous monitoring |
| NIST CSF | Cybersecurity framework | Identify, protect, detect, respond, recover |
| FedRAMP | Cloud services (US Gov) | Inherited controls, boundary protection |
| CCPA | Consumer privacy (CA) | Data collection, opt-out, deletion requests |
| SOX | Financial reporting | Change controls, audit logging, segregation of duties |
| DORA | Financial services (EU) | ICT risk, incident reporting, resilience testing |
| NIS2 | Critical infrastructure (EU) | Risk management, incident handling, supply chain |
| FISMA | Federal agencies (US) | Risk assessment, security authorization |
| CIS Controls | Security best practices | Inventory, secure config, vulnerability mgmt |
| OWASP Top 10 | Web application security | Injection, auth, XSS, SSRF, misconfig |
| IEC 62443 | Industrial automation | Zone segmentation, access control, patch mgmt |
| ISO 21434 | Automotive cybersecurity | Threat analysis, risk treatment, validation |
| DO-178C | Aviation software | Traceability, coverage, verification |
| IEC 61508 | Functional safety | SIL classification, V-model lifecycle, diagnostics |
| MISRA C | Safety-critical C code | Coding rules, static analysis, deviations |
Each of CKB's 20 review checks is tagged with the regulations it relates to. When a check fires, the compliance report lists every applicable regulation with its specific clause reference.
Finding: Hardcoded database credentials in config/db.go:42
Check: secrets (critical)

| Framework | Clause |
|---|---|
| PCI DSS | Req 2.1 — Do not use vendor-supplied defaults |
| HIPAA | 164.312(d) — Authentication mechanism |
| SOC 2 | CC6.1 — Logical access security |
| ISO 27001 | A.9.2.4 — Secret authentication management |
| NIST 800-53 | IA-5 — Authenticator management |

Finding: User email logged without redaction in api/handler.go:118
Check: bug-patterns (high)

| Framework | Clause |
|---|---|
| GDPR | Art. 5(1)(f) — Integrity and confidentiality |
| CCPA | 1798.150 — Personal information safeguards |
| HIPAA | 164.312(b) — Audit controls |
| SOC 2 | CC6.1 — Logical access security |

Finding: Public function ProcessPayment() removed from api/v2
Check: breaking (critical)

| Framework | Clause |
|---|---|
| PCI DSS | Req 6.4 — Change control processes |
| SOX | Section 404 — Internal controls over financial reporting |
| DORA | Art. 9 — ICT change management |

CKB detects GDPR-relevant findings through these checks:

| Check | What It Catches |
|---|---|
| secrets | Exposed PII or credentials containing personal data |
| bug-patterns | Unredacted personal data in logs, error messages |
| health | Poor code quality in data-handling modules |
| test-gaps | Untested data processing paths |
| blast-radius | Changes to data-processing code with wide impact |

PCI DSS-relevant findings (cardholder data and payment processing) come from these checks:

| Check | What It Catches |
|---|---|
| secrets | Hardcoded credentials, cardholder data exposure |
| breaking | Changes to payment processing APIs without controls |
| complexity | Overly complex payment logic prone to errors |
| health | Degraded code quality in cardholder data environment |
| coupling | Tight coupling between payment and non-payment code |

HIPAA-relevant findings (PHI handling and access control) come from these checks:

| Check | What It Catches |
|---|---|
| secrets | Exposed PHI, unprotected health records |
| bug-patterns | PHI in logs, missing audit trail patterns |
| test-gaps | Untested access control paths |
| dead-code | Orphaned code with PHI handling logic |
| critical-path | Changes to authentication/authorization code |

Findings relevant to SOC 2 and SOX (change management, monitoring, segregation of duties) come from these checks:

| Check | What It Catches |
|---|---|
| secrets | Credential management violations |
| breaking | Unauthorized API changes (change management) |
| health | Code quality degradation (monitoring) |
| independence | Reviewer conflict detection (segregation of duties) |
| coupling | Hidden dependencies affecting availability |

Findings relevant to the safety-critical frameworks (IEC 61508, DO-178C, MISRA C) come from these checks:

| Check | What It Catches |
|---|---|
| traceability | Requirements-to-code traceability gaps |
| test-gaps | Missing test coverage for safety functions |
| complexity | Excessive complexity in safety-critical paths |
| dead-code | Unreachable code violating coding standards |
| format-consistency | Style violations in safety-critical code |

By default, all 20 frameworks are active. Restrict to specific frameworks in .ckb/config.json:

```json
{
  "compliance": {
    "frameworks": ["gdpr", "pci-dss", "hipaa", "soc-2"],
    "failOn": "high",
    "outputPath": "compliance-reports/"
  }
}
```

Add your own regulation mappings in .ckb/compliance.json:
```json
{
  "customFrameworks": [
    {
      "id": "internal-policy",
      "name": "Internal Security Policy",
      "mappings": {
        "secrets": { "ref": "ISP-4.2", "description": "Credential management" },
        "breaking": { "ref": "ISP-6.1", "description": "Change control" }
      }
    }
  ]
}
```

Configure which severity levels trigger compliance failures:
```json
{
  "compliance": {
    "failOn": "high",
    "severityOverrides": {
      "pci-dss": "medium",
      "hipaa": "medium"
    }
  }
}
```

GitHub Actions workflow:

```yaml
name: Compliance Gate
on: [pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install CKB
        run: npm install -g @tastehub/ckb
      - name: Index
        run: ckb index
      - name: Compliance Review
        run: ckb review --format=compliance --fail-on=high --ci
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: compliance-report
          path: compliance-reports/
```

GitLab CI job:

```yaml
compliance:
  stage: test
  script:
    - npm install -g @tastehub/ckb
    - ckb index
    - ckb review --format=compliance --fail-on=high --ci
  artifacts:
    paths:
      - compliance-reports/
    when: always
```

Shell script:

```sh
#!/bin/sh
ckb review --format=compliance --fail-on=critical --checks=secrets,breaking
```

Command reference:

```bash
# Full compliance review (all 20 frameworks)
ckb review --format=compliance
# Specific frameworks only
ckb review --format=compliance --compliance-frameworks=gdpr,pci-dss,hipaa
# Specific checks only
ckb review --format=compliance --checks=secrets,breaking,bug-patterns
# CI mode (exit code reflects pass/fail)
ckb review --format=compliance --ci
# Fail on severity threshold
ckb review --format=compliance --fail-on=high
# Custom base branch
ckb review --format=compliance --base=develop
# JSON output for tooling
ckb review --format=compliance --output=report.json
# Markdown output for PR comments
ckb review --format=compliance --output=report.md --format=markdown
```

The reviewPR MCP tool supports compliance output:

```json
{
  "tool": "reviewPR",
  "params": {
    "format": "compliance",
    "complianceFrameworks": ["gdpr", "pci-dss", "hipaa"],
    "failOn": "high"
  }
}
```

The compliance JSON output includes:
```json
{
  "summary": {
    "score": 34,
    "verdict": "FAIL",
    "totalFindings": 7,
    "frameworkSummary": {
      "pci-dss": { "critical": 2, "high": 1 },
      "hipaa": { "critical": 1, "high": 1 },
      "gdpr": { "high": 2 },
      "soc-2": { "high": 1, "medium": 1 }
    }
  },
  "findings": [
    {
      "id": "f-1",
      "file": "config/db.go",
      "line": 42,
      "check": "secrets",
      "severity": "critical",
      "message": "Hardcoded database credentials",
      "regulations": [
        { "framework": "pci-dss", "ref": "Req 2.1", "description": "Do not use vendor-supplied defaults" },
        { "framework": "hipaa", "ref": "164.312(d)", "description": "Authentication mechanism" }
      ]
    }
  ]
}
```

See also: Code Review, Security, Features#code-quality--risk, CI-CD-Integration
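To consume the compliance JSON above in your own tooling, here is an added example (not CKB's own code) that applies the failOn and severityOverrides settings from .ckb/config.json to a report of this shape and rebuilds a per-framework summary. It assumes that an override lowers the failure threshold for every finding mapped to that framework; the sample report is constructed, modelled on the findings on this page.

```javascript
// Added example, not CKB's own code: apply the failOn / severityOverrides gate
// from .ckb/config.json to a compliance report of the shape shown above.
// Assumption: an override lowers the failure threshold for every finding that
// maps to that framework; a finding below every applicable threshold passes.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Returns { verdict, violations }: one violation per (finding, regulation)
// pair whose severity reaches the threshold that applies to that framework.
function evaluateGate(report, compliance) {
  const globalThreshold = compliance.failOn || "critical";
  const overrides = compliance.severityOverrides || {};
  const violations = [];
  for (const f of report.findings) {
    for (const reg of f.regulations) {
      const threshold = overrides[reg.framework] || globalThreshold;
      if (SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]) {
        violations.push({ id: f.id, location: `${f.file}:${f.line}`,
          framework: reg.framework, ref: reg.ref, severity: f.severity, threshold });
      }
    }
  }
  return { verdict: violations.length > 0 ? "FAIL" : "PASS", violations };
}

// Per-framework severity counts, in the shape of summary.frameworkSummary above.
function summarizeByFramework(violations) {
  const out = {};
  for (const v of violations) {
    out[v.framework] = out[v.framework] || {};
    out[v.framework][v.severity] = (out[v.framework][v.severity] || 0) + 1;
  }
  return out;
}

// Constructed sample: the two findings from this page, with f-2 downgraded to
// "medium" so that only the HIPAA override (not the global "high") catches it.
const SAMPLE_REPORT = { findings: [
  { id: "f-1", file: "config/db.go", line: 42, check: "secrets", severity: "critical",
    regulations: [{ framework: "pci-dss", ref: "Req 2.1" }, { framework: "hipaa", ref: "164.312(d)" }] },
  { id: "f-2", file: "api/handler.go", line: 118, check: "bug-patterns", severity: "medium",
    regulations: [{ framework: "gdpr", ref: "Art. 5(1)(f)" }, { framework: "hipaa", ref: "164.312(b)" }] },
] };
// The severity configuration from the section above.
const SAMPLE_CONFIG = { failOn: "high", severityOverrides: { "pci-dss": "medium", hipaa: "medium" } };

const RESULT = evaluateGate(SAMPLE_REPORT, SAMPLE_CONFIG);
console.log(RESULT.verdict, JSON.stringify(summarizeByFramework(RESULT.violations)));
```

With the page's config this reports FAIL with three violations: both regulations of f-1 and the HIPAA mapping of f-2, while the GDPR mapping of f-2 stays below the global "high" threshold.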