Compliance Audit

Lisa edited this page Mar 25, 2026 · 5 revisions

CKB maps every code finding to the regulatory frameworks it violates. Run ckb review --format=compliance and get a report that maps secrets, breaking changes, bug patterns, and health issues to 20 regulations — GDPR, PCI DSS, HIPAA, SOC 2, ISO 27001, and more.

Key idea: One finding, many regulations. A hardcoded credential violates PCI DSS Req 2.1, HIPAA 164.312(d), SOC 2 CC6.1, ISO 27001 A.9.2.4, and NIST 800-53 IA-5 — all surfaced automatically from a single secrets check.


Quick Start

# 1. Run compliance review
ckb review --format=compliance

# 2. Filter to specific frameworks
ckb review --format=compliance --compliance-frameworks=pci-dss,hipaa

# 3. Gate CI on compliance violations
ckb review --format=compliance --fail-on=critical --ci

# 4. Export for auditors
ckb review --format=compliance --output=audit-report.json

Supported Frameworks

CKB ships with mappings for 20 regulatory frameworks across data privacy, financial, healthcare, government, security best practices, and safety-critical domains.

| Framework | Scope | What CKB Checks |
|---|---|---|
| GDPR | Data privacy (EU) | PII handling, consent, data retention, right-to-erasure |
| PCI DSS | Payment card data | Cardholder data exposure, encryption, access control |
| HIPAA | Healthcare (US) | PHI access, audit trails, encryption at rest/transit |
| SOC 2 | Service organizations | Access control, change management, monitoring |
| ISO 27001 | Information security | Asset management, access control, cryptography |
| NIST 800-53 | Federal systems (US) | Security controls, continuous monitoring |
| NIST CSF | Cybersecurity framework | Identify, protect, detect, respond, recover |
| FedRAMP | Cloud services (US Gov) | Inherited controls, boundary protection |
| CCPA | Consumer privacy (CA) | Data collection, opt-out, deletion requests |
| SOX | Financial reporting | Change controls, audit logging, segregation of duties |
| DORA | Financial services (EU) | ICT risk, incident reporting, resilience testing |
| NIS2 | Critical infrastructure (EU) | Risk management, incident handling, supply chain |
| FISMA | Federal agencies (US) | Risk assessment, security authorization |
| CIS Controls | Security best practices | Inventory, secure config, vulnerability mgmt |
| OWASP Top 10 | Web application security | Injection, auth, XSS, SSRF, misconfig |
| IEC 62443 | Industrial automation | Zone segmentation, access control, patch mgmt |
| ISO 21434 | Automotive cybersecurity | Threat analysis, risk treatment, validation |
| DO-178C | Aviation software | Traceability, coverage, verification |
| IEC 61508 | Functional safety | SIL classification, V-model lifecycle, diagnostics |
| MISRA C | Safety-critical C code | Coding rules, static analysis, deviations |

Cross-Framework Mapping

Each of CKB's 20 review checks is tagged with the regulations it relates to. When a check fires, the compliance report lists every applicable regulation with its specific clause reference.

Example: Hardcoded Credentials

Finding: Hardcoded database credentials in config/db.go:42
Check: secrets (critical)

| Framework | Clause |
|---|---|
| PCI DSS | Req 2.1 — Do not use vendor-supplied defaults |
| HIPAA | 164.312(d) — Authentication mechanism |
| SOC 2 | CC6.1 — Logical access security |
| ISO 27001 | A.9.2.4 — Secret authentication management |
| NIST 800-53 | IA-5 — Authenticator management |

Example: PII in Logs

Finding: User email logged without redaction in api/handler.go:118
Check: bug-patterns (high)

| Framework | Clause |
|---|---|
| GDPR | Art. 5(1)(f) — Integrity and confidentiality |
| CCPA | 1798.150 — Personal information safeguards |
| HIPAA | 164.312(b) — Audit controls |
| SOC 2 | CC6.1 — Logical access security |

Example: Breaking API Change

Finding: Public function ProcessPayment() removed from api/v2
Check: breaking (critical)

| Framework | Clause |
|---|---|
| PCI DSS | Req 6.4 — Change control processes |
| SOX | Section 404 — Internal controls over financial reporting |
| DORA | Art. 9 — ICT change management |

Check Details by Framework

GDPR

CKB detects GDPR-relevant findings through these checks:

| Check | What It Catches |
|---|---|
| secrets | Exposed PII or credentials containing personal data |
| bug-patterns | Unredacted personal data in logs, error messages |
| health | Poor code quality in data-handling modules |
| test-gaps | Untested data processing paths |
| blast-radius | Changes to data-processing code with wide impact |

PCI DSS

| Check | What It Catches |
|---|---|
| secrets | Hardcoded credentials, cardholder data exposure |
| breaking | Changes to payment processing APIs without controls |
| complexity | Overly complex payment logic prone to errors |
| health | Degraded code quality in cardholder data environment |
| coupling | Tight coupling between payment and non-payment code |

HIPAA

| Check | What It Catches |
|---|---|
| secrets | Exposed PHI, unprotected health records |
| bug-patterns | PHI in logs, missing audit trail patterns |
| test-gaps | Untested access control paths |
| dead-code | Orphaned code with PHI handling logic |
| critical-path | Changes to authentication/authorization code |

SOC 2

| Check | What It Catches |
|---|---|
| secrets | Credential management violations |
| breaking | Unauthorized API changes (change management) |
| health | Code quality degradation (monitoring) |
| independence | Reviewer conflict detection (segregation of duties) |
| coupling | Hidden dependencies affecting availability |

Safety-Critical (DO-178C, IEC 61508, MISRA C)

| Check | What It Catches |
|---|---|
| traceability | Requirements-to-code traceability gaps |
| test-gaps | Missing test coverage for safety functions |
| complexity | Excessive complexity in safety-critical paths |
| dead-code | Unreachable code violating coding standards |
| format-consistency | Style violations in safety-critical code |

Configuration

Selecting Frameworks

By default, all 20 frameworks are active. Restrict to specific frameworks in .ckb/config.json:

{
  "compliance": {
    "frameworks": ["gdpr", "pci-dss", "hipaa", "soc-2"],
    "failOn": "high",
    "outputPath": "compliance-reports/"
  }
}

Custom Framework Mappings

Add your own regulation mappings in .ckb/compliance.json:

{
  "customFrameworks": [
    {
      "id": "internal-policy",
      "name": "Internal Security Policy",
      "mappings": {
        "secrets": { "ref": "ISP-4.2", "description": "Credential management" },
        "breaking": { "ref": "ISP-6.1", "description": "Change control" }
      }
    }
  ]
}

Severity Thresholds

Configure which severity levels trigger compliance failures:

{
  "compliance": {
    "failOn": "high",
    "severityOverrides": {
      "pci-dss": "medium",
      "hipaa": "medium"
    }
  }
}

CI/CD Integration

GitHub Actions

name: Compliance Gate
on: [pull_request]

jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install CKB
        run: npm install -g @tastehub/ckb

      - name: Index
        run: ckb index

      - name: Compliance Review
        run: ckb review --format=compliance --fail-on=high --ci

      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: compliance-report
          path: compliance-reports/

GitLab CI

compliance:
  stage: test
  script:
    - npm install -g @tastehub/ckb
    - ckb index
    - ckb review --format=compliance --fail-on=high --ci
  artifacts:
    paths:
      - compliance-reports/
    when: always

Pre-commit Hook

#!/bin/sh
ckb review --format=compliance --fail-on=critical --checks=secrets,breaking

CLI Reference

# Full compliance review (all 20 frameworks)
ckb review --format=compliance

# Specific frameworks only
ckb review --format=compliance --compliance-frameworks=gdpr,pci-dss,hipaa

# Specific checks only
ckb review --format=compliance --checks=secrets,breaking,bug-patterns

# CI mode (exit code reflects pass/fail)
ckb review --format=compliance --ci

# Fail on severity threshold
ckb review --format=compliance --fail-on=high

# Custom base branch
ckb review --format=compliance --base=develop

# JSON output for tooling
ckb review --format=compliance --output=report.json

# Markdown output for PR comments
ckb review --format=compliance --output=report.md --format=markdown

MCP Tool

The reviewPR MCP tool supports compliance output:

{
  "tool": "reviewPR",
  "params": {
    "format": "compliance",
    "complianceFrameworks": ["gdpr", "pci-dss", "hipaa"],
    "failOn": "high"
  }
}

Output Format

The compliance JSON output includes:

{
  "summary": {
    "score": 34,
    "verdict": "FAIL",
    "totalFindings": 7,
    "frameworkSummary": {
      "pci-dss": { "critical": 2, "high": 1 },
      "hipaa": { "critical": 1, "high": 1 },
      "gdpr": { "high": 2 },
      "soc-2": { "high": 1, "medium": 1 }
    }
  },
  "findings": [
    {
      "id": "f-1",
      "file": "config/db.go",
      "line": 42,
      "check": "secrets",
      "severity": "critical",
      "message": "Hardcoded database credentials",
      "regulations": [
        { "framework": "pci-dss", "ref": "Req 2.1", "description": "Do not use vendor-supplied defaults" },
        { "framework": "hipaa", "ref": "164.312(d)", "description": "Authentication mechanism" }
      ]
    }
  ]
}
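The following is an added example, not CKB's own code, showing how a consumer of the compliance JSON above can apply the custom framework mappings from .ckb/compliance.json, rebuild the per-framework summary, and apply the failOn and severityOverrides rules from the Severity Thresholds section. The report and config objects are constructed samples in the shapes this page documents; the gating rule (lowest applicable threshold wins) is this example's reading of severityOverrides, not a statement about CKB's internals.

```javascript
// Added example, not CKB's own code: post-process a compliance report by applying
// custom framework mappings, rebuilding frameworkSummary, and deciding the verdict
// from failOn plus per-framework severityOverrides. All sample data is constructed.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };
// Constructed sample: two findings in the report's output schema.
const sampleReport = {
  findings: [
    { id: "f-1", file: "config/db.go", line: 42, check: "secrets", severity: "critical",
      regulations: [{ framework: "pci-dss", ref: "Req 2.1" }, { framework: "hipaa", ref: "164.312(d)" }] },
    { id: "f-2", file: "api/handler.go", line: 118, check: "bug-patterns", severity: "medium",
      regulations: [{ framework: "gdpr", ref: "Art. 5(1)(f)" }] },
  ],
};
// Constructed sample in the shape of .ckb/compliance.json.
const customConfig = {
  customFrameworks: [{ id: "internal-policy", name: "Internal Security Policy",
    mappings: { secrets: { ref: "ISP-4.2", description: "Credential management" } } }],
};
// Attach the custom framework's clause reference to every finding whose check is mapped.
function applyCustomMappings(report, config) {
  const findings = report.findings.map((f) => {
    const extra = [];
    for (const fw of config.customFrameworks) {
      const m = fw.mappings[f.check];
      if (m) extra.push({ framework: fw.id, ref: m.ref, description: m.description });
    }
    return { ...f, regulations: [...f.regulations, ...extra] };
  });
  return { ...report, findings };
}
// Count findings per framework and severity (the report's frameworkSummary shape).
function frameworkSummary(findings) {
  const summary = {};
  for (const f of findings) {
    for (const r of f.regulations) {
      const bucket = (summary[r.framework] = summary[r.framework] || {});
      bucket[f.severity] = (bucket[f.severity] || 0) + 1;
    }
  }
  return summary;
}
// A finding fails the gate when its severity reaches the lowest threshold that applies
// to it: the global failOn, or a stricter override for any framework it maps to.
function verdict(findings, { failOn, severityOverrides = {} }) {
  const fails = findings.some((f) => {
    const limits = [failOn, ...f.regulations.map((r) => severityOverrides[r.framework]).filter(Boolean)];
    return SEVERITY_RANK[f.severity] >= Math.min(...limits.map((s) => SEVERITY_RANK[s]));
  });
  return fails ? "FAIL" : "PASS";
}
```

Feed the file written by --output=report.json into applyCustomMappings to see the same enrichment CKB performs for built-in frameworks applied to your own policy references.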

See also: Code Review, Security, Features#code-quality--risk, CI-CD-Integration