Compliance Audit
CKB audits your codebase against regulatory compliance frameworks. Run ckb audit compliance --framework=gdpr and get a structured report mapping findings to specific regulation articles, with severity scores, confidence levels, and CWE references.
Key idea: One finding, many regulations. A hardcoded credential violates PCI DSS 8.6.2, NIST 800-53 IA-5, SOC 2 CC6.1, OWASP ASVS V2.10.4, ISO 27001 A.8.4, and more — all surfaced automatically via cross-framework mapping.
```bash
# Audit against a specific framework
ckb audit compliance --framework=gdpr

# Multiple frameworks
ckb audit compliance --framework=gdpr,iso27001,pci-dss

# All 20 frameworks at once
ckb audit compliance --framework=all

# CI mode: exit code 1 on failure
ckb audit compliance --framework=gdpr --ci --fail-on=error

# Machine-readable output
ckb audit compliance --framework=all --format=json
ckb audit compliance --framework=all --format=sarif
ckb audit compliance --framework=all --format=markdown
```

CKB ships with 20 regulatory frameworks across data privacy, security, financial services, healthcare, AI governance, supply chain, and safety-critical domains.
| Framework | ID | What CKB Checks |
|---|---|---|
| GDPR | gdpr | PII handling, consent, data retention, right-to-erasure, encryption |
| CCPA | ccpa | Consumer data rights, do-not-sell opt-out, data sharing, sensitive PI |
| ISO 27701 | iso27701 | Privacy processing, data subject rights, privacy by design |

| Framework | ID | What CKB Checks |
|---|---|---|
| ISO 27001 | iso27001 | Cryptography, secure development, config management, data leakage |
| NIST 800-53 | nist-800-53 | Access control, audit logging, input validation, crypto |
| OWASP ASVS | owasp-asvs | Authentication, session mgmt, validation, crypto, communications |
| SOC 2 | soc2 | Access control, change management, monitoring |

| Framework | ID | What CKB Checks |
|---|---|---|
| PCI DSS | pci-dss | PAN detection, secure coding, authentication |
| HIPAA | hipaa | PHI detection, access control, audit trails |
| DORA | dora | Change management, anomaly detection, resilience testing |
| NIS2 | nis2 | Supply chain security, vulnerability management, crypto |
| FDA 21 CFR Part 11 | fda-21cfr11 | Audit trails, electronic signatures, validation |

| Framework | ID | What CKB Checks |
|---|---|---|
| EU AI Act | eu-ai-act | Human oversight, logging, risk classification |
| EU Cyber Resilience Act | eu-cra | Vulnerability handling, SBOM, secure defaults |

| Framework | ID | What CKB Checks |
|---|---|---|
| SBOM/SLSA | sbom-slsa | SBOM presence, provenance attestation, dependency tracking |

| Framework | ID | What CKB Checks |
|---|---|---|
| DO-178C | do-178c | Requirements traceability, structural coverage, dead code |
| IEC 61508 | iec61508 | SIL classification, defensive programming, structural coverage |
| ISO 26262 | iso26262 | ASIL checks, defensive programming, coding standards |
| MISRA C | misra | Control flow rules, type safety, memory safety |
| IEC 62443 | iec62443 | Authentication, integrity verification, secure development |
Each finding is enriched with cross-references to every regulation it violates. This is powered by CKB's cross-mapping engine, which maps 16 finding categories (with CWE IDs where one applies) across all applicable frameworks.

A single hardcoded credential finding triggers references to:
| Framework | Clause |
|---|---|
| PCI DSS | Req 8.6.2 (PCI DSS v4.0) |
| NIST 800-53 | IA-5(1) |
| SOC 2 | CC6.1 |
| OWASP ASVS | V2.10.4 |
| ISO 27001 | A.8.4 |
| NIS2 | Art. 21(2)(g) |
| DORA | Art. 9(2) |
| EU CRA | Art. 13 |
| IEC 62443 | CR 1.1 |
| Category | CWE | Frameworks Covered |
|---|---|---|
| Hardcoded credentials | CWE-798 | 9 frameworks |
| Weak cryptography | CWE-327 | 8 frameworks |
| SQL injection | CWE-89 | 6 frameworks |
| XSS | CWE-79 | 5 frameworks |
| PII in logs | CWE-532 | 7 frameworks |
| Missing TLS | CWE-319 | 8 frameworks |
| Insecure random | CWE-338 | 4 frameworks |
| Path traversal | CWE-22 | 4 frameworks |
| Unsafe deserialization | CWE-502 | 4 frameworks |
| Missing authentication | CWE-306 | 7 frameworks |
| Missing audit trail | — | 8 frameworks |
| Missing data deletion | — | 3 frameworks |
| Missing consent | — | 3 frameworks |
| goto usage | — | 4 frameworks |
| Recursion | — | 3 frameworks |
| Excessive complexity | — | 3 frameworks |
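The mapping described above, as an added JavaScript example that is not CKB's own code: a small cross-mapping engine keyed by finding category. The only clause references it loads are the ones printed on this page (the hardcoded-credentials row, and the PII-in-logs cross-references from the sample report's hint field), so its count for PII in logs comes out lower than the table's 7; the finding records, file paths and the iso27001/hardcoded-credentials check ID are constructed for the example.

```javascript
// Added example (not CKB's own code): a minimal cross-framework mapping engine
// in the spirit of the text. CROSS_MAP holds only the clause references printed
// on this page; the real engine covers 16 categories.

// Display names for the framework IDs from the supported-frameworks tables.
const FRAMEWORK_NAMES = {
  gdpr: 'GDPR', ccpa: 'CCPA', iso27701: 'ISO 27701', iso27001: 'ISO 27001',
  'nist-800-53': 'NIST 800-53', 'owasp-asvs': 'OWASP ASVS', soc2: 'SOC 2',
  'pci-dss': 'PCI DSS', hipaa: 'HIPAA', dora: 'DORA', nis2: 'NIS2',
  'fda-21cfr11': 'FDA 21 CFR Part 11', 'eu-ai-act': 'EU AI Act',
  'eu-cra': 'EU CRA', 'sbom-slsa': 'SBOM/SLSA', 'do-178c': 'DO-178C',
  iec61508: 'IEC 61508', iso26262: 'ISO 26262', misra: 'MISRA C',
  iec62443: 'IEC 62443',
};

// finding category -> CWE and the clause each framework ties to it.
// Insertion order is the order cross-references are printed. GDPR is listed
// for pii-in-logs without a clause because the page gives none.
const CROSS_MAP = {
  'hardcoded-credentials': {
    cwe: 'CWE-798',
    refs: {
      'pci-dss': 'Req 8.6.2', 'nist-800-53': 'IA-5(1)', soc2: 'CC6.1',
      'owasp-asvs': 'V2.10.4', iso27001: 'A.8.4', nis2: 'Art. 21(2)(g)',
      dora: 'Art. 9(2)', 'eu-cra': 'Art. 13', iec62443: 'CR 1.1',
    },
  },
  'pii-in-logs': {
    cwe: 'CWE-532',
    refs: { gdpr: null, hipaa: '§164.312', iso27001: 'A.8.12', ccpa: '§1798.100' },
  },
};

// A check ID such as "gdpr/pii-in-logs" is <primary framework>/<category>.
function splitCheck(check) {
  const [framework, category] = check.split('/');
  return { framework, category };
}

function formatRef(framework, clause) {
  const name = FRAMEWORK_NAMES[framework] || framework;
  return clause ? `${name} ${clause}` : name;
}

// The "Frameworks Covered" count for a category (0 for an unmapped one).
function frameworksCovered(category) {
  const entry = CROSS_MAP[category];
  return entry ? Object.keys(entry.refs).length : 0;
}

// Attach the CWE and an "Also violates:" hint naming every other framework
// that ties a clause to the same category, in the format of the JSON report.
function enrich(finding) {
  const { framework, category } = splitCheck(finding.check);
  const entry = CROSS_MAP[category];
  if (!entry) return { ...finding, cwe: null, hint: null };
  const others = Object.entries(entry.refs)
    .filter(([fw]) => fw !== framework)
    .map(([fw, clause]) => formatRef(fw, clause));
  return {
    ...finding,
    cwe: entry.cwe,
    hint: others.length > 0 ? `Also violates: ${others.join(', ')}` : null,
  };
}

// Invert the mapping: framework -> findings that count against it, including
// frameworks that were never passed to --framework. This is the view an
// auditor wants when asked "what would fail under HIPAA?" after a GDPR run.
function byFramework(findings) {
  const index = {};
  for (const finding of findings) {
    const entry = CROSS_MAP[splitCheck(finding.check).category];
    if (!entry) continue;
    for (const [fw, clause] of Object.entries(entry.refs)) {
      (index[fw] = index[fw] || []).push({
        check: finding.check, file: finding.file, line: finding.startLine,
        cwe: entry.cwe, clause,
      });
    }
  }
  return index;
}

// Constructed findings from a --framework=gdpr,iso27001 run (paths made up;
// the hardcoded-credentials check ID is assumed, not taken from the page).
const SAMPLE_FINDINGS = [
  { check: 'gdpr/pii-in-logs', severity: 'warning', file: 'api/handler.go', startLine: 118 },
  { check: 'iso27001/hardcoded-credentials', severity: 'error', file: 'internal/db/conn.go', startLine: 27 },
];

for (const finding of SAMPLE_FINDINGS) {
  const e = enrich(finding);
  console.log(`${e.check} ${e.file}:${e.startLine} [${e.cwe}] ${e.hint}`);
}
console.log('frameworks hit:', Object.keys(byFramework(SAMPLE_FINDINGS)).join(', '));
```

For the PII finding the hint comes out exactly as in the sample JSON report on this page; for the credential finding, byFramework shows it counting against eight frameworks beyond the ISO 27001 check that raised it, which is the point of running the audit against more frameworks than the one you are being assessed on.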
```text
ckb audit compliance [flags]

Flags:
  --framework=FRAMEWORKS   Frameworks to audit (comma-separated or 'all')
  --recommend              Analyze codebase and recommend applicable frameworks
  --format=FORMAT          Output format: human, json, markdown, sarif (default: human)
  --scope=PATH             Path prefix filter
  --ci                     CI mode: exit code 1 on failure
  --fail-on=SEVERITY       Severity threshold: error, warning, none (default: error)
  --min-confidence=FLOAT   Minimum confidence to include findings, 0.0-1.0 (default: 0.5)
  --sil-level=INT          SIL level for IEC 61508 checks, 1-4 (default: 2)
  --checks=IDS             Filter to specific check IDs (comma-separated)
```

```bash
# Quick GDPR scan
ckb audit compliance --framework=gdpr

# Full regulatory scan with high confidence
ckb audit compliance --framework=all --min-confidence=0.7

# Safety-critical audit at SIL 3
ckb audit compliance --framework=iec61508 --sil-level=3

# SARIF output for IDE integration
ckb audit compliance --framework=iso27001 --format=sarif

# Scope to specific directory
ckb audit compliance --framework=hipaa --scope=internal/patient/

# CI gate: fail on errors only
ckb audit compliance --framework=gdpr,pci-dss --ci --fail-on=error
```

A GitHub Actions workflow that gates pull requests and uploads the findings to code scanning:

```yaml
name: Compliance Gate
on: [pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install CKB
        run: npm install -g @tastehub/ckb
      - name: Index
        run: ckb index
      - name: Compliance Audit
        # The upload step reads compliance.sarif, so the audit must emit SARIF
        # (not markdown). The flag list has no output-file option, so the SARIF
        # on stdout is redirected into that file.
        run: ckb audit compliance --framework=gdpr,pci-dss --ci --fail-on=error --format=sarif > compliance.sarif
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: compliance.sarif
```

The equivalent GitLab CI job:

```yaml
compliance:
  stage: test
  script:
    - npm install -g @tastehub/ckb
    - ckb index
    - ckb audit compliance --framework=all --ci --fail-on=error
```

| Code | Meaning |
|---|---|
| 0 | Pass — no findings at or above the --fail-on threshold |
| 1 | Fail — findings at or above the --fail-on threshold |
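The exit-code rule above, together with the per-framework score the reports print, as an added JavaScript example that is not CKB's own code. It consumes a --format=json report using the field names of the sample report on this page; the report object is constructed, every check ID except gdpr/pii-in-logs is made up, and the treatment of --min-confidence as a filter applied before gating is an assumption taken from the flag's description.

```javascript
// Added example, not CKB's own code: consume a `ckb audit compliance
// --format=json` report, rebuild the per-framework coverage rows from the
// `checks` array, and apply the documented exit-code rule. Field names follow
// the sample report on this page; the report below is constructed, and every
// check ID except gdpr/pii-in-logs is made up for the sample.

const SEVERITY_RANK = { info: 0, warning: 1, error: 2 };

// Constructed report: 4 GDPR checks (3 pass, 1 warn) and 5 ISO 27001 checks
// (4 pass, 1 fail), with one finding per non-passing check plus an info finding.
const SAMPLE_REPORT = {
  repo: 'myapp',
  frameworks: ['gdpr', 'iso27001'],
  checks: [
    { name: 'gdpr/pii-in-logs', status: 'warn', severity: 'warning' },
    { name: 'gdpr/consent', status: 'pass' },
    { name: 'gdpr/data-retention', status: 'pass' },
    { name: 'gdpr/right-to-erasure', status: 'pass' },
    { name: 'iso27001/cryptography', status: 'fail', severity: 'error' },
    { name: 'iso27001/secure-development', status: 'pass' },
    { name: 'iso27001/config-management', status: 'pass' },
    { name: 'iso27001/data-leakage', status: 'pass' },
    { name: 'iso27001/access-to-source', status: 'pass' },
  ],
  findings: [
    { check: 'gdpr/pii-in-logs', severity: 'warning', file: 'api/handler.go',
      startLine: 118, message: 'User email logged without redaction', confidence: 0.85 },
    { check: 'iso27001/cryptography', severity: 'error', file: 'internal/crypto/hash.go',
      startLine: 42, message: 'Weak hash used for stored secrets', confidence: 0.4 },
    { check: 'iso27001/cryptography', severity: 'info', file: 'internal/crypto/rand.go',
      startLine: 7, message: 'Non-cryptographic RNG used for a token', confidence: 0.9 },
  ],
};

// Coverage rows: the framework is the check-name prefix and the score is
// passed/total in percent (9/12 = 75 and 12/15 = 80 in the page's sample).
function coverage(report) {
  const rows = {};
  for (const check of report.checks) {
    const framework = check.name.split('/')[0];
    const row = rows[framework] || (rows[framework] = {
      framework, totalChecks: 0, passed: 0, warned: 0, failed: 0, score: 0,
    });
    row.totalChecks += 1;
    if (check.status === 'pass') row.passed += 1;
    else if (check.status === 'warn') row.warned += 1;
    else if (check.status === 'fail') row.failed += 1;
  }
  for (const row of Object.values(rows)) {
    row.score = Math.round((row.passed / row.totalChecks) * 100);
  }
  return rows;
}

// Exit-code rule from the table above: 1 if any finding at or above the
// --fail-on severity survives the --min-confidence filter, otherwise 0.
// Assumption: --min-confidence drops findings before gating, which is how the
// flag reference describes it ("minimum confidence to include findings").
function gate(report, { failOn = 'error', minConfidence = 0.5 } = {}) {
  const considered = report.findings.filter((f) => f.confidence >= minConfidence);
  if (failOn === 'none') return { exitCode: 0, failing: [], considered };
  if (!(failOn in SEVERITY_RANK)) throw new Error(`unknown --fail-on value: ${failOn}`);
  const threshold = SEVERITY_RANK[failOn];
  const failing = considered.filter((f) => SEVERITY_RANK[f.severity] >= threshold);
  return { exitCode: failing.length > 0 ? 1 : 0, failing, considered };
}

// One line per framework, in the shape of the human report's coverage table.
function coverageLines(report) {
  return Object.values(coverage(report)).map((r) =>
    `${r.framework.padEnd(12)} ${String(r.totalChecks).padStart(6)} ${String(r.passed).padStart(5)} ` +
    `${String(r.warned).padStart(5)} ${String(r.failed).padStart(5)} ${String(r.score).padStart(4)}%`);
}

// Demo: the default gate passes because the only error sits below the 0.5
// confidence floor; lowering the floor or failing on warnings flips it.
for (const line of coverageLines(SAMPLE_REPORT)) console.log(line);
for (const opts of [{}, { minConfidence: 0.3 }, { failOn: 'warning' }]) {
  console.log(JSON.stringify(opts), '-> exit', gate(SAMPLE_REPORT, opts).exitCode);
}
```

The interplay is worth noticing when tuning a CI gate: raising --min-confidence to cut noise can also hide the one error that would have failed the build, so a pipeline that raises the floor should pair it with --fail-on=warning or review the dropped findings separately.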
The default human-readable report:

```text
======================================================================
CKB COMPLIANCE AUDIT REPORT
======================================================================
Repository: myapp
Generated:  2026-03-25T14:30:00Z
Verdict:    WARN
Score:      72/100
Files:      245 scanned, 12 with issues
Findings:   18 total (3 errors, 8 warnings)

FRAMEWORK COVERAGE
----------------------------------------------------------------------
FRAMEWORK                          CHECKS  PASS  WARN  FAIL  SCORE
GDPR (Regulation (EU) 2016/679)        12     9     2     1    75%
ISO 27001:2022                         15    12     2     1    80%
```
The same run with --format=json:

```json
{
  "repo": "myapp",
  "analyzedAt": "2026-03-25T14:30:00Z",
  "frameworks": ["gdpr", "iso27001"],
  "verdict": "warn",
  "score": 72,
  "checks": [
    {
      "name": "gdpr/pii-in-logs",
      "status": "warn",
      "severity": "warning",
      "summary": "PII detected in 3 log statements"
    }
  ],
  "findings": [
    {
      "check": "gdpr/pii-in-logs",
      "severity": "warning",
      "file": "api/handler.go",
      "startLine": 118,
      "message": "User email logged without redaction",
      "ruleId": "gdpr/pii-in-logs",
      "hint": "Also violates: HIPAA §164.312, ISO 27001 A.8.12, CCPA §1798.100",
      "confidence": 0.85
    }
  ],
  "coverage": [
    {
      "framework": "gdpr",
      "name": "GDPR (Regulation (EU) 2016/679)",
      "totalChecks": 12,
      "passed": 9,
      "warned": 2,
      "failed": 1,
      "score": 75
    }
  ],
  "summary": {
    "totalFindings": 18,
    "bySeverity": { "error": 3, "warning": 8, "info": 7 },
    "filesScanned": 245,
    "filesWithIssues": 12
  }
}
```

ckb audit compliance and ckb review are separate commands with different purposes:
| | ckb review | ckb audit compliance |
|---|---|---|
| Focus | PR quality (20 checks) | Regulatory compliance |
| Scope | Changed files (diff) | Entire codebase |
| Output | Score, verdict, findings | Framework coverage, regulation mapping |
| Use case | Every PR | Periodic audits, CI gates, audit prep |
The ckb review --format=compliance flag exists but generates compliance evidence from the PR review (traceability, independence) — it does not run framework-specific checks.
See also: Code Review, CI-CD-Integration, Features#compliance-audit, Quality-Gates