Compliance, Governance & DevSecOps Maturity
Compliance Automation (SOC2, HIPAA, PCI-DSS)
Compliance isn't a checkbox—it's a continuous process. DevSecOps enables continuous compliance by automating evidence collection, control validation, and audit trails throughout the SDLC.
Compliance Framework Overview
| Framework | Focus | Key Requirements |
|---|---|---|
| SOC 2 | Service organizations | Security, availability, processing integrity, confidentiality, privacy |
| HIPAA | Healthcare data | PHI protection, access controls, audit logs |
| PCI-DSS | Payment card data | Encryption, access control, vulnerability management |
| ISO 27001 | Information security | Risk management, security controls |
| GDPR | EU data protection | Data privacy, consent, right to erasure |
Continuous Compliance Architecture
```text
┌─────────────────────────────────────────────────────────────┐
│               Continuous Compliance Pipeline                │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│   Code ──▶ Build ──▶ Test ──▶ Deploy ──▶ Monitor            │
│    │         │        │         │           │               │
│    ▼         ▼        ▼         ▼           ▼               │
│  SAST     Artifact Compliance Config     Runtime            │
│  Scan     Signing    Checks   Audit     Monitoring          │
│    │         │        │         │           │               │
│    └─────────┴────────┴─────────┴───────────┘               │
│                       │                                     │
│                       ▼                                     │
│              Evidence Collection                            │
│                 & Audit Trail                               │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
SOC 2 Compliance Automation
Trust Service Criteria Mapping
| Criteria | DevSecOps Control | Tool/Implementation |
|---|---|---|
| CC6.1 Access Control | RBAC, MFA | GitHub Teams, Vault |
| CC6.6 Logging | Audit logs | CloudWatch, ELK |
| CC7.1 Vulnerability Management | Scanning | Snyk, Trivy |
| CC7.2 Change Management | Code review | GitHub PRs |
| CC8.1 Incident Response | Alerting | PagerDuty, SIEM |
Automated Control Validation
```yaml
# .github/workflows/soc2-controls.yml
name: SOC 2 Control Validation
on:
  schedule:
    - cron: '0 0 * * *' # Daily
  workflow_dispatch:
jobs:
  access-control-audit:
    runs-on: ubuntu-latest
    # Listing collaborators and reading branch protection needs a token with
    # admin read access on the repository; the default GITHUB_TOKEN may not have it.
    steps:
      - name: Audit GitHub Permissions
        uses: actions/github-script@v7
        with:
          script: |
            // paginate() walks every page; a single listCollaborators call
            // returns at most one page and would under-count admins
            const collaborators = await github.paginate(github.rest.repos.listCollaborators, {
              owner: context.repo.owner,
              repo: context.repo.repo
            });
            const admins = collaborators.filter(c =>
              c.permissions.admin
            );
            console.log(`Admin users: ${admins.length}`);
            // Alert if too many admins
            if (admins.length > 3) {
              core.setFailed('Too many admin users - review access');
            }
      - name: Verify Branch Protection
        uses: actions/github-script@v7
        with:
          script: |
            try {
              const protection = await github.rest.repos.getBranchProtection({
                owner: context.repo.owner,
                repo: context.repo.repo,
                branch: 'main'
              });
              const required = protection.data.required_pull_request_reviews;
              if (!required || required.required_approving_review_count < 1) {
                core.setFailed('Branch protection requires at least 1 reviewer');
              }
            } catch (err) {
              // The API returns 404 when main has no protection rule at all,
              // which is itself a control failure rather than a script error
              core.setFailed(`Branch protection check failed: ${err.message}`);
            }
  vulnerability-management:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Security Scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # --json-file-output writes the report the evidence step uploads below
          args: --severity-threshold=high --json-file-output=snyk-results.json
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          format: spdx-json
          output-file: sbom.json
      - name: Upload Evidence
        if: always() # a failed scan is still evidence; upload it regardless
        uses: actions/upload-artifact@v4
        with:
          name: compliance-evidence-${{ github.run_id }}
          path: |
            sbom.json
            snyk-results.json
```
HIPAA Compliance Controls
PHI Protection Checklist
```yaml
# hipaa-controls.yaml
controls:
  access_control:
    - name: "Unique User Identification"
      requirement: "164.312(a)(2)(i)"
      implementation: "Individual user accounts with SSO"
      evidence: "User provisioning logs"
    - name: "Automatic Logoff"
      requirement: "164.312(a)(2)(iii)"
      implementation: "Session timeout after 15 minutes"
      evidence: "Application configuration"
  audit_controls:
    - name: "Audit Logs"
      requirement: "164.312(b)"
      implementation: "Comprehensive logging of PHI access"
      evidence: "Log aggregation dashboard"
  encryption:
    - name: "Encryption at Rest"
      requirement: "164.312(a)(2)(iv)"
      implementation: "AES-256 encryption for databases"
      evidence: "Database configuration audit"
    - name: "Encryption in Transit"
      requirement: "164.312(e)(1)"
      implementation: "TLS 1.3 for all connections"
      evidence: "SSL certificate scan"
```
Automated PHI Detection
```yaml
# Scan for PHI in code/logs
- name: PHI Detection Scan
  run: |
    # Patterns for common PHI
    patterns=(
      '[0-9]{3}-[0-9]{2}-[0-9]{4}'                       # SSN
      '[0-9]{3}-[0-9]{3}-[0-9]{4}'                       # Phone
      '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'   # Email
    )
    for pattern in "${patterns[@]}"; do
      # -l prints only the matching file names, so the PHI itself is never
      # copied into the CI log (which would be a second disclosure)
      if grep -rlE "$pattern" --include="*.log" --include="*.txt" .; then
        echo "::error::Potential PHI detected in logs"
        exit 1
      fi
    done
```
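The same detection as a small Python scanner, added here as an example (not part of the original page): it returns structured findings with the matched value masked, so a CI annotation can point at the file and line without re-disclosing the PHI. The log lines are constructed.

```python
"""Report potential PHI in log text without echoing the PHI itself.
Added example, not part of the original page; the sample log lines are
constructed and the regexes mirror the shell step above."""
import re

PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

def mask(value):
    """Keep only the last two characters: traceable for triage, not reusable."""
    return "*" * (len(value) - 2) + value[-2:]

def scan_text(text, source="<text>"):
    """Return one finding per match: source, line number, type and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, regex in PATTERNS.items():
            for match in regex.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "type": kind, "masked": mask(match.group())})
    return findings

# Constructed sample: two PHI hits and a timing line that must not match
SAMPLE_LOG = """\
2024-01-01T10:00:00Z INFO login ok user=42
2024-01-01T10:00:05Z DEBUG lookup ssn=123-45-6789
2024-01-01T10:00:09Z INFO notify mail=jane.doe@example.org
2024-01-01T10:00:12Z INFO build took 300-4000 ms
"""

if __name__ == "__main__":
    # Emit GitHub workflow annotations; only the masked value reaches the log
    for f in scan_text(SAMPLE_LOG, "app.log"):
        print(f"::error file={f['source']},line={f['line']}::{f['type']} {f['masked']}")
```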
PCI-DSS Automation
Requirement Mapping
| Requirement | Description | Automation |
|---|---|---|
| 1.x | Firewall configuration | IaC scanning (tfsec) |
| 2.x | Secure configurations | CIS benchmarks |
| 3.x | Protect stored data | Encryption validation |
| 6.x | Secure development | SAST/DAST scanning |
| 10.x | Track access | Audit logging |
| 11.x | Test security | Vulnerability scanning |
Automated PCI Controls
```yaml
# .github/workflows/pci-compliance.yml
name: PCI-DSS Compliance
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  pci-requirement-6:
    name: "Secure Development (Req 6)"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Req 6.3.2 - Code review
      - name: Verify Code Review
        uses: actions/github-script@v7
        with:
          script: |
            const prs = await github.rest.pulls.list({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'closed',
              base: 'main',
              per_page: 50
            });
            // requested_reviewers is cleared once a review is submitted, so it
            // cannot prove a review happened; check the submitted reviews instead
            const unreviewed = [];
            for (const pr of prs.data.filter(p => p.merged_at)) {
              const reviews = await github.rest.pulls.listReviews({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: pr.number
              });
              if (!reviews.data.some(r => r.state === 'APPROVED')) {
                unreviewed.push(pr.number);
              }
            }
            if (unreviewed.length > 0) {
              core.setFailed(`Merged without an approving review: #${unreviewed.join(', #')}`);
            }
      # Req 6.5 - Vulnerability scanning (CodeQL must be initialised before analyze)
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript # adjust to the languages in this repository
      - name: SAST Scan
        uses: github/codeql-action/analyze@v3
      # Req 6.6 - Web application security
      - name: DAST Scan
        uses: zaproxy/action-baseline@v0.12.0
        with:
          target: 'https://staging.example.com'
  pci-requirement-11:
    name: "Vulnerability Management (Req 11)"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Container Vulnerability Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'myapp:latest'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Infrastructure Scan
        run: |
          pip install checkov # not preinstalled on the hosted runner
          checkov -d . --framework terraform \
            --output-file-path checkov-report.json \
            --output json
```
Evidence Collection & Reporting
Centralized Evidence Repository
```yaml
# evidence-collector.yml
name: Collect Compliance Evidence
on:
  schedule:
    - cron: '0 0 1 * *' # Monthly
jobs:
  collect-evidence:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # needed for scripts/generate_compliance_report.py
      # Assumes AWS credentials and the snyk and trivy CLIs are already available on the runner
      - name: Collect Access Logs
        run: |
          aws cloudtrail lookup-events \
            --start-time $(date -d '30 days ago' --iso-8601) \
            --end-time $(date --iso-8601) \
            > access-logs.json
      - name: Collect Vulnerability Reports
        run: |
          snyk monitor --json > snyk-report.json
          trivy image --format json myapp:latest > trivy-report.json
      - name: Generate Compliance Report
        run: |
          python scripts/generate_compliance_report.py \
            --framework soc2 \
            --output compliance-report.pdf
      - name: Upload to Evidence Store
        if: always() # keep whatever evidence was produced even if an earlier step failed
        uses: actions/upload-artifact@v4
        with:
          name: monthly-compliance-${{ github.run_id }}
          path: |
            access-logs.json
            snyk-report.json
            trivy-report.json
            compliance-report.pdf
          # Keep for audit. GitHub caps artifact retention (90 days by default;
          # the limit is a repository/organization setting), so mirror the
          # artifacts to durable storage for audits that span years.
          retention-days: 365
```
Compliance Dashboard Integration
```yaml
# Send metrics to compliance dashboard
- name: Report Compliance Status
  run: |
    # The status values below are illustrative; in practice derive them from
    # the validation job results rather than hardcoding "compliant"
    curl -X POST https://compliance-dashboard.example.com/api/v1/report \
      -H "Authorization: Bearer ${{ secrets.DASHBOARD_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{
        "framework": "SOC2",
        "date": "'$(date --iso-8601)'",
        "controls": {
          "CC6.1": {"status": "compliant", "evidence": "access-audit.json"},
          "CC7.1": {"status": "compliant", "evidence": "vuln-scan.json"},
          "CC7.2": {"status": "compliant", "evidence": "pr-reviews.json"}
        }
      }'
```
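The dashboard payload above hardcodes every status as "compliant". An added example (not the page's scripts/generate_compliance_report.py) of deriving each control's status from the collected evidence instead, covering both the evidence repository and the dashboard report: the three evidence file names match the payload, the predicates and the `admin_count`/`mfa_enforced`/`unreviewed_merged_prs` fields are assumptions, and the Trivy JSON layout (`Results[].Vulnerabilities[].Severity`) is the real one. Missing evidence is reported as such rather than passing silently.

```python
"""Derive control status from pipeline evidence rather than hardcoding it.
Added example, not the page's scripts/generate_compliance_report.py; the
evidence files are constructed samples named as in the dashboard payload."""
from datetime import date

def count_findings(trivy_report, severities=("CRITICAL", "HIGH")):
    """Count findings of the given severities in Trivy's JSON layout
    (Results[].Vulnerabilities[].Severity)."""
    return sum(1 for result in trivy_report.get("Results", [])
               for vuln in (result.get("Vulnerabilities") or [])
               if vuln.get("Severity") in severities)

# SOC 2 criterion -> (evidence file, predicate over its parsed JSON); field names assumed
CONTROLS = {
    "CC6.1": ("access-audit.json",
              lambda d: d["admin_count"] <= 3 and d["mfa_enforced"]),
    "CC7.1": ("vuln-scan.json", lambda d: count_findings(d) == 0),
    "CC7.2": ("pr-reviews.json", lambda d: d["unreviewed_merged_prs"] == 0),
}

def build_report(evidence, framework="SOC2", today=None):
    """evidence maps file name -> parsed JSON. A missing file is reported
    as 'missing-evidence', never silently as 'compliant'."""
    controls = {}
    for control_id, (filename, is_ok) in CONTROLS.items():
        data = evidence.get(filename)
        if data is None:
            status = "missing-evidence"
        else:
            status = "compliant" if is_ok(data) else "non-compliant"
        controls[control_id] = {"status": status, "evidence": filename}
    return {"framework": framework,
            "date": (today or date.today()).isoformat(),
            "controls": controls}

def all_compliant(report):
    """True only when every control has evidence and passes its check."""
    return all(c["status"] == "compliant" for c in report["controls"].values())

# Constructed sample evidence: one HIGH finding, and no PR-review evidence at all
SAMPLE_EVIDENCE = {
    "access-audit.json": {"admin_count": 2, "mfa_enforced": True},
    "vuln-scan.json": {"Results": [{"Vulnerabilities": [
        {"VulnerabilityID": "EXAMPLE-0001", "Severity": "HIGH"}]}]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_EVIDENCE), indent=2))
```

The resulting JSON has the same shape as the dashboard payload, so it can replace the hardcoded `-d '{...}'` body in the curl step.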
Key Takeaways
| Practice | Benefit |
|---|---|
| Automate evidence collection | Reduces audit preparation time |
| Continuous control validation | Catch violations early |
| Version-controlled policies | Audit trail for changes |
| Integrated scanning | Security + compliance in one pipeline |
Next, we'll explore security dashboards and vulnerability management.