Automated Compliance Scanning
Continuously scan infrastructure and code for compliance violations. Covers policy-as-code, CIS benchmarks, automated remediation, audit evidence generation, and the patterns that shift compliance from periodic audits to continuous verification.
Manual compliance audits are snapshots — they tell you whether you were compliant at one moment in time. Automated compliance scanning is a movie — it continuously verifies that your infrastructure, code, and configurations meet regulatory and organizational requirements. The shift from periodic to continuous compliance reduces both risk and audit preparation time.
Compliance Scanning Architecture
Continuous Compliance Pipeline:

```
 Source Code       Infrastructure        Configuration          Runtime
      │                   │                    │                    │
      ▼                   ▼                    ▼                    ▼
 ┌──────────┐      ┌─────────────┐      ┌──────────────┐      ┌──────────┐
 │  SAST    │      │  IaC Scan   │      │ Config Audit │      │ Runtime  │
 │  SCA     │      │  Checkov    │      │ AWS Config   │      │ Falco    │
 │  Secrets │      │  tfsec      │      │ Azure Policy │      │ Sysdig   │
 └────┬─────┘      └──────┬──────┘      └──────┬───────┘      └────┬─────┘
      │                   │                    │                    │
      ▼                   ▼                    ▼                    ▼
 ┌───────────────────────────────────────────────────────────────────────┐
 │                         Compliance Dashboard                          │
 │                                                                       │
 │   CIS Benchmark: 87% compliant (134/154 controls)                     │
 │   SOC 2:         94% compliant (72/77 controls)                       │
 │   PCI DSS:       91% compliant (289/318 requirements)                 │
 │   HIPAA:         88% compliant (45/51 safeguards)                     │
 │                                                                       │
 │   Critical violations: 3                                              │
 │   Open remediation tickets: 12                                        │
 │   Average time to remediate: 4.2 days                                 │
 └───────────────────────────────────────────────────────────────────────┘
```
Policy-as-Code
```rego
# Open Policy Agent (OPA) policy, written in Rego.
# Enforce: every S3 bucket must be encrypted, private, and versioned.
# Input is Terraform HCL parsed to JSON (for example by `conftest test main.tf`),
# so a bucket resource is reachable as input.resource.aws_s3_bucket[name].
# policy/s3_encryption.rego
package aws.s3

import rego.v1  # `contains`/`if` keywords: required by OPA 1.0, accepted since 0.59

deny contains msg if {
    bucket := input.resource.aws_s3_bucket[name]
    not bucket.server_side_encryption_configuration
    msg := sprintf("S3 bucket '%s' does not have encryption enabled", [name])
}

deny contains msg if {
    bucket := input.resource.aws_s3_bucket[name]
    bucket.acl == "public-read"
    msg := sprintf("S3 bucket '%s' has public read access", [name])
}

deny contains msg if {
    bucket := input.resource.aws_s3_bucket[name]
    # Undefined block and `enabled = false` both end up here.
    not bucket.versioning[_].enabled
    msg := sprintf("S3 bucket '%s' does not have versioning enabled", [name])
}
```

Run it in the pipeline with `conftest test --policy policy/ --namespace aws.s3 main.tf` and fail the job on any deny. One caveat: these rules look at the inline blocks of the Terraform AWS provider up to v3. From provider v4 on, encryption, versioning and ACL are set by separate resources (aws_s3_bucket_server_side_encryption_configuration, aws_s3_bucket_versioning, aws_s3_bucket_acl) that reference the bucket, so a policy for v4-style code has to walk those resources as well or it will flag correctly encrypted buckets.
```python
class ComplianceScanner:
    """Automated compliance scanning against multiple frameworks.

    Each *_checks() method returns a list of result dicts shaped
    {"id": ..., "status": "pass" | "fail", "severity": ...}. The base
    methods return nothing; subclasses plug in the real checks.
    """

    def __init__(self):
        self.alerts = []    # critical violations raised to the security team
        self.tickets = []   # remediation tickets opened for every violation

    def cis_checks(self):
        """CIS AWS Foundations Benchmark controls (override in a subclass)."""
        return []

    def soc2_checks(self):
        return []

    def pci_dss_checks(self):
        return []

    def alert_security_team(self, critical):
        self.alerts.extend(critical)

    def create_remediation_ticket(self, violation):
        self.tickets.append(violation)

    def scan_infrastructure(self):
        """Scan all infrastructure against compliance policies."""
        results = []
        # CIS AWS Foundations Benchmark
        results.extend(self.cis_checks())
        # Framework-specific controls
        results.extend(self.soc2_checks())
        results.extend(self.pci_dss_checks())
        violations = [r for r in results if r["status"] == "fail"]
        critical = [v for v in violations if v["severity"] == "critical"]
        if critical:
            self.alert_security_team(critical)
        for violation in violations:
            self.create_remediation_ticket(violation)
        passing = len([r for r in results if r["status"] == "pass"])
        return {
            "total_controls": len(results),
            "passing": passing,
            "failing": len(violations),
            # An empty result set is 0%, not a ZeroDivisionError
            "compliance_pct": passing / len(results) * 100 if results else 0.0,
        }
```
Anti-Patterns
| Anti-Pattern | Consequence | Fix |
|---|---|---|
| Scan only before audits | Non-compliant 364 days a year | Continuous scanning, daily reports |
| No auto-remediation | Violations pile up, overwhelm team | Auto-remediate low-risk violations |
| Scan code but not runtime | Config drift creates compliance gaps | Runtime scanning with Falco, AWS Config |
| Same priority for all violations | Critical violations lost in noise | Severity-based triage, SLA per severity |
| No exception process | Either block everything or ignore everything | Documented exceptions with expiration dates |
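Putting the scanner section and the last three rows of the table together, here is an added example (not code from the original page) of the triage step that sits between scan results and tickets: an SLA per severity, automatic remediation for low-risk findings, exceptions that must carry an expiry date, and a tamper-evident evidence record of the run for the auditors. The control ids, SLA values, findings and exception tickets are all constructed for the example.

```python
"""Added example, not from the page: severity-based triage with an SLA per
severity, expiring exceptions, and a tamper-evident evidence record.
Control ids, SLA values, findings and tickets are constructed."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta

# Remediation SLA in days per severity (assumed values).
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    control: str      # illustrative control id, not a real benchmark number
    resource: str
    severity: str     # critical | high | medium | low
    status: str       # pass | fail
    first_seen: date  # the SLA clock starts when the violation was first observed


@dataclass(frozen=True)
class PolicyException:
    control: str
    resource: str
    expires: date     # no open-ended exceptions: every one carries an expiry
    ticket: str       # where the risk acceptance is documented


def triage(findings, exceptions, today, auto_fix=("low",)):
    """Route failing findings: excepted, auto-remediate, open (within SLA) or overdue.

    An expired exception suppresses nothing; it is reported separately so it is
    either renewed deliberately or the finding gets fixed.
    """
    active = {(e.control, e.resource): e for e in exceptions if e.expires >= today}
    lapsed = {(e.control, e.resource): e for e in exceptions if e.expires < today}
    out = {"excepted": [], "auto_remediate": [], "open": [], "overdue": [],
           "expired_exceptions": []}
    for f in findings:
        if f.status != "fail":
            continue
        key = (f.control, f.resource)
        if key in active:
            out["excepted"].append(f)
            continue
        if key in lapsed:
            out["expired_exceptions"].append(lapsed[key])
        if f.severity in auto_fix:
            out["auto_remediate"].append(f)   # low-risk: fix automatically, no ticket
            continue
        deadline = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
        out["overdue" if today > deadline else "open"].append(f)
    return out


def summary(findings):
    """Dashboard numbers; the empty case is 0%, not a division by zero."""
    total = len(findings)
    passing = sum(1 for f in findings if f.status == "pass")
    pct = round(100.0 * passing / total, 1) if total else 0.0
    return {"total": total, "passing": passing, "failing": total - passing,
            "compliance_pct": pct}


def evidence_record(findings, today):
    """Canonical JSON of the run plus its SHA-256, so stored audit evidence is tamper-evident."""
    results = [asdict(f) | {"first_seen": f.first_seen.isoformat()} for f in findings]
    canonical = json.dumps({"date": today.isoformat(), "results": results},
                           sort_keys=True, separators=(",", ":"))
    return canonical, hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample run, pinned to a fixed date so the triage is reproducible.
TODAY = date(2024, 6, 1)
FINDINGS = [
    Finding("s3-encryption-at-rest", "s3://example-logs", "critical", "fail", TODAY - timedelta(days=3)),
    Finding("s3-no-public-access", "s3://example-site", "high", "fail", TODAY - timedelta(days=2)),
    Finding("root-account-no-access-keys", "account", "critical", "pass", TODAY),
    Finding("cloudtrail-log-validation", "us-east-1/trail", "low", "fail", TODAY - timedelta(days=10)),
    Finding("s3-versioning", "s3://example-scratch", "medium", "fail", TODAY - timedelta(days=60)),
    Finding("s3-versioning", "s3://example-tmp", "medium", "fail", TODAY - timedelta(days=40)),
]
EXCEPTIONS = [
    PolicyException("s3-versioning", "s3://example-scratch", TODAY + timedelta(days=30), "RISK-101"),
    PolicyException("s3-versioning", "s3://example-tmp", TODAY - timedelta(days=1), "RISK-077"),
]

if __name__ == "__main__":
    for queue, items in triage(FINDINGS, EXCEPTIONS, TODAY).items():
        print(queue, [getattr(i, "resource") for i in items])
    print(summary(FINDINGS))
    print(evidence_record(FINDINGS, TODAY)[1])
```

With the sample data the critical S3 encryption finding is three days old against a one-day SLA and lands in `overdue`, the public-access finding is still within its seven days, the CloudTrail finding is auto-remediated, the scratch bucket is covered by a live exception, and the tmp bucket's exception lapsed yesterday, so it reappears as overdue together with the expired exception that needs a decision. Storing the canonical JSON next to its digest is what lets an auditor confirm the evidence matches what the scanner produced on that date.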
Compliance scanning is the automation of trust. When your infrastructure continuously proves it meets requirements, audits become formalities and security posture becomes measurable.