# Compliance Audit
CKB audits your codebase against regulatory compliance frameworks. Run `ckb audit compliance --framework=gdpr` and get a structured report mapping findings to specific regulation articles, with severity scores, confidence levels, and CWE references.

**Key idea:** One finding, many regulations. A hardcoded credential violates PCI DSS 8.6.2, NIST 800-53 IA-5, SOC 2 CC6.1, OWASP ASVS V2.10.4, ISO 27001 A.8.4, and more — all surfaced automatically via cross-framework mapping.
## Quick Start

```bash
# Audit against a specific framework
ckb audit compliance --framework=gdpr

# Multiple frameworks
ckb audit compliance --framework=gdpr,iso27001,pci-dss

# All 20 frameworks at once
ckb audit compliance --framework=all

# CI mode — exit code 1 on failure
ckb audit compliance --framework=gdpr --ci --fail-on=error

# Machine-readable output
ckb audit compliance --framework=all --format=json
ckb audit compliance --framework=all --format=sarif
ckb audit compliance --framework=all --format=markdown
```
## Supported Frameworks

CKB ships with 20 regulatory frameworks across data privacy, security, financial services, healthcare, AI governance, supply chain, and safety-critical domains.
### Privacy & Data Protection

| Framework | ID | What CKB Checks |
|-----------|----|-----------------|
| GDPR | `gdpr` | PII handling, consent, data retention, right-to-erasure, encryption |
| CCPA | `ccpa` | Consumer data rights, do-not-sell opt-out, data sharing, sensitive PI |
| ISO 27701 | `iso27701` | Privacy processing, data subject rights, privacy by design |
### Security Standards

| Framework | ID | What CKB Checks |
|-----------|----|-----------------|
| ISO 27001 | `iso27001` | Cryptography, secure development, config management, data leakage |
| NIST 800-53 | `nist-800-53` | Access control, audit logging, input validation, crypto |
| OWASP ASVS | `owasp-asvs` | Authentication, session mgmt, validation, crypto, communications |
| SOC 2 | `soc2` | Access control, change management, monitoring |
### Industry Regulations

| Framework | ID | What CKB Checks |
|-----------|----|-----------------|
| PCI DSS | `pci-dss` | PAN detection, secure coding, authentication |
| HIPAA | `hipaa` | PHI detection, access control, audit trails |
| DORA | `dora` | Change management, anomaly detection, resilience testing |
| NIS2 | `nis2` | Supply chain security, vulnerability management, crypto |
| FDA 21 CFR Part 11 | `fda-21cfr11` | Audit trails, electronic signatures, validation |
### AI & Product Regulations

| Framework | ID | What CKB Checks |
|-----------|----|-----------------|
| EU AI Act | `eu-ai-act` | Human oversight, logging, risk classification |
| EU Cyber Resilience Act | `eu-cra` | Vulnerability handling, SBOM, secure defaults |
### Supply Chain

| Framework | ID | What CKB Checks |
|-----------|----|-----------------|
| SBOM/SLSA | `sbom-slsa` | SBOM presence, provenance attestation, dependency tracking |
### Safety-Critical

| Framework | ID | What CKB Checks |
|-----------|----|-----------------|
| DO-178C | `do-178c` | Requirements traceability, structural coverage, dead code |
| IEC 61508 | `iec61508` | SIL classification, defensive programming, structural coverage |
| ISO 26262 | `iso26262` | ASIL checks, defensive programming, coding standards |
| MISRA C | `misra` | Control flow rules, type safety, memory safety |
| IEC 62443 | `iec62443` | Authentication, integrity verification, secure development |
## Cross-Framework Mapping

Each finding is enriched with cross-references to every regulation it violates. This is powered by CKB's cross-mapping engine, which maps 16 finding categories (with CWE IDs where one applies) across all applicable frameworks.
### Example: Hardcoded Credential (CWE-798)

A single hardcoded credential finding triggers references to:

| Framework | Clause |
|-----------|--------|
| PCI DSS | Req 8.6.2 (PCI DSS 4.0) |
| NIST 800-53 | IA-5(1) |
| SOC 2 | CC6.1 |
| OWASP ASVS | V2.10.4 |
| ISO 27001 | A.8.4 |
| NIS2 | Art. 21(2)(g) |
| DORA | Art. 9(2) |
| EU CRA | Art. 13 |
| IEC 62443 | CR 1.1 |
### Mapped Finding Categories

| Category | CWE | Frameworks Covered |
|----------|-----|--------------------|
| Hardcoded credentials | CWE-798 | 9 frameworks |
| Weak cryptography | CWE-327 | 8 frameworks |
| SQL injection | CWE-89 | 6 frameworks |
| XSS | CWE-79 | 5 frameworks |
| PII in logs | CWE-532 | 7 frameworks |
| Missing TLS | CWE-319 | 8 frameworks |
| Insecure random | CWE-338 | 4 frameworks |
| Path traversal | CWE-22 | 4 frameworks |
| Unsafe deserialization | CWE-502 | 4 frameworks |
| Missing authentication | CWE-306 | 7 frameworks |
| Missing audit trail | — | 8 frameworks |
| Missing data deletion | — | 3 frameworks |
| Missing consent | — | 3 frameworks |
| goto usage | — | 4 frameworks |
| Recursion | — | 3 frameworks |
| Excessive complexity | — | 3 frameworks |
## CLI Reference

```text
ckb audit compliance [flags]

Flags:
  --framework=FRAMEWORKS    Frameworks to audit (comma-separated or 'all')
  --recommend               Analyze codebase and recommend applicable frameworks
  --format=FORMAT           Output format: human, json, markdown, sarif (default: human)
  --scope=PATH              Path prefix filter
  --ci                      CI mode: exit code 1 on failure
  --fail-on=SEVERITY        Severity threshold: error, warning, none (default: error)
  --min-confidence=FLOAT    Minimum confidence to include findings, 0.0-1.0 (default: 0.5)
  --sil-level=INT           SIL level for IEC 61508 checks, 1-4 (default: 2)
  --checks=IDS              Filter to specific check IDs (comma-separated)
```
### Examples

```bash
# Quick GDPR scan
ckb audit compliance --framework=gdpr

# Full regulatory scan with high confidence
ckb audit compliance --framework=all --min-confidence=0.7

# Safety-critical audit at SIL 3
ckb audit compliance --framework=iec61508 --sil-level=3

# SARIF output for IDE integration
ckb audit compliance --framework=iso27001 --format=sarif

# Scope to specific directory
ckb audit compliance --framework=hipaa --scope=internal/patient/

# CI gate: fail on errors only
ckb audit compliance --framework=gdpr,pci-dss --ci --fail-on=error
```
## CI/CD Integration

### GitHub Actions

```yaml
name: Compliance Gate
on: [pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install CKB
        run: npm install -g @tastehub/ckb
      - name: Index
        run: ckb index
      - name: Compliance Audit
        run: ckb audit compliance --framework=gdpr,pci-dss --ci --fail-on=error --format=markdown
      # The report goes to stdout (the CLI reference has no output-file flag),
      # so the file the upload step expects is captured by redirection. Runs
      # even when the gate above failed, so findings still reach code scanning.
      - name: Generate SARIF
        if: always()
        run: ckb audit compliance --framework=gdpr,pci-dss --format=sarif > compliance.sarif
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: compliance.sarif
```
### GitLab CI

```yaml
compliance:
  stage: test
  script:
    - npm install -g @tastehub/ckb
    - ckb index
    - ckb audit compliance --framework=all --ci --fail-on=error
```
### Exit Codes

| Code | Meaning |
|------|---------|
| 0 | Pass — no findings at or above the `--fail-on` threshold |
| 1 | Fail — findings at or above the `--fail-on` threshold |
## Human Output (default)

```text
======================================================================
CKB COMPLIANCE AUDIT REPORT
======================================================================
Repository: myapp
Generated:  2026-03-25T14:30:00Z
Verdict:    WARN
Score:      72/100
Files:      245 scanned, 12 with issues
Findings:   18 total (3 errors, 8 warnings)

FRAMEWORK COVERAGE
----------------------------------------------------------------------
FRAMEWORK                          CHECKS  PASS  WARN  FAIL  SCORE
GDPR (Regulation (EU) 2016/679)        12     9     2     1    75%
ISO 27001:2022                         15    12     2     1    80%
```
## JSON Output

```json
{
  "repo": "myapp",
  "analyzedAt": "2026-03-25T14:30:00Z",
  "frameworks": ["gdpr", "iso27001"],
  "verdict": "warn",
  "score": 72,
  "checks": [
    {
      "name": "gdpr/pii-in-logs",
      "status": "warn",
      "severity": "warning",
      "summary": "PII detected in 3 log statements"
    }
  ],
  "findings": [
    {
      "check": "gdpr/pii-in-logs",
      "severity": "warning",
      "file": "api/handler.go",
      "startLine": 118,
      "message": "User email logged without redaction",
      "ruleId": "gdpr/pii-in-logs",
      "hint": "Also violates: HIPAA §164.312, ISO 27001 A.8.12, CCPA §1798.100",
      "confidence": 0.85
    }
  ],
  "coverage": [
    {
      "framework": "gdpr",
      "name": "GDPR (Regulation (EU) 2016/679)",
      "totalChecks": 12,
      "passed": 9,
      "warned": 2,
      "failed": 1,
      "score": 75
    }
  ],
  "summary": {
    "totalFindings": 18,
    "bySeverity": { "error": 3, "warning": 8, "info": 7 },
    "filesScanned": 245,
    "filesWithIssues": 12
  }
}
```
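As an added example (not CKB's own code and not part of this page's original content), here is a small Python post-processor for the `--format=json` report above. It re-applies the `--min-confidence` filter and the `--fail-on` rule from the Exit Codes table to a report produced without `--ci`, splits the `hint` cross-references into individual regulation clauses, and groups findings by the framework named in the `check` id. It assumes only the JSON shape shown above and the documented flag semantics. The embedded report is constructed: the first finding is the page's own, while the second finding (its `pci-dss/hardcoded-credential` check id, file, line, message and confidence) is invented for illustration, with its cross-references taken from the CWE-798 mapping table.

```python
"""Post-process a `ckb audit compliance --format=json` report outside --ci mode.

Added example, not CKB's own code. Assumes only the JSON shape documented on
the page (findings[].check / severity / hint / confidence) and the documented
--fail-on and --min-confidence semantics.
"""
import json
from collections import Counter, defaultdict

# Ordering behind "findings at or above the --fail-on threshold".
SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2}
FAIL_ON_VALUES = ("error", "warning", "none")

# Constructed sample report in the page's schema. The first finding is the
# page's own; the second (check id, file, line, message, confidence) is invented.
SAMPLE_REPORT = """
{
  "repo": "myapp",
  "analyzedAt": "2026-03-25T14:30:00Z",
  "frameworks": ["gdpr", "pci-dss"],
  "findings": [
    {
      "check": "gdpr/pii-in-logs",
      "severity": "warning",
      "file": "api/handler.go",
      "startLine": 118,
      "message": "User email logged without redaction",
      "ruleId": "gdpr/pii-in-logs",
      "hint": "Also violates: HIPAA §164.312, ISO 27001 A.8.12, CCPA §1798.100",
      "confidence": 0.85
    },
    {
      "check": "pci-dss/hardcoded-credential",
      "severity": "error",
      "file": "internal/db/conn.go",
      "startLine": 42,
      "message": "Hardcoded database password (CWE-798)",
      "ruleId": "pci-dss/hardcoded-credential",
      "hint": "Also violates: NIST 800-53 IA-5(1), SOC 2 CC6.1, ISO 27001 A.8.4",
      "confidence": 0.4
    }
  ]
}
"""


def load_findings(report_text, min_confidence=0.5):
    """Parse the report and drop findings below min_confidence (CLI default 0.5)."""
    report = json.loads(report_text)
    return [
        f for f in report.get("findings", [])
        if float(f.get("confidence", 0.0)) >= min_confidence
    ]


def cross_references(finding):
    """Split the 'Also violates: ...' hint into individual regulation clauses."""
    hint = finding.get("hint", "")
    marker = "Also violates:"
    if not hint.startswith(marker):
        return []
    return [c.strip() for c in hint[len(marker):].split(",") if c.strip()]


def primary_framework(finding):
    """The framework id is the check id's prefix: 'gdpr/pii-in-logs' -> 'gdpr'."""
    return finding["check"].split("/", 1)[0]


def by_framework(findings):
    """Group findings by the framework whose check raised them."""
    groups = defaultdict(list)
    for f in findings:
        groups[primary_framework(f)].append(f)
    return dict(groups)


def severity_counts(findings):
    """Counts per severity, like the report's summary.bySeverity."""
    return dict(Counter(f["severity"] for f in findings))


def gate_exit_code(findings, fail_on="error"):
    """Exit code per the Exit Codes table: 1 if any finding is at or above the
    --fail-on severity, else 0. --fail-on=none never fails."""
    if fail_on not in FAIL_ON_VALUES:
        raise ValueError(f"--fail-on must be one of {FAIL_ON_VALUES}, got {fail_on!r}")
    if fail_on == "none":
        return 0
    threshold = SEVERITY_RANK[fail_on]
    failing = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return 1 if failing else 0


if __name__ == "__main__":
    # Same confidence default as the CLI. Note that the 0.4-confidence credential
    # finding is dropped at this threshold, so a secrets-focused audit may want
    # a lower --min-confidence than the default.
    findings = load_findings(SAMPLE_REPORT, min_confidence=0.5)
    for fw, items in by_framework(findings).items():
        print(f"{fw}: {severity_counts(items)}")
        for f in items:
            print(f"  {f['file']}:{f['startLine']} [{f['severity']}] {f['message']}")
            for clause in cross_references(f):
                print(f"    also: {clause}")
    raise SystemExit(gate_exit_code(findings, fail_on="error"))
```

Run it as a script to see the gate decision on the constructed report, or pipe a real report in by replacing `SAMPLE_REPORT` with the contents of `ckb audit compliance --framework=... --format=json`. Keeping the gate logic in `gate_exit_code` rather than in the CLI call lets one JSON artifact feed both a pull-request comment and a stricter nightly threshold without running the audit twice.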
## Relationship to `ckb review`

`ckb audit compliance` and `ckb review` are separate commands with different purposes:

| | `ckb review` | `ckb audit compliance` |
|---|--------------|------------------------|
| Focus | PR quality (20 checks) | Regulatory compliance |
| Scope | Changed files (diff) | Entire codebase |
| Output | Score, verdict, findings | Framework coverage, regulation mapping |
| Use case | Every PR | Periodic audits, CI gates, audit prep |
The `ckb review --format=compliance` flag exists but generates compliance evidence from the PR review (traceability, independence) — it does not run framework-specific checks.
See also: Code Review, CI-CD-Integration, Features#compliance-audit, Quality-Gates