Skip to main content

Compliance overview

Vulkro maps every finding to controls across a range of compliance frameworks. Run vulkro compliance . --profile <name> to evaluate, or attach a profile inline during a scan with --profile.

Frameworks supported

ProfileFrameworkCoverage
owasp-asvsOWASP Application Security Verification StandardL1 + L2, V1-V14
pciPCI-DSS 4.0Req 6 (Develop and Maintain Secure Systems), Req 11 (Test Security)
soc2SOC 2 Trust Services CriteriaCC6 (Logical Access), CC7 (System Operations)
hipaaHIPAA Security RuleSec.164.312
nist-ssdfNIST SP 800-218 SSDFPS, PW, RV practice groups
nist-800-53NIST SP 800-53Selected control families
staterampStateRAMPSelected control baseline
iso27001ISO/IEC 27001:2022Annex A.5, A.8, A.14
cisCIS Critical Security Controls v8All 18 controls
cwe-top25CWE Top 25 Most DangerousFull list
gdprGDPR (data-protection controls)Article 32 security-of-processing controls

GDPR also has two dedicated output formats for Article 30 Records of Processing: vulkro compliance . --profile gdpr --format ropa-md (Markdown) and --format ropa-html (HTML). These generate a Records-of-Processing template rather than a pass/fail control evaluation.

How mapping works

Each finding category emits a compliance_controls list. The same finding typically satisfies multiple frameworks - e.g. a CSRF detection maps to ASVS V13, OWASP A05:2021, PCI 6.5.9, and CIS 16.10 simultaneously.

The mapping table is curated by hand because mechanical mappings (e.g. CWE -> control) don't reflect the intent of each framework. We accept the maintenance cost in exchange for citations auditors can defend.

Reading the output

vulkro compliance . --profile soc2
Profile: SOC 2 Trust Services Criteria
Status: 17 controls passed | 4 controls failed | 2 controls partial

CC6.1 Restrict access to information assets FAIL
Citation: API1 - BrokenObjectLevelAuth (115 findings)
Citation: API5 - BrokenFunctionLevelAuth (12 findings)

CC6.6 Implement logical access controls PASS
CC6.7 Restrict transmission to authorised users PASS
CC7.1 Detect security events FAIL
Citation: SecurityMisconfiguration - auditing disabled (47 findings)
...

Pass / fail / partial status is computed by:

  • PASS - no findings against any of the controls' mapped categories.
  • FAIL - at least one Critical or High finding against a mapped category.
  • PARTIAL - only Medium / Low findings against mapped categories.

In the desktop console

The Compliance tab visualises pass / fail per control with direct links to the underlying findings. An auditor can ask "show me how you meet PCI 6.5.7" and you can answer in one click.

Per-framework deep dives