Compliance overview
vulkro-sf emits findings that map into the published compliance
frameworks Salesforce-deployed apps are usually audited against. This
page is the entry point. Each framework gets its own page below with
the control-by-control mapping.
The mapping is a property of every finding. A single Apex CRUD/FLS gap, for example, surfaces as evidence under SOC 2 CC6.1, HIPAA § 164.312(a)(1), and GDPR Art. 25 in the same scan. CI consumers can filter or surface findings by framework, then hand the resulting SARIF file to an auditor.
The four frameworks this section covers
Across the consultancy and ISV deployments we ship into, these four frameworks account for the overwhelming majority of audit asks for Salesforce-deployed apps:
| Framework | When it applies |
|---|---|
| SOC 2 | Most common. Any SaaS / managed-service vendor with enterprise customers. |
| HIPAA | Health Cloud deployments, regulated SIs, any app that touches PHI. |
| GDPR | Any EU-resident data subject, processor, or sub-processor. |
| PCI-DSS | Any deployment that stores, processes, or transmits cardholder data, or sits adjacent to a system that does. |
The general Vulkro scanner already documents nine frameworks total
(ASVS, OWASP API Top 10, PCI-DSS 4.0, SOC 2, HIPAA, GDPR Art. 30, NIST
SSDF, ISO 27001, CIS Controls v8). The four pages in this section cover
the Salesforce-specific half of the most-requested four. For the
non-SF half (web app, API, mobile), link out to the general-scanner
pages under /docs/compliance/.
How findings carry framework tags
Every finding Vulkro emits carries a compliance tag per applicable
framework. The tag is compliance.<framework>.<control>, for example:
compliance.soc2.cc6.1
compliance.hipaa.164.312.a.1
compliance.gdpr.art.25
compliance.pci.req.6.2.4
A CI pipeline can grep for compliance.soc2. to surface only SOC
2-relevant findings, or pivot a dashboard by tag to track readiness
per framework.
The --compliance flag
vulkro-sf scan accepts a --compliance <framework> flag that filters
findings to only those that carry the requested framework tag. Useful
when you want a SOC 2 scoped scan handed to an audit team without
drowning them in the full finding set.
vulkro-sf scan ./force-app --compliance soc2
vulkro-sf scan ./force-app --compliance hipaa
vulkro-sf scan ./force-app --compliance gdpr
vulkro-sf scan ./force-app --compliance pci
The flag accepts framework aliases (soc2, soc-2, hipaa,
gdpr, pci, pci-dss).
The --compliance-pack report
vulkro-sf scan --compliance-pack <framework> renders a
compliance-readiness HTML report scoped to one framework. It groups
findings by control family, lists what was checked, marks every
control as PASS, FAIL, or NOT EVALUATED, and pins the framework
version at the top of the report so the result is reproducible.
vulkro-sf scan ./force-app --compliance-pack soc2 -o soc2-readiness.html
The browser's File - Save as PDF turns the HTML into a deliverable an auditor can attach to evidence.
Framework summary table
| Framework | Salesforce control families Vulkro covers | Detail page |
|---|---|---|
| SOC 2 | CC6 Logical access, CC7 System operations, CC8 Change management, CC9 Risk mitigation, C1 Confidentiality | SOC 2 -> |
| HIPAA | § 164.312(a) Access Control, (b) Audit Controls, (c) Integrity, (d) Authentication, (e) Transmission Security | HIPAA -> |
| GDPR | Art. 5 Principles, Art. 25 Privacy by design, Art. 30 RoPA, Art. 32 Security of processing, Art. 33 Breach notification, Art. 35 DPIA | GDPR -> |
| PCI-DSS | Covered in the master mapping table | PCI-DSS row |
The full per-detector mapping (every Salesforce detector, every framework in one place) lives on the master compliance mapping page.
What compliance is, and what it isn't
A scanner produces evidence for a control. A person still owns the control. The honest framing:
- What Vulkro can do: generate reproducible, timestamped evidence that the technical surface of your Salesforce deployment meets a named control on a named date. The SARIF output is the artifact you hand to an auditor.
- What Vulkro cannot do: sign your BAA, run your access reviews, draft your Statement of Applicability, manage your change-control board, or own your incident-response runbook. The organizational controls (CC1 through CC5, HIPAA administrative safeguards, GDPR controller obligations, PCI organizational requirements) need human process, written policy, and signed contracts. A scanner does not produce those.
We do not ship a "Vulkro makes you SOC 2 compliant" claim, ever. The right framing for buyers and auditors is "Vulkro emits the technical evidence; the audit is yours to pass."
Related
- Master compliance mapping table
- SOC 2 mapping ->
- HIPAA mapping ->
- GDPR mapping ->
- General-scanner compliance docs: /docs/compliance/