
Compliance standards

Every finding produced by the scanner carries a list of ControlRef objects: references to controls in registered compliance standards. The same check can evidence controls in multiple standards at once.

OWASP Top 10 CI/CD (flagship · 10/10)

The reference framework for CI/CD security risks. Full coverage across every supported provider.

10 controls · 489 checks evidenced

CIS AWS Foundations

CI/CD-relevant subset of the CIS AWS benchmark. IAM, S3, CloudTrail, KMS hardening.

14 controls · 40 checks evidenced

CIS Kubernetes

CIS Kubernetes Benchmark, Section 5 (Policies). RBAC, Pod Security Standards, NetworkPolicy, Secrets, namespaces.

24 controls · 31 checks evidenced

CIS Supply Chain

CIS Software Supply Chain Security Guide. Source, build, dependency, and artifact controls.

25 controls · 197 checks evidenced

NIST SSDF

Secure Software Development Framework, the federal SSDLC reference (SP 800-218).

13 controls · 144 checks evidenced

NIST 800-53

Federal control catalog (CI/CD subset). Maps findings to AC, AU, CM, IA, SI, SR families.

26 controls · 245 checks evidenced

NIST CSF 2.0

Cybersecurity Framework. Govern, Identify, Protect, Detect, Respond, Recover.

23 controls · 320 checks evidenced

NIST 800-190

Application Container Security Guide. Image, registry, runtime, and host hardening.

12 controls · 210 checks evidenced

SLSA Build Track

Supply-chain Levels for Software Artifacts. Provenance, hermeticity, signing posture.

7 controls · 200 checks evidenced

PCI DSS v4.0

Payment Card Industry Data Security Standard, CI/CD subset (logging, secret management, change control).

13 controls · 154 checks evidenced

NSA/CISA ESF

Enduring Security Framework. Securing the Software Supply Chain (developer, customer, supplier).

22 controls · 300 checks evidenced

OpenSSF Scorecard

Open-source project security health metrics. Pinned-deps, branch-protection, signing-keys, dangerous workflows.

10 controls · 282 checks evidenced

S2C2F

Secure Supply Chain Consumption Framework. Ingest, inventory, scan, rebuild, fix.

11 controls · 134 checks evidenced

SOC 2

Trust Services Criteria. Audit-friendly mappings for Security, Confidentiality, and Availability.

11 controls · 231 checks evidenced

Using standards at runtime

pipeline_check --list-standards                                                 # list registered standards
pipeline_check --pipeline aws --standard owasp_cicd_top_10                      # filter to one
pipeline_check --pipeline aws --standard owasp_cicd_top_10 --standard nist_ssdf # multiple

Omit --standard to include every registered standard.

Architecture

A standard is pure data, not code. Each one is a Python module in pipeline_check/core/standards/data/ that defines a module-level STANDARD object:

from ..base import Standard

STANDARD = Standard(
    name="my_standard",
    title="My Compliance Standard",
    version="1.0",
    url="https://example.com",
    controls={
        "CTRL-1": "First control",
        ...
    },
    mappings={
        # check_id → list of control_ids it evidences
        "IAM-001": ["CTRL-1"],
        ...
    },
)

Register it in pipeline_check/core/standards/__init__.py and the scanner, CLI (--standard, --list-standards), and reporters pick it up automatically.

Why data, not code

  • Re-use across checks: a single check like S3-002 can evidence multiple standards (OWASP CICD-SEC-9 and CIS 2.1.1) without the check itself knowing about any standard.
  • Easy to audit: the mapping table lives in one file, not scattered across Finding constructor calls.
  • Easy to extend: adding ISO 27001 or a bespoke internal policy is one new Python module.
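The following is an added, self-contained example (not pipeline_check's own code) that shows how the data-only design above works end to end: two constructed standard modules, a mapping audit, and the lookup that turns a check id into the ControlRef list a finding carries, filtered the way repeated --standard flags filter the CLI. The Standard field names follow the literal shown in the Architecture section; the ControlRef fields, the REGISTRY dict, the helper function names, the cis_aws_foundations module name and the control titles are assumptions or placeholders, and only the S3-002 → CICD-SEC-9 / CIS 2.1.1 pairing comes from the page.

```python
"""Added example: a stand-in for pipeline_check's data-only standards.

Standard's field names match the STANDARD literal on the page. ControlRef's
fields, REGISTRY and the helper functions are assumptions, not the project's
real API.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Standard:
    name: str
    title: str
    version: str
    url: str
    controls: Dict[str, str]          # control_id -> control title
    mappings: Dict[str, List[str]]    # check_id -> control_ids it evidences


@dataclass(frozen=True)
class ControlRef:
    standard: str     # assumed field: the Standard.name it belongs to
    control_id: str
    title: str


# Constructed sample standards. The CIS module name, version and control
# titles are placeholders; only the S3-002 pairing is taken from the page.
OWASP = Standard(
    name="owasp_cicd_top_10",
    title="OWASP Top 10 CI/CD Security Risks",
    version="2022",
    url="https://owasp.org/www-project-top-10-ci-cd-security-risks/",
    controls={
        "CICD-SEC-9": "Improper Artifact Integrity Validation",
        "CICD-SEC-10": "Insufficient Logging and Visibility",
    },
    mappings={
        "S3-002": ["CICD-SEC-9"],
        "CT-001": ["CICD-SEC-10"],
    },
)

CIS_AWS = Standard(
    name="cis_aws_foundations",          # assumed module name
    title="CIS AWS Foundations Benchmark (CI/CD subset)",
    version="x.y",                       # placeholder
    url="https://www.cisecurity.org/benchmark/amazon_web_services",
    controls={"2.1.1": "S3 control 2.1.1 (placeholder title)"},
    mappings={"S3-002": ["2.1.1"], "S3-003": ["2.1.1"]},
)

# Stand-in for the registration step in pipeline_check/core/standards/__init__.py
REGISTRY: Dict[str, Standard] = {s.name: s for s in (OWASP, CIS_AWS)}


def validate(standard: Standard) -> List[str]:
    """Audit a mapping table: every mapped control_id must exist in controls.

    Returns a list of problems; an empty list means the module is consistent.
    Because the whole table sits in one object, this check is one loop.
    """
    problems: List[str] = []
    for check_id, control_ids in standard.mappings.items():
        for cid in control_ids:
            if cid not in standard.controls:
                problems.append(f"{standard.name}: {check_id} -> unknown control {cid}")
    return problems


def checks_evidenced(standard: Standard) -> int:
    """Number of distinct checks that evidence at least one control
    (the 'N checks evidenced' figure on each card)."""
    return len(standard.mappings)


def control_refs_for(check_id: str,
                     standards: Optional[Iterable[str]] = None) -> List[ControlRef]:
    """Resolve the ControlRefs a finding raised by `check_id` should carry.

    `standards` mirrors repeated --standard flags; None means every registered
    standard, as when --standard is omitted. The check itself never names a
    standard: the answer comes entirely from the mapping tables.
    """
    if standards is None:
        selected = list(REGISTRY.values())
    else:
        unknown = [n for n in standards if n not in REGISTRY]
        if unknown:
            raise ValueError(f"unregistered standard(s): {', '.join(unknown)}")
        selected = [REGISTRY[n] for n in standards]
    refs: List[ControlRef] = []
    for std in selected:
        for cid in std.mappings.get(check_id, []):
            refs.append(ControlRef(std.name, cid, std.controls[cid]))
    return refs


if __name__ == "__main__":
    for std in REGISTRY.values():
        print(std.name, "problems:", validate(std) or "none")
    for ref in control_refs_for("S3-002"):
        print(f"S3-002 evidences {ref.standard}/{ref.control_id}: {ref.title}")
```

Running validate over every module at import time (or in a unit test) is the cheap guard the "easy to audit" bullet implies: a typo in a control id is caught once, in the data file, rather than surfacing as a missing reference in a report.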