Compliance

The One Code's Govern module automates the collection of compliance evidence from your clients' GitHub organizations and maps it to controls in SOC 2 and ISO 27001. Rather than manually gathering screenshots and spreadsheets for an audit, you generate a compliance report in minutes.

Supported Frameworks

| Framework | Controls Covered |
|---|---|
| SOC 2 | Access control, change management, availability, confidentiality, system operations |
| ISO 27001 | Access control (A.9), cryptography (A.10), operations security (A.12), information security incident management (A.16) |

Additional frameworks are planned. The underlying evidence types (access audits, secret scans, backup verifications, branch protection) map to multiple frameworks, so adding HIPAA or PCI-DSS requires only a mapping layer on top of existing evidence.

Evidence Types

The One Code collects six types of evidence that map across both frameworks:

| Evidence Type | What It Proves |
|---|---|
| access_audit | Who has access to code, their permission levels, 2FA compliance, external collaborators |
| secret_scan | Active detection and remediation of leaked credentials in code |
| backup_verification | Regular, verified backups of critical systems — proven by integrity check results |
| branch_protection | Change management controls — code requires review before merging |
| 2fa_compliance | Multi-factor authentication enforced for org members |
| dependency_scan | Vulnerability management — known CVEs tracked and remediated |

Each evidence item records:

  • The framework it maps to
  • The specific control ID and control name
  • The evidence type
  • Pass, fail, partial, or not applicable
  • When it was collected
  • The raw data that supports the finding

Generating a Compliance Report

Generate a SOC 2 report:

  1. Navigate to Compliance from the left sidebar
  2. Click Generate Report
  3. Select SOC 2
  4. Click Generate

The report is computed from evidence already collected in your tenant — access audit results, secret scan results, backup verification records, and org settings. It runs in seconds.

Generate an ISO 27001 report:

Repeat the above with ISO 27001 selected.

ℹ️ Compliance reports reflect the current state of your evidence at the time of generation. Run access audits and secret scans immediately before generating a report to ensure the evidence is current.

Understanding the Compliance Report

Each report contains:

Summary metrics:

  • Total controls covered
  • Passing controls
  • Failing controls
  • Partial controls
  • Not applicable controls
  • Overall compliance percentage

Per-control evidence: Each control includes:

  • Control ID and name
  • Status (pass/fail/partial/not_applicable)
  • When evidence was collected
  • The underlying data (e.g., for 2FA compliance: how many members have 2FA enabled, how many don't, the list of non-compliant members)
  • Notes (optional — you can add annotations before sharing)

Common Control Statuses

Pass — Evidence exists and meets the control requirement. Example: 2fa_compliance passes when the org has 2FA enabled and all members comply.

Fail — Evidence exists and shows the control is not met. Example: secret_scan fails if there are active (unremediated) secrets in the default branch.

Partial — Some aspects of the control are met but not all. Example: branch_protection is partial if some repos have protection rules and others don't.

Not Applicable — The control doesn't apply to this type of organization or repository setup.

Real-Time Compliance Posture

The Compliance Posture view gives you a live status across all frameworks without generating a formal report:

Navigate to Compliance → Posture to see:

  • Current pass/fail/partial status for each control
  • Which evidence was last collected and when
  • Gaps — controls where evidence is missing or outdated

Use this view during day-to-day operations to stay ahead of compliance issues. Before generating a formal report for an audit, review the posture view and address any failing controls.

Evidence Gaps

Navigate to Compliance → Evidence Gaps to see a list of controls where evidence is missing or stale:

  • Missing — No evidence has ever been collected for this control
  • Stale — Evidence was collected more than 90 days ago and may no longer reflect current state
  • Failing — Evidence exists but shows non-compliance

For each gap, The One Code shows exactly what action would close it (run an access audit, run a secret scan, configure branch protection, etc.).

Regulatory Classification

Beyond SOC 2 and ISO 27001, The One Code can classify repositories against regulatory frameworks to help you understand which compliance requirements apply to which codebases.

Supported regulatory frameworks:

| Framework | What It Covers |
|---|---|
| HIPAA | Healthcare data — Protected Health Information (PHI) handling |
| PCI-DSS | Payment card data — cardholder data processing, storage, or transmission |
| GDPR | EU personal data processing |
| SOX | Financial reporting controls for public companies |
| CMMC | Controlled Unclassified Information for US defense contractors |

How classification works:

The AI analyzes the repository's file tree, configuration files, dependencies, and README content for indicators of regulatory applicability. For example:

  • Imports of healthcare data processing libraries suggest HIPAA
  • Stripe/payment gateway integrations suggest PCI-DSS
  • EU data residency configurations suggest GDPR
  • FedRAMP or ITAR keywords suggest CMMC

Each classification includes:

  • Detected frameworks
  • Confidence score (0–1)
  • Specific indicators found (file path, pattern, context)
  • Whether the classification was AI-confirmed

Triggering classification:

  1. Navigate to Regulatory from the left sidebar
  2. Click Classify All Repos for bulk classification, or navigate to a repo and click Classify
  3. Results appear within 30–60 seconds per repo

Using the regulatory map:

Navigate to Regulatory → Map to see a grid of all repositories × detected frameworks. This gives you immediate visibility into which repos may require additional compliance controls.

Identifying gaps:

Navigate to Regulatory → Gaps to see repositories that have regulatory indicators but where compliance evidence is missing or failing. These are your highest-priority items — code that likely needs to comply with a regulation but doesn't have evidence that it does.

⚠️ Regulatory classification is an AI-assisted tool to help identify potential compliance requirements. It is not a legal determination. Always have your clients consult with a compliance professional or attorney for definitive regulatory guidance.

Exporting Compliance Evidence

For audits, you may need to provide evidence documentation to auditors. From the compliance report:

  1. Click Export Report
  2. The report downloads as a JSON file containing all evidence data
  3. Share the file with your auditor, or upload it to your GRC (Governance, Risk, Compliance) platform

The evidence JSON includes timestamps, raw data, and control mappings that auditors can verify.
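A worked example of consuming that export, added here and not part of The One Code's documentation or product: it computes the summary metrics described under Understanding the Compliance Report and the missing / stale / failing classification from the Evidence Gaps section, using the page's 90-day staleness threshold. The evidence record layout, the pass-over-applicable percentage and the control-to-evidence-type pairing are assumptions, not the product's real schema.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # the page's threshold for "stale" evidence
# Action that closes a gap, keyed by evidence type (from the Evidence Gaps section)
ACTIONS = {"access_audit": "run an access audit", "secret_scan": "run a secret scan",
           "backup_verification": "run a backup verification", "branch_protection": "configure branch protection"}
# Expected (framework, control id) -> evidence type; ISO clause ids are from the page, the pairing is assumed
EXPECTED = {("ISO 27001", "A.9"): "access_audit", ("ISO 27001", "A.10"): "secret_scan",
            ("ISO 27001", "A.12"): "backup_verification", ("ISO 27001", "A.16"): "branch_protection"}
# Constructed evidence items (what json.load would return) in an ASSUMED layout, not the real export schema
EVIDENCE = [
    {"framework": "ISO 27001", "control_id": "A.9", "evidence_type": "access_audit",
     "status": "pass", "collected_at": "2025-03-01T08:00:00Z", "data": {"without_2fa": 0}},
    {"framework": "ISO 27001", "control_id": "A.10", "evidence_type": "secret_scan",
     "status": "fail", "collected_at": "2025-03-02T08:00:00Z", "data": {"active_secrets": 2}},
    {"framework": "ISO 27001", "control_id": "A.12", "evidence_type": "backup_verification",
     "status": "pass", "collected_at": "2024-11-01T08:00:00Z", "data": {"integrity_ok": True}}]
NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)  # fixed clock so the results are reproducible

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))  # explicit offset: works before Python 3.11 too

def latest_evidence(items):
    latest = {}  # (framework, control id) -> most recent item; earlier collection runs are superseded
    for it in items:
        key = (it["framework"], it["control_id"])
        if key not in latest or parse_ts(it["collected_at"]) > parse_ts(latest[key]["collected_at"]):
            latest[key] = it
    return latest

def summarize(items):
    # Report summary metrics; compliance % = pass / applicable controls (assumed definition)
    counts = {s: 0 for s in ("pass", "fail", "partial", "not_applicable")}
    for it in latest_evidence(items).values():
        counts[it["status"]] += 1
    applicable = counts["pass"] + counts["fail"] + counts["partial"]
    pct = round(100.0 * counts["pass"] / applicable, 1) if applicable else 0.0
    return {"total": sum(counts.values()), **counts, "compliance_pct": pct}

def find_gaps(items, expected, now):
    # Staleness is checked before status: outdated evidence is unreliable whatever it showed
    latest, gaps = latest_evidence(items), []
    for key, ev_type in expected.items():
        it = latest.get(key)
        kind = ("missing" if it is None
                else "stale" if now - parse_ts(it["collected_at"]) > STALE_AFTER
                else "failing" if it["status"] == "fail" else None)
        if kind:
            gaps.append({"control": key, "gap": kind, "action": ACTIONS[ev_type]})
    return gaps
```

With the constructed items, `summarize(EVIDENCE)` reports 2 passing and 1 failing of 3 controls (66.7%), and `find_gaps(EVIDENCE, EXPECTED, NOW)` flags A.10 as failing, A.12 as stale and A.16 as missing, each with the action that closes it.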

Scheduling Compliance Reports

To ensure compliance evidence is always current, consider scheduling:

  • Monthly access audits — Run for each connected org at the beginning of every month
  • Weekly secret scans — The background scanner runs automatically, but you can trigger manual scans after any major merge or deployment
  • Quarterly compliance reports — Generate a formal SOC 2 and ISO 27001 report each quarter, even outside of formal audit periods

When combined with the QBR Reports feature, you can include compliance posture in your quarterly business review presentation to clients.