Compliance Control Report (SOC2 / ISO 27001)
AutoControl already ships the controls an auditor cares about — a network
egress allowlist, just-in-time credential leases, maker-checker approval, a
secrets scanner, audit logging, a CycloneDX SBOM. build_compliance_report()
turns “are those controls in place?” into an auditor-readable control evidence
report: you supply a flat evidence mapping of observed facts, and each
catalogued control is marked satisfied / gap / not_assessed.
It is a reporting aid, not a certification — it records the evidence you
assert, it does not itself verify the controls. Pure standard library; imports
no PySide6.
Mapped controls
Framework |
Control |
Title |
Evidence key |
|---|---|---|---|
SOC2 |
CC6.1 |
Logical access restricted to authorized hosts |
|
SOC2 |
CC6.3 |
Least-privilege, time-boxed credentials |
|
SOC2 |
CC6.8 |
Secrets not hardcoded and scanned |
|
SOC2 |
CC7.3 |
Security events logged for review |
|
SOC2 |
CC8.1 |
Changes require segregated (maker-checker) approval |
|
ISO 27001 |
A.5.23 |
Information security for cloud/network egress |
|
ISO 27001 |
A.8.16 |
Monitoring activities / audit trail |
|
ISO 27001 |
A.8.30 |
Software bill of materials maintained |
|
Headless API
from je_auto_control import build_compliance_report, write_compliance_report
report = build_compliance_report({
"egress_allowlist_enforced": True,
"jit_credentials_used": True,
"secrets_scanned": True,
"audit_logging_enabled": True,
"change_approval_required": True,
"sbom_generated": True,
}, frameworks=["SOC2"]) # frameworks is optional
print(report["summary"]) # {satisfied, gap, not_assessed, total}
write_compliance_report(report, "build/compliance.html", fmt="html")
A control is satisfied when its evidence key is truthy, gap when
explicitly falsy, and not_assessed when the key is absent — so a partial
evidence dict produces an honest gap analysis. render_compliance_html returns
a standalone HTML table; write_compliance_report writes json or html.
Executor command
AC_compliance_report takes evidence (a JSON object, or JSON string from
the visual builder), an optional frameworks list/comma-string, and optional
path + fmt to write a file; it returns {summary, controls, path?}.
The same operation is exposed as the MCP tool ac_compliance_report and as a
Script Builder command under Report.