Compliance

One Scan. Twenty Regulations.

Audit your codebase against 20 regulatory frameworks with a single command. GDPR, PCI DSS, HIPAA, ISO 27001, OWASP ASVS — with cross-framework mapping and --recommend to auto-detect what applies.

20 Regulatory Frameworks

Every finding from CKB's 20 review checks is automatically mapped to the regulations it violates. No manual tagging, no external databases.

| Framework | Scope | What CKB Checks |
|---|---|---|
| GDPR | Data privacy (EU) | PII handling, consent, data retention, right-to-erasure, encryption |
| CCPA | Consumer privacy (CA) | Do-not-sell opt-out, data sharing, sensitive PI, deletion rights |
| ISO 27701 | Privacy extension | Data subject rights, privacy processing, data portability |
| EU AI Act | AI governance (EU) | Human oversight, logging, risk classification, bias testing |
| ISO 27001 | Information security | Cryptography, secure development, config management, data leakage |
| NIST 800-53 | Security controls (US) | Access control, audit logging, input validation, crypto |
| OWASP ASVS | App security verification | Authentication, session mgmt, validation, crypto, communications |
| SOC 2 | Service organizations | Access control, change management, monitoring, error handling |
| PCI DSS | Payment card data | PAN detection, secure coding, authentication, SQL injection |
| HIPAA | Healthcare (US) | PHI detection, access control, audit trails, encryption |
| DORA | Financial services (EU) | Change management, anomaly detection, resilience testing |
| NIS2 | Critical infrastructure (EU) | Supply chain security, vulnerability management, crypto |
| FDA 21 CFR 11 | Electronic records (US) | Audit trails, electronic signatures, validation |
| EU CRA | Cyber resilience (EU) | Vulnerability handling, SBOM, secure defaults |
| SBOM/SLSA | Supply chain | SBOM generation, provenance attestation, dependency pinning |
| DO-178C | Aviation software | Requirements traceability, structural coverage, dead code |
| IEC 61508 | Functional safety | SIL classification, defensive programming, complexity limits |
| ISO 26262 | Automotive safety | ASIL checks, defensive programming, coding standards |
| MISRA C | Safety-critical C/C++ | Control flow, type safety, memory safety rules |
| IEC 62443 | Industrial automation | Authentication, integrity verification, secure development |

Cross-Framework Mapping

A single finding can violate multiple regulations. CKB maps each finding to every framework it applies to — so one scan replaces separate audits.

Hardcoded credential detected (CWE-798)
check: hardcoded-credential
  PCI DSS          Req 8.6.2 (PCI DSS 4.0)
  NIST 800-53      IA-5(1) — Authenticator management
  SOC 2            CC6.1 — Logical access security
  ISO 27001        A.8.4 — Secret authentication management
  OWASP ASVS       V2.10.4 — Credential storage
  NIS2             Art. 21(2)(g) — Cryptographic controls
  DORA             Art. 9(2) — ICT change management
  EU CRA           Art. 13 — Product security
  IEC 62443        CR 1.1 — Access control

PII in log statements (CWE-532)
check: pii-in-logs
  GDPR             Art. 25, 32 — Data protection by design
  CCPA             §1798.100 — Consumer rights
  HIPAA            §164.312(b) — Audit controls
  ISO 27001        A.8.12 — Data leakage prevention
  ISO 27701        A.7.4.5 — PII processing
  OWASP ASVS       V7.1.1 — Logging
  NIS2             Art. 21(2)(g) — Information handling

Weak cryptographic algorithm MD5 (CWE-327)
check: weak-crypto
  ISO 27001        A.8.24 — Cryptographic controls
  NIST 800-53      SC-13 — Cryptographic protection
  PCI DSS          Req 4.2.1 — Strong cryptography
  OWASP ASVS       V6.2.5 — Algorithm verification
  GDPR             Art. 32 — Security of processing
  HIPAA            §164.312(a)(2)(iv) — Encryption
  FDA 21 CFR 11    §11.10(a) — System controls
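To make the fan-out concrete, here is an added illustration of the mapping idea; it is not CKB's code. The citations are copied from the three cards above; the check-to-framework table, the Finding shape, the severity labels and the sample findings are constructed for the example. It shows how one finding lands in several frameworks at once, how per-framework counts are derived from a single list of findings, and how a fail-on threshold turns the same list into a verdict.

```python
"""Cross-framework mapping of review findings (illustrative, not CKB's implementation)."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical lookup: check id -> {framework: citation}. Citations come from the
# three example cards; a real tool would ship a much larger table.
CHECK_TO_FRAMEWORKS = {
    "hardcoded-credential": {
        "PCI DSS": "Req 8.6.2", "NIST 800-53": "IA-5(1)", "SOC 2": "CC6.1",
        "ISO 27001": "A.8.4", "OWASP ASVS": "V2.10.4", "NIS2": "Art. 21(2)(g)",
        "DORA": "Art. 9(2)", "EU CRA": "Art. 13", "IEC 62443": "CR 1.1",
    },
    "pii-in-logs": {
        "GDPR": "Art. 25, 32", "CCPA": "§1798.100", "HIPAA": "§164.312(b)",
        "ISO 27001": "A.8.12", "ISO 27701": "A.7.4.5", "OWASP ASVS": "V7.1.1",
        "NIS2": "Art. 21(2)(g)",
    },
    "weak-crypto": {
        "ISO 27001": "A.8.24", "NIST 800-53": "SC-13", "PCI DSS": "Req 4.2.1",
        "OWASP ASVS": "V6.2.5", "GDPR": "Art. 32", "HIPAA": "§164.312(a)(2)(iv)",
        "FDA 21 CFR 11": "§11.10(a)",
    },
}

SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2}  # assumed severity scale


@dataclass(frozen=True)
class Finding:
    check: str       # check id, e.g. "weak-crypto"
    severity: str    # one of SEVERITY_RANK
    location: str    # file:line


def regulations_for(finding):
    """Every (framework -> citation) the finding violates; unmapped checks give {}."""
    return dict(CHECK_TO_FRAMEWORKS.get(finding.check, {}))


def also_violates(finding, primary):
    """The 'Also violates:' list: every mapped framework except the primary one."""
    return [f"{fw} {cite}" for fw, cite in regulations_for(finding).items() if fw != primary]


def summarize(findings, selected=None):
    """Count findings per framework. `selected` mimics --framework=...; None means all.
    A single finding is counted once under each framework it maps to."""
    counts = defaultdict(int)
    for f in findings:
        for fw in regulations_for(f):
            if selected is None or fw in selected:
                counts[fw] += 1
    return dict(counts)


def verdict(findings, fail_on="error"):
    """FAIL if any finding reaches the fail_on severity, WARN if warnings remain, else PASS."""
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=-1)
    if worst >= SEVERITY_RANK[fail_on]:
        return "FAIL"
    return "WARN" if worst >= SEVERITY_RANK["warning"] else "PASS"


def render(findings, selected=None, fail_on="error"):
    """Plain-text report in the spirit of the audit output: one line per mapped finding,
    its cross-framework list, a per-framework summary and the verdict."""
    lines = []
    for f in findings:
        regs = regulations_for(f)
        if not regs:
            continue  # checks without a regulatory mapping are still findings, just unmapped
        primary, cite = next(iter(regs.items()))
        lines.append(f"{f.check:<22} {f.severity.upper():<8} {primary} {cite}  ({f.location})")
        lines.append(f"  Also violates: {', '.join(also_violates(f, primary))}")
    lines.append("Summary by Framework:")
    for fw, n in sorted(summarize(findings, selected).items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"  {fw:<14}{n} finding{'s' if n != 1 else ''}")
    lines.append(f"Verdict: {verdict(findings, fail_on)}")
    return "\n".join(lines)


# Constructed sample input; paths and line numbers are made up.
SAMPLE_FINDINGS = [
    Finding("hardcoded-credential", "error", "config/db.go:12"),
    Finding("pii-in-logs", "warning", "api/handler.go:118"),
    Finding("weak-crypto", "error", "auth/hash.go:40"),
    Finding("unmapped-check", "info", "util/misc.go:7"),  # no regulatory mapping
]

if __name__ == "__main__":
    print(render(SAMPLE_FINDINGS, selected={"GDPR", "PCI DSS", "HIPAA", "SOC 2"}))
```

The point of `summarize` is that counts are per framework, not per finding: the same MD5 finding is one entry under GDPR and one under PCI DSS, which is why a single scan can stand in for several framework-specific audits while the underlying finding list stays de-duplicated.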

How CKB Compares

Most tools check for vulnerabilities. CKB maps findings to the regulatory language auditors actually ask about.

| Feature | CKB | Snyk | SonarQube | Semgrep |
|---|---|---|---|---|
| Regulatory frameworks | 20 frameworks, 131 checks | 3-5 | 5-8 | 10-12 |
| Cross-framework mapping | Automatic | Manual | Manual | Partial |
| Structural code analysis | Full (SCIP + call graph) | Pattern matching | AST-based | Pattern matching |
| One finding, many regs | Yes | No | No | Partial |
| CI/CD integration | Native (SARIF, JSON, compliance) | Native | Native | Native |
| Runs locally (no cloud) | Yes | No | Server required | Yes |
| Cost | Free (personal) | Freemium | Freemium | Freemium |

Quick Start

Run ckb audit compliance with the frameworks you need. Use --recommend to auto-detect which frameworks apply to your codebase.

1. Auto-detect frameworks
   ckb audit compliance --recommend

2. Run compliance audit
   ckb audit compliance --framework=gdpr,iso27001,owasp-asvs

3. Gate CI on compliance
   ckb audit compliance --framework=gdpr,pci-dss --ci --fail-on=error

4. Export for auditors
   ckb audit compliance --framework=all --format=sarif

$ ckb audit compliance --framework=gdpr,iso27001,owasp-asvs

======================================================
  CKB COMPLIANCE AUDIT REPORT
======================================================

  Repository:   myapp
  Verdict:      WARN
  Score:        72/100
  Files:        245 scanned, 12 with issues
  Findings:     18 total (3 errors, 8 warnings)

FRAMEWORK COVERAGE
------------------------------------------------------
  GDPR                    12 checks  score=75%
  ISO 27001:2022          15 checks  score=80%
  OWASP ASVS 4.0          13 checks  score=76%

CHECK RESULTS
------------------------------------------------------
  gdpr/weak-pii-crypto   FAIL  Art. 32 GDPR
    Also violates: ISO 27001 A.8.24, NIST SC-13,
    PCI DSS 4.2.1, ASVS V6.2.5 (CWE-327)

Finding 2/7: PII logged without redaction
  File: api/handler.go:118
  Check: bug-patterns (high)
  Regulations:
    GDPR     Art. 5(1)(f)
    CCPA     1798.150
    HIPAA    164.312(b)

Summary by Framework:
  PCI DSS    3 findings
  HIPAA      2 findings
  GDPR       2 findings
  SOC 2      2 findings
  SOX        1 finding

Score: 34/100  Verdict: FAIL

Ship compliant code by default

Add compliance checks to your existing review workflow in one flag. Free for personal use.