Compliance Dashboard

CodeStax maps your scan results to industry compliance framework controls, so a single security posture score reflects multiple audit requirements at once. The dashboard is at Dashboard → Compliance.

Frameworks Supported

Framework            | Controls | Best For
SOC 2 Type II        | 15       | Service organizations handling customer data
ISO 27001            | 4        | Information security management programs
OWASP Top 10         | 10       | Web application security baseline
PCI-DSS v4.0         | 5        | Anyone handling cardholder data
HIPAA Security Rule  | 6        | Healthcare and ePHI handlers
NIST CSF             | 7        | Cybersecurity Framework alignment

You can also define custom frameworks for internal policies.

How Scoring Works

Each control has a pass_condition that’s evaluated against your latest scan. Possible states:

  • Pass — no findings against this control
  • Partial — one or two findings, none of them critical
  • Fail — three or more findings, or any critical finding regardless of count

A framework score is (pass + 0.5 × partial) ÷ enabled_controls × 100. Controls marked Not Applicable are excluded from both numerator and denominator, so marking a failing control N/A raises the framework score rather than just hiding the control; auditors will see the resulting number, so document the reason in the audit log when you do it.

The overall score in the dashboard header is the unweighted mean of the enabled frameworks' scores: a 4-control framework such as ISO 27001 carries the same weight as the 15-control SOC 2 set.
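The scoring rules above, carried through in code so you can reproduce a dashboard number by hand. This is an added example, not CodeStax's own scoring code. The control IDs are a few picked from the frameworks on this page, the finding counts are constructed, and two points the page leaves open are treated as assumptions: a framework with every control marked N/A gets no score (and drops out of the overall mean), and manual status overrides are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Added example (not CodeStax code) reproducing the scoring rules on this page.
# Status thresholds: 0 findings = pass; 1-2 findings = partial;
# 3 or more findings, or any critical finding = fail.
PARTIAL_MAX_FINDINGS = 2


@dataclass
class ControlResult:
    control_id: str
    findings: int           # findings matched to this control in the latest scan
    critical: bool = False  # True if any of those findings is rated critical
    enabled: bool = True    # False once the control is marked Not Applicable


def control_status(c: ControlResult) -> str:
    """pass / partial / fail for one control, per the page's thresholds."""
    if c.critical:
        return "fail"       # a single critical finding fails the control outright
    if c.findings == 0:
        return "pass"
    if c.findings <= PARTIAL_MAX_FINDINGS:
        return "partial"
    return "fail"


def framework_score(controls: List[ControlResult]) -> Optional[float]:
    """(pass + 0.5 * partial) / enabled_controls * 100.
    N/A controls are dropped from both numerator and denominator."""
    enabled = [c for c in controls if c.enabled]
    if not enabled:
        return None  # assumption: a framework with no enabled controls has no score
    statuses = [control_status(c) for c in enabled]
    passed = statuses.count("pass")
    partial = statuses.count("partial")
    return (passed + 0.5 * partial) / len(enabled) * 100


def overall_score(frameworks: Dict[str, List[ControlResult]],
                  enabled_frameworks: Set[str]) -> Optional[float]:
    """Unweighted mean of the enabled frameworks' scores (the header number)."""
    scores = [framework_score(ctrls)
              for key, ctrls in frameworks.items() if key in enabled_frameworks]
    scores = [s for s in scores if s is not None]
    return sum(scores) / len(scores) if scores else None


# Constructed sample data: a handful of control IDs per framework, not the
# full control sets; the finding counts are made up for illustration.
FRAMEWORKS = {
    "soc2": [
        ControlResult("CC6.1", findings=0),
        ControlResult("CC6.6", findings=2),                 # partial
        ControlResult("CC7.2", findings=1, critical=True),  # fail despite one finding
        ControlResult("CC8.1", findings=5, enabled=False),  # N/A: no PR-review workflow
    ],
    "owasp": [
        ControlResult("A01", findings=0),
        ControlResult("A02", findings=0),
        ControlResult("A03", findings=3),                   # fail: three findings
        ControlResult("A07", findings=1),                   # partial
    ],
    "hipaa": [
        ControlResult("164.312(e)(1)", findings=4),         # fail
    ],
}
ENABLED_FRAMEWORKS = {"soc2", "owasp"}  # HIPAA disabled at the org level

if __name__ == "__main__":
    for key in sorted(FRAMEWORKS):
        print(key, framework_score(FRAMEWORKS[key]))
    print("overall", overall_score(FRAMEWORKS, ENABLED_FRAMEWORKS))
```

Two things worth checking against a real dashboard: CC7.2 fails on a single critical finding even though one non-critical finding would only be partial, and marking the failing CC8.1 N/A lifts the SOC 2 score from 37.5 to 50 because the control leaves both numerator and denominator. The disabled HIPAA framework scores 0 on its own but has no effect on the overall mean.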

Configuring Frameworks for Your Organization

Step 1 — choose which frameworks apply

Most organizations are in scope for only a subset of the supported frameworks. A SaaS company likely cares about SOC 2 + OWASP; a fintech adds PCI-DSS; a healthcare app adds HIPAA. Showing every framework on the dashboard creates noise and false-failure alerts for controls that don’t apply to you.

  1. Open Settings → Policies → Compliance Frameworks (the section is collapsed by default — click to expand)
  2. Click Manage enabled frameworks to open the picker
  3. Check the frameworks that apply to your organization
  4. (Optional) Click Reset to default (all) to re-enable every framework
  5. Click Save

The dashboard, scoring, scan results, and digest emails will all immediately reflect your selection.

Default behavior: a brand-new organization has every built-in framework enabled. The filter takes effect only once you save an explicit selection.

Step 2 — mark individual controls “Not Applicable”

Even within a relevant framework, some controls may not apply. For example:

  • CC8.1 (Change Management) is only meaningful if you have a PR-review workflow
  • HIPAA 164.312(e)(1) Transmission Security doesn’t apply to a code review tool that never handles ePHI

To trim individual controls:

  1. From the framework picker, click Controls next to any framework
  2. The page shows every control with a recommendation badge:
    • Required (red) — baseline expectation, you should keep it enabled
    • Recommended (blue) — keep enabled if your tech stack matches
    • Optional (gray) — niche; safe to mark N/A unless your auditor asks for it
  3. Uncheck any control to mark it not applicable
  4. Click Apply recommendations to bulk-disable all Optional controls in one step
  5. Click Save

Disabled controls are skipped by scoring entirely — they don’t count as pass, partial, or fail.

Recommendation reasons

Each control’s recommendation badge includes a reason like “Your latest scan has findings against this control — keep enabled” or “Required if you ship infrastructure-as-code; optional otherwise.” The engine uses your repository’s actual scan data when available, so recommendations refine over time.

Custom Frameworks

If your industry has a framework not on the built-in list (e.g. CIS Benchmarks, FedRAMP, internal policy), define it on the compliance dashboard:

  1. Dashboard → Compliance → Custom Frameworks → Add Framework
  2. Provide a name, key (alphanumeric + underscores), and a JSON array of controls
  3. Each control needs id, name, check_type, and pass_condition. Valid check types: secrets, sast_security, sast_crypto, sast_auth, scan_recency, quality_gates, pr_reviews, sca_vulns, code_quality, iac_issues

Custom frameworks appear alongside built-ins in the picker and on the dashboard.
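A pre-flight check for a custom framework definition before pasting it into the Add Framework form. This is an added example, not CodeStax code; it validates only the structure this page documents (a name, a key made of letters, digits and underscores, and the four required control fields with a check_type from the list above) and additionally rejects duplicate control ids. The page does not document the pass_condition syntax, so the check only confirms the field is present, and the sample values are placeholders rather than real conditions.

```python
import json
import re
from typing import Any, Dict, List

# Check types accepted for custom controls, as listed on this page.
VALID_CHECK_TYPES = {
    "secrets", "sast_security", "sast_crypto", "sast_auth", "scan_recency",
    "quality_gates", "pr_reviews", "sca_vulns", "code_quality", "iac_issues",
}
KEY_PATTERN = re.compile(r"^[A-Za-z0-9_]+$")   # "alphanumeric + underscores"
REQUIRED_CONTROL_FIELDS = ("id", "name", "check_type", "pass_condition")


def validate_framework(definition: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the definition is well-formed.
    Only the structure documented on this page is checked. The pass_condition
    syntax is not documented here, so that field is checked for presence only."""
    problems: List[str] = []

    name = definition.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("name must be a non-empty string")

    key = definition.get("key")
    if not isinstance(key, str) or not KEY_PATTERN.match(key):
        problems.append("key must contain only letters, digits and underscores")

    controls = definition.get("controls")
    if not isinstance(controls, list) or not controls:
        problems.append("controls must be a non-empty JSON array")
        return problems

    seen_ids = set()
    for i, ctrl in enumerate(controls):
        if not isinstance(ctrl, dict):
            problems.append(f"controls[{i}] is not a JSON object")
            continue
        for required in REQUIRED_CONTROL_FIELDS:
            if ctrl.get(required) in (None, ""):
                problems.append(f"controls[{i}] is missing {required}")
        check_type = ctrl.get("check_type")
        if check_type is not None and check_type not in VALID_CHECK_TYPES:
            problems.append(f"controls[{i}] has unknown check_type {check_type!r}")
        control_id = ctrl.get("id")
        if control_id in seen_ids:
            problems.append(f"duplicate control id {control_id!r}")
        seen_ids.add(control_id)
    return problems


# Constructed example: an internal policy expressed as a custom framework.
# The pass_condition values are placeholders, not real CodeStax syntax.
EXAMPLE_JSON = """
{
  "name": "Internal Secure Coding Policy",
  "key": "internal_secure_coding",
  "controls": [
    {"id": "ISP-1", "name": "No secrets in source", "check_type": "secrets", "pass_condition": "PLACEHOLDER"},
    {"id": "ISP-2", "name": "No known-vulnerable packages", "check_type": "sca_vulns", "pass_condition": "PLACEHOLDER"},
    {"id": "ISP-3", "name": "Scanned recently", "check_type": "scan_recency", "pass_condition": "PLACEHOLDER"}
  ]
}
"""
EXAMPLE_DEFINITION = json.loads(EXAMPLE_JSON)

# Constructed bad definition: hyphen in the key, an unknown check_type,
# a missing pass_condition, and a duplicate control id.
BAD_DEFINITION = {
    "name": "Broken Policy",
    "key": "internal-secure-coding",
    "controls": [
        {"id": "BP-1", "name": "Static analysis", "check_type": "sast"},
        {"id": "BP-1", "name": "Secrets", "check_type": "secrets", "pass_condition": "PLACEHOLDER"},
    ],
}

if __name__ == "__main__":
    for label, definition in (("example", EXAMPLE_DEFINITION), ("bad", BAD_DEFINITION)):
        print(label, validate_framework(definition) or "ok")
```

The duplicate-id check is not something the page promises the form enforces; it is there because two controls with the same id would be indistinguishable on the audit timeline and in the JSON export, which is exactly where an auditor will look.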

Manual Evidence & Status Overrides

Compliance is rarely 100% automated. To attach manual evidence (links, files, notes) or override a control’s status (e.g. mark a failing control “accepted_risk” with a documented justification):

  1. Expand the framework on the dashboard
  2. Click the failing/partial control row to expand findings
  3. Add Evidence — attach context (note + file URL + owner)
  4. Override Status — set to pass, accepted_risk, or compensating with a reason

Overrides are reflected in the score and shown on the audit timeline.

Audit Timeline

Every change to compliance configuration is logged for traceability. The timeline (on the compliance dashboard, per-repo) shows:

  • Override events — when a control’s status was manually overridden
  • Evidence events — when documentation was attached
  • Evaluation events — score changes between scans

Org-level configuration changes (enabling/disabling frameworks, marking controls N/A, creating/deleting custom frameworks) appear on Dashboard → Audit Logs, with the actor email, IP, and timestamp.

Exporting for Auditors

From the dashboard header:

  • JSON — raw structured data for GRC tool imports
  • CSV — for spreadsheet analysis
  • HTML — print-ready, use browser Print → Save as PDF

The export reflects your current framework and control selection; disabled controls are excluded. An auditor can still ask why a control was marked N/A, so keep the Audit Logs entry that records who disabled it, when, and from where as the supporting evidence for that decision.

Compliance Digest Email

Send a weekly compliance posture summary to compliance officers:

  1. From the dashboard, click Send Digest
  2. Enter recipient email addresses (comma-separated)
  3. The email includes overall score, posture rating, pass/partial/fail breakdown, and a deep-link to the dashboard

Permissions

Action                                  | Required Role
View compliance dashboard               | Any role
Add evidence / override control status  | Member or higher
Enable/disable frameworks               | Org Admin or Owner
Mark controls N/A                       | Org Admin or Owner
Create/delete custom frameworks         | Member or higher

SCA Compliance Consistency

The SCA module has its own compliance view (Dashboard → SCA → Policy & Compliance). Framework selection on the main compliance dashboard automatically applies there too — if you’ve disabled HIPAA at the org level, it won’t show on the SCA compliance view either.

The mapping handles slight key differences across modules (e.g. PCI-DSS appears as pcidss on the main dashboard and pci_dss_4 on the SCA view; they refer to the same framework).