Configure Compliance Frameworks
By default, CodeStax shows every supported compliance framework on your dashboard: SOC 2, ISO 27001, OWASP Top 10, PCI-DSS, HIPAA, and NIST CSF. Most organizations are in scope for only a subset — and even within those, some specific controls don’t apply (e.g. HIPAA Transmission Security if you don’t transmit ePHI).
This guide walks through tailoring the dashboard to only the frameworks and controls relevant to your organization so the score reflects real posture, not false failures from controls you’re not in scope for.
Who Should Do This
Step 1 — Decide which frameworks apply
Before touching the UI, write down the answer to: what compliance frameworks is my organization in scope for?
Common combinations:
| Org Type | Typical Selection |
|---|---|
| SaaS B2B | SOC 2 + OWASP Top 10 |
| Fintech / Payment | SOC 2 + PCI-DSS + OWASP |
| Healthcare / HealthTech | SOC 2 + HIPAA + OWASP |
| Government / Public sector | NIST CSF + ISO 27001 + OWASP |
| Internal-only tools (no audit) | OWASP Top 10 |
If your auditor or compliance officer has given you a specific list, use that.
Step 2 — Open the framework picker
Step 3 — Toggle the frameworks
The picker shows every supported framework as a checkbox row, plus any custom frameworks defined for your org.
Step 4 — Trim individual controls within each framework
Even within a relevant framework, some controls may not apply. CodeStax classifies each control with one of three recommendation badges:
Configuring controls — step by step
Step 5 — Verify on the dashboard
Custom Frameworks
If your industry has a framework not on the built-in list (e.g. CIS Benchmarks, FedRAMP, internal company policy):
Common Configurations
Configuration 1 — SaaS B2B targeting SOC 2
Enabled frameworks: SOC 2 + OWASP Top 10
Disabled controls: none (use defaults)
Why: SOC 2 is the audit baseline; OWASP Top 10 ensures secure-coding hygiene.
Configuration 2 — Healthcare app
Enabled frameworks: SOC 2 + HIPAA + OWASP Top 10
Disabled controls (SOC 2): CC8.1 Change Management (no PR review process yet)
Disabled controls (HIPAA): 164.308(a)(5) Security Awareness (out of scope for code-level scanning)
Configuration 3 — Internal tooling, audit-light
Enabled frameworks: OWASP Top 10
Disabled controls (OWASP): A04 Insecure Design (too broad), A09 Logging (covered separately)
Use Apply recommendations on each remaining framework to auto-disable optional controls.
Permissions
| Action | Required Role |
|---|---|
| View framework picker | Any role |
| View control list | Any role |
| Enable/disable frameworks | Org Admin or Owner |
| Mark controls Not Applicable | Org Admin or Owner |
| Create custom framework | Member or higher |
If you save without an admin role, the request returns 403 and surfaces as a toast — your selection isn’t lost, just not persisted. Ask an Org Admin or Owner to save it.
Troubleshooting
“Save” button stays disabled
You haven’t made any changes. The button enables when you toggle at least one framework or control.
Compliance dashboard shows “No Frameworks Enabled”
You saved an empty selection. Click “Configure in Settings” on the empty state, then either pick frameworks or click “Reset to default (all)”.
SCA → Policy & Compliance still shows a disabled framework
The SCA module respects your org-level selection automatically. If a framework still appears, hard-refresh the page; a stale browser cache is the usual cause.
Recommendation reasons feel generic
The recommendation engine uses your latest scan findings to refine reasons. Run a fresh scan on a representative repository, then reload the controls page — recommendations now reference your actual findings.
What Gets Audited
Every change you save creates an audit-log entry with:
- Action — one of compliance.frameworks.enabled.update, compliance.controls.update, compliance.custom_framework.created, compliance.custom_framework.deleted
- Actor — your email
- IP + User Agent — captured automatically
- Metadata — structured JSON with old/new values
View at /dashboard/audit-logs, filter by category “Compliance”.
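Because every scope change is logged, a reviewer can pull the Compliance entries and list exactly which frameworks were disabled and which controls were marked Not Applicable, and by whom. The script below is an added example, not CodeStax code: the JSON shape of an exported entry (keys `action`, `actor`, `ip`, `user_agent`, `metadata.old` / `metadata.new`, and a `framework` field on control updates) is assumed, and the sample entries are constructed to mirror Configuration 2 above.

```python
import json

# Constructed sample export. The field names are an assumption for this
# example, not CodeStax's documented schema; only the action identifiers
# come from the audit-log section above.
SAMPLE_EXPORT = json.dumps([
    {"action": "compliance.frameworks.enabled.update", "actor": "admin@example.com",
     "ip": "203.0.113.5", "user_agent": "Mozilla/5.0",
     "metadata": {"old": ["SOC 2", "HIPAA", "OWASP Top 10"],
                  "new": ["SOC 2", "OWASP Top 10"]}},
    {"action": "compliance.controls.update", "actor": "admin@example.com",
     "ip": "203.0.113.5", "user_agent": "Mozilla/5.0",
     "metadata": {"framework": "SOC 2",
                  "old": {"CC8.1": "enabled"},
                  "new": {"CC8.1": "not_applicable"}}},
    {"action": "compliance.custom_framework.created", "actor": "dev@example.com",
     "ip": "203.0.113.9", "user_agent": "Mozilla/5.0",
     "metadata": {"old": None, "new": {"name": "Internal policy"}}},
])

# The four action names the page says are written for compliance changes.
COMPLIANCE_ACTIONS = {
    "compliance.frameworks.enabled.update",
    "compliance.controls.update",
    "compliance.custom_framework.created",
    "compliance.custom_framework.deleted",
}


def scope_reductions(export_json: str) -> list[dict]:
    """Return one record per framework disabled or control newly marked Not Applicable."""
    findings = []
    for entry in json.loads(export_json):
        if entry["action"] not in COMPLIANCE_ACTIONS:
            continue
        meta, who = entry["metadata"], entry["actor"]
        if entry["action"] == "compliance.frameworks.enabled.update":
            # Anything present in the old list but absent from the new one was disabled.
            for fw in set(meta["old"]) - set(meta["new"]):
                findings.append({"actor": who, "kind": "framework_disabled", "item": fw})
        elif entry["action"] == "compliance.controls.update":
            # Only report transitions into not_applicable, not controls that already were.
            for ctrl, state in meta["new"].items():
                if state == "not_applicable" and meta["old"].get(ctrl) != "not_applicable":
                    findings.append({"actor": who, "kind": "control_not_applicable",
                                     "item": f'{meta["framework"]} {ctrl}'})
    return findings


if __name__ == "__main__":
    for f in scope_reductions(SAMPLE_EXPORT):
        print(f"{f['actor']}: {f['kind']} -> {f['item']}")
```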
Related
- Compliance Dashboard reference — full feature reference
- Generate Compliance Reports — export for auditors
- Audit Logging — audit trail
- Set Up Quality Gates — enforce compliance via PR gates