Generate Compliance Reports
CodeStax maps your scan results to compliance frameworks, generating audit-ready reports that demonstrate your organization’s security posture. Reports include vulnerability trends, remediation progress, and policy enforcement evidence.
Available Frameworks
Generating a Report
What’s Included in Each Report
SOC 2 Report
| Section | Coverage |
|---|---|
| Vulnerability Management | Open issues by severity, remediation timelines, trend analysis |
| Access Controls | Team roles, permissions, audit log of configuration changes |
| Change Management | PR review coverage, quality gate enforcement history |
| Risk Assessment | Security score trends, CVSS/EPSS analysis, dependency risk |
| Monitoring | Scan frequency, notification configuration, webhook activity |
ISO 27001 Report
| Section | Coverage |
|---|---|
| A.12 Operations Security | Scan automation, scheduled scans, change detection |
| A.14 System Development | SAST/SCA findings, secure coding evidence, PR review history |
| A.18 Compliance | License compliance, SBOM generation, policy enforcement |
PCI-DSS Report
| Section | Coverage |
|---|---|
| Requirement 6 | Secure development practices, vulnerability scanning results |
| Requirement 11 | Regular testing evidence, scan history, remediation timelines |
| Secret Detection | Credential exposure analysis, leaked key detection |
Best Practices for Compliance
- Scan regularly — Weekly or daily scans provide better trend data for auditors
- Enable quality gates — Demonstrates enforcement of minimum security standards
- Use PR reviews — Shows that code changes are reviewed before deployment
- Document triage decisions — When accepting risk or marking false positives, add notes explaining why
- Keep policies configured — Auditors want to see that security policies are actively managed
Scheduling Recurring Reports
For ongoing compliance, you can configure automatic report generation:
- Navigate to Dashboard → Compliance → Schedule
- Select the framework and reporting frequency (weekly, monthly, quarterly)
- Choose the recipient email addresses
- Reports are generated and emailed automatically on schedule
Related Guides
- Set Up Quality Gates — Enforce standards that auditors look for
- Your First Day with CodeStax — Get scanning set up before generating reports
- Manage Team Access — Configure roles and permissions for compliance