Security And Compliance Reference

Reference for handling security-relevant data, retention posture, evidence trails, and common control mappings.

Data Classes

  • Metadata: repository, commit, policy, and runtime event metadata.
  • Finding Artifacts: rule hit context and remediation metadata.
  • Evidence Records: policy decisions, exemptions, and runtime verification outcomes.
  • Operational Telemetry: integration and service health signals.

Retention And Evidence Posture

  • Retain evidence at least as long as the audit and internal review periods that depend on it; a record that expires before the review that needs it is a control gap.
  • Make retention windows explicit and set them per environment (production versus staging or development) rather than relying on a single implicit default.
  • Record every deletion or archival as an auditable event (what was removed, from which environment, when, and why), so that evidence that was removed can be distinguished from evidence that was never collected.
  • Retain exception and override records alongside the policy outcomes they modify, so that an "allow" can always be traced to the exemption that produced it.
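One way to implement the posture above, as an added example that is not part of the page or the platform's own code: an in-memory evidence store with an explicit per-environment retention window, an archive-or-delete step that writes an audit event for every record it removes, and exemptions that are kept for as long as the decision they override (and vice versa). The record shapes, environment names, and retention windows are assumptions chosen for illustration.

```python
"""Evidence store with explicit, environment-aware retention and auditable removal.

Added example; not the platform's own code. Record fields, environment names and
retention windows below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention policy, in days, per environment. A record for an environment
# with no configured window is rejected rather than silently kept forever.
RETENTION_DAYS = {
    "production": 400,   # an annual audit cycle plus review lag
    "staging": 90,
    "dev": 30,
}


@dataclass
class EvidenceRecord:
    record_id: str
    environment: str
    kind: str                     # "policy_decision", "exemption", "runtime_verification"
    subject: str                  # e.g. "repo@commit" or a workload identifier
    outcome: str                  # "allow", "deny", "exempted", "verified", "failed"
    recorded_at: datetime
    linked_to: Optional[str] = None   # an exemption points at the decision it overrides


@dataclass
class AuditEvent:
    action: str                   # "archive" or "delete"
    record_id: str
    environment: str
    reason: str
    at: datetime


class EvidenceStore:
    def __init__(self, retention_days=RETENTION_DAYS):
        self.retention_days = retention_days
        self.records: dict[str, EvidenceRecord] = {}
        self.archive: dict[str, EvidenceRecord] = {}
        self.audit_log: list[AuditEvent] = []

    def add(self, rec: EvidenceRecord) -> None:
        if rec.environment not in self.retention_days:
            raise ValueError(f"no retention window configured for {rec.environment!r}")
        self.records[rec.record_id] = rec

    def retention_deadline(self, rec: EvidenceRecord) -> datetime:
        return rec.recorded_at + timedelta(days=self.retention_days[rec.environment])

    def expire(self, now: datetime, archive: bool = True) -> list[str]:
        """Apply retention and return the ids acted on. Every removal is logged.

        A decision and the exemptions linked to it share one deadline (the latest
        of the group), so an override never outlives or predeceases the outcome
        it explains.
        """
        deadlines = {rid: self.retention_deadline(r) for rid, r in self.records.items()}
        # Pass 1: a decision is kept at least as long as any exemption linked to it.
        for rid, rec in self.records.items():
            if rec.linked_to in deadlines:
                deadlines[rec.linked_to] = max(deadlines[rec.linked_to], deadlines[rid])
        # Pass 2: an exemption is kept at least as long as the decision it overrides.
        for rid, rec in self.records.items():
            if rec.linked_to in deadlines:
                deadlines[rid] = max(deadlines[rid], deadlines[rec.linked_to])

        acted = []
        for rid, deadline in deadlines.items():
            if now < deadline:
                continue
            rec = self.records.pop(rid)
            if archive:
                self.archive[rid] = rec
            window = self.retention_days[rec.environment]
            self.audit_log.append(AuditEvent(
                "archive" if archive else "delete", rid, rec.environment,
                f"retention window of {window} days elapsed", now))
            acted.append(rid)
        return acted


def demo() -> EvidenceStore:
    """Constructed sample data: four records across three environments."""
    utc = timezone.utc
    store = EvidenceStore()
    store.add(EvidenceRecord("p1", "production", "policy_decision", "api@a1b2c3",
                             "deny", datetime(2024, 1, 1, tzinfo=utc)))
    store.add(EvidenceRecord("s1", "staging", "runtime_verification", "worker-7",
                             "verified", datetime(2025, 5, 1, tzinfo=utc)))
    # dev decision is past its own 30-day window, but a recent exemption overrides it
    store.add(EvidenceRecord("d1", "dev", "policy_decision", "svc@9f9f9f",
                             "deny", datetime(2025, 4, 1, tzinfo=utc)))
    store.add(EvidenceRecord("x1", "dev", "exemption", "svc@9f9f9f",
                             "exempted", datetime(2025, 5, 20, tzinfo=utc), linked_to="d1"))
    store.expire(now=datetime(2025, 6, 1, tzinfo=utc))
    return store


if __name__ == "__main__":
    s = demo()
    for ev in s.audit_log:
        print(f"{ev.at.date()} {ev.action} {ev.record_id} ({ev.environment}): {ev.reason}")
```

The point of the two-pass deadline calculation is the fourth bullet above: with a 30-day window, `d1` would be removed on its own, but because the exemption `x1` that overrides it is still in scope, both stay. Whether `expire` archives or deletes, the audit log records the action, the environment and the reason, so an auditor reviewing a gap in the evidence can see that retention removed it.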

Control Mapping Guidance

SOC 2

Use policy decisions and evidence trails as the supporting records for change-management controls and for attestations that controls operated throughout the review period.

ISO 27001

Map scanner findings, policy checks, and runtime verification outcomes to the secure-development and operations control domains of the standard.

NIST CSF / 800-53

Align detection, protection, and continuous-monitoring outputs with the framework's governance requirements, and keep the evidence records that show each function operated.

FIPS 140-3 Programs

Use migration and evidence artifacts to plan transitions to validated cryptographic modules and to document the validation workflow.

Operational Security Considerations

  • Grant integration identities least-privilege access, scoped to the repositories, policies, and environments they act on.
  • Separate customer policy administration from platform operation roles, so that no single role can both change a policy and operate the system that enforces it.
  • Protect evidence and event stores with strict access controls, especially on write and delete: an evidence store that can be edited by the people whose actions it records is not evidence.
  • Treat drift and policy-bypass events as high-value security signals and route them to detection and response, not only to dashboards.