Compliance overview
Vulkro maps every finding to controls in nine compliance frameworks. Run
vulkro compliance . --profile <name> to evaluate a scan target (here the
current directory) against one framework, or attach a profile to a scan as
it runs by passing --profile to the scan itself.
Frameworks supported
| Profile | Framework | Coverage |
|---|---|---|
| owasp-asvs | OWASP Application Security Verification Standard | L1 + L2, V1-V14 |
| owasp-top10 | OWASP Top 10:2021 | A01-A10 |
| pci | PCI DSS 4.0 | Req 6 (Develop and Maintain Secure Systems and Software), Req 11 (Test Security of Systems and Networks Regularly) |
| soc2 | SOC 2 Trust Services Criteria | CC6 (Logical and Physical Access Controls), CC7 (System Operations) |
| hipaa | HIPAA Security Rule | 45 CFR 164.312 (Technical Safeguards) |
| nist-ssdf | NIST SP 800-218 SSDF | PS (Protect the Software), PW (Produce Well-Secured Software), RV (Respond to Vulnerabilities) practice groups |
| iso27001 | ISO/IEC 27001:2022 | Annex A.5, A.8, A.14 |
| cis | CIS Critical Security Controls v8 | All 18 controls |
| cwe-top25 | CWE Top 25 Most Dangerous Software Weaknesses | All 25 entries |
Numbering caveat: the 2022 edition of ISO/IEC 27001 regrouped Annex A into A.5 to A.8 only; A.14 (System acquisition, development and maintenance) is the 2013 edition's section, and its secure-development controls now sit under A.8. Check which edition an auditor is working from before quoting a control number.
How mapping works
Each finding category carries a compliance_controls list, so every finding
in that category cites the same set of controls. One finding is typically
cited under several frameworks at once: a CSRF detection, for example, maps
to ASVS V13, OWASP A01:2021 (Broken Access Control, where the 2021 list
places CWE-352), PCI 6.5.9 and CIS 16.10 simultaneously. Note that the 6.5.x
numbering belongs to PCI DSS 3.2.1; PCI DSS 4.0 consolidates the
common-attack requirements under 6.2.4, so check which edition a citation
refers to before handing a report to an assessor.
The mapping table is curated by hand because mechanical mappings (e.g. CWE -> control) do not reflect the intent of each framework. We accept the maintenance cost in exchange for citations auditors can defend.
Reading the output
vulkro compliance . --profile soc2
Profile: SOC 2 Trust Services Criteria
Status: 17 controls passed | 4 controls failed | 2 controls partial
CC6.1 Restrict access to information assets FAIL
Citation: API1 - BrokenObjectLevelAuth (115 findings)
Citation: API5 - BrokenFunctionLevelAuth (12 findings)
CC6.6 Implement logical access controls PASS
CC6.7 Restrict transmission to authorised users PASS
CC7.1 Detect security events FAIL
Citation: SecurityMisconfiguration - auditing disabled (47 findings)
...
Pass / fail / partial status is computed per control from the most severe finding in any of that control's mapped categories:
- PASS - no findings against any of the control's mapped categories.
- FAIL - at least one Critical or High finding against a mapped category.
- PARTIAL - only Medium or Low findings against mapped categories.
A PASS means the scanner found nothing in the mapped categories, not that the control is met: a control whose mapped categories the scanner cannot observe at all reads PASS by default, so treat it as absence of evidence of failure rather than proof of compliance.
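The mapping rule ("How mapping works") and the status rule above, carried through as an added worked example in Python. This is not Vulkro's code: the MAPPING table, the PROFILE_CONTROLS lists and the findings are constructed for illustration from the SOC 2 output quoted on this page and the OWASP Top 10:2021 categories those findings belong to, and the "profile:control" string form of compliance_controls is an assumption about shape, not Vulkro's format. The page does not say how severities outside Critical/High/Medium/Low (e.g. Info) are treated, so the example rejects them rather than guessing.

```python
"""Per-control PASS / FAIL / PARTIAL evaluation over a curated mapping table.

Added example, not Vulkro's code: mapping entries, profile control lists and
findings are constructed from the controls quoted on the page.
"""
from collections import Counter
from dataclasses import dataclass

# Severity buckets exactly as the page defines them. Anything else (e.g. Info)
# is rejected instead of guessed, since the page does not cover it (assumption).
CRITICAL_OR_HIGH = {"Critical", "High"}
MEDIUM_OR_LOW = {"Medium", "Low"}

# Hand-curated table: finding category -> {profile: [controls]}. Constructed
# for illustration; a real table would be far larger and maintained by hand.
MAPPING = {
    "BrokenObjectLevelAuth": {"soc2": ["CC6.1"], "owasp-top10": ["A01:2021"]},
    "BrokenFunctionLevelAuth": {"soc2": ["CC6.1"], "owasp-top10": ["A01:2021"]},
    "SecurityMisconfiguration": {"soc2": ["CC7.1"], "owasp-top10": ["A05:2021"]},
}

# Every control a profile evaluates, so controls nothing maps to still PASS.
# Constructed subset of each framework.
PROFILE_CONTROLS = {
    "soc2": ["CC6.1", "CC6.6", "CC6.7", "CC7.1"],
    "owasp-top10": ["A01:2021", "A05:2021"],
}


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str

    @property
    def compliance_controls(self):
        """Controls this finding cites across all profiles, as 'profile:control'."""
        return [f"{profile}:{control}"
                for profile, controls in MAPPING.get(self.category, {}).items()
                for control in controls]


def evaluate(findings, profile):
    """Return {control: (status, {category: finding_count})} for one profile."""
    controls = PROFILE_CONTROLS[profile]
    hits = {c: Counter() for c in controls}   # findings per category per control
    severe = {c: False for c in controls}     # any Critical/High seen on the control?
    for f in findings:
        if f.severity not in CRITICAL_OR_HIGH | MEDIUM_OR_LOW:
            raise ValueError(f"unhandled severity {f.severity!r} on {f.category}")
        for control in MAPPING.get(f.category, {}).get(profile, []):
            if control not in hits:
                continue  # mapped to a control this profile does not evaluate
            hits[control][f.category] += 1
            if f.severity in CRITICAL_OR_HIGH:
                severe[control] = True
    result = {}
    for control in controls:
        if not hits[control]:
            status = "PASS"       # nothing found in any mapped category
        elif severe[control]:
            status = "FAIL"       # at least one Critical/High
        else:
            status = "PARTIAL"    # only Medium/Low
        result[control] = (status, dict(hits[control]))
    return result


def summarize(result):
    """Counts in the shape of the page's 'Status:' line."""
    counts = Counter(status for status, _ in result.values())
    return {"passed": counts["PASS"], "failed": counts["FAIL"], "partial": counts["PARTIAL"]}


def render(profile, result):
    """Plain-text report in the layout shown on the page."""
    s = summarize(result)
    lines = [f"Profile: {profile}",
             f"Status: {s['passed']} controls passed | {s['failed']} controls failed "
             f"| {s['partial']} controls partial"]
    for control, (status, by_category) in result.items():
        lines.append(f"{control} {status}")
        for category, n in sorted(by_category.items()):
            lines.append(f"  Citation: {category} ({n} findings)")
    return "\n".join(lines)


# Constructed findings: two High BOLA, one Medium BFLA, two misconfigurations.
SAMPLE_FINDINGS = [
    Finding("BrokenObjectLevelAuth", "High"),
    Finding("BrokenObjectLevelAuth", "High"),
    Finding("BrokenFunctionLevelAuth", "Medium"),
    Finding("SecurityMisconfiguration", "Medium"),
    Finding("SecurityMisconfiguration", "Low"),
]

if __name__ == "__main__":
    for profile in PROFILE_CONTROLS:
        print(render(profile, evaluate(SAMPLE_FINDINGS, profile)), end="\n\n")
```

Running it prints one report per profile; the same five findings fail CC6.1 and A01:2021 and leave CC7.1 and A05:2021 PARTIAL, which is the "one finding, several frameworks" behaviour described above. Note that the status of a control depends only on the worst severity seen, not on the count: one Critical finding and a hundred Low findings both produce FAIL.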
In the desktop console
The Compliance tab visualises pass / fail per control with direct links to the underlying findings. An auditor can ask "show me how you meet PCI 6.5.7" and you can answer in one click.