Skip to main content

Compliance overview

vulkro-sf emits findings that map into the published compliance frameworks Salesforce-deployed apps are usually audited against. This page is the entry point. Each framework gets its own page below with the control-by-control mapping.

The mapping is a property of every finding. A single Apex CRUD/FLS gap, for example, surfaces as evidence under SOC 2 CC6.1, HIPAA § 164.312(a)(1), and GDPR Art. 25 in the same scan. CI consumers can filter or surface findings by framework, then hand the resulting SARIF file to an auditor.

The four frameworks this section covers

Across the consultancy and ISV deployments we ship into, these four frameworks account for the overwhelming majority of audit asks for Salesforce-deployed apps:

FrameworkWhen it applies
SOC 2Most common. Any SaaS / managed-service vendor with enterprise customers.
HIPAAHealth Cloud deployments, regulated SIs, any app that touches PHI.
GDPRAny EU-resident data subject, processor, or sub-processor.
PCI-DSSAny deployment that stores, processes, or transmits cardholder data, or sits adjacent to a system that does.

The general Vulkro scanner already documents nine frameworks total (ASVS, OWASP API Top 10, PCI-DSS 4.0, SOC 2, HIPAA, GDPR Art. 30, NIST SSDF, ISO 27001, CIS Controls v8). The four pages in this section cover the Salesforce-specific half of the most-requested four. For the non-SF half (web app, API, mobile), link out to the general-scanner pages under /docs/compliance/.

How findings carry framework tags

Every finding Vulkro emits carries a compliance tag per applicable framework. The tag is compliance.<framework>.<control>, for example:

compliance.soc2.cc6.1
compliance.hipaa.164.312.a.1
compliance.gdpr.art.25
compliance.pci.req.6.2.4

A CI pipeline can grep for compliance.soc2. to surface only SOC 2-relevant findings, or pivot a dashboard by tag to track readiness per framework.

The --compliance flag

vulkro-sf scan accepts a --compliance <framework> flag that filters findings to only those that carry the requested framework tag. Useful when you want a SOC 2 scoped scan handed to an audit team without drowning them in the full finding set.

vulkro-sf scan ./force-app --compliance soc2
vulkro-sf scan ./force-app --compliance hipaa
vulkro-sf scan ./force-app --compliance gdpr
vulkro-sf scan ./force-app --compliance pci

The flag accepts framework aliases (soc2, soc-2, hipaa, gdpr, pci, pci-dss).

The --compliance-pack report

vulkro-sf scan --compliance-pack <framework> renders a compliance-readiness HTML report scoped to one framework. It groups findings by control family, lists what was checked, marks every control as PASS, FAIL, or NOT EVALUATED, and pins the framework version at the top of the report so the result is reproducible.

vulkro-sf scan ./force-app --compliance-pack soc2 -o soc2-readiness.html

The browser's File - Save as PDF turns the HTML into a deliverable an auditor can attach to evidence.

Framework summary table

FrameworkSalesforce control families Vulkro coversDetail page
SOC 2CC6 Logical access, CC7 System operations, CC8 Change management, CC9 Risk mitigation, C1 ConfidentialitySOC 2 ->
HIPAA§ 164.312(a) Access Control, (b) Audit Controls, (c) Integrity, (d) Authentication, (e) Transmission SecurityHIPAA ->
GDPRArt. 5 Principles, Art. 25 Privacy by design, Art. 30 RoPA, Art. 32 Security of processing, Art. 33 Breach notification, Art. 35 DPIAGDPR ->
PCI-DSSCovered in the master mapping tablePCI-DSS row

The full per-detector mapping (every Salesforce detector, every framework in one place) lives on the master compliance mapping page.

What compliance is, and what it isn't

A scanner produces evidence for a control. A person still owns the control. The honest framing:

  • What Vulkro can do: generate reproducible, timestamped evidence that the technical surface of your Salesforce deployment meets a named control on a named date. The SARIF output is the artifact you hand to an auditor.
  • What Vulkro cannot do: sign your BAA, run your access reviews, draft your Statement of Applicability, manage your change-control board, or own your incident-response runbook. The organizational controls (CC1 through CC5, HIPAA administrative safeguards, GDPR controller obligations, PCI organizational requirements) need human process, written policy, and signed contracts. A scanner does not produce those.

We do not ship a "Vulkro makes you SOC 2 compliant" claim, ever. The right framing for buyers and auditors is "Vulkro emits the technical evidence; the audit is yours to pass."