
Compliance Mapping

Maps penetration test findings to regulatory and industry compliance frameworks. Given an engagement's findings (with their CWEs), this feature identifies which framework requirements are violated and produces a gap report.


Supported frameworks

| ID | Framework | Focus |
|---|---|---|
| PCI-DSS-4.0 | Payment Card Industry DSS 4.0 | Cardholder data protection |
| SOC2 | SOC 2 Type II | Trust services criteria |
| ISO-27001 | ISO/IEC 27001:2022 | Information security management |
| GDPR | EU General Data Protection Regulation | Personal data processing |
| NIS2 | EU NIS2 Directive | Network and information security |
| DORA | Digital Operational Resilience Act | Financial sector ICT resilience |
| OWASP-ASVS | OWASP ASVS 4.0 | Application security verification |

How it works

  1. The mapper reads all FINDING-*.md files from the engagement directory
  2. Each finding's CWE is matched against a mapping table that links CWEs to framework requirements
  3. For each framework requested, the report shows which requirements have gaps (i.e., at least one finding maps to that requirement)
  4. Unmapped CWEs (findings with CWEs not present in any framework) are listed separately

The mapping is static and deterministic -- no AI inference is involved. Adding a new framework means adding a new mapping file.
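The four steps above, carried through on constructed data as an added example (this is not the project's own mapper). Everything specific is an assumption: the two tiny mapping tables (requirement ids and descriptions are placeholders, not the frameworks' real text), the FINDING-*.md layout (a "CWE:" line and a "Severity:" line, which the page does not specify), and the five sample findings. The output follows the ComplianceOverview shape from the API section, including coverage_pct and the separate unmapped CWE list.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Sequence

# Hypothetical mapping tables, constructed for this example: requirement ids and
# descriptions are placeholders, not the frameworks' real text.
FRAMEWORKS: Dict[str, dict] = {
    "PCI-DSS-4.0": {
        "name": "PCI DSS 4.0",
        "requirements": {"4.2.1": "Strong cryptography protects account data in transit",
                         "6.2.4": "Software engineering techniques prevent common vulnerabilities",
                         "8.3.1": "Strong authentication for all user access"},
        "cwe_map": {"CWE-79": ["6.2.4"], "CWE-89": ["6.2.4"], "CWE-287": ["8.3.1"]},
    },
    "OWASP-ASVS": {
        "name": "OWASP ASVS 4.0",
        "requirements": {"V2.1.1": "Password length requirements",
                         "V5.3.4": "Parameterized queries for data access"},
        "cwe_map": {"CWE-89": ["V5.3.4"], "CWE-521": ["V2.1.1"]},
    },
}
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Assumed finding-file layout: a "CWE:" line and a "Severity:" line somewhere in
# the markdown (the page does not specify the real FINDING-*.md format).
_FIELD_RE = re.compile(r"^(CWE|Severity):[ \t]*(.+?)[ \t]*$", re.MULTILINE | re.IGNORECASE)


def parse_finding(finding_id: str, text: str) -> dict:
    """Extract CWE and severity from one finding file; reject malformed input loudly."""
    fields = {key.lower(): value for key, value in _FIELD_RE.findall(text)}
    cwe = fields.get("cwe", "").upper()
    if not re.fullmatch(r"CWE-\d+", cwe):
        raise ValueError(f"{finding_id}: missing or malformed CWE field")
    severity = fields.get("severity", "Info").title()
    if severity not in SEVERITY_RANK:
        raise ValueError(f"{finding_id}: unknown severity {severity!r}")
    return {"id": finding_id, "cwe": cwe, "severity": severity}


def load_findings(engagement_dir: str) -> List[dict]:
    """Step 1: read every FINDING-*.md in the engagement directory, in name order."""
    paths = sorted(Path(engagement_dir).glob("FINDING-*.md"))
    return [parse_finding(p.stem, p.read_text(encoding="utf-8")) for p in paths]


def build_overview(engagement_name: str, findings: Sequence[dict],
                   framework_ids: Optional[Sequence[str]] = None) -> dict:
    """Steps 2-4: match CWEs to requirements and build a ComplianceOverview-shaped dict."""
    requested = list(framework_ids) if framework_ids else list(FRAMEWORKS)
    unknown = [fw for fw in requested if fw not in FRAMEWORKS]
    if unknown:
        raise ValueError(f"unsupported framework ids: {unknown}")
    # A CWE counts as unmapped only if no supported framework knows it at all.
    known = {cwe for fw in FRAMEWORKS.values() for cwe in fw["cwe_map"]}
    unmapped = sorted({f["cwe"] for f in findings if f["cwe"] not in known})

    reports = []
    for fw_id in requested:
        fw = FRAMEWORKS[fw_id]
        hits: Dict[str, List[dict]] = {}          # requirement id -> findings hitting it
        for finding in findings:
            for req_id in fw["cwe_map"].get(finding["cwe"], []):
                hits.setdefault(req_id, []).append(finding)
        gaps = []
        for req_id in sorted(hits):
            group = hits[req_id]
            # The gap carries the worst severity among the findings behind it.
            worst = max(group, key=lambda f: SEVERITY_RANK[f["severity"]])["severity"]
            gaps.append({"requirement_id": req_id,
                         "requirement_desc": fw["requirements"][req_id],
                         "finding_ids": sorted(f["id"] for f in group),
                         "severity": worst, "status": "non_compliant"})
        total = len(fw["requirements"])
        reports.append({"framework": fw_id, "framework_name": fw["name"],
                        "total_requirements": total, "gaps_found": len(gaps),
                        "coverage_pct": round(100.0 * (total - len(gaps)) / total, 2),
                        "gaps": gaps})
    return {"engagement_name": engagement_name, "finding_count": len(findings),
            "unmapped_cwes": unmapped, "frameworks": reports}


# Constructed sample findings standing in for the FINDING-*.md files on disk.
SAMPLE_FINDINGS = {
    "FINDING-001": "# SQL injection in search\nSeverity: High\nCWE: CWE-89\n",
    "FINDING-002": "# Reflected XSS in error page\nSeverity: Medium\nCWE: CWE-79\n",
    "FINDING-003": "# Authentication bypass on admin API\nSeverity: Critical\nCWE: CWE-287\n",
    "FINDING-004": "# Verbose server banner\nSeverity: Low\nCWE: CWE-1234\n",
    "FINDING-005": "# Weak password policy\nSeverity: Low\nCWE: CWE-521\n",
}


def demo() -> dict:
    """Same result as GET /api/v1/compliance/engagements/acme-2026-q1?frameworks=PCI-DSS-4.0,OWASP-ASVS."""
    findings = [parse_finding(fid, text) for fid, text in SAMPLE_FINDINGS.items()]
    return build_overview("acme-2026-q1", findings, ["PCI-DSS-4.0", "OWASP-ASVS"])
```

Two design points worth keeping when building a real mapper: a requirement's gap severity is taken as the worst of its contributing findings, so one Critical finding is not diluted by several Low ones, and "unmapped" is judged against every supported framework rather than only the requested ones, matching step 4 above. With the sample data, PCI-DSS-4.0 has two gaps out of three placeholder requirements (coverage_pct 33.33) and CWE-1234 is reported as unmapped.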


API endpoints

List frameworks

GET /api/v1/compliance/frameworks

Returns all supported frameworks with their IDs and requirement counts.

Generate gap report

GET /api/v1/compliance/engagements/{engagement_name}

| Parameter | Type | Required | Description |
|---|---|---|---|
| engagement_name | path | yes | Name of the engagement directory |
| frameworks | query | no | Comma-separated framework IDs (e.g. PCI-DSS-4.0,SOC2). Omit to run all |

Response (ComplianceOverview):

{
  "engagement_name": "acme-2026-q1",
  "finding_count": 14,
  "unmapped_cwes": ["CWE-1234"],
  "frameworks": [
    {
      "framework": "PCI-DSS-4.0",
      "framework_name": "PCI DSS 4.0",
      "total_requirements": 264,
      "gaps_found": 8,
      "coverage_pct": 96.97,
      "gaps": [
        {
          "requirement_id": "6.2.4",
          "requirement_desc": "Software engineering techniques prevent common vulnerabilities",
          "finding_ids": ["FINDING-003", "FINDING-007"],
          "severity": "High",
          "status": "non_compliant"
        }
      ]
    }
  ]
}

Export evidence package

GET /api/v1/compliance/engagements/{engagement_name}/export?framework=PCI-DSS-4.0

| Parameter | Type | Required | Description |
|---|---|---|---|
| framework | query | yes | Single framework ID |

Returns the same gap data in a flat JSON structure suitable for import into GRC tools.
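The page does not show the flat structure itself, so here is one reasonable flattening as an added example (not the project's export code): each (requirement, finding) pair becomes one self-describing row, which is what most GRC importers expect. The row field names are an assumption, and the sample overview below is constructed to mirror the ComplianceOverview response above with a second placeholder gap added.

```python
import json
from typing import List

# Constructed overview mirroring the ComplianceOverview response shown above; the
# second gap (8.3.1) is a placeholder added so the export has more than one requirement.
SAMPLE_OVERVIEW = {
    "engagement_name": "acme-2026-q1",
    "finding_count": 14,
    "unmapped_cwes": ["CWE-1234"],
    "frameworks": [{
        "framework": "PCI-DSS-4.0", "framework_name": "PCI DSS 4.0",
        "total_requirements": 264, "gaps_found": 2, "coverage_pct": 99.24,
        "gaps": [
            {"requirement_id": "6.2.4",
             "requirement_desc": "Software engineering techniques prevent common vulnerabilities",
             "finding_ids": ["FINDING-003", "FINDING-007"],
             "severity": "High", "status": "non_compliant"},
            {"requirement_id": "8.3.1",
             "requirement_desc": "Strong authentication for all user access",  # placeholder text
             "finding_ids": ["FINDING-011"],
             "severity": "Critical", "status": "non_compliant"},
        ],
    }],
}


def flatten_for_export(overview: dict, framework: str) -> List[dict]:
    """Flatten one framework's gaps into one row per (requirement, finding) pair."""
    matches = [fw for fw in overview["frameworks"] if fw["framework"] == framework]
    if len(matches) != 1:
        # The export endpoint takes exactly one framework id; mirror that contract here.
        raise ValueError(f"export needs exactly one framework; {framework!r} matched {len(matches)}")
    fw = matches[0]
    rows = []
    for gap in fw["gaps"]:
        for finding_id in gap["finding_ids"]:
            rows.append({
                "engagement": overview["engagement_name"],
                "framework": fw["framework"],
                "requirement_id": gap["requirement_id"],
                "requirement_desc": gap["requirement_desc"],
                "finding_id": finding_id,
                "severity": gap["severity"],
                "status": gap["status"],
            })
    # Deterministic ordering keeps re-imports and diffs in the GRC tool stable.
    rows.sort(key=lambda r: (r["requirement_id"], r["finding_id"]))
    return rows


def export_json(overview: dict, framework: str) -> str:
    """Serialize the flat rows as the JSON document a GRC tool would ingest."""
    return json.dumps(flatten_for_export(overview, framework), indent=2)
```

Because every row repeats the engagement and framework, a GRC tool can ingest several exports into one table without losing context, and a row per finding (rather than per requirement) preserves the evidence link back to the individual FINDING-*.md file.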


CLI equivalent

The /pentest report phase (--hwg flag) generates an Italian-language compliance report in HWG format that includes ASVS category mapping. The dashboard API provides the same data programmatically and supports all 7 frameworks.


Connections to other features

  • Remediation Generator: after identifying a compliance gap, use the Remediation Generator to produce fix code for the underlying finding
  • Webhooks: compliance reports can trigger report_ready webhook events, notifying external systems when a new gap analysis is available