Compliance as Code

Verifying Compliance

Query the compliance graph via GraphQL or generate OSCAL and Markdown artifacts to verify your security posture.

Auditing the Graph

After the importer runs, you can verify your compliance posture interactively using GraphQL, or automatically generate standard audit artifacts like OSCAL documents and Markdown reports using Output modules.

1. Auditing with GraphQL

You can use GraphQL to instantly check if specific controls were applied to your architecture. To check if the database encryption control was applied to billing-api, you can query its database relation:

query VerifyComplianceEnrichment {
  application(filter: {name: "billing-api"}) {
    name
    database {
      properties {
        relation
        controls {
          control_id
          min_tls_version
          status
        }
      }
      node { name }
    }
  }
}
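The query above is interactive; for a CI gate you want the same check automated. The script below is an added example (not part of this documentation or the project's own tooling): it evaluates a response shaped like the VerifyComplianceEnrichment result and flags any database relation where the control is missing, its status is not the assumed value "applied", or min_tls_version falls below a threshold. The control_id value, the status vocabulary, the endpoint URL and the embedded response are all assumptions constructed for illustration.

```python
import json
import urllib.request

# Constructed sample response in the shape the VerifyComplianceEnrichment
# query returns. Field names come from the query; the values are assumed.
SAMPLE_RESPONSE = json.loads("""
{"data": {"application": [{"name": "billing-api", "database": [
  {"properties": {"relation": "uses", "controls": [
     {"control_id": "db-encryption", "min_tls_version": "1.2", "status": "applied"}]},
   "node": {"name": "billing-db"}},
  {"properties": {"relation": "uses", "controls": [
     {"control_id": "db-encryption", "min_tls_version": "1.0", "status": "applied"}]},
   "node": {"name": "billing-reporting-db"}},
  {"properties": {"relation": "uses", "controls": []},
   "node": {"name": "billing-cache"}}
]}]}}
""")

def parse_version(v):
    """'1.2' -> (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def as_list(x):
    """The graph may return a single object or a list; normalise to a list."""
    return x if isinstance(x, list) else [x]

def audit_database_controls(response, control_id="db-encryption", min_tls="1.2"):
    """Return (database, finding) pairs; an empty list means every relation passes."""
    findings = []
    for app in as_list(response["data"]["application"]):
        for edge in as_list(app["database"]):
            db = edge["node"]["name"]
            matching = [c for c in edge["properties"]["controls"] if c["control_id"] == control_id]
            if not matching:
                findings.append((db, f"control {control_id} not applied"))
                continue
            for c in matching:
                if c["status"] != "applied":  # assumed status vocabulary
                    findings.append((db, f"control status is {c['status']}"))
                if parse_version(c["min_tls_version"]) < parse_version(min_tls):
                    findings.append((db, f"min_tls_version {c['min_tls_version']} below {min_tls}"))
    return findings

def run_query(endpoint, query):
    """POST a query to a GraphQL endpoint (assumed URL); unused in the offline demo."""
    body = json.dumps({"query": query}).encode()
    req = urllib.request.Request(endpoint, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    for db, msg in audit_database_controls(SAMPLE_RESPONSE):
        print(f"FAIL {db}: {msg}")
```

Exit non-zero on any finding to turn this into a pipeline gate; the same loop works over a live response from run_query.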

Example: CCM Reporting

If you are using frameworks like the Cloud Security Alliance’s Cloud Controls Matrix (CCM), the compliance engine automatically aggregates evidence onto the control nodes. You can query the control nodes to extract the evidence_summary and see exactly which resources validate each control:

query CCMComplianceReport {
  control {
    name
    description
    evidence_summary
    validated_by {
      properties {
        target_description
        evidence_type
        governed_resource
      }
      node {
        __typename
      }
    }
  }
}