Compliance as Code

Merging Behavior

Understand how compliance properties are aggregated across multiple sources without overwriting existing values.

Merging Behavior in Compliance

During Compliance Application, when [[control]] rules add properties to resources or relationships, those properties are always aggregated (merged) rather than replaced, so that controls and requirements declared in multiple sources accumulate instead of overwriting each other.

The aggregation logic is as follows:

  • If the existing property is not an array, it is converted into an array containing just that value.
  • The new value (or values, if it is an array) is added to this array.
  • Duplicate values in the final array are removed.
  • If the final array contains only one item, it is stored as a single scalar value rather than an array.

For example, if two different compliance files add control metadata to the same database connection:

  • iso27001.toml adds a controls property with [{ "control_id": "A.5.14" }].
  • dora.toml adds a controls property with [{ "control_id": "dora-rmf-std-encryption" }].

The final relation will have a controls property containing an array with both control objects, providing a complete view of all governance applied to that connection. Note that after only the first file has been applied the property holds a single control object rather than a one-element array (rule 4 above), so any code that reads controls must accept both a scalar and an array.
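The following is an added illustration of the four merge rules and of the iso27001.toml / dora.toml example, not code from the Compliance as Code project itself. The function names (merge_property, apply_property, as_list, apply_compliance_files) are assumptions, the ISO27001_CONTROLS and DORA_CONTROLS lists are constructed stand-ins for what the two files' [[control]] tables would add, and the page does not say how two control objects are compared for de-duplication, so structural (canonical JSON) equality is assumed here:

```python
from __future__ import annotations

import json
from typing import Any


def _identity(value: Any) -> str:
    """Canonical JSON form used to detect duplicates.

    ASSUMPTION: the page states that duplicates are removed but not how
    objects are compared; structural equality (same keys and values) is
    used here, so two dicts with identical content count as one control.
    """
    return json.dumps(value, sort_keys=True, separators=(",", ":"), default=str)


def merge_property(existing: Any, new: Any) -> Any:
    """Aggregate `new` into `existing` following the four merge rules.

    `existing` is None when the resource or relationship has no such
    property yet; the result is then just the (possibly collapsed) new value.
    """
    # Rule 1: a non-array existing value is wrapped in a one-element array.
    if existing is None:
        merged: list[Any] = []
    elif isinstance(existing, list):
        merged = list(existing)
    else:
        merged = [existing]

    # Rule 2: the new value, or every element of a new array, is appended.
    merged.extend(new if isinstance(new, list) else [new])

    # Rule 3: duplicates are dropped, keeping each value's first position.
    seen: set[str] = set()
    unique: list[Any] = []
    for item in merged:
        key = _identity(item)
        if key not in seen:
            seen.add(key)
            unique.append(item)

    # Rule 4: a single surviving value is stored as a scalar, not a 1-item array.
    return unique[0] if len(unique) == 1 else unique


def apply_property(target: dict[str, Any], name: str, value: Any) -> dict[str, Any]:
    """Merge `value` into property `name` of a resource/relationship dict in place."""
    target[name] = merge_property(target.get(name), value)
    return target


def as_list(value: Any) -> list[Any]:
    """Consumer-side normalisation: because of rule 4 a property may be either
    a scalar or an array, so readers should never assume one shape."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# Constructed stand-ins for the [[control]] tables that iso27001.toml and
# dora.toml would add to the same database connection (not real file contents).
ISO27001_CONTROLS = [{"control_id": "A.5.14"}]
DORA_CONTROLS = [{"control_id": "dora-rmf-std-encryption"}]


def apply_compliance_files(relation: dict[str, Any]) -> dict[str, Any]:
    """Apply both files, then re-apply the first to show de-duplication."""
    apply_property(relation, "controls", ISO27001_CONTROLS)
    apply_property(relation, "controls", DORA_CONTROLS)
    apply_property(relation, "controls", ISO27001_CONTROLS)  # already present: no change
    return relation


if __name__ == "__main__":
    db_conn = {"source": "app", "target": "postgres"}  # constructed relation
    apply_property(db_conn, "controls", ISO27001_CONTROLS)
    print(db_conn["controls"])  # a single control collapses to a scalar object (rule 4)
    apply_compliance_files(db_conn)
    print(db_conn["controls"])  # both control objects, each exactly once
    print(len(as_list(db_conn["controls"])))
```

The order in which files are applied only affects element order, not membership, and re-applying a file is idempotent because of rule 3. The one behaviour worth guarding against in downstream code is the scalar collapse: as_list is the kind of wrapper a consumer needs before iterating over controls.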