End-User Guide

Continuous Auditing

Automate compliance checks and generate audit artifacts using GraphQL queries against your infrastructure graph.

Automated Compliance Checks and Governance via the Graph

The graph transforms auditing from a periodic, manual task into a continuous, automated process. Compliance rules are no longer just documents; they are queryable facts within your infrastructure’s model.

Automated Compliance Checks

Schedule scripts to run GraphQL queries that check for policy violations. The compliance enrichment applied during the compliance phase becomes your living audit trail.

Example GraphQL Query for Auditing:

query FindUnencryptedConnections {
  # Find all application-to-database connections...
  application {
    database {
      properties {
        # ...that are MISSING the mandatory security control.
        # The query itself only returns the 'controls' array; the calling script
        # must check it for the absence of the "SEC-DB-01" control ID, treating a
        # missing or empty array as a violation.
        controls
      }
      node { name }
      sourceNode: parent { name } # 'parent' gets the source application
    }
  }
}

Running this query daily immediately identifies any database connections that have not been properly enriched by your security.toml compliance file, giving you a real-time view of your security posture. Furthermore, the compliance-as-code model enables you to define your entire security posture, such as an OSCAL System Security Plan (SSP), in code and ensure it is distributed to all responsible parties for implementation.
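A scheduled checker for the query above, written here as an added example (not part of this guide or the project's own tooling): it posts the query to an assumed endpoint URL, then applies the check the query comment describes, flagging every application-to-database edge whose controls array lacks SEC-DB-01. The endpoint URL, the response shape (application and database returned as lists) and the sample response are assumptions.

```python
import json
import sys
import urllib.request
GRAPHQL_URL = "http://localhost:8080/graphql"  # hypothetical endpoint; adjust
REQUIRED_CONTROL = "SEC-DB-01"                 # mandatory control ID from the guide

# The guide's FindUnencryptedConnections query, minus its comments.
QUERY = """query FindUnencryptedConnections {
  application { database {
    properties { controls }
    node { name }
    sourceNode: parent { name } } } }"""

def run_query(url=GRAPHQL_URL, query=QUERY):
    """POST the query to the GraphQL endpoint and return the decoded JSON body."""
    req = urllib.request.Request(url, data=json.dumps({"query": query}).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def find_violations(response, required=REQUIRED_CONTROL):
    """Return (application, database) pairs whose edge lacks the required control.
    Assumes 'application' and 'database' come back as lists; a missing 'properties',
    a null 'controls' and an empty list all count as violations, since an edge the
    compliance phase never enriched may omit the field entirely."""
    violations = []
    for app in response.get("data", {}).get("application") or []:
        for edge in app.get("database") or []:
            controls = (edge.get("properties") or {}).get("controls") or []
            if required not in controls:
                violations.append((edge["sourceNode"]["name"], edge["node"]["name"]))
    return violations

# Constructed sample response (not real output) covering all three cases.
SAMPLE_RESPONSE = {"data": {"application": [
    {"database": [
        {"properties": {"controls": ["SEC-DB-01", "SEC-DB-02"]},
         "node": {"name": "orders-db"}, "sourceNode": {"name": "orders-api"}},
        {"properties": {"controls": []},
         "node": {"name": "reports-db"}, "sourceNode": {"name": "orders-api"}}]},
    {"database": [
        {"properties": {},  # 'controls' absent entirely: never enriched
         "node": {"name": "sessions-db"}, "sourceNode": {"name": "auth-svc"}}]}]}}

if __name__ == "__main__":  # pass --sample to run offline against the constructed data
    missing = find_violations(SAMPLE_RESPONSE if "--sample" in sys.argv else run_query())
    for app_name, db_name in missing:
        print(f"VIOLATION: {app_name} -> {db_name} lacks {REQUIRED_CONTROL}")
    sys.exit(1 if missing else 0)  # non-zero exit lets a scheduler raise an alert
```

Run it from cron or a CI job; the non-zero exit status on any violation is what turns the daily query into an actionable alert.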

CCM Compliance Reporting

If you are using frameworks like the Cloud Security Alliance’s Cloud Controls Matrix (CCM), the compliance engine automatically aggregates evidence onto the control nodes. You can query the control nodes to extract the evidence_summary and see exactly which resources validate each control:

query CCMComplianceReport {
  control {
    name
    description
    evidence_summary
    validated_by {
      properties {
        target_description
        evidence_type
        governed_resource
      }
      node {
        __typename
      }
    }
  }
}

For a complete reference on generating static audit artifacts (Markdown reports and OSCAL documents), see Generating Audit Artifacts in the Compliance Developer Guide.

For interactive compliance queries with detailed examples, see Auditing with GraphQL.