docs/compliance.md

SOC 2-Ready Controls Baseline

Identity and access

  • SSO via OIDC/SAML at gateway ingress.
  • Mandatory MFA policy for operator access.
  • RBAC + attribute policies by workspace.
  • Approval workflow for privileged operations.

Data and cryptography

  • TLS for external traffic and mTLS between services inside the internal service mesh.
  • Envelope encryption for sensitive metadata (CredentialRef payloads in psa_resources).
  • Credential references only (no raw secret storage).
  • Backup and restore validation cadence.

Audit and supply chain

  • Signed execution evidence for workflows.
  • Immutable logs shipped to long-term store.
  • SBOM generation in CI pipelines.
  • Container image signing (Cosign keyless) and verification gates.
  • Trivy vulnerability scanning in CI with SARIF upload.
  • Dependency review gate on pull requests (fail-on-severity: high).
  • TruffleHog secret exposure scanning on pull requests and main branch.
  • Placeholder/fallback detector gate for production paths (scripts/ci/no-placeholders.sh).
  • CI guard that rejects zeroed worker replica counts or autoscaling floors in staging/prod overlays.
  • Documentation synchronization gate (scripts/ci/docs-verify.sh).
  • Webhook signature verification plus replay protection receipts (webhook_receipts).
  • Platform/workspace settings changes are versioned and attributable (updated_by, updated_at).
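The webhook control above combines two checks: a signature over the delivery so tampered or forged payloads are rejected, and a receipt record so a captured delivery cannot be accepted twice. The following is an added example illustrating that pairing; it is not code from this project. It assumes HMAC-SHA256 over `<timestamp>.<body>`, header names `X-Webhook-Timestamp`, `X-Webhook-Id` and `X-Webhook-Signature`, a five-minute freshness window, and an in-memory dictionary standing in for the `webhook_receipts` store; all of these are assumptions, not details taken from the page.

```python
"""Webhook signature verification with replay-protection receipts.

Added example. Assumed (not from the compliance page): HMAC-SHA256 over
"<timestamp>.<body>", the three header names below, a 300-second window,
and an in-memory dict in place of the webhook_receipts table.
"""
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed freshness window for a delivery timestamp


class ReceiptStore:
    """Stand-in for the webhook_receipts store: remembers delivery ids that
    were accepted, keyed to their timestamp so stale entries can be pruned."""

    def __init__(self):
        self._seen = {}

    def record_if_new(self, delivery_id, ts, now):
        # Receipts older than the window can no longer pass the freshness
        # check, so keeping them only grows the store.
        self._seen = {k: v for k, v in self._seen.items()
                      if now - v <= TOLERANCE_SECONDS}
        if delivery_id in self._seen:
            return False
        self._seen[delivery_id] = ts
        return True


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over '<timestamp>.<body>'."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, body, receipts, now=None):
    """Receiver side. Returns (accepted, reason).

    Order matters: the signature is checked first so that an unauthenticated
    sender cannot fill the receipt store with ids and block real deliveries.
    """
    now = time.time() if now is None else now
    try:
        ts = int(headers.get("X-Webhook-Timestamp", ""))
    except ValueError:
        return False, "bad-timestamp"
    delivery_id = headers.get("X-Webhook-Id")
    if not delivery_id:
        return False, "missing-id"
    provided = headers.get("X-Webhook-Signature", "")

    # 1. Authenticity: constant-time comparison of the expected signature.
    expected = sign(secret, ts, body)
    if not hmac.compare_digest(expected, provided):
        return False, "bad-signature"

    # 2. Freshness: a signed but old (or far-future) delivery is refused.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale"

    # 3. Replay: the delivery id is recorded; a repeat is refused.
    if not receipts.record_if_new(delivery_id, ts, now):
        return False, "replay"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery, replayed once and once tampered.
    secret = b"constructed-shared-secret"
    now = 1_700_000_000
    body = b'{"event":"workflow.completed","id":"wf-42"}'
    headers = {
        "X-Webhook-Timestamp": str(now),
        "X-Webhook-Id": "evt-0001",
        "X-Webhook-Signature": sign(secret, now, body),
    }
    store = ReceiptStore()
    print(verify_webhook(secret, headers, body, store, now=now))        # (True, 'ok')
    print(verify_webhook(secret, headers, body, store, now=now))        # (False, 'replay')
    print(verify_webhook(secret, headers, body + b" ", store, now=now))  # (False, 'bad-signature')
```

Binding the timestamp into the signed message is what lets the freshness window work: an attacker who captures a delivery cannot update the timestamp without invalidating the signature, and a delivery that is still inside the window is stopped by its receipt.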