Skip to content

Compliance

Cloud Security evaluates compliance frameworks continuously against the live estate: each control maps to detection rules, and a control fails when open findings prove the violation — so the compliance report is always as fresh as the last sweep, with finding-level evidence per control.

The report

# Whole-estate assessment against a framework (default: cis-gcp).
limacharlie cloudsec compliance report --framework cis-gcp

# Which frameworks are available?
limacharlie cloudsec compliance frameworks

The report is per-control pass/fail with the proving finding ids as evidence, plus a summary score. The frameworks list carries id, name, version, and control counts — treat it as the source of truth for valid --framework values.

For auditors, the same report exports as CSV — one row per control including the evidence finding ids — via the API's ?format=csv (see Automation & IaC).

Scoped assignments

A whole-estate score is often the wrong altitude: production must meet the bar, the sandbox does not. A compliance-typed cloudsec_policy record creates a named, scoped assignment — a framework evaluated over a subset of the estate:

cat > prod-cis.json <<EOF
{
  "policy_type": "compliance",
  "compliance": {
    "framework_id": "cis-gcp",
    "description": "Production accounts only",
    "scope": [
      {"account_glob": ["proj-prod-*"]}
    ]
  }
}
EOF

limacharlie hive set --hive-name cloudsec_policy --key prod-cis \
  --oid $OID --input-file prod-cis.json --enabled

Scope matchers support account_contains, account_glob, name_contains, and name_glob; an empty scope means the whole estate.

List assignments (each with its own scoped score) and evaluate one:

limacharlie cloudsec compliance assignments
limacharlie cloudsec compliance report --assignment prod-cis

When --assignment is set, its framework is used and --framework is ignored.

Permissions

Reading compliance requires cloudsec.get. Assignments are Hive policy records, so creating them follows the cloudsec_policy hive permissions.