Compliy automates comprehensive multi-cloud compliance across AWS, Azure, GCP, and Kubernetes with executable CIS/SOC2 benchmarks, featuring 165+ checks, 33 auto-remediations, and integrated AI analysis.

Compliy

Automate multi-cloud compliance (AWS, Azure, GCP, K8s) with executable CIS Benchmarks, supporting 165+ checks, 33 auto-remediations, and AI analysis.

Overview

Compliy provides automated compliance checking for AWS, Azure, GCP, Kubernetes, and Docker environments. It supports multiple compliance frameworks including CIS Benchmarks with 165+ automated checks and 33 remediation actions.

Key Features

  • Multi-Cloud Support: AWS, Azure, GCP, Kubernetes, Docker
  • 200+ Compliance Checks: CIS Benchmarks + SOC 2 Type II across all providers
  • SOC 2 Type II Support: 40+ automated Security (Common Criteria) checks ✨ NEW
  • 33 Automated Remediation Actions: Safe, reversible fixes with dry-run mode
  • Optimized Docker Agent: 60-70% smaller, 30-50% faster on-premises scanning ✨ NEW
  • Vulnerability Scanning: Integrated Trivy and Nuclei scanners
  • AI-Powered Analysis: OpenAI/Anthropic integration for enhanced insights
  • REST API: 30+ endpoints with authentication and rate limiting
  • CLI: 15+ commands for all operations
  • Enterprise Security: RBAC, audit logging, data encryption, TLS/mTLS
  • Real-time Dashboard: Interactive compliance visualization
  • Comprehensive Reporting: HTML, JSON, trend analysis

Architecture

compliy/
├── src/compliance_engine/
│   ├── core/              # Base classes, exceptions, logging
│   ├── standards/         # Compliance standard definitions
│   ├── db/                # Database models and session management
│   ├── parser/            # YAML standard parser
│   ├── collectors/        # Cloud resource collectors (AWS, Azure, GCP, K8s, Docker)
│   ├── scanner/           # Compliance scanning engine
│   ├── remediation/       # Automated remediation actions
│   ├── scanners/          # Vulnerability scanners (Trivy, Nuclei)
│   ├── ai/                # AI-powered analysis
│   ├── reporting/         # Report generators (HTML, JSON, trends)
│   ├── api/               # REST API (FastAPI)
│   ├── cli/               # Command-line interface
│   ├── dashboard/         # Web dashboard (Dash/Plotly)
│   ├── security/          # RBAC, encryption, certificates
│   ├── mapping/           # Cross-framework control mapping
│   └── config/            # Configuration management
├── data/standards/        # YAML compliance standard definitions
├── tests/                 # Comprehensive test suite (651 tests)
├── docs/                  # Documentation
└── examples/              # Usage examples

Quick Start

Prerequisites

  • Python 3.11+
  • Poetry (package manager)
  • Cloud provider credentials (AWS, Azure, GCP)
  • Optional: Redis (for caching), PostgreSQL (for production)

Installation

# Clone the repository
git clone https://github.com/your-org/compliy.git
cd compliy

# Install dependencies
poetry install

# Initialize database
poetry run compliance init

# Configure cloud providers
export AWS_PROFILE=your-profile
export AZURE_SUBSCRIPTION_ID=your-subscription-id
export GCP_PROJECT_ID=your-project-id

Basic Usage

# Run a compliance scan
poetry run compliance scan aws --standard cis-aws-foundations

# Generate a report
poetry run compliance report <scan-id> --format html --output report.html

# Run remediation (dry-run first)
poetry run compliance remediate <scan-id> --dry-run

# Start API server
poetry run compliance api --host 0.0.0.0 --port 8000

# Start dashboard
poetry run compliance dashboard --host 0.0.0.0 --port 8050

Supported Compliance Standards

SOC 2 Type II ✨ NEW

  • Security (Common Criteria) (40+ checks)
    • CC6: Logical and Physical Access Controls (15 checks)
    • CC7: System Operations (10 checks)
    • CC8: Change Management (2 checks)
    • CC9: Risk Mitigation (2 checks)
    • Docker/On-Premises (11 checks)
  • Platforms: AWS, Docker/On-Premises (Azure, GCP, Kubernetes coming soon)
  • Automation Rate: 90%+ (58 of 64 controls automated)

CIS Benchmarks

  • AWS Foundations Benchmark (50+ checks)
  • Azure Foundations Benchmark (40+ checks)
  • GCP Foundations Benchmark (35+ checks)
  • Kubernetes Benchmark (20+ checks)
  • Docker Benchmark (20+ checks)

Cloud Provider Support

AWS (50+ resource types)

  • EC2, S3, RDS, IAM, VPC, CloudTrail, CloudWatch, KMS, Lambda, EBS, Security Groups, etc.

Azure (40+ resource types)

  • Virtual Machines, Storage Accounts, SQL Databases, Key Vaults, Network Security Groups, etc.

GCP (35+ resource types)

  • Compute Instances, Cloud Storage, Cloud SQL, Firewall Rules, IAM, etc.

Kubernetes (20+ resource types)

  • Pods, Deployments, Services, ConfigMaps, Secrets, RBAC, Network Policies, etc.

Docker

  • Container scanning, Image scanning, Network inspection, Volume inspection

Remediation Actions

AWS (8 actions)

  • Enable S3 bucket encryption
  • Enable S3 bucket versioning
  • Block S3 public access
  • Enable CloudTrail multi-region logging
  • Enable CloudTrail log file validation
  • Remove security group public access (SSH/RDP)
  • Enforce IAM password policy
  • Enable VPC flow logs

Azure (6 actions)

  • Enable storage account secure transfer (HTTPS)
  • Enable storage account encryption
  • Remove NSG public access
  • Enable SQL database TDE
  • Enable Key Vault soft delete
  • Enable Key Vault purge protection

GCP (6 actions)

  • Enable storage bucket versioning
  • Enable storage bucket uniform access
  • Remove public SSH access from firewall
  • Remove public RDP access from firewall
  • Enable OS Login
  • Enable Compute Instance Shielded VM

Kubernetes (4 actions)

  • Enable Pod security context
  • Add resource limits
  • Create default deny network policy
  • Remove cluster admin binding
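The remediation lists above describe fixes that are "safe, reversible" and run in dry-run mode first. The following is an added illustration of that pattern, not Compliy's own code: it models two of the Kubernetes actions ("Add resource limits" and "Enable Pod security context") as a plan step that only reports, an apply step that returns a patched copy, and a rollback copy of the original manifest. The default limits, the security-context fields set, the action names and the sample Deployment are this example's assumptions.

```python
"""Dry-run, reversible hardening of a Kubernetes workload (added example, not Compliy's code)."""
import copy
from dataclasses import dataclass

DEFAULT_LIMITS = {"cpu": "500m", "memory": "256Mi"}   # assumed defaults, not the project's
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def pod_spec(manifest: dict) -> dict:
    """Locate the pod spec for a bare Pod or a pod-template workload."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in WORKLOAD_KINDS:
        return manifest["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind!r}")


def needs_limits(container: dict) -> bool:
    return not container.get("resources", {}).get("limits")


def needs_security_context(container: dict) -> bool:
    sc = container.get("securityContext", {})
    return sc.get("runAsNonRoot") is not True or sc.get("allowPrivilegeEscalation") is not False


def plan_pod_hardening(manifest: dict) -> list:
    """List the actions that would be taken, without touching the manifest."""
    actions = []
    for c in pod_spec(manifest).get("containers", []):
        if needs_limits(c):
            actions.append(f"add-resource-limits:{c['name']}")
        if needs_security_context(c):
            actions.append(f"set-security-context:{c['name']}")
    return actions


@dataclass
class RemediationResult:
    dry_run: bool
    actions: list
    manifest: dict   # patched manifest (an untouched copy in dry-run)
    rollback: dict   # deep copy of the original, re-applied to reverse the change


def remediate_pod_hardening(manifest: dict, dry_run: bool = True, limits=None) -> RemediationResult:
    """Apply the planned actions to a copy; the caller's manifest is never mutated."""
    actions = plan_pod_hardening(manifest)
    original = copy.deepcopy(manifest)
    if dry_run or not actions:
        return RemediationResult(dry_run, actions, original, copy.deepcopy(original))
    patched = copy.deepcopy(manifest)
    for c in pod_spec(patched).get("containers", []):
        if needs_limits(c):
            c.setdefault("resources", {})["limits"] = dict(limits or DEFAULT_LIMITS)
        if needs_security_context(c):
            sc = c.setdefault("securityContext", {})
            sc["runAsNonRoot"] = True
            sc["allowPrivilegeEscalation"] = False
    return RemediationResult(False, actions, patched, original)


# Constructed sample: one container lacking limits and a security context, one already compliant.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "nginx:1.25"},
        {"name": "sidecar", "image": "busybox:1.36",
         "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
         "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False}},
    ]}}},
}

if __name__ == "__main__":
    print(remediate_pod_hardening(SAMPLE_DEPLOYMENT).actions)   # dry-run: plan only
```

Keeping the plan, the patched copy and the rollback copy as three separate objects is what makes the action reversible: an operator can review the plan, apply the patched manifest, and if the workload misbehaves re-apply the rollback copy without reconstructing the previous state by hand.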

API Endpoints

Authentication

  • POST /api/v1/auth/api-keys - Create API key
  • GET /api/v1/auth/api-keys - List API keys
  • DELETE /api/v1/auth/api-keys/{key_id} - Revoke API key

Scans

  • POST /api/v1/scans - Create scan
  • GET /api/v1/scans - List scans
  • GET /api/v1/scans/{scan_id} - Get scan details
  • DELETE /api/v1/scans/{scan_id} - Delete scan

Reports

  • GET /api/v1/reports/{scan_id} - Get report
  • GET /api/v1/reports/{scan_id}/html - Get HTML report
  • GET /api/v1/reports/{scan_id}/json - Get JSON report

Remediation

  • POST /api/v1/remediation/plan - Create remediation plan
  • POST /api/v1/remediation/execute - Execute remediation
  • GET /api/v1/remediation/actions - List available actions

Vulnerabilities

  • POST /api/v1/vulnerabilities/scan - Scan for vulnerabilities
  • GET /api/v1/vulnerabilities/scans/{scan_id} - Get scan results

AI Enrichment

  • POST /api/v1/ai/enrich - Enrich findings with AI context
  • POST /api/v1/ai/recommend - Get AI remediation recommendations

CLI Commands

compliance scan <provider>              # Scan infrastructure
compliance report <scan-id>             # Generate report
compliance remediate <scan-id>          # Run remediation
compliance remediate-list               # List remediation actions
compliance remediate-plan <scan-id>     # Show remediation plan
compliance trends                       # View compliance trends
compliance api                          # Start API server
compliance dashboard                    # Start dashboard
compliance init                         # Initialize database
compliance configure                    # Configure settings
compliance standards                    # Manage standards
compliance vulnerability                # Vulnerability scanning
compliance mapping                      # Framework mapping
compliance ai                           # AI enrichment

Security Features

Authentication & Authorization

  • API key authentication with SHA-256 hashing
  • Role-based access control (RBAC) with 4 roles: admin, analyst, auditor, viewer
  • Rate limiting (100 requests/minute per API key)
  • Session management with secure tokens
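The three controls above (salted SHA-256 hashing of API keys, four roles, a cap of 100 requests per minute per key) fit together in one request guard. The following is an added example written for this README, not Compliy's implementation: it uses only the standard library, and the role-to-permission table, the `key_id.secret` key format and the `handle_request()` guard are assumptions made here.

```python
"""Illustrative API-key authentication, RBAC and rate limiting (added example, not Compliy's code)."""
import hashlib
import hmac
import secrets
import time
from collections import deque
from dataclasses import dataclass, field

# Assumed permission sets for the four roles the README names.
ROLE_PERMISSIONS = {
    "admin": {"scan:create", "scan:read", "remediate:execute", "apikey:manage"},
    "analyst": {"scan:create", "scan:read", "remediate:execute"},
    "auditor": {"scan:read", "report:read"},
    "viewer": {"scan:read"},
}
RATE_LIMIT = 100        # requests per window (README: 100 requests/minute per key)
WINDOW_SECONDS = 60.0


def hash_api_key(raw_key: str, salt: str) -> str:
    """Salted SHA-256 digest; only the digest is stored, never the raw key."""
    return hashlib.sha256(f"{salt}:{raw_key}".encode()).hexdigest()


@dataclass
class ApiKeyRecord:
    key_id: str
    key_hash: str
    role: str
    revoked: bool = False


@dataclass
class ApiKeyStore:
    salt: str                                    # e.g. the API_KEY_SALT setting
    records: dict = field(default_factory=dict)  # key_id -> ApiKeyRecord
    windows: dict = field(default_factory=dict)  # key_id -> deque of request timestamps

    def create_key(self, role: str) -> tuple:
        """Mint a key; the raw value is returned once and never stored."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role!r}")
        key_id = secrets.token_hex(8)
        raw_key = f"{key_id}.{secrets.token_urlsafe(32)}"   # id prefix allows direct lookup
        self.records[key_id] = ApiKeyRecord(key_id, hash_api_key(raw_key, self.salt), role)
        return key_id, raw_key

    def revoke(self, key_id: str) -> None:
        self.records[key_id].revoked = True

    def authenticate(self, raw_key: str):
        """Return the matching record, or None for unknown, revoked or mismatching keys."""
        key_id, _, _ = raw_key.partition(".")
        record = self.records.get(key_id)
        if record is None or record.revoked:
            return None
        # Constant-time comparison of the digests avoids a timing side channel.
        if not hmac.compare_digest(record.key_hash, hash_api_key(raw_key, self.salt)):
            return None
        return record

    def within_rate_limit(self, key_id: str, now: float) -> bool:
        """Sliding 60-second window: expire old stamps, then admit if under the cap."""
        window = self.windows.setdefault(key_id, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return False
        window.append(now)
        return True


def handle_request(store: ApiKeyStore, raw_key: str, permission: str, now=None) -> int:
    """Return the HTTP status an endpoint guard would produce: 401, 429, 403 or 200."""
    now = time.monotonic() if now is None else now
    record = store.authenticate(raw_key)
    if record is None:
        return 401
    if not store.within_rate_limit(record.key_id, now):
        return 429
    if permission not in ROLE_PERMISSIONS[record.role]:
        return 403
    return 200


if __name__ == "__main__":
    store = ApiKeyStore(salt="dev-only-salt")   # constructed value
    key_id, raw_key = store.create_key("viewer")
    print(handle_request(store, raw_key, "scan:read"))           # 200
    print(handle_request(store, raw_key, "remediate:execute"))  # 403
```

The order of the checks matters: authentication first, so unknown keys never consume a rate-limit slot for anyone else; rate limiting before authorization, so a key cannot probe permissions faster than its quota allows.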

Data Protection

  • Fernet encryption for sensitive data at rest
  • TLS/mTLS support for data in transit
  • Secure credential storage
  • Audit logging with tamper detection

Security Headers

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block
  • Strict-Transport-Security: max-age=31536000
  • Content-Security-Policy: default-src 'self'
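A deployment check for the header set above, as an added example (not Compliy's code): `audit_security_headers()` takes the headers of one HTTP response and returns a list of findings, empty when every header the README names is present with an acceptable value. The thresholds (HSTS `max-age` at least 31536000, CSP `default-src` limited to `'self'`) come from the README's values; the finding strings and the list of permissive CSP sources are this example's own.

```python
"""Audit response headers against the policy the README lists (added example, not Compliy's code)."""

EXACT_HEADERS = {  # header -> value the README states (compared case-insensitively)
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
}
HSTS_MIN_MAX_AGE = 31536000   # one year, the README's value
# Sources that make default-src effectively open (assumed list for this check).
PERMISSIVE_CSP_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def hsts_max_age(value: str):
    """Extract max-age from an HSTS header value; None when absent or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            number = number.strip()
            return int(number) if number.isdigit() else None
    return None


def parse_csp(value: str) -> dict:
    """Map each CSP directive name to its list of sources."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers: dict) -> list:
    present = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, expected in EXACT_HEADERS.items():
        actual = present.get(name)
        if actual is None:
            findings.append(f"missing {name}")
        elif actual.lower() != expected.lower():
            findings.append(f"{name}: expected {expected!r}, got {actual!r}")
    hsts = present.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        max_age = hsts_max_age(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"strict-transport-security: max-age must be >= {HSTS_MIN_MAX_AGE}, got {hsts!r}")
    csp = present.get("content-security-policy")
    if csp is None:
        findings.append("missing content-security-policy")
    else:
        default_src = parse_csp(csp).get("default-src")
        if default_src is None:
            findings.append("content-security-policy: no default-src directive")
        else:
            loose = sorted(PERMISSIVE_CSP_SOURCES.intersection(s.lower() for s in default_src))
            if loose:
                findings.append(f"content-security-policy: permissive default-src sources {loose}")
    return findings


# Constructed sample: exactly the header set the README lists.
README_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    print(audit_security_headers(README_HEADERS))   # [] when compliant
```

Header names are matched case-insensitively because proxies and HTTP/2 stacks routinely lowercase them; the values of HSTS and CSP are parsed rather than string-compared so that extra directives such as `includeSubDomains` or `img-src` do not produce false findings.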

Compliance

  • OWASP API Security Top 10 compliant
  • CIS Security Best Practices
  • SOC 2 Type II controls
  • GDPR data protection

Optimized Docker Agent ✨ NEW

The optimized Docker agent provides significant performance improvements for on-premises and containerized deployments:

Performance Improvements

  • 60-70% smaller image size (500MB → 150-200MB)
  • 30-50% faster collection (parallel execution)
  • 50-60% smaller payloads (Zstandard compression)
  • 40-50% less memory usage (80-120MB vs 150-250MB)
  • 100% reliability (offline queue with retry)

Quick Start

# Build optimized image
cd docker/scanner
./build.sh optimized

# Run optimized agent
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $(pwd)/data:/data \
  -e DOCKER_AGENT_OPTIMIZED=true \
  -e DOCKER_PARALLEL_COLLECTION=true \
  -e DOCKER_COMPRESSION_ALGORITHM=zstd \
  compliy/scanner:optimized \
  --agent-id my-agent \
  --receiver-url http://receiver:8080

Features

  • Parallel Collection: AsyncIO-based concurrent resource collection
  • Enhanced Compression: Zstandard (zstd) for 50-60% smaller payloads
  • Fast Serialization: orjson for 2-3x faster JSON processing
  • Offline Queue: SQLite-based queue with automatic retry
  • Minimal Dependencies: No cloud SDKs, only essential packages

See docker/scanner/README.md for detailed documentation.
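The agent's offline queue ("SQLite-based queue with automatic retry", bounded by DOCKER_MAX_QUEUE_SIZE_MB and stored at DOCKER_QUEUE_STORAGE) is the piece that keeps collection results from being lost when the receiver is unreachable. The following is an added example of such a queue, written for this README and not taken from the agent: it stores compressed payloads in SQLite, retries delivery with exponential backoff, drops a payload after a fixed number of failed attempts, and evicts the oldest entries when the size cap is exceeded. Standard-library zlib stands in for Zstandard so the example has no third-party dependency; the schema, backoff schedule and eviction policy are assumptions.

```python
"""SQLite-backed offline queue with retry and a size cap (added example, not the agent's code)."""
import json
import sqlite3
import time
import zlib

SCHEMA = """
CREATE TABLE IF NOT EXISTS queue (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    created      REAL    NOT NULL,
    attempts     INTEGER NOT NULL DEFAULT 0,
    next_attempt REAL    NOT NULL,
    payload      BLOB    NOT NULL
)"""


class OfflineQueue:
    def __init__(self, path=":memory:", max_size_mb=500, max_attempts=5, base_backoff=1.0):
        # path would be DOCKER_QUEUE_STORAGE and max_size_mb DOCKER_MAX_QUEUE_SIZE_MB in the agent.
        self.conn = sqlite3.connect(path)
        self.conn.execute(SCHEMA)
        self.conn.commit()
        self.max_bytes = int(max_size_mb * 1024 * 1024)
        self.max_attempts = max_attempts
        self.base_backoff = base_backoff

    def enqueue(self, payload: dict, now=None) -> None:
        """Store a compressed payload, evicting the oldest rows if the cap is exceeded."""
        now = time.time() if now is None else now
        blob = zlib.compress(json.dumps(payload, separators=(",", ":")).encode())  # zlib stands in for zstd
        self.conn.execute(
            "INSERT INTO queue (created, attempts, next_attempt, payload) VALUES (?, 0, ?, ?)",
            (now, now, blob),
        )
        while self.size_bytes() > self.max_bytes and self.pending() > 1:
            self.conn.execute("DELETE FROM queue WHERE id = (SELECT MIN(id) FROM queue)")
        self.conn.commit()

    def pending(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM queue").fetchone()[0]

    def size_bytes(self) -> int:
        return self.conn.execute("SELECT COALESCE(SUM(LENGTH(payload)), 0) FROM queue").fetchone()[0]

    def flush(self, send, now=None) -> tuple:
        """Try to deliver every due row; returns (delivered, dropped).

        send(payload) must raise on failure. A failed row is rescheduled with
        backoff base * 2**attempts and dropped once max_attempts is reached.
        """
        now = time.time() if now is None else now
        delivered = dropped = 0
        rows = self.conn.execute(
            "SELECT id, attempts, payload FROM queue WHERE next_attempt <= ? ORDER BY id", (now,)
        ).fetchall()
        for row_id, attempts, blob in rows:
            payload = json.loads(zlib.decompress(blob))
            try:
                send(payload)
            except Exception:
                attempts += 1
                if attempts >= self.max_attempts:
                    self.conn.execute("DELETE FROM queue WHERE id = ?", (row_id,))
                    dropped += 1
                else:
                    delay = self.base_backoff * 2 ** attempts
                    self.conn.execute(
                        "UPDATE queue SET attempts = ?, next_attempt = ? WHERE id = ?",
                        (attempts, now + delay, row_id),
                    )
            else:
                self.conn.execute("DELETE FROM queue WHERE id = ?", (row_id,))
                delivered += 1
        self.conn.commit()
        return delivered, dropped


if __name__ == "__main__":
    queue = OfflineQueue()                                   # in-memory for the demo
    queue.enqueue({"agent_id": "my-agent", "containers": 3})  # constructed payload
    print(queue.flush(lambda payload: None))                 # (1, 0): delivered immediately
```

Rows are deleted only after `send()` returns, so a crash mid-flush leaves the payload queued rather than lost; the eviction loop always keeps at least the newest row, so a cap smaller than one payload degrades to "last result only" instead of dropping everything.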

Configuration

Environment Variables

# Database
DB_URL=postgresql://user:pass@localhost/compliance_db

# Cloud Providers
AWS_PROFILE=default
AWS_REGION=us-east-1
AZURE_SUBSCRIPTION_ID=your-subscription-id
GCP_PROJECT_ID=your-project-id

# API
API_HOST=0.0.0.0
API_PORT=8000
API_KEY_SALT=your-secret-salt

# AI (Optional)
OPENAI_API_KEY=your-openai-key
ANTHROPIC_API_KEY=your-anthropic-key

# Security
ENCRYPTION_KEY=your-encryption-key
TLS_CERT_PATH=/path/to/cert.pem
TLS_KEY_PATH=/path/to/key.pem

# Optimized Docker Agent (NEW)
DOCKER_AGENT_OPTIMIZED=true
DOCKER_PARALLEL_COLLECTION=true
DOCKER_COMPRESSION_ALGORITHM=zstd
DOCKER_ENABLE_OFFLINE_QUEUE=true
DOCKER_QUEUE_STORAGE=/data/queue.db
DOCKER_MAX_QUEUE_SIZE_MB=500

Development

Running Tests

# Run all tests
poetry run pytest

# Run specific test suite
poetry run pytest tests/unit/
poetry run pytest tests/integration/
poetry run pytest tests/security/

# Run with coverage
poetry run pytest --cov=compliance_engine --cov-report=html

Code Quality

# Format code
poetry run black src/ tests/

# Lint code
poetry run flake8 src/ tests/

# Type checking
poetry run mypy src/

Documentation

For detailed documentation, see:
