SOC 2

Pencheff maps findings to the SOC 2 Trust Services Criteria, primarily the Security (Common Criteria) series CC6 to CC8 and Availability criterion A1. The mapping is by scan module: each finding inherits the criteria its module covers, as listed below.

| TSC | Criteria covered | Pencheff coverage |
|---|---|---|
| CC6.1 — Logical access controls | CC6.1, CC6.2, CC6.3 | scan_auth, scan_authz, scan_oauth, scan_mfa_bypass |
| CC6.6 — Boundary protection | CC6.6 | CORS, SSRF, clickjacking, WebSocket security checks |
| CC6.7 — Encryption in transit | CC6.7 | scan_infrastructure (TLS configuration) |
| CC7.1 — Detection / monitoring | CC7.1 | Passive scanner, change detection via ASM |
| CC7.2 / CC7.3 — Anomaly handling | CC7.2, CC7.3 | Continuous profile + retest automation |
| CC8.1 — Change management | CC8.1 | SBOM + dependency scan as a CI/CD gate |
| A1.1 — Availability / capacity | A1.1 | scan_business_logic (rate limiting, race conditions), cloud misconfiguration checks |

Policy example

apiVersion: pencheff/v1
kind: ScanPolicy
metadata: { name: soc2 }
spec:
  targets: [{ url: "${TARGET_URL}" }]
  modules:
    - { name: scan_infrastructure, depth: standard }
    - { name: scan_auth,           depth: standard }
    - { name: scan_authz,          depth: standard }
    - { name: scan_cloud,          depth: standard }
    - { name: scan_dependencies,   params: { path: "./" } }
    - { name: generate_sbom,       params: { path: "./", format: spdx } }
  thresholds: { fail_on: high }
  reports:
    - { format: docx, path: "./reports/soc2/" }

Evidence packet

The DOCX report includes a SOC 2 Control Mapping appendix with one row per CC criterion, listing the findings that map to it and their remediation status. A single report is point-in-time evidence; a Type II examination tests that controls operated throughout the review period, so run the policy on a schedule, keep every dated report together with the retest results that show closure, and hand the auditor the full set for the period rather than one run.
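The following is an added example and not Pencheff's own code: it aggregates scanner findings into the per-control rows the appendix describes (one row per row of the mapping table above) and applies the policy's `thresholds: { fail_on: high }` gate the way a CI/CD step would. The finding schema (`module`, `severity`, `status`), the gate semantics (only findings still open can block), the sample findings and the hypothetical module name `scan_cors` are assumptions of this example.

```python
"""Added example (not Pencheff's own code): build SOC 2 appendix rows from
findings and apply the soc2 policy's fail_on gate. Finding fields, gate
semantics and sample data are assumptions, not scanner output."""
from collections import defaultdict

# Appendix rows, one per row of the mapping table above.
CONTROL_ROWS = ["CC6.1", "CC6.6", "CC6.7", "CC7.1", "CC7.2 / CC7.3", "CC8.1", "A1.1"]

# Module -> table row, transcribed from the mapping table for the modules the
# soc2 policy runs. Rows whose checks the policy does not run stay empty.
MODULE_TO_ROW = {
    "scan_auth": "CC6.1",
    "scan_authz": "CC6.1",
    "scan_oauth": "CC6.1",
    "scan_mfa_bypass": "CC6.1",
    "scan_infrastructure": "CC6.7",   # TLS configuration checks
    "scan_dependencies": "CC8.1",
    "generate_sbom": "CC8.1",
    "scan_business_logic": "A1.1",    # rate limiting, race conditions
    "scan_cloud": "A1.1",             # cloud misconfiguration
}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings, not real scanner output. "scan_cors" is a
# hypothetical module name, present only to show how an unmapped finding is kept.
SAMPLE_FINDINGS = [
    {"id": "F-1", "module": "scan_infrastructure", "severity": "medium",   "status": "open",          "title": "TLS 1.0 offered"},
    {"id": "F-2", "module": "scan_auth",           "severity": "high",     "status": "fixed",         "title": "No account lockout"},
    {"id": "F-3", "module": "scan_authz",          "severity": "high",     "status": "open",          "title": "IDOR on /api/invoices/{id}"},
    {"id": "F-4", "module": "scan_dependencies",   "severity": "critical", "status": "risk_accepted", "title": "Vulnerable transitive dependency"},
    {"id": "F-5", "module": "scan_cloud",          "severity": "low",      "status": "open",          "title": "Storage bucket lists objects publicly"},
    {"id": "F-6", "module": "scan_cors",           "severity": "medium",   "status": "open",          "title": "Reflected Origin in CORS response"},
]


def control_rows(findings):
    """One appendix row per control, plus an 'unmapped' row so findings from a
    module with no mapping are never silently dropped from the evidence."""
    by_row = defaultdict(list)
    for f in findings:
        by_row[MODULE_TO_ROW.get(f["module"], "unmapped")].append(f)

    rows = []
    for control in CONTROL_ROWS + (["unmapped"] if by_row.get("unmapped") else []):
        items = by_row.get(control, [])
        open_ids = [f["id"] for f in items if f["status"] == "open"]
        if not items:
            status = "no findings from this policy"
        elif open_ids:
            status = f"{len(open_ids)} open / {len(items)} total"
        else:
            status = "remediated or risk-accepted"
        rows.append({"control": control, "findings": [f["id"] for f in items], "status": status})
    return rows


def gate(findings, fail_on="high"):
    """CI gate: fail when any finding that is still open is at or above the
    threshold. Fixed and risk-accepted findings never block, so each risk
    acceptance needs a recorded owner, rationale and expiry for the auditor."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f["id"] for f in findings
                if f["status"] == "open" and SEVERITY_RANK[f["severity"]] >= threshold]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    for row in control_rows(SAMPLE_FINDINGS):
        print(f"{row['control']:14} {row['status']:32} {', '.join(row['findings']) or '-'}")
    ok, blocking = gate(SAMPLE_FINDINGS, fail_on="high")
    print("gate:", "PASS" if ok else f"FAIL ({', '.join(blocking)})")
```

With the sample data the gate fails on F-3 (an open high finding) while the critical F-4 does not block because it is risk-accepted; that is exactly the case an auditor will ask about, so the acceptance record must be part of the evidence packet, not only the report row.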