Quickstart: Compliance mapping
Every Pencheff scan — URL, Repo, or LLM — carries a compliance rollup that fans every active finding out across the frameworks that match the target’s asset class. The rollup is deterministic, recomputed on read, and consumable from the web UI, the JSON / CSV / DOCX / Markdown exports, and the public REST API.
1. Pick the target kind
| Target kind | Frameworks emitted |
|---|---|
| URL (DAST) | OWASP Top 10 (2021) · PCI-DSS 4.0 · NIST 800-53 Rev 5 · SOC 2 · ISO 27001:2022 · HIPAA |
| Repo (SAST · SCA · IaC · secrets) | Same six frameworks; `RepoFinding` rows infer their category from scanner + `rule_id`. |
| LLM (red team) | OWASP LLM Top 10 (2025) · MITRE ATLAS · NIST AI Risk Management Framework · EU AI Act |
The framework set is fixed per target kind — the API does not let a caller request HIPAA controls for an LLM endpoint, since none of the LLM finding categories map onto HIPAA controls.
2. Open the rollup
- Open the assessment page at `/scans/{id}`.
- Scroll to the § Compliance mapping card.
- Click View compliance mapping →.
The page mirrors the layout of `/scans/{id}/threat-model`:
- A summary strip (Findings, Controls touched, Frameworks, Target).
- A horizontal framework picker that switches between the six (or four, for LLM) frameworks without a page reload.
- A control table with finding counts and a severity ribbon (C / H / M / L / I).
- A per-finding mapping table for auditors who want to see the forward direction (finding → controls) instead of the reverse (control → findings).
3. Ship it as audit evidence
- DOCX / Markdown report — the compliance rollup is rendered into a `Compliance` appendix between the executive summary and the findings register, listing every control that fired with its severity breakdown.
- JSON / CSV exports — every finding carries a `compliance` key (`{ "OWASP Top 10": ["A03: Injection"], "PCI-DSS": ["6.5.1"], … }`) so a downstream pipeline can ingest mappings without re-running the categoriser.
- SBOM attachment — for SOC 2 / ISO 27001 / NIST 800-53 attestations, attach the generated SBOM as source-of-record evidence for SR-3 / SC-12 / A.5.21 controls.
Same shape, three target kinds. The two endpoints (`/scans/{id}/compliance` and `/repos/scans/{id}/compliance`) return the identical JSON envelope, so the same web component, JSON exporter, and report appendix can consume any scan id without branching by target kind.
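As an added example (not Pencheff's own code), the following Python script ingests a JSON export that carries the per-finding `compliance` key described above and rebuilds the three views the quickstart lists: the summary strip, the reverse control → findings table with its C / H / M / L / I severity ribbon, and the forward finding → controls table. Only the layout of the `compliance` key comes from this page; the four sample findings and the `id`, `title` and `severity` field names are constructed assumptions, not the export's documented schema, and the REST endpoint envelope is not modelled.

```python
import json
from collections import defaultdict

# Constructed sample export: four findings in the shape a JSON export is
# described as carrying. Only the `compliance` key's layout comes from the
# page; `id`, `title` and `severity` are assumed field names.
SAMPLE_EXPORT = json.dumps([
    {"id": "f-1", "title": "SQL injection in /login", "severity": "critical",
     "compliance": {"OWASP Top 10": ["A03: Injection"], "PCI-DSS": ["6.5.1"]}},
    {"id": "f-2", "title": "Reflected XSS in search", "severity": "high",
     "compliance": {"OWASP Top 10": ["A03: Injection"], "PCI-DSS": ["6.5.1"]}},
    {"id": "f-3", "title": "Admin API served over plain HTTP", "severity": "medium",
     "compliance": {"PCI-DSS": ["4.2.1"], "NIST 800-53": ["SC-8"]}},
    {"id": "f-4", "title": "Verbose server banner", "severity": "info",
     "compliance": {}},
])

# Severity ribbon letters used by the control table: C / H / M / L / I.
RIBBON = {"critical": "C", "high": "H", "medium": "M", "low": "L", "info": "I"}
EMPTY_RIBBON = {letter: 0 for letter in "CHMLI"}


def load_findings(raw_json):
    """Parse an export and reject findings whose severity is not one of the
    five ribbon levels, so a malformed row cannot silently vanish from the rollup."""
    findings = json.loads(raw_json)
    for f in findings:
        if str(f.get("severity", "")).lower() not in RIBBON:
            raise ValueError(f"finding {f.get('id')}: unknown severity {f.get('severity')!r}")
    return findings


def reverse_rollup(findings):
    """Control -> findings: {framework: {control: {"count": n, "ribbon": {...}}}}.
    This is the control table the UI and the Compliance appendix show."""
    table = defaultdict(dict)
    for f in findings:
        letter = RIBBON[f["severity"].lower()]
        for framework, controls in f.get("compliance", {}).items():
            for control in controls:
                cell = table[framework].setdefault(
                    control, {"count": 0, "ribbon": dict(EMPTY_RIBBON)})
                cell["count"] += 1
                cell["ribbon"][letter] += 1
    # Plain dicts with sorted keys so the output is identical on every run.
    return {fw: dict(sorted(table[fw].items())) for fw in sorted(table)}


def forward_mapping(findings):
    """Finding -> controls, the direction auditors read:
    {finding id: ["framework / control", ...]}."""
    return {
        f["id"]: sorted(f"{fw} / {c}"
                        for fw, cs in f.get("compliance", {}).items() for c in cs)
        for f in findings
    }


def summary_strip(findings):
    """Findings / Controls touched / Frameworks, plus the findings that map to no
    control at all, which still have to be accounted for in the evidence pack."""
    table = reverse_rollup(findings)
    return {
        "findings": len(findings),
        "controls_touched": sum(len(controls) for controls in table.values()),
        "frameworks": len(table),
        "unmapped": sorted(f["id"] for f in findings if not f.get("compliance")),
    }


if __name__ == "__main__":
    findings = load_findings(SAMPLE_EXPORT)
    print(json.dumps(summary_strip(findings), indent=2))
    print(json.dumps(reverse_rollup(findings), indent=2))
    print(json.dumps(forward_mapping(findings), indent=2))
```

Two design points worth keeping in any real consumer: the summary reports findings whose `compliance` map is empty rather than dropping them, because a control table that only lists controls that fired would otherwise hide a finding from the auditor's view; and unknown severity values are rejected at load time rather than being counted under a default bucket.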
Next
- Compliance mapping feature reference — full output shape, mapping algorithm, CLI parity.
- Compliance overview — per-framework deep dives.
- Tutorial: audit-ready bundle — ship a customer-facing PDF + JSON evidence pack.