
Quickstart: Compliance mapping

Every Pencheff scan — URL, Repo, or LLM — carries a compliance rollup that fans every active finding out across the frameworks that match the target’s asset class. The rollup is deterministic, recomputed on read, and consumable from the web UI, the JSON / CSV / DOCX / Markdown exports, and the public REST API.

1. Pick the target kind

| Target kind | Frameworks emitted |
| --- | --- |
| URL (DAST) | OWASP Top 10 (2021) · PCI-DSS 4.0 · NIST 800-53 Rev 5 · SOC 2 · ISO 27001:2022 · HIPAA |
| Repo (SAST · SCA · IaC · secrets) | Same six. RepoFinding rows infer a category from scanner + rule_id. |
| LLM (red team) | OWASP LLM Top 10 (2025) · MITRE ATLAS · NIST AI Risk Management Framework · EU AI Act |

The framework set is fixed per target kind — the API does not let a caller request HIPAA controls for an LLM endpoint, since none of the LLM finding categories map onto HIPAA controls.

2. Open the rollup

  1. Open the assessment page at /scans/{id}.
  2. Scroll to the § Compliance mapping card.
  3. Click View compliance mapping →.

The page mirrors the layout of /scans/{id}/threat-model:

  • A summary strip (Findings, Controls touched, Frameworks, Target).
  • A horizontal framework picker that switches between the six (or four, for LLM) frameworks without a page reload.
  • A control table with finding counts and a severity ribbon (C / H / M / L / I).
  • A per-finding mapping table for auditors who want to see the forward direction (finding → controls) instead of the reverse (control → findings).

3. Ship it as audit evidence

  • DOCX / Markdown report — the compliance rollup is rendered into a Compliance appendix between the executive summary and the findings register, listing every control that fired with its severity breakdown.
  • JSON / CSV exports — every finding carries a compliance key ({ "OWASP Top 10": ["A03: Injection"], "PCI-DSS": ["6.5.1"], … }) so a downstream pipeline can ingest mappings without re-running the categoriser.
  • SBOM attachment — for SOC 2 / ISO 27001 / NIST 800-53 attestations, attach the generated SBOM as source-of-record evidence for SR-3 / SC-12 / A.5.21 controls.

Same shape, three target kinds. The two endpoints (/scans/{id}/compliance and /repos/scans/{id}/compliance) return the identical JSON envelope so the same web component, JSON exporter, and report appendix can consume any scan id without branching by target kind.
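As an added example (not Pencheff's own code), here is a downstream consumer that ingests the JSON export, rebuilds the reverse rollup (control → findings) with the C / H / M / L / I severity ribbon, and derives the summary-strip numbers; the finding field names `id`, `severity` and `status`, the "6.5.3" control and the sample findings are constructed assumptions for this example.

```python
import json
from collections import defaultdict

# Constructed sample of a JSON export. Each finding carries the `compliance`
# key from the quickstart; the `id`, `severity` and `status` field names and
# the "6.5.3" control are assumptions for this example, not Pencheff's schema.
SAMPLE_EXPORT = json.dumps([
    {"id": "f1", "severity": "high", "status": "active",
     "compliance": {"OWASP Top 10": ["A03: Injection"],
                    "PCI-DSS": ["6.5.1"]}},
    {"id": "f2", "severity": "critical", "status": "active",
     "compliance": {"OWASP Top 10": ["A03: Injection"],
                    "PCI-DSS": ["6.5.1", "6.5.3"]}},
    {"id": "f3", "severity": "low", "status": "resolved",
     "compliance": {"OWASP Top 10": ["A05: Security Misconfiguration"]}},
])

# Severity ribbon order used by the control table: C / H / M / L / I.
RIBBON = {"critical": "C", "high": "H", "medium": "M", "low": "L", "info": "I"}


def rollup(export_json: str) -> dict:
    """Reverse mapping (control -> findings) over active findings only.

    Returns {framework: {control: {"count": n, "severities": {"C": n, ...}}}}.
    One finding is fanned out to every control it maps to, in every framework.
    """
    table = defaultdict(lambda: defaultdict(
        lambda: {"count": 0, "severities": dict.fromkeys("CHMLI", 0)}))
    for finding in json.loads(export_json):
        if finding.get("status") != "active":
            continue  # resolved or suppressed findings do not touch controls
        ribbon = RIBBON[finding["severity"].lower()]
        for framework, controls in finding.get("compliance", {}).items():
            for control in controls:
                cell = table[framework][control]
                cell["count"] += 1
                cell["severities"][ribbon] += 1
    # Sort keys so repeated reads of the same export yield identical output.
    return {fw: {c: table[fw][c] for c in sorted(table[fw])}
            for fw in sorted(table)}


def summary_strip(export_json: str) -> dict:
    """Findings / Controls touched / Frameworks, as shown above the control table."""
    table = rollup(export_json)
    active = sum(1 for f in json.loads(export_json) if f.get("status") == "active")
    controls = sum(len(cells) for cells in table.values())
    return {"findings": active, "controls_touched": controls, "frameworks": len(table)}
```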
