AI-Powered SOC 2 Readiness Agent
Automatically scan your codebase for security vulnerabilities and SOC 2 compliance gaps. Get instant, actionable insights powered by Google Gemini AI.
CompliantByDefault is a comprehensive compliance analysis tool that combines static code analysis, dependency scanning, and AI-powered insights to help organizations achieve SOC 2 readiness.
- Multi-Layer Scanning: Secret detection, static analysis, dependency checks, and IaC security
- AI-Powered Analysis: Gemini LLM intelligently maps findings to SOC 2 controls
- Readiness Scoring: Get a compliance score (0-100) with detailed breakdown
- Flexible Sources: Scan local directories or GitHub repositories
- Rich Reports: Export as JSON or Markdown with detailed recommendations
- Multiple Interfaces: Web dashboard, REST API, or CLI tool
- Secrets: Hardcoded API keys, passwords, tokens, private keys
- Code Security: SQL injection, weak crypto, insecure configurations
- Dependencies: Vulnerable packages, loose version constraints
- Infrastructure: Terraform, Docker, Kubernetes misconfigurations
- Compliance: Maps findings to SOC 2 Trust Service Criteria
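As an added example (written for this page, not CompliantByDefault's own scanner code), here is a minimal version of two of the layers above: pattern-based secret detection with a placeholder and entropy filter, so that config defaults like `changeme` do not drown real hits, and a `requirements.txt` check for unpinned or loose constraints. The rules, paths and file contents are constructed for the demonstration; the AWS key id is the documented example value, not a live credential.

```python
"""Added example (not the project's own scanner code): a minimal pattern-based
scanner covering two of the layers listed above, secrets and loose dependency
constraints. Rules, file names and file contents are constructed for the demo."""
import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    layer: str       # "secrets" or "dependencies"
    severity: str    # "critical", "high", "medium" or "low"
    path: str
    line: int
    message: str


# (name, severity, regex). Fixed-format credentials get a pattern each; the
# generic assignment rule is deliberately broad and is filtered further below.
SECRET_RULES = [
    ("private key block", "critical",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("AWS access key id", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded credential assignment", "high",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
# Values that are obviously placeholders rather than live secrets.
PLACEHOLDER = re.compile(r"(?i)(example|changeme|your_|placeholder|<[^>]+>|\$\{[^}]+\})")


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking strings score high, words score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def scan_secrets(path: str, text: str, min_entropy: float = 3.0) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, severity, rule in SECRET_RULES:
            match = rule.search(line)
            if not match:
                continue
            # The generic rule (two capture groups) needs extra evidence: a value
            # that is neither a placeholder nor low-entropy, or every default fires.
            if rule.groups == 2:
                value = match.group(2)
                if PLACEHOLDER.search(value) or shannon_entropy(value) < min_entropy:
                    continue
            findings.append(Finding("secrets", severity, path, lineno, name))
    return findings


# requirements.txt line: "name[extras] <specifier>  # comment"
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*([^#]*?)\s*(?:#.*)?$")


def scan_requirements(path: str, text: str) -> list:
    """Flag unpinned or loosely constrained requirements: a reinstall can then
    silently pick up a different, possibly vulnerable, release."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):   # comments, -r/-e options
            continue
        match = REQ_LINE.match(line)
        if not match:
            continue
        name, spec = match.group(1), match.group(2)
        if not spec:
            findings.append(Finding("dependencies", "medium", path, lineno,
                                    f"{name}: no version constraint"))
        elif not spec.startswith("=="):
            findings.append(Finding("dependencies", "low", path, lineno,
                                    f"{name}: loose constraint {spec!r}"))
    return findings


def scan_files(files: dict) -> list:
    """Run every layer over an in-memory {path: content} tree."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_secrets(path, text))
        base = path.rsplit("/", 1)[-1]
        if base.startswith("requirements") and base.endswith(".txt"):
            findings.extend(scan_requirements(path, text))
    return findings


# Constructed sample tree. The AWS id is the documented AKIAIOSFODNN7EXAMPLE
# example value and the key block is filler, so nothing here is a real secret.
SAMPLE_FILES = {
    "config.py": (
        'DB_PASSWORD = "changeme"\n'                        # placeholder: skipped
        'API_KEY = "b7f3a9c1e24d58f0a6c3d9e1b5f7a2c4"\n'    # high entropy: flagged
        'aws_key = "AKIAIOSFODNN7EXAMPLE"\n'                # fixed format: flagged
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nnot-a-real-key-body\n",
    "requirements.txt": "fastapi==0.110.0\nrequests>=2.0  # http client\npyyaml\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.severity:8} {f.path}:{f.line}  {f.message}")
```

The entropy threshold is the knob that trades misses for noise: lower it to catch short or dictionary-based secrets, raise it when config-heavy repositories produce too many hits.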
- Backend: Python 3.9+, pip
- Frontend: Node.js 18+, npm/yarn
- API Key: Google Gemini API key
- Clone the repository

```bash
git clone https://github.com/yourusername/CompliantByDefault.git
cd CompliantByDefault
```

- Set up the backend

```bash
cd backend
pip install -r requirements.txt
# Create .env file
echo "GEMINI_API_KEY=your_api_key_here" > .env
```

- Set up the frontend

```bash
cd ../frontend
npm install
# Create .env.local file
echo "NEXT_PUBLIC_API_URL=http://localhost:8000" > .env.local
```

Terminal 1 - Backend:

```bash
cd backend
python -m uvicorn src.api:app --reload --host 0.0.0.0 --port 8000
```

`--host 0.0.0.0` binds on every interface, which exposes the development API (authentication is still on the roadmap) to anything on your network; use `--host 127.0.0.1` for purely local work.

Terminal 2 - Frontend:

```bash
cd frontend
npm run dev
```

Open http://localhost:3000 in your browser.
- Navigate to http://localhost:3000
- Click "Start Scanning"
- Choose GitHub repository or local directory
- View your compliance report with:
  - Overall readiness score
  - Severity breakdown
  - AI-generated insights
  - Detailed findings by control
  - Actionable recommendations
```bash
# Scan a local directory
python -m backend.src.cli scan-local /path/to/project

# Scan a GitHub repository
python -m backend.src.cli scan-github https://github.com/user/repo

# With GitHub token for private repos
python -m backend.src.cli scan-github https://github.com/user/repo -t ghp_token

# View a specific report
python -m backend.src.cli report <job-id>

# List all reports
python -m backend.src.cli list
```

Passing the token with `-t` leaves it in your shell history and in process listings; the backend `.env` example under Configuration shows a `GITHUB_TOKEN` variable, which keeps it out of both.

```bash
# Start a scan
curl -X POST http://localhost:8000/scan/github \
  -H "Content-Type: application/json" \
  -d '{"repo_url": "https://github.com/user/repo"}'

# Get report
curl http://localhost:8000/report/<job-id>

# List all reports
curl http://localhost:8000/reports
```

See API Documentation for complete endpoint reference.
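The endpoints above are enough to drive a scan from a script, which is how you would add the CI gate that the current limitations section says is not built in yet. The following is added client code written for this page, not part of CompliantByDefault. It assumes response shapes the endpoint list does not show: that `POST /scan/github` answers with a `job_id` field, and that `GET /report/<job-id>` answers with `status` (becoming `completed` or `failed`) and `readiness_score` fields. Check those names against `docs/api_spec.md` before relying on them. `fetch`, `sleep` and `clock` are injectable so the flow can be exercised without a running server.

```python
"""Added example (client code written for this page, not part of
CompliantByDefault): start a scan through the REST API, wait for the report,
and exit non-zero when the score is below a threshold. Assumed, not confirmed
by the endpoint list: POST /scan/github -> {"job_id": ...};
GET /report/<job-id> -> {"status": ..., "readiness_score": ...} with status
"completed" or "failed" once the job ends."""
import json
import sys
import time
import urllib.request
from typing import Callable, Optional


def http_fetch(method: str, url: str, body: Optional[dict] = None) -> dict:
    """Plain-stdlib JSON request; swapped out for a fake in tests."""
    data = None if body is None else json.dumps(body).encode()
    request = urllib.request.Request(
        url, data=data, method=method, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def start_github_scan(api_url: str, repo_url: str,
                      fetch: Callable = http_fetch) -> str:
    response = fetch("POST", f"{api_url}/scan/github", {"repo_url": repo_url})
    job_id = response.get("job_id")            # assumed response field
    if not job_id:
        raise RuntimeError(f"no job_id in response: {response!r}")
    return str(job_id)


def wait_for_report(api_url: str, job_id: str, fetch: Callable = http_fetch,
                    timeout: float = 900.0, interval: float = 5.0,
                    sleep: Callable = time.sleep,
                    clock: Callable = time.monotonic) -> dict:
    """Poll GET /report/<job-id> until the job ends or the timeout expires.
    A bounded wait matters in CI: an unattended job must not hang a runner."""
    deadline = clock() + timeout
    while True:
        report = fetch("GET", f"{api_url}/report/{job_id}", None)
        status = report.get("status")          # assumed response field
        if status == "completed":
            return report
        if status == "failed":
            raise RuntimeError(f"scan {job_id} failed: {report!r}")
        if clock() >= deadline:
            raise TimeoutError(f"scan {job_id} still {status!r} after {timeout}s")
        sleep(interval)


def passes_gate(report: dict, minimum_score: int) -> bool:
    """True when the readiness score meets the threshold the pipeline demands."""
    return int(report["readiness_score"]) >= minimum_score   # assumed field


def main(argv) -> int:
    if len(argv) != 3:
        print("usage: gate.py <api-url> <repo-url> <minimum-score>")
        return 2
    api_url, repo_url, minimum = argv[0], argv[1], int(argv[2])
    job_id = start_github_scan(api_url, repo_url)
    report = wait_for_report(api_url, job_id)
    ok = passes_gate(report, minimum)
    print(f"job {job_id}: readiness {report['readiness_score']}/100 "
          f"(minimum {minimum}) -> {'PASS' if ok else 'FAIL'}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python gate.py http://localhost:8000 https://github.com/user/repo 80` from a pipeline step; a non-zero exit fails the job. Because the API is unauthenticated, point it only at a backend reachable from the runner over a trusted network.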
```
+-----------------------------------------------------------+
|                    Frontend (Next.js)                     |
|                    Web UI + API Client                    |
+----------------------------+------------------------------+
                             | HTTP/REST
+----------------------------v------------------------------+
|                     Backend (FastAPI)                     |
|  +-----------------------------------------------------+  |
|  |              Scan Orchestration Engine              |  |
|  +------+-------------+-------------+------------+-----+  |
|         |             |             |            |        |
|     +---v-----+   +---v-----+   +---v-----+  +---v-----+  |
|     | Secret  |   | Static  |   |  Deps   |  |  IaC    |  |
|     | Scanner |   | Scanner |   | Scanner |  | Scanner |  |
|     +----+----+   +----+----+   +----+----+  +----+----+  |
|          +-------------+-----+-------+------------+       |
|                       +------v------+                     |
|                       |     LLM     |                     |
|          +------------|  Analyzer   +-----------+         |
|          |            +------+------+           |         |
|          |            +------v------+      +----v----+    |
|          |            |   Scoring   |      | Report  |    |
|          |            |   Engine    |      |   Gen   |    |
|          |            +-------------+      +---------+    |
+----------+------------------------------------------------+
           |
    +------v------+
    |    Gemini   |
    |     API     |
    +-------------+
```
See Architecture Documentation for detailed design.
```
CompliantByDefault/
├── backend/
│   ├── src/
│   │   ├── main.py                    # Orchestration engine
│   │   ├── api.py                     # FastAPI endpoints
│   │   ├── cli.py                     # CLI tool
│   │   ├── config/
│   │   │   └── soc2_controls.yaml     # Controls & patterns
│   │   ├── scanners/
│   │   │   ├── secret_scanner.py
│   │   │   ├── static_scanner.py
│   │   │   ├── dependency_scanner.py
│   │   │   └── iac_scanner.py
│   │   ├── analyzers/
│   │   │   ├── llm_analyzer.py        # Gemini integration
│   │   │   └── scoring.py
│   │   ├── integrations/
│   │   │   └── github_loader.py
│   │   ├── utils/
│   │   └── reports/
│   ├── tests/
│   ├── requirements.txt
│   └── README.md
├── frontend/
│   ├── src/
│   │   ├── pages/
│   │   │   ├── index.tsx              # Landing page
│   │   │   ├── scan.tsx               # Scan page
│   │   │   └── report/[id].tsx        # Report page
│   │   ├── components/
│   │   │   ├── Navbar.tsx
│   │   │   ├── RepoSelector.tsx
│   │   │   ├── ScanProgress.tsx
│   │   │   ├── ReportCard.tsx
│   │   │   └── FindingsTable.tsx
│   │   ├── lib/
│   │   │   └── api.ts                 # API client
│   │   └── types/
│   │       └── index.ts               # TypeScript types
│   ├── package.json
│   ├── tsconfig.json
│   └── README.md
├── docs/
│   ├── architecture.md
│   ├── api_spec.md
│   └── frontend_design.md
└── README.md
```
Backend:

```bash
cd backend
pytest                        # Run all tests
pytest --cov=src tests/       # With coverage
pytest tests/test_api.py      # Specific test file
```

Frontend:

```bash
cd frontend
npm test                      # Run tests
npm run test:watch            # Watch mode
```

| Control | Name | Description |
|---|---|---|
| CC1 | Control Environment | Organizational integrity and ethics |
| CC2 | Communication & Information | Security information flow |
| CC3 | Risk Assessment | Vulnerability management |
| CC4 | Monitoring Activities | Continuous oversight |
| CC5 | Control Activities | Security implementation |
| CC6 | Logical & Physical Access Controls | Authentication & authorization |
| CC7 | System Operations | Operational management |
| CC8 | Change Management | Version control & code review |
| CC9 | Risk Mitigation | Secrets management & encryption |
This tool scans for security issues but is itself not hardened for production use without additional security measures:
- API Keys: Keep the Gemini key in environment variables or a secrets manager, and never commit `.env` files
- GitHub Tokens: Used only for cloning and not persisted; prefer the `GITHUB_TOKEN` environment variable over the CLI `-t` flag so the token does not end up in shell history
- Reports: Contain the raw findings, including where secrets were found, so restrict who can read the report files and the `/report` endpoints
- Authentication: None is built in yet (SSO is on the roadmap), so keep the API and dashboard on a trusted network
- CORS: Restrict allowed origins to your production domain before exposing the API
Backend (`backend/.env`):

```bash
GEMINI_API_KEY=your_gemini_api_key_here
GITHUB_TOKEN=optional_github_token
```

Frontend (`frontend/.env.local`):

```bash
NEXT_PUBLIC_API_URL=http://localhost:8000
```

Edit backend/src/config/soc2_controls.yaml to:
- Add new controls
- Modify security patterns
- Adjust severity weights
- Define custom checks
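To make the readiness score and the "detailed findings by control" breakdown concrete, here is an added scoring routine written for this page (illustrative code, not the project's `scoring.py`). It is driven by a small controls table of the general shape a file like `soc2_controls.yaml` might hold; the category-to-control mapping, the severity weights and the rule that any critical finding caps the score at 50 are constructed assumptions for the demonstration, not the project's real schema or policy.

```python
"""Added example (illustrative, not the project's scoring.py): a readiness
score driven by a controls table. The mapping, the weights and the critical
cap are constructed assumptions for this demo, not the real config schema."""
from collections import defaultdict

# Constructed config: which finding categories roll up to which SOC 2 control.
CONTROLS = {
    "CC6": {"name": "Access Controls", "categories": ["secrets", "auth"]},
    "CC8": {"name": "Change Management", "categories": ["dependencies"]},
    "CC9": {"name": "Risk Mitigation", "categories": ["weak-crypto", "iac"]},
}
# Assumed penalty per finding, by severity.
SEVERITY_WEIGHTS = {"critical": 25, "high": 10, "medium": 4, "low": 1}


def _score(penalty: int, has_critical: bool, critical_cap: int) -> int:
    """100 minus the summed penalties, floored at 0. A purely additive score
    lets one catastrophic finding hide behind an otherwise clean codebase, so
    any critical finding also caps the result (assumed policy)."""
    score = max(0, 100 - penalty)
    return min(score, critical_cap) if has_critical else score


def score_findings(findings, controls=CONTROLS, weights=SEVERITY_WEIGHTS,
                   critical_cap: int = 50) -> dict:
    """findings: dicts with at least "category" and "severity".
    Returns the overall score, a severity breakdown and a per-control view."""
    category_to_control = {cat: cid for cid, ctl in controls.items()
                           for cat in ctl["categories"]}
    severity_counts = {sev: 0 for sev in weights}
    grouped = defaultdict(list)
    for f in findings:
        if f["severity"] not in weights:
            raise ValueError(f"unknown severity {f['severity']!r}")
        severity_counts[f["severity"]] += 1
        # Categories no control claims still cost points, under "unmapped".
        grouped[category_to_control.get(f["category"], "unmapped")].append(f)

    def penalty(items):
        return sum(weights[f["severity"]] for f in items)

    def has_critical(items):
        return any(f["severity"] == "critical" for f in items)

    per_control = {}
    for cid, items in grouped.items():
        per_control[cid] = {
            "name": controls.get(cid, {}).get("name", "Unmapped findings"),
            "score": _score(penalty(items), has_critical(items), critical_cap),
            "findings": items,
        }
    return {
        "score": _score(penalty(findings), has_critical(findings), critical_cap),
        "severity_counts": severity_counts,
        "controls": per_control,
    }


# Constructed findings, in the shape a scanner layer would emit.
SAMPLE_FINDINGS = [
    {"category": "secrets", "severity": "critical", "message": "private key in repo"},
    {"category": "dependencies", "severity": "medium", "message": "unpinned package"},
    {"category": "dependencies", "severity": "low", "message": "loose constraint"},
    {"category": "iac", "severity": "high", "message": "container runs as root"},
    {"category": "logging", "severity": "low", "message": "no audit log"},
]

if __name__ == "__main__":
    result = score_findings(SAMPLE_FINDINGS)
    print("readiness:", result["score"], result["severity_counts"])
    for cid, ctl in sorted(result["controls"].items()):
        print(f"  {cid:8} {ctl['name']:20} {ctl['score']:3}  ({len(ctl['findings'])} findings)")
```

With the sample input the raw penalty is 41, which an additive score alone would report as 59; the critical cap pulls it to 50, and the per-control view shows that the damage sits in CC6 while CC8 and CC9 stay in the nineties. Tune the weights and the cap in the config rather than in code so that auditors can see the policy.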
- File-based report storage (no database)
- Single-server deployment
- Limited to pattern-based detection
- Manual trigger (no CI/CD integration)
- Database integration (PostgreSQL)
- CI/CD pipeline integration (GitHub Actions, GitLab CI)
- Scheduled scans
- Historical trend analysis
- Multi-tenant support
- Custom rule creation UI
- Webhook notifications
- PDF report export
- Team collaboration features
- SAML/SSO authentication
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
- Follow PEP 8 for Python code
- Use TypeScript for frontend code
- Add tests for new features
- Update documentation
- Run linters before committing
This project is licensed under the MIT License - see the LICENSE file for details.
- Google Gemini for AI-powered analysis
- FastAPI for the excellent Python web framework
- Next.js for the React framework
- Tailwind CSS for styling
- SOC 2 Trust Service Criteria documentation
- Documentation: See the `/docs` folder
- Issues: GitHub Issues
- Discussions: GitHub Discussions
Built with ❤️ for the Open Source AI Hackathon
Making SOC 2 compliance accessible to everyone