Compliance & GRC
Compliance reporting, audit readiness, and SBOM generation.
Compliance and Audit Readiness
Overview
DryRun Security provides the evidence trail that compliance and audit workflows require. Every PR review, finding, remediation, and policy enforcement action is tracked and accessible through the platform's reporting capabilities.
SOC2 Type II Certification
DryRun Security is SOC2 Type II certified. This means the platform itself has been independently audited for security, availability, and confidentiality controls. Your data is handled according to the same standards your organization is working to meet.
Audit Evidence Generation
The platform automatically generates evidence that auditors and regulators commonly request:
- Findings history - complete record of every vulnerability found, when it was found, and when it was resolved
- Remediation timelines - time-to-fix metrics for each finding, broken down by severity and category
- Policy enforcement records - which Custom Code Policies were evaluated, what they found, and how findings were resolved
- Scan coverage - which repositories were scanned, how frequently, and what percentage of PRs received security review
- DeepScan reports - point-in-time full-repository security assessments for baseline evidence
Dashboard and Reporting
The Security Dashboard provides real-time metrics that map to common compliance requirements:
- Vulnerability trends over time (are things getting better or worse?)
- Open findings by severity and category
- Mean time to remediation
- Policy compliance rates across repositories
- Coverage gaps (repositories not yet connected)
Use the intelligence index to generate custom audit-ready reports by asking natural language questions like "show me a chart of risky alerts by repo for last quarter."
Risk Register as Audit Trail
The Risk Register serves as the central audit trail for all findings. Every finding includes:
- The specific code change that introduced the vulnerability
- Which analyzer detected it and why
- The remediation status and any associated PR that fixed it
- Triage records with notes explaining why a finding was marked as acceptable risk
This level of traceability satisfies auditors who need to understand not just what vulnerabilities exist, but how the organization identified and responded to them.
SBOM and AI-BOM
DryRun Security generates Software Bills of Materials (SBOM) that document the third-party components in your codebase. SBOMs are increasingly required by regulation (Executive Order 14028, EU Cyber Resilience Act) and by enterprise customers who need supply chain transparency.
DeepScan for Compliance Assessments
Run a DeepScan to generate a point-in-time security assessment of an entire repository. This is useful for:
- Initial onboarding - establishing a security baseline when connecting a repository
- Pre-audit preparation - generating comprehensive findings reports ahead of an audit
- Regulatory submissions - providing evidence of security review for compliance certifications
- Periodic assessments - quarterly or annual full-repository reviews beyond continuous PR scanning
SBOM Generation
What Is an SBOM?
A Software Bill of Materials (SBOM) is a formal inventory of all the components in a software product - every library, package, framework, and dependency, along with version information and provenance data. SBOMs have become an important tool for supply chain security, enabling organizations to quickly determine whether they're affected when a new vulnerability is disclosed in a widely-used library.
Regulatory frameworks and government procurement requirements increasingly mandate SBOM production. Executive Order 14028 in the United States requires SBOMs from software vendors selling to the federal government. Similar requirements are emerging in the EU and other jurisdictions. Even organizations not subject to regulatory mandates benefit from the visibility SBOMs provide into their software supply chain.
SBOM with DryRun Security
DryRun Security generates SBOMs as a natural output of its dependency scanning capability. Because DryRun Security already analyzes your dependency manifests and lock files on every scan, the data needed for SBOM production is continuously maintained and up to date.
SBOMs can be exported in industry-standard formats, enabling integration with vulnerability management platforms, procurement systems, and compliance tools that consume SBOM data.
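The lookup an SBOM enables, as an added example that is not DryRun Security's code or export format: a disclosed advisory is matched against a minimal CycloneDX-style JSON SBOM (a constructed sample), reporting which inventoried components fall below the fixed version. The advisory shape and the plain numeric version comparison are assumptions made for the example.

```python
import json

# Constructed, minimal CycloneDX-style SBOM (not DryRun Security output).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
    {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}
  ]
}"""

# Constructed advisory: ecosystem, package, and the first fixed version.
# Assumption: every version below "fixed" is affected.
ADVISORY = {"ecosystem": "npm", "name": "lodash", "fixed": "4.17.21"}


def parse_version(v):
    """Turn a dotted numeric version ('4.17.15') into a comparable tuple.
    Assumption: numeric segments only; a segment without digits sorts as 0."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def ecosystem_of(purl):
    """Read the ecosystem out of a package URL: pkg:npm/lodash@4.17.15 -> npm."""
    return purl.split(":", 1)[1].split("/", 1)[0] if purl.startswith("pkg:") else ""


def affected_components(sbom_json, advisory):
    """Return (name, version) for every SBOM component the advisory covers."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        if ecosystem_of(comp.get("purl", "")) != advisory["ecosystem"]:
            continue  # same package name in another ecosystem is a different package
        if comp.get("name") != advisory["name"]:
            continue
        if parse_version(comp["version"]) < parse_version(advisory["fixed"]):
            hits.append((comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    print(affected_components(SBOM_JSON, ADVISORY))  # [('lodash', '4.17.15')]
```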
AI-BOM: Bill of Materials for AI Components
As AI-generated code and AI-powered libraries become prevalent in modern software, a new challenge emerges: understanding what AI components are present in your software and what their provenance is. DryRun Security generates AI-BOMs - bills of materials specifically tracking AI-originated components and AI library dependencies.
An AI-BOM captures:
- AI and ML libraries present in the codebase and their versions
- Model dependencies and third-party AI service integrations
- Sections of code identified as AI-generated (via DryRun's AI coding visibility capability)
Compliance and Audit Readiness
SBOM and AI-BOM data produced by DryRun Security can be provided directly to auditors, customers, or regulators as evidence of supply chain visibility and control. Combined with DryRun Security's continuous vulnerability scanning and risk trending, this provides the documented, traceable security program that compliance frameworks require.