Traditional: spreadsheets, screenshots, annual audits. Compliance as Code: continuous automated verification.
Why
| Traditional | As Code |
|---|---|
| Annual audit | Continuous |
| Screenshots | Automated tests |
| Drift detected next audit | Drift detected in minutes |
Common frameworks
SOC 2: Access control, change management, encryption, logging, incident response.
ISO 27001: Configuration management, cryptography, secure development.
PCI DSS: Secure configs, vulnerability management, MFA, audit trails.
Implementation
OPA policies:
```rego
package terraform.s3

# Input shape matches conftest's parse of Terraform HCL: resource.<type>.<name>.
# Flag any aws_s3_bucket that has no server_side_encryption_configuration block.
deny[msg] {
    bucket := input.resource.aws_s3_bucket[name]
    not bucket.server_side_encryption_configuration
    msg := sprintf("S3 bucket '%s' not encrypted", [name])
}
```
Checkov: Runs hundreds of IaC checks; many are tagged with the compliance frameworks they map to (SOC 2, CIS, NIST).
```shell
checkov -d . --framework terraform
```
Kyverno: Enforce policies at K8s admission.
Branch protection: PRs required, approvals, status checks.
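The OPA rule above only looks for the inline encryption block, which the AWS provider split into a separate aws_s3_bucket_server_side_encryption_configuration resource from version 4 on. This added Python check (not from the original page, written in the style of a custom Checkov check) evaluates `terraform show -json plan.out` output against a constructed sample plan and accepts either form, resolving the split resource's bucket reference from the configuration section because its `bucket` value is usually unknown at plan time:

```python
import json

# Constructed sample of `terraform show -json plan.out` output, trimmed to the keys used below.
# "legacy" encrypts with the inline block (AWS provider < 4), "logs" with the split resource
# (provider >= 4), and "scratch" is not encrypted at all.
PLAN_JSON = """{
 "planned_values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.legacy", "type": "aws_s3_bucket",
   "values": {"bucket": "legacy-data", "server_side_encryption_configuration": [{"rule": [{}]}]}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"bucket": "app-logs"}},
  {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket", "values": {"bucket": "scratch"}},
  {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
   "type": "aws_s3_bucket_server_side_encryption_configuration", "values": {}}
 ]}},
 "configuration": {"root_module": {"resources": [
  {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
   "type": "aws_s3_bucket_server_side_encryption_configuration",
   "expressions": {"bucket": {"references": ["aws_s3_bucket.logs.id", "aws_s3_bucket.logs"]}}}
 ]}}
}"""
SAMPLE_PLAN = json.loads(PLAN_JSON)
SSE_TYPE = "aws_s3_bucket_server_side_encryption_configuration"


def unencrypted_buckets(plan: dict) -> list[str]:
    """Addresses of root-module aws_s3_bucket resources with no SSE configured.

    A bucket is encrypted if it has a non-empty inline server_side_encryption_configuration
    block OR a separate aws_s3_bucket_server_side_encryption_configuration resource refers
    to it. The split resource's `bucket` value is usually unknown at plan time, so the link
    is resolved from the configuration section's references rather than planned values.
    """
    planned = plan["planned_values"]["root_module"].get("resources", [])
    config = plan["configuration"]["root_module"].get("resources", [])
    covered = set()  # bucket addresses referenced by a split SSE resource
    for res in config:
        if res.get("type") != SSE_TYPE:
            continue
        for ref in res.get("expressions", {}).get("bucket", {}).get("references", []):
            parts = ref.split(".")  # "aws_s3_bucket.logs.id" -> "aws_s3_bucket.logs"
            if len(parts) >= 2 and parts[0] == "aws_s3_bucket":
                covered.add(".".join(parts[:2]))
    findings = []
    for res in planned:
        if res.get("type") != "aws_s3_bucket":
            continue
        inline = res.get("values", {}).get("server_side_encryption_configuration") or []
        if not inline and res["address"] not in covered:
            findings.append(res["address"])
    return findings
```

On the sample plan only `aws_s3_bucket.scratch` is reported; against a real plan, feed it `json.load(open("plan.json"))` and fail the CI job when the list is non-empty. Child modules are not walked here.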
Evidence collection
Generate automatically with scheduled CI:
```yaml
- run: mkdir -p evidence && aws iam generate-credential-report   # starts generation (async); retry the next step if it reports ReportInProgress
- run: aws iam get-credential-report --output json > evidence/iam.json   # fetches the report (base64 CSV inside the JSON)
- run: aws s3 cp --recursive evidence/ s3://compliance-evidence/$(date +%Y-%m-%d)/
```
Store immutably with Object Lock.
Drift detection
```shell
terraform plan -detailed-exitcode   # exit 0 = no changes, 1 = error, 2 = changes pending (drift)
```
Schedule every 6 hours. Alert on exit code 2.
Getting started
- Automate evidence for top 5 failing controls
- Add compliance checks to CI
- Build dashboard, set up drift detection
- Achieve continuous compliance
The takeaway
OPA, Checkov, Kyverno for policies. Generate evidence automatically. Store immutably. Detect drift continuously.
Start with your most painful controls. Expand incrementally.
The goal isn't eliminating audits. It's making them trivial - because evidence is always current and always available.
