Compliance Dashboard
The Compliance Dashboard maps your security findings to industry compliance frameworks. Configure frameworks that apply to your organization, view remediation progress per control, and generate compliance reports.
Compliance is available on the Starter plan and above. Individual frameworks have their own plan-tier requirements:
- NIS2 / DORA — Starter and above
- CRA, ENS, FedRAMP — Enterprise (contact sales)
- SOC2, PCI DSS — Scale and above (see the entitlement table under Compliance by Plan)
Source: /Users/jpalanco/Projects/platform/fastapi/routes/compliance_dashboard.py:43-52
Configuring Frameworks
- Go to Compliance Dashboard
- If no frameworks are configured, you'll see: "No compliance frameworks configured"
- Click Configure frameworks (or the settings icon)
- Select which regulations apply to your organization:
Supported Frameworks:
- NIS2 (EU Directive 2022/2555) — Essential and important entities: critical infrastructure and essential services
- DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) — ICT risk management and operational resilience for financial entities
- CRA (Cyber Resilience Act) — Cybersecurity requirements for products with digital elements placed on the EU market
- SOC2 (AICPA) — Trust Services Criteria for service organizations, including cloud services
- PCI DSS (Payment Card Industry Data Security Standard) — Cardholder data protection
- ENS (Esquema Nacional de Seguridad, Spain) — Spanish public-sector systems and the providers that serve them
- FedRAMP (US Federal Risk and Authorization Management Program) — Cloud services used by the US government
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/compliance.yml:44-48
Once configured, findings are automatically mapped to controls in each selected framework.
Dashboard Overview
The main dashboard shows KPIs per framework:
| Metric | Meaning |
|---|---|
| Open Findings | Unresolved issues mapped to this framework's controls |
| Fixed | Issues remediated or marked as not-affected (VEX) |
| Affected Assets | Repositories/cloud accounts with findings in this framework |
| Controls | How many compliance controls have findings |
| Critical / High | Count of critical- and high-severity issues |
Frameworks with no findings show "No findings · mapping pending" (scan results haven't been processed yet).
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/compliance.yml:25-31, fastapi/routes/compliance_dashboard.py:72-77
Click a framework card to drill into detailed findings for that framework.
Filtering Findings
Narrow the view using:
- Repository — Specific repo or all repos
- Asset type — Code (findings from SAST/SCA/IaC), Cloud (cloud account scans), SCM (supply chain), or All
- Severity — Critical, High, Medium, Low (multi-select)
- Framework — Which compliance framework(s) to view
- Trend window — Last 30/90/180 days or last year
Click Refresh to re-fetch latest findings.
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/compliance.yml:9-18
Compliance Charts
Risk Flow (Sankey Diagram)
Shows how findings flow through remediation:
Total Findings → Fixed → Resolved
Total Findings → Remaining → Open
Use this to:
- See remediation velocity (how many findings are being fixed)
- Track "fixed" vs "remaining" ratio
- Identify if backlog is growing or shrinking
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/compliance.yml:39-42
Compliance Findings (Heatmap)
Matrix view: repositories (rows) × frameworks (columns), with color intensity representing finding density.
Color coding:
- 🟢 Green: Few/no findings
- 🟡 Yellow: Medium finding count
- 🔴 Red: High finding count
Click a cell to see which controls are violated in that repo under that framework.
Framework Risk Quadrant
Plots frameworks by:
- X-axis: Remediation rate (left = slow, right = fast)
- Y-axis: Finding count (bottom = few, top = many)
Helps prioritize: frameworks in top-left (high findings, slow remediation) need attention.
Top Violated Controls
Lists the compliance controls with the most findings across all frameworks:
| Control | Framework | Category | Severity Breakdown | Assets | Findings |
|---|---|---|---|---|---|
| CRA.4.1 | EU CRA | Crypto | 1 Critical, 3 High, 5 Medium | 2 repos | 9 |
| NIS2.2.3 | NIS2 | Access Control | 0 Critical, 2 High, 1 Medium | 3 repos | 3 |
Click a control to see all findings mapped to it and remediation recommendations.
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/compliance.yml:33-37
Findings Trend
Line chart over time (30/90/180/365 days):
- Open findings — Issues not yet fixed
- Fixed findings — Issues remediated this period
Use to:
- Demonstrate security improvements to auditors
- Track trends before/after security initiatives
- Forecast remediation timeline
Control Remediation
Finding-to-Control Mapping
When you run scanners (SAST, IaC, secrets, etc.), findings are automatically categorized:
Example mapping:
- Hardcoded credentials (gitleaks) → NIS2.3.2 (Cryptographic Key Management), CRA.4.3 (Secrets Management)
- Weak encryption (cbom) → CRA.4.1 (Cryptographic Algorithms), ENS.OP.2 (Crypto Policy)
- Insecure RBAC (cloud scan) → SOC2 CC6 (Logical Access Control)
- Outdated TLS (dast) → PCI DSS 4.1 (Encryption Protocol)
Mapping is based on:
- Finding severity and type
- Framework control definitions
- Your organization's risk profile
Source: /Users/jpalanco/Projects/platform/fastapi/routes/compliance_dashboard.py:25-36
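The following Python sketch is an added worked example, not Plexicus code, showing how the finding-to-control mapping above and the per-framework KPIs from Dashboard Overview fit together, including the rule from Troubleshooting that only a justified "Not Affected" VEX statement reduces the open count, and the effect of an expired risk acceptance. The MAPPING_RULES table, the Finding fields, the "FRAMEWORK.control" ID convention and the needs_decision counter are illustrative assumptions; the sample findings are constructed.

```python
"""Added example, not Plexicus code: scanner findings -> per-framework KPIs.

Assumptions for illustration: the MAPPING_RULES table, the Finding fields,
the "<FRAMEWORK>.<control>" ID convention and the needs_decision counter.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed rule table: (tool, finding type) -> control IDs. It mirrors the
# example mapping on this page; real rules also weigh severity and risk profile.
MAPPING_RULES: dict[tuple[str, str], list[str]] = {
    ("gitleaks", "hardcoded-credential"): ["NIS2.3.2", "CRA.4.3"],
    ("cbom", "weak-algorithm"): ["CRA.4.1", "ENS.OP.2"],
    ("cloud", "overpermissive-rbac"): ["SOC2.CC6"],
    ("dast", "outdated-tls"): ["PCIDSS.4.1"],
}


@dataclass
class Finding:
    id: str
    tool: str
    ftype: str
    severity: str                      # critical | high | medium | low | info
    asset: str                         # repository or cloud account
    fixed: bool = False                # patched, reconfigured or credential rotated
    vex_status: Optional[str] = None   # e.g. "not_affected", "affected"
    vex_justification: Optional[str] = None
    risk_accepted_until: Optional[date] = None  # expiration of an Accept Risk decision


def framework_of(control_id: str) -> str:
    return control_id.split(".", 1)[0]


def map_controls(f: Finding) -> list[str]:
    """Informational findings map to no control (see Troubleshooting)."""
    if f.severity == "info":
        return []
    return MAPPING_RULES.get((f.tool, f.ftype), [])


def is_resolved(f: Finding) -> bool:
    """A fix, or VEX not_affected WITH a justification, counts as resolved.
    A not_affected status without justification is deliberately ignored."""
    return f.fixed or (f.vex_status == "not_affected" and bool(f.vex_justification))


def has_current_risk_decision(f: Finding, today: date) -> bool:
    """An unexpired Accept Risk decision documents an open finding;
    an expired one does not, so the finding needs review again."""
    return f.risk_accepted_until is not None and f.risk_accepted_until >= today


def framework_kpis(findings: list[Finding], selected: set[str], today: date) -> dict[str, Optional[dict]]:
    """KPIs per selected framework (dashboard columns plus needs_decision).
    A selected framework with no mapped findings yields None ("mapping pending")."""
    acc = {fw: {"open": 0, "fixed": 0, "assets": set(), "controls": set(),
                "critical_high": 0, "needs_decision": 0} for fw in selected}
    touched: set[str] = set()
    for f in findings:
        per_fw: dict[str, list[str]] = defaultdict(list)
        for control in map_controls(f):
            per_fw[framework_of(control)].append(control)
        for fw, controls in per_fw.items():
            if fw not in acc:          # framework not configured for this org
                continue
            touched.add(fw)
            k = acc[fw]
            if is_resolved(f):
                k["fixed"] += 1        # counted once per framework, not per control
                continue
            k["open"] += 1
            k["controls"].update(controls)   # assumption: only open findings count here
            k["assets"].add(f.asset)
            if f.severity in ("critical", "high"):
                k["critical_high"] += 1
            if not has_current_risk_decision(f, today):
                k["needs_decision"] += 1
    return {
        fw: None if fw not in touched else {
            "open": k["open"], "fixed": k["fixed"],
            "affected_assets": len(k["assets"]), "controls": len(k["controls"]),
            "critical_high": k["critical_high"], "needs_decision": k["needs_decision"],
        }
        for fw, k in acc.items()
    }


TODAY = date(2025, 6, 1)
# Constructed sample input; not real scanner output.
SAMPLE_FINDINGS = [
    Finding("f1", "gitleaks", "hardcoded-credential", "critical", "repo-a"),
    Finding("f2", "gitleaks", "hardcoded-credential", "high", "repo-b", fixed=True),
    Finding("f3", "cbom", "weak-algorithm", "high", "repo-a",
            vex_status="not_affected", vex_justification="algorithm only used for non-security checksums"),
    Finding("f4", "cbom", "weak-algorithm", "medium", "repo-c", vex_status="not_affected"),  # no justification
    Finding("f5", "cloud", "overpermissive-rbac", "high", "aws-prod", risk_accepted_until=date(2025, 1, 31)),  # expired
    Finding("f6", "dast", "outdated-tls", "medium", "repo-a", risk_accepted_until=date(2025, 12, 31)),
    Finding("f7", "sast", "reflected-xss", "info", "repo-a"),   # informational: maps to nothing
]
SELECTED = {"NIS2", "CRA", "SOC2", "PCIDSS", "DORA"}   # ENS not configured -> ENS.OP.2 ignored


def sample_dashboard() -> dict[str, Optional[dict]]:
    return framework_kpis(SAMPLE_FINDINGS, SELECTED, TODAY)


if __name__ == "__main__":
    for fw, k in sorted(sample_dashboard().items()):
        print(fw, "No findings · mapping pending" if k is None else k)
```

Two behaviours are worth noting when reading the output: f4 stays open because its "Not Affected" status carries no justification, and f5 still counts as needing a decision because its risk acceptance expired before TODAY, which is the kind of finding an auditor will ask about first.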
Remediation Options
For each mapped finding:
- Fix — Patch code, update config, rotate credentials
  - Generate PR via plexicus remediation (if supported)
  - Manual remediation with provided guidance
  - Track via audit log
- VEX Statement — Declare the finding not-affected
  - Mark in xBOM as "Not Affected" with justification
  - Audit proof that you assessed and decided
  - Counts as remediated for compliance purposes
- Accept Risk — Document why you're not fixing
  - Store risk acceptance in Plexicus
  - Justification visible to auditors
  - Tracks decision date, approver, expiration
Pick the option the control actually calls for:
- NIS2 — every open finding needs a documented risk decision: an Accept Risk record with approver and expiration, or a justified VEX statement
- PCI DSS — keep dated evidence of remediation progress every quarter, matching the quarterly scanning cadence the standard requires
- CRA — cryptographic findings need a recorded risk assessment; for CBOM/crypto findings that are not exploitable, record it as a justified VEX statement
An expired risk acceptance no longer documents the decision; review and renew it before the expiration date passes.
Compliance by Plan
Not all frameworks are available on all plans. Your plan determines:
- Which frameworks you can select
- How many controls you can map
- Export format options (PDF, audit trail)
- Whether VEX statements count toward compliance
Current plan entitlement mapping:
| Framework | Free | Starter | Scale | Enterprise |
|---|---|---|---|---|
| NIS2 | — | ✓ | ✓ | ✓ |
| DORA | — | ✓ | ✓ | ✓ |
| CRA | — | — | — | ✓ |
| SOC2 | — | — | ✓ | ✓ |
| PCI DSS | — | — | ✓ | ✓ |
| ENS | — | — | — | ✓ |
| FedRAMP | — | — | — | ✓ |
Source: /Users/jpalanco/Projects/platform/fastapi/routes/compliance_dashboard.py:57-79
To see which frameworks you have access to, check Settings → Organization → Plan.
Audit & Export
Dashboard Screenshots
All charts are downloadable as PNG for presentations and audit reports.
- Click the chart
- Look for download icon (if available)
- Save as image for auditor deck
Compliance Report Export
For exportable evidence of your compliance posture:
- Go to xBOM → Export (or Compliance Dashboard settings)
- Select PDF Attestation
- Choose a Compliance Profile:
  - EU CRA → Cryptographic risk attestation
  - CISA 2025 → Supply chain transparency
  - PCI DSS → Payment security audit
  - EU AI Act → AI governance proof
- Download PDF — a signed attestation of your compliance posture at export time. It is evidence for auditors, not a certification by an accredited body or regulator.
Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/xbom.yml:81-87
Audit Trail
Every framework configuration change and VEX statement is logged:
- Go to Organization → Audit Log (if available)
- Filter to compliance-related events
- Export audit trail for external auditors
- Shows: what changed, who changed it, when, reason
Mapping Findings to Controls
Understanding Control Categories
Compliance controls fall into categories:
| Category | Controls | Findings That Map |
|---|---|---|
| Access Control | Authentication, MFA, RBAC | Weak auth, missing 2FA, overpermissive roles |
| Encryption | Data in transit, at rest | Weak crypto, unencrypted storage, exposed TLS |
| Secrets Management | Key rotation, credential storage | Hardcoded secrets, exposed API keys |
| Code Quality | SAST, dependency scanning | Code vulns, outdated dependencies |
| IaC & Config | Infrastructure security | Misconfigured cloud, insecure k8s |
| Incident Response | Audit logging, alerting | Missing logs, disabled monitoring |
| Supply Chain | SBOM, vendor risk | Vulnerable deps, compromised packages |
Example: NIS2 Compliance
NIS2.3.2 — Cryptographic Key Management
Maps to: findings with weak cryptography (the same ones mapped to CRA.4.1) and CBOM findings with deprecated algorithms
Remediation:
- Audit current cryptography (view CBOM)
- Plan crypto migration (schedule RSA upgrade, SHA-1 sunset, etc.)
- Record decision in VEX statements
- Export CBOM + PDF attestation for regulator
NIS2.2.1 — Access Control
Maps to: Cloud findings with overpermissive IAM, auth findings with weak MFA
Remediation:
- Review cloud access (plexicus-cloud findings)
- Enforce MFA (settings)
- Update RBAC (organization roles)
- Document approval in audit log
Troubleshooting
"No frameworks configured"
Click Configure frameworks and select at least one framework that applies to your organization.
"No findings · mapping pending"
Run a scan with compliance-relevant tools (SAST, IaC, cloud, secrets). Give the backend 5-10 seconds to process findings and map them to controls.
"Why is my finding not mapped?"
Some findings may not map to any framework (e.g., informational-level issues). Try filtering to high/critical severity or running a focused scan on a control area.
"VEX statements not counting toward compliance"
Confirm you've saved the VEX statement in xBOM. Only "Not Affected" statuses with justification reduce open findings count.
"My plan doesn't include this framework"
Upgrade your plan in Settings → Organization → Billing, or contact sales for enterprise frameworks (CRA, ENS, FedRAMP).
See Also
- xBOM (Bill of Materials) — VEX statements and SBOM export for compliance proof
- Security Scanners — Enable compliance-relevant tools
- Findings Remediation — Track and fix mapped findings