
Compliance Dashboard

The Compliance Dashboard maps your security findings to industry compliance frameworks. Configure frameworks that apply to your organization, view remediation progress per control, and generate compliance reports.

info

Compliance is available on Starter plan and above. Each framework may have additional plan-tier requirements:

  • NIS2 / DORA — Starter+
  • CRA, ENS, FedRAMP — Enterprise (contact sales)
  • SOC2, PCI DSS — Varies by plan

Source: /Users/jpalanco/Projects/platform/fastapi/routes/compliance_dashboard.py:43-52

Configuring Frameworks

  1. Go to Compliance Dashboard
  2. If no frameworks are configured, you'll see: "No compliance frameworks configured"
  3. Click Configure frameworks (or the settings icon)
  4. Select which regulations apply to your organization:

Supported Frameworks:

  • NIS2 (EU Directive 2022/2555) — Essential and important entities: critical infrastructure and essential services
  • DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) — ICT risk and operational resilience for EU financial entities
  • CRA (Cyber Resilience Act) — Cybersecurity requirements for products with digital elements placed on the EU market
  • SOC2 (AICPA) — Service-organization controls assessed against the Trust Services Criteria (security, availability, etc.)
  • PCI DSS (Payment Card Industry Data Security Standard) — Cardholder data protection
  • ENS (Esquema Nacional de Seguridad, Royal Decree 311/2022) — Spanish public-sector security scheme
  • FedRAMP (US Federal Risk and Authorization Management Program) — US government cloud authorization

Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/compliance.yml:44-48

Once configured, findings are automatically mapped to controls in each selected framework.

Dashboard Overview

The main dashboard shows KPIs per framework:

| Metric | Meaning |
| --- | --- |
| Open Findings | Unresolved issues mapped to this framework's controls |
| Fixed | Issues remediated or marked as not-affected (VEX) |
| Affected Assets | Repositories/cloud accounts with findings in this framework |
| Controls | How many compliance controls have findings |
| Critical / High | Count of critical- and high-severity issues |

Frameworks with no findings show "No findings · mapping pending" (scan results haven't been processed yet).

Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/compliance.yml:25-31, fastapi/routes/compliance_dashboard.py:72-77

Click a framework card to drill into detailed findings for that framework.

Filtering Findings

Narrow the view using:

  • Repository — Specific repo or all repos
  • Asset type — Code (findings from SAST/SCA/IaC), Cloud (cloud account scans), SCM (supply chain), or All
  • Severity — Critical, High, Medium, Low (multi-select)
  • Framework — Which compliance framework(s) to view
  • Trend window — Last 30/90/180 days or last year

Click Refresh to re-fetch latest findings.

Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/compliance.yml:9-18

Compliance Charts

Risk Flow (Sankey Diagram)

Shows how findings flow through remediation:

Total Findings → [Fixed] → Resolved
→ [Remaining] → Open

Use this to:

  • See remediation velocity (how many findings are being fixed)
  • Track "fixed" vs "remaining" ratio
  • Identify if backlog is growing or shrinking

Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/compliance.yml:39-42

Compliance Findings (Heatmap)

Matrix view: repositories (rows) × frameworks (columns), with color intensity representing finding density.

Color coding:

  • 🟢 Green: Few/no findings
  • 🟡 Yellow: Medium finding count
  • 🔴 Red: High finding count

Click a cell to see which controls are violated in that repo under that framework.

Framework Risk Quadrant

Plots frameworks by:

  • X-axis: Remediation rate (left = slow, right = fast)
  • Y-axis: Finding count (bottom = few, top = many)

Helps prioritize: frameworks in top-left (high findings, slow remediation) need attention.

Top Violated Controls

Lists the compliance controls with the most findings across all frameworks:

| Control | Framework | Category | Severity Breakdown | Assets | Findings |
| --- | --- | --- | --- | --- | --- |
| CRA.4.1 | EU CRA | Crypto | 1 Critical, 3 High, 5 Medium | 2 repos | 9 |
| NIS2.2.3 | NIS2 | Access Control | 0 Critical, 2 High, 1 Medium | 3 repos | 3 |

Click a control to see all findings mapped to it and remediation recommendations.

Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/compliance.yml:33-37

Findings Trend

Line chart over time (30/90/180/365 days):

  • Open findings — Issues not yet fixed
  • Fixed findings — Issues remediated this period

Use to:

  • Demonstrate security improvements to auditors
  • Track trends before/after security initiatives
  • Forecast remediation timeline

Control Remediation

Finding-to-Control Mapping

When you run scanners (SAST, IaC, secrets, etc.), findings are automatically categorized:

Example mapping:

  • Hardcoded credentials (gitleaks) → NIS2.3.2 (Cryptographic Key Management), CRA.4.3 (Secrets Management)
  • Weak encryption (cbom) → CRA.4.1 (Cryptographic Algorithms), ENS.OP.2 (Crypto Policy)
  • Insecure RBAC (cloud scan) → SOC2 CC6 (Logical Access Control)
  • Outdated TLS (dast) → PCI DSS 4.1 (Encryption Protocol)

Mapping is based on:

  • Finding severity and type
  • Framework control definitions
  • Your organization's risk profile

Source: /Users/jpalanco/Projects/platform/fastapi/routes/compliance_dashboard.py:25-36

Remediation Options

For each mapped finding:

  1. Fix — Patch code, update config, rotate credentials

    • Generate PR via plexicus remediation (if supported)
    • Manual remediation with provided guidance
    • Track via audit log
  2. VEX Statement — Declare the finding not-affected

    • Mark in xBOM as "Not Affected" with justification
    • Audit proof that you assessed and decided
    • Counts as remediated for compliance purposes
  3. Accept Risk — Document why you're not fixing

    • Store risk acceptance in Plexicus
    • Justification visible to auditors
    • Tracks decision date, approver, expiration

Pick the option that satisfies the evidence requirement of the control in question:

  • NIS2 — document a risk acceptance for every finding you leave open; Article 21 risk-management measures must be demonstrable to the competent authority
  • PCI DSS — quarterly vulnerability scans (Requirement 11.3) must show findings on in-scope systems being remediated and rescanned, so fixes rather than risk acceptances are expected there
  • CRA — manufacturers must assess and document product cybersecurity risk, so every cryptographic finding needs an explicit decision: a fix, or a VEX statement with justification
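To make the mapping and counting rules above concrete, here is an added example (it is not Plexicus code and does not use the platform's API) that maps scanner findings to controls, applies a VEX document, and computes the per-framework KPIs, remediation rate and top violated controls the dashboard shows. The mapping table, the control IDs, the CycloneDX-style VEX fragment keyed by finding ID, and the sample findings are all constructed assumptions for illustration:

```python
# Added example (not Plexicus code): map scanner findings to controls, apply
# VEX statements, and compute per-framework KPIs plus top violated controls.
# The mapping table, control IDs and sample data are constructed placeholders.
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed (scanner, finding type) -> control IDs, modelled on the page's examples.
MAPPING = {
    ("gitleaks", "hardcoded-credential"): ["NIS2.3.2", "CRA.4.3"],
    ("cbom", "weak-algorithm"): ["CRA.4.1", "ENS.OP.2"],
    ("cloud", "overpermissive-iam"): ["SOC2.CC6"],
    ("dast", "outdated-tls"): ["PCI.4.1"],
}
FRAMEWORK_NAME = {"NIS2": "NIS2", "CRA": "CRA", "ENS": "ENS", "SOC2": "SOC2", "PCI": "PCI DSS"}

@dataclass
class Finding:
    id: str
    tool: str
    kind: str
    severity: str  # critical | high | medium | low | info
    asset: str     # repository or cloud account
    fixed: bool = False

def framework_of(control_id: str) -> str:
    return FRAMEWORK_NAME[control_id.split(".", 1)[0]]  # "CRA.4.3" -> "CRA"

def map_finding(f: Finding) -> list[str]:
    """Informational findings map to no control, the usual reason a finding
    shows as 'not mapped' on the dashboard."""
    return [] if f.severity == "info" else MAPPING.get((f.tool, f.kind), [])

def vex_resolved(vex_doc: dict) -> set[str]:
    """IDs marked not_affected WITH a justification in a CycloneDX-style VEX
    document; any other state, or a missing justification, keeps the finding
    open. Keying the VEX entry on the finding ID is an assumed simplification."""
    resolved = set()
    for vuln in vex_doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        if analysis.get("state") == "not_affected" and analysis.get("justification"):
            resolved.add(vuln["id"])
    return resolved

def dashboard(findings: list[Finding], vex_doc: dict) -> dict:
    """Per-framework KPIs, top violated controls and unmapped finding IDs."""
    resolved = vex_resolved(vex_doc)
    kpi = defaultdict(lambda: {"open": 0, "fixed": 0, "assets": set(),
                               "controls": set(), "critical_high": 0})
    per_control = defaultdict(lambda: {"findings": 0, "assets": set(), "severity": Counter()})
    unmapped = []
    for f in findings:
        controls = map_finding(f)
        if not controls:
            unmapped.append(f.id)
            continue
        remediated = f.fixed or f.id in resolved
        # A finding counts once per framework even when it hits several controls.
        for fw in {framework_of(c) for c in controls}:
            k = kpi[fw]
            if remediated:
                k["fixed"] += 1
                continue
            k["open"] += 1
            k["assets"].add(f.asset)
            k["controls"].update(c for c in controls if framework_of(c) == fw)
            if f.severity in ("critical", "high"):
                k["critical_high"] += 1
        if not remediated:
            for c in controls:
                per_control[c]["findings"] += 1
                per_control[c]["assets"].add(f.asset)
                per_control[c]["severity"][f.severity] += 1
    for k in kpi.values():  # remediation rate is the X axis of the risk quadrant
        total = k["open"] + k["fixed"]
        k["remediation_rate"] = k["fixed"] / total if total else 0.0
    top = sorted(({"control": c, "framework": framework_of(c), **v} for c, v in per_control.items()),
                 key=lambda r: (-r["findings"], r["control"]))
    return {"kpi": dict(kpi), "top_controls": top, "unmapped": unmapped}

# Constructed sample input (not real scan output).
SAMPLE_FINDINGS = [
    Finding("F1", "gitleaks", "hardcoded-credential", "critical", "repo-api"),
    Finding("F2", "gitleaks", "hardcoded-credential", "high", "repo-web", fixed=True),
    Finding("F3", "cbom", "weak-algorithm", "high", "repo-api"),
    Finding("F4", "cbom", "weak-algorithm", "medium", "repo-legacy"),
    Finding("F5", "cloud", "overpermissive-iam", "high", "aws-prod"),
    Finding("F7", "semgrep", "debug-enabled", "info", "repo-web"),
    Finding("F8", "gitleaks", "hardcoded-credential", "high", "repo-legacy"),
]
SAMPLE_VEX = {  # constructed CycloneDX-style VEX fragment
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "F4", "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                                  "detail": "MD5 is only used for cache keys"}},
        {"id": "F3", "analysis": {"state": "not_affected"}},  # no justification: stays open
    ],
}

if __name__ == "__main__":
    print(dashboard(SAMPLE_FINDINGS, SAMPLE_VEX)["kpi"]["CRA"])
```

Running it shows the behaviours the page describes: F4 drops out of the open count only because its VEX entry carries a justification, while F3 (not_affected with no justification) stays open; a secret that hits both NIS2.3.2 and CRA.4.3 counts once per framework but once per control, so it appears in both KPI cards and in the Top Violated Controls list; the informational F7 ends up in the unmapped list rather than silently vanishing.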

Compliance by Plan

Not all frameworks are available on all plans. Your plan determines:

  • Which frameworks you can select
  • How many controls you can map
  • Export format options (PDF, audit trail)
  • Whether VEX statements count toward compliance

Current plan entitlement mapping:

| Framework | Free | Starter | Scale | Enterprise |
| --- | --- | --- | --- | --- |
| NIS2 | – | ✓ | ✓ | ✓ |
| DORA | – | ✓ | ✓ | ✓ |
| CRA | – | – | – | ✓ |
| SOC2 | – | varies | varies | varies |
| PCI DSS | – | varies | varies | varies |
| ENS | – | – | – | ✓ |
| FedRAMP | – | – | – | ✓ |

Source: /Users/jpalanco/Projects/platform/fastapi/routes/compliance_dashboard.py:57-79

To see which frameworks you have access to, check Settings → Organization → Plan.

Audit & Export

Dashboard Screenshots

All charts are downloadable as PNG for presentations and audit reports.

  1. Click the chart
  2. Look for download icon (if available)
  3. Save as image for auditor deck

Compliance Report Export

For a formal, point-in-time attestation of your compliance posture:

  1. Go to xBOM → Export (or Compliance Dashboard settings)

  2. Select PDF Attestation

  3. Choose Compliance Profile:

    • EU CRA → Cryptographic risk attestation
    • CISA 2025 → Supply chain transparency
    • PCI DSS → Payment security audit
    • EU AI Act → AI governance proof
  4. Download PDF — a signed attestation of your compliance posture at the time of export

Source: /Users/jpalanco/Projects/platform/frontend/i18n/locales/en/xbom.yml:81-87

Audit Trail

Every framework configuration change and VEX statement is logged:

  1. Go to Organization → Audit Log (if available)
  2. Filter to compliance-related events
  3. Export audit trail for external auditors
  4. Shows: what changed, who changed it, when, reason

Mapping Findings to Controls

Understanding Control Categories

Compliance controls fall into categories:

| Category | Controls | Findings That Map |
| --- | --- | --- |
| Access Control | Authentication, MFA, RBAC | Weak auth, missing 2FA, overpermissive roles |
| Encryption | Data in transit, at rest | Weak crypto, unencrypted storage, exposed TLS |
| Secrets Management | Key rotation, credential storage | Hardcoded secrets, exposed API keys |
| Code Quality | SAST, dependency scanning | Code vulns, outdated dependencies |
| IaC & Config | Infrastructure security | Misconfigured cloud, insecure k8s |
| Incident Response | Audit logging, alerting | Missing logs, disabled monitoring |
| Supply Chain | SBOM, vendor risk | Vulnerable deps, compromised packages |

Example: NIS2 Compliance

NIS2.3.2 — Cryptographic Key Management
Maps to: CRA findings with weak crypto, CBOM findings with deprecated algorithms

Remediation:

  • Audit current cryptography (view CBOM)
  • Plan crypto migration (schedule RSA upgrade, SHA-1 sunset, etc.)
  • Record decision in VEX statements
  • Export CBOM + PDF attestation for regulator

NIS2.2.1 — Access Control
Maps to: Cloud findings with overpermissive IAM, auth findings with weak MFA

Remediation:

  • Review cloud access (plexicus-cloud findings)
  • Enforce MFA (settings)
  • Update RBAC (organization roles)
  • Document approval in audit log

Troubleshooting

"No frameworks configured"
Click Configure frameworks and select at least one framework that applies to your organization.

"No findings · mapping pending"
Run a scan with compliance-relevant tools (SAST, IaC, cloud, secrets). Give the backend 5-10 seconds to process findings and map them to controls.

"Why is my finding not mapped?"
Some findings may not map to any framework (e.g., informational-level issues). Try filtering to high/critical severity or running a focused scan on a control area.

"VEX statements not counting toward compliance"
Confirm you've saved the VEX statement in xBOM. Only a "Not Affected" status with a justification reduces the open findings count; "Under Investigation", "Affected", or a "Not Affected" entry without justification leaves the finding open.

"My plan doesn't include this framework"
Upgrade your plan in Settings → Organization → Billing, or contact sales for enterprise frameworks (CRA, ENS, FedRAMP).

See Also