> ## Documentation Index
> Fetch the complete documentation index at: https://docs.krait.io/llms.txt
> Use this file to discover all available pages before exploring further.

> Krait helps organizations prepare for security and compliance certifications by continuously assessing their application code and container configurations against widely adopted security frameworks.

# Compliance Reports

## How Krait Supports Compliance

Krait performs automated security analysis across:

* Application source code
* Container images and configurations
* Infrastructure and configuration settings

All detected security findings are **mapped to relevant compliance controls**, producing a clear **pass / fail status** for each control based on observed technical evidence.

This enables teams to:

* Understand their current compliance posture
* Identify control gaps early
* Prioritize remediation work
* Track progress toward certification readiness
* Share structured technical evidence with auditors

***

## Supported Compliance Frameworks

Krait currently supports the following compliance and security standards.

### ISO 27001

Krait evaluates technical security controls aligned with ISO 27001 requirements, including:

* Identity and access control
* Logging, monitoring, and auditability
* Secure configuration and asset protection
* Encryption and data protection
* Infrastructure and network security

Generated reports show which controls **pass, fail, or require remediation**, helping teams prepare for ISO 27001 audits.

***

### SOC 2 (Trust Services Criteria)

Krait maps findings to SOC 2 Trust Services Criteria, including:

* Security
* Availability
* Confidentiality
* Processing integrity (where applicable)

Each SOC 2 report provides:

* Control-level pass/fail status
* Evidence derived from code, container, and configuration analysis
* Clear visibility into high-risk gaps affecting audit readiness

***

### OWASP Top 10 (2021)

Krait assesses application security risks against the OWASP Top 10 (2021), including:

* Broken Access Control
* Injection vulnerabilities
* Cryptographic failures
* Security misconfigurations
* Identification and authentication failures

This framework helps teams measure exposure to the most critical and commonly exploited application security risks.

### CIS Benchmarks

Krait evaluates system and application security against **CIS Benchmark controls**, including:

* System and network configuration
* User account and privilege management
* Audit and logging settings
* Malware defenses and vulnerability management
* Secure service and application configurations
* Data protection and encryption controls

***

### OWASP ASVS (Application Security Verification Standard)

Krait maps findings against the OWASP ASVS, a framework that defines security requirements for designing, developing, and testing secure web applications. Coverage includes:

* Authentication and session management
* Access control
* Input validation and sanitization
* Cryptography practices
* API and web service security

ASVS reports help teams validate that their application meets a defined level of security assurance, making it particularly useful for organizations building software to a specific security maturity target.

***

### NIST SP 800-53A

Krait evaluates controls aligned with NIST SP 800-53A, the assessment procedures framework for federal information systems and organizations. This includes controls across:

* Access control and identity management
* Risk assessment and vulnerability management
* System and communications protection
* Audit and accountability
* Configuration management and secure development practices

NIST SP 800-53A reports are commonly used by organizations working toward FedRAMP readiness or those operating in regulated industries that require alignment with NIST standards.

***

## What Pass / Fail Means

* **Pass**: No relevant security issues were detected that violate the control within the scanned scope.
* **Fail**: One or more findings indicate the control is not met and requires remediation.

All results are based solely on **observable technical evidence** from the scanned environments.

***

## What Krait Does Not Do

To ensure clarity and transparency:

* Krait does **not** issue compliance certificates
* Krait does **not** replace external auditors
* Krait evaluates **technical controls only**, not organizational or procedural policies

Krait is designed to **support audit readiness**, not act as a certifying authority.

***

## Using Krait for Audit Readiness

Krait compliance reports are commonly used to:

* Prepare for ISO 27001, SOC 2, and NIST SP 800-53A audits
* Validate application security maturity against OWASP ASVS
* Identify control gaps early in the development lifecycle
* Provide supporting technical evidence to auditors
* Track remediation progress over time

Each compliance report is generated **per framework and per scan**, ensuring clear separation between standards and accurate historical tracking.

***

## Continuous Compliance

Because Krait continuously scans code and containers, teams can move beyond point-in-time assessments toward **continuous compliance monitoring**, reducing security drift and minimizing audit surprises.
