# Compliance & GRC

> Turn continuous security scanning into continuous compliance with automated evidence collection, control mapping, and GRC platform integrations

## Overview

ZeroPath turns every scan into audit-ready evidence. Findings are automatically mapped to compliance framework controls, evidence is collected continuously, and reports can be exported or synced to your GRC platform.

## Why It Matters

<Columns cols={3}>
  <Card title="Continuous evidence" icon="clock">
    Every scan generates fresh compliance evidence automatically.
  </Card>

  <Card title="Control-aligned findings" icon="map">
    Each vulnerability maps to exact control clauses across SOC 2, ISO 27001, PCI DSS, and NIST
    frameworks.
  </Card>

  <Card title="GRC platform sync" icon="arrows-rotate">
    Export evidence and findings to ServiceNow, Vanta, Drata, and other GRC platforms on a schedule.
  </Card>
</Columns>

## Supported Frameworks

ZeroPath maps findings to controls in the following compliance frameworks:

| Framework             | Coverage                                                             |
| --------------------- | -------------------------------------------------------------------- |
| **SOC 2**             | Trust Service Criteria: security, availability, processing integrity |
| **ISO 27001**         | Annex A controls                                                     |
| **PCI DSS 4.0**       | Requirement 6.x (secure development) and related controls            |
| **NIST**              | Relevant security and risk management controls                       |
| **Custom frameworks** | Map findings to your organization's own control structure            |

## How It Works

<Steps>
  <Step title="Scan">
    SAST, SCA, secrets, and IaC scans run against your repositories. Each finding is tagged with the
    compliance controls it relates to.
  </Step>

  <Step title="Track">
    Dashboards show control coverage, compliance gaps, MTTR trends, and SLA status.
  </Step>

  <Step title="Evidence">
    ZeroPath automatically collects evidence packs including scan logs, signed SBOMs, and fix
    verification records.
  </Step>

  <Step title="Export">
    Generate auditor-ready reports on demand, or schedule recurring syncs to your GRC platform.
  </Step>
</Steps>

## Control-Aligned Analytics

### Framework Mapping

Every finding is mapped to the specific sub-controls it relates to. This means your compliance team can:

* See exactly which controls are covered by active scanning
* Identify gaps where controls lack automated evidence
* Filter findings by framework to focus on what matters for a specific audit
* Slice risk views by department, team, or repository

### Gap Analysis

ZeroPath identifies where your current scanning coverage leaves compliance gaps, so you can prioritize the scanning configuration changes that close them.
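As an added illustration of the coverage, gap-analysis and MTTR/SLA views described under Track, Framework Mapping and Gap Analysis (this is example code, not ZeroPath's own implementation or data model), the functions below work over a constructed, hypothetical mapping of scan types to the control IDs they evidence; the control IDs and SLA window are assumptions for the example only.

```python
from datetime import datetime, timedelta

# Constructed, illustrative mapping: which control IDs each scan type produces
# evidence for. Hypothetical, not ZeroPath's real mapping.
SCANNER_CONTROLS = {
    "sast":    {"SOC2:CC7.1", "SOC2:CC8.1", "PCI:6.2.4"},
    "sca":     {"SOC2:CC7.1", "PCI:6.3.1", "PCI:6.3.2"},
    "secrets": {"SOC2:CC6.1", "PCI:6.2.4"},
    "iac":     {"SOC2:CC6.6"},
}

def control_coverage(enabled_scanners, framework_controls):
    """Return (covered, gaps): framework controls that enabled scans evidence,
    and those that currently lack any automated evidence."""
    covered = set().union(*(SCANNER_CONTROLS[s] for s in enabled_scanners))
    wanted = set(framework_controls)
    return covered & wanted, wanted - covered

def scanners_closing_gaps(enabled_scanners, framework_controls):
    """Rank the disabled scan types by how many remaining gaps each would close,
    i.e. which configuration change is worth prioritizing."""
    _, gaps = control_coverage(enabled_scanners, framework_controls)
    ranked = [(s, len(c & gaps)) for s, c in SCANNER_CONTROLS.items()
              if s not in enabled_scanners]
    return sorted([r for r in ranked if r[1]], key=lambda r: -r[1])

def mttr_hours(findings):
    """Mean time to remediate, counted from discovery to the scan that
    verified the fix; unverified findings are excluded."""
    closed = [f for f in findings if f.get("verified")]
    if not closed:
        return None
    total = sum((f["verified"] - f["discovered"]).total_seconds() for f in closed)
    return total / len(closed) / 3600

def sla_status(finding, now, sla=timedelta(days=30)):
    """SLA state for one finding; the 30-day window is an assumed policy."""
    if finding.get("verified"):
        return "closed"
    return "breached" if now - finding["discovered"] > sla else "within_sla"

# Constructed sample lifecycle records (discovered / verified timestamps).
SAMPLE_FINDINGS = [
    {"id": "F-1", "discovered": datetime(2024, 1, 1), "verified": datetime(2024, 1, 3)},
    {"id": "F-2", "discovered": datetime(2024, 1, 1), "verified": datetime(2024, 1, 2)},
    {"id": "F-3", "discovered": datetime(2024, 1, 1), "verified": None},
]
SOC2_SUBSET = ["SOC2:CC6.1", "SOC2:CC6.6", "SOC2:CC7.1", "SOC2:CC8.1"]
```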

## Evidence Collection

### Immutable Audit Trail

Every action in ZeroPath is recorded in a tamper-proof audit trail:

* **Scan execution** — when scans ran, what was scanned, what was found
* **Finding lifecycle** — when issues were discovered, triaged, patched, or accepted
* **Suppression accountability** — who suppressed a finding and why
* **Remediation verification** — automated verify-after-patch checks that prove fixes were effective

### Signed SBOMs

ZeroPath generates signed Software Bills of Materials in [CycloneDX format](/sca/sbom-exports) that demonstrate supply chain due diligence.

### Fix Verification

When a vulnerability is patched, ZeroPath automatically verifies the fix on the next scan and records the remediation timeline. This creates end-to-end proof that issues were identified, prioritized, fixed, and confirmed.

## GRC Platform Integrations

Export compliance data to the platforms where your GRC team already works.

| Platform       | What Syncs                                        |
| -------------- | ------------------------------------------------- |
| **ServiceNow** | Findings, evidence packs, control coverage status |
| **Vanta**      | Scan evidence, remediation records, SBOM data     |
| **Drata**      | Automated evidence for relevant controls          |

Exports can be configured as:

* **On-demand** — generate and download from the dashboard
* **Scheduled** — recurring exports on a cadence you define (e.g., weekly)

For details on report formats and generation, see [Reports](/platform/reports).

## Data Privacy Compliance

ZeroPath helps detect data privacy issues in your codebase using [custom rules](/platform/custom-rules):

* **PHI/PII detection** — natural language rules identify sensitive data patterns like social security numbers, health records, or personal identifiers being logged or exposed
* **GDPR compliance** — detect personal data processing in code that may violate data protection requirements
* **Cross-repository enforcement** — deploy privacy rules once and they apply consistently across your entire organization

## Best Practices

1. **Map to your primary framework first** — start with the framework your next audit targets (e.g., SOC 2) and expand to others incrementally.
2. **Schedule recurring exports** — set up weekly or bi-weekly syncs to your GRC platform so evidence stays current without manual effort.
3. **Use custom rules for policy gaps** — if a compliance control is not covered by built-in scanning, write a [custom rule](/platform/custom-rules) in natural language to fill the gap.
4. **Leverage SBOMs for supply chain audits** — enable [SBOM generation](/sca/sbom-exports) to satisfy software composition requirements in SOC 2, ISO 27001, and regulatory frameworks.
5. **Review the gap analysis regularly** — as frameworks are updated (e.g., PCI DSS 4.0 transition), revisit gap analysis to ensure new controls are covered.
