Audit Evidence Collection¶

Automated evidence capture, retention strategies, and compliance reporting for SDLC audits. What to collect, how to store it, and how to retrieve it when auditors come calling.

Automation is Key

Manual evidence collection doesn't scale. Automate capture in CI/CD workflows. Store evidence in immutable S3 buckets. Retrieve with cryptographic verification. Auditors ask questions. You provide signed, tamper-proof answers.

Overview¶

Evidence collection for compliance audits requires:

Evidence Types: What to collect (branch protection, workflow logs, SBOMs, security scans, approvals, deployments)
Collection Strategies: How to capture it (real-time vs batch, automated CI/CD)
Compliance Reporting: How to retrieve and present it to auditors
Implementation: Complete workflow examples and S3 configuration

Evidence Types¶

The Evidence Types guide covers six categories:

Branch Protection Configurations - Repository security settings
Workflow Run Logs and Artifacts - CI/CD execution records
SBOM Archives - Software Bill of Materials for supply chain transparency
Security Scan Results - Trivy, Scorecard, CodeQL, Snyk outputs
Approval Records - Pull request reviews and CODEOWNERS approvals
Deployment Attestations - SLSA provenance and production deployment records

Each type includes:

What to collect and why it matters
How to capture it in GitHub Actions
Retention policies and storage classes
Compliance framework requirements

View Evidence Types →

Collection Strategies¶

The Collection Strategies guide covers:

Automated Capture in CI/CD - Evidence generation in workflows
Retention Policies - S3 lifecycle management and storage classes
Evidence Aggregation - Bundling evidence for releases
Real-Time vs Batch - When to use each approach

View Collection Strategies →

Compliance Reporting¶

The Compliance Reporting guide covers:

Evidence Retrieval - Querying by date range, artifact type, or version
Compliance Dashboards - Grafana and custom dashboards
Audit Trail Reconstruction - Proving release compliance with evidence chains
Tamper-Proof Storage - S3 Object Lock and cryptographic verification

View Compliance Reporting →

Implementation¶

The Implementation guide provides:

Complete Evidence Collection Workflow - Production-ready GitHub Actions workflow
S3 Bucket Setup - Versioning, object lock, lifecycle policies
Evidence Lifecycle Management - Automated transitions and cleanup

View Implementation →

Related Patterns¶

Audit & Compliance:

Blog: Harden Your SDLC Before the Audit Comes - Initial patterns and audit context
SLSA Provenance Implementation - Build attestations for audit trail
SBOM Generation - Dependency evidence

Branch Protection Evidence:

Branch Protection - Access control evidence
Branch Protection Audit Evidence - Specialized branch protection evidence collection
Branch Protection Compliance Reporting - Framework-specific branch protection reports
Verification Scripts - Continuous compliance monitoring

Evidence collection is enforcement archaeology. Every workflow run, every scan, every approval is a data point. Capture it. Store it. Prove it. Auditors come with questions. You come with cryptographically signed answers.