
Compliance Reporting and Evidence Retrieval

Evidence retrieval, compliance dashboards, audit trail reconstruction, and tamper-proof storage. How to answer auditor questions with cryptographically signed evidence.

Audit Readiness

Auditors ask questions. You provide evidence chains. Query by date range, artifact type, or release version. Verify with cryptographic signatures. Prove compliance with immutable records.


Evidence Retrieval for Audits

Pattern: Query evidence by date range, artifact type, or release version.

# Retrieve all evidence for Q1 2025 audit
aws s3 ls s3://audit-evidence/ --recursive | \
  awk '$1 >= "2025-01-01" && $1 <= "2025-03-31"' > q1-evidence-manifest.txt

# Download specific evidence bundle
aws s3 cp s3://audit-evidence/bundles/evidence-v1.7.0.tar.gz .
tar -xzf evidence-v1.7.0.tar.gz

# Verify bundle signature (for keyless Sigstore signatures cosign also requires
# --certificate-identity and --certificate-oidc-issuer to pin the expected signer)
cosign verify-blob --bundle evidence-v1.7.0.tar.gz.sig evidence-v1.7.0.tar.gz

Compliance Dashboard Patterns

Grafana + GitHub API

# Dashboard query: PR approval rate for PRs closed in [start_date, end_date]
# gh_api is a thin GitHub REST wrapper returning parsed JSON; repo is "owner/name"
def get_pr_approval_rate(repo, start_date, end_date):
    prs = gh_api(f"/repos/{repo}/pulls?state=closed&since={start_date}")
    # The pulls endpoint does not bound the window itself, so filter on closed_at (YYYY-MM-DD)
    prs = [pr for pr in prs if pr['closed_at'] and start_date <= pr['closed_at'][:10] <= end_date]
    approved = [pr for pr in prs if pr['review_decision'] == 'APPROVED']
    if not prs:
        return 0.0  # avoid division by zero on an empty window
    return len(approved) / len(prs) * 100

Custom Dashboard with S3 Evidence

# Query evidence from S3
import boto3
import json

s3 = boto3.client('s3')

def calculate_compliance(scans):
    # Assumed definition: percentage of scans that reported zero critical findings
    if not scans:
        return 0.0
    clean = sum(1 for s in scans if s['critical_count'] == 0)
    return clean / len(scans) * 100

def get_security_scan_summary(month):
    prefix = f"scans/{month}"
    scans = []
    # Paginate: list_objects_v2 returns at most 1000 keys per call
    paginator = s3.get_paginator('list_objects_v2')
    for page in paginator.paginate(Bucket='audit-evidence', Prefix=prefix):
        # A page has no 'Contents' key when nothing matches the prefix
        for obj in page.get('Contents', []):
            data = s3.get_object(Bucket='audit-evidence', Key=obj['Key'])
            scans.append(json.loads(data['Body'].read()))

    return {
        'total_scans': len(scans),
        'critical_vulns': sum(s['critical_count'] for s in scans),
        'compliance_rate': calculate_compliance(scans)
    }

Audit Trail Reconstruction

Scenario: Auditor asks "How do you prove release v1.7.0 passed security scans?"

Evidence Chain:

  1. Workflow run log: Proves workflow executed
     s3://audit-evidence/workflow-logs/run-123456/log.txt

  2. Security scan results: Proves scans passed
     s3://audit-evidence/scans/2025-01-15/trivy.json
     s3://audit-evidence/scans/2025-01-15/scorecard.json

  3. SLSA provenance: Proves artifact built from specific commit
     s3://audit-evidence/sboms/v1.7.0/multiple.intoto.jsonl

  4. PR approval: Proves code review occurred
     s3://audit-evidence/pr-approvals/pr-456-approvals.json

  5. Deployment attestation: Proves artifact deployed to production
     s3://audit-evidence/deployments/production/v1.7.0/attestation.json

Verification Commands:

# Verify SLSA provenance
slsa-verifier verify-artifact readability_linux_amd64 \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/adaptive-enforcement-lab/readability

# Verify signature
cosign verify-blob --bundle evidence-v1.7.0.tar.gz.sig evidence-v1.7.0.tar.gz

Tamper-Proof Evidence Storage

S3 Bucket Configuration:

{
  "VersioningConfiguration": {
    "Status": "Enabled"
  },
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "COMPLIANCE",
        "Years": 7
      }
    }
  }
}

Why Object Lock:

  • COMPLIANCE mode: Objects cannot be deleted or overwritten by any user, including the root account, until the retention period expires
  • Versioning: All changes retained, immutable audit trail
  • WORM (Write Once Read Many): Evidence cannot be tampered with after upload

Cryptographic Verification:

# Generate SHA256 hash of evidence at upload time
sha256sum evidence-v1.7.0.tar.gz > evidence-v1.7.0.tar.gz.sha256

# Verify integrity during audit
sha256sum -c evidence-v1.7.0.tar.gz.sha256
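As an added example (not code from the original page), the evidence chain for v1.7.0 reconstructed in Python with the same integrity check as the sha256 sidecars above, plus a content check per link so a present-but-failing scan is not mistaken for a pass. The S3 objects, their bytes and the upload-time digests are all constructed stand-ins so the example runs offline.

```python
import hashlib
import json

# Constructed stand-in for the s3://audit-evidence/ objects behind release v1.7.0
# (keys follow the page's layout; the bytes are made up so the example runs offline).
EVIDENCE_OBJECTS = {
    "workflow-logs/run-123456/log.txt": b"run 123456: build ok, trivy ok, scorecard ok\n",
    "scans/2025-01-15/trivy.json": b'{"critical_count": 0}',
    "scans/2025-01-15/scorecard.json": b'{"score": 8.7}',
    "sboms/v1.7.0/multiple.intoto.jsonl": b'{"predicateType": "https://slsa.dev/provenance/v1"}\n',
    "pr-approvals/pr-456-approvals.json": b'{"review_decision": "APPROVED"}',
    "deployments/production/v1.7.0/attestation.json": b'{"environment": "production"}',
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Digests recorded at upload time (the .sha256 sidecars), derived here from the constructed objects.
UPLOAD_DIGESTS = {key: sha256_hex(data) for key, data in EVIDENCE_OBJECTS.items()}

def json_field_equals(field, value):
    # Content check: the JSON evidence object must carry field == value.
    return lambda data: json.loads(data).get(field) == value

# Evidence chain for v1.7.0: (what the link proves, object key, content check or None).
CHAIN_V170 = [
    ("workflow executed", "workflow-logs/run-123456/log.txt", None),
    ("trivy scan passed", "scans/2025-01-15/trivy.json", json_field_equals("critical_count", 0)),
    ("scorecard ran", "scans/2025-01-15/scorecard.json", None),
    ("built from source commit", "sboms/v1.7.0/multiple.intoto.jsonl", None),
    ("code review occurred", "pr-approvals/pr-456-approvals.json", json_field_equals("review_decision", "APPROVED")),
    ("deployed to production", "deployments/production/v1.7.0/attestation.json", json_field_equals("environment", "production")),
]

def reconstruct_chain(chain, store, digests):
    """Classify each link: ok, missing, tampered (digest mismatch) or failed (content check)."""
    report = []
    for claim, key, check in chain:
        data = store.get(key)
        if data is None:
            status = "missing"
        elif sha256_hex(data) != digests.get(key):
            status = "tampered"
        elif check is not None and not check(data):
            status = "failed"
        else:
            status = "ok"
        report.append({"claim": claim, "key": key, "status": status})
    return report

def chain_is_provable(report):
    # The auditor's question is answered only if every link is intact and supports its claim.
    return all(link["status"] == "ok" for link in report)
```

Each link in the report maps directly to one line of the evidence chain above, so a "tampered" or "missing" status names the exact S3 object the auditor needs to see re-fetched from a locked version.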

Audit Evidence:

Branch Protection Compliance:


Auditors ask questions. You provide evidence chains. Query by date. Filter by type. Verify with cryptography. S3 Object Lock ensures immutability. Evidence cannot be tampered with. Compliance is provable.
