
Audit Framework

The audit system provides structured evidence collection across 19 domains with 80 canonical controls. Every audit run produces control results, findings, and metrics — all stored in SQLite and queryable from CLI or MCP tools.

| Domain | What it covers |
| --- | --- |
| `inventory` | Repo metadata, ownership, classification |
| `code_quality` | Linting, formatting, complexity |
| `security_sast` | Static analysis, injection, auth patterns |
| `dependencies_sca` | Vulnerability scanning, dependency currency |
| `licenses` | License compliance, compatibility |
| `secrets` | Secret detection, rotation practices |
| `config_iac` | Infrastructure-as-code hygiene |
| `containers` | Image security, scanning |
| `runtime` | Error handling, resilience |
| `performance` | Profiling, optimization |
| `observability` | Logging, tracing, metrics |
| `testing` | Coverage, test types, CI integration |
| `cicd` | Pipeline security, gates |
| `deployment` | Release process, rollback |
| `backup_dr` | Backup plans, recovery |
| `monitoring` | Alerting, uptime |
| `compliance_privacy` | Data handling, GDPR |
| `supply_chain` | SBOM, provenance |
| `integrations` | API contracts, versioning |

Each control produces one of:

| Result | Meaning |
| --- | --- |
| `pass` | Control requirement is met |
| `fail` | Control requirement is not met |
| `warn` | Partial compliance or minor concern |
| `not_applicable` | Control does not apply to this repo |
| `not_run` | Control was not evaluated |
| `error` | Evaluation failed |

Posture is derived automatically from control results and findings:

  • healthy — no critical/high findings, pass rate above threshold
  • needs_attention — some high findings or moderate pass rate
  • critical — critical findings present or very low pass rate

Example of an audit run record with its controls and findings:

```json
{
  "run": {
    "slug": "my-org/my-repo",
    "overall_status": "pass_with_findings",
    "overall_posture": "needs_attention",
    "domains_checked": ["code_quality", "testing", "security_sast"]
  },
  "controls": [
    { "control_id": "QUA-001", "result": "pass" },
    { "control_id": "TST-001", "result": "fail", "notes": "No tests found" }
  ],
  "findings": [
    {
      "domain": "testing",
      "title": "No test suite",
      "severity": "high",
      "remediation": "Add vitest with basic coverage"
    }
  ]
}
```

Place JSON files in a directory following the audit contract schema:

```bash
rk audit import /path/to/audit-results/
```

Required files: run.json, controls.json. Optional: findings.json, metrics.json.
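The following is an added example (not part of `rk`) of a pre-import check for such a directory: it verifies the required files are present, that every domain and control result is one of the canonical values listed above, and derives the posture from the control results and findings using the rules in the previous section. The numeric pass-rate thresholds, the `medium`/`low` severities, and the choice to count only `pass`/`fail`/`warn` toward the pass rate are assumptions, since the page states no numbers.

```python
"""Validate an audit-contract directory and derive its posture (added example, not rk's code)."""
import json
from pathlib import Path

DOMAINS = {
    "inventory", "code_quality", "security_sast", "dependencies_sca", "licenses",
    "secrets", "config_iac", "containers", "runtime", "performance", "observability",
    "testing", "cicd", "deployment", "backup_dr", "monitoring", "compliance_privacy",
    "supply_chain", "integrations",
}
RESULTS = {"pass", "fail", "warn", "not_applicable", "not_run", "error"}
SEVERITIES = {"critical", "high", "medium", "low"}  # assumed scale; page names only critical/high
HEALTHY_MIN_RATE = 0.80   # assumed thresholds; the docs give no numbers
CRITICAL_MAX_RATE = 0.50

def pass_rate(controls):
    """Share of evaluated controls (pass/fail/warn) that passed; not_applicable/not_run/error are skipped."""
    scored = [c for c in controls if c.get("result") in ("pass", "fail", "warn")]
    if not scored:
        return 0.0  # nothing was evaluated: treat as worst case
    return sum(c["result"] == "pass" for c in scored) / len(scored)

def derive_posture(controls, findings):
    """Apply the healthy / needs_attention / critical rules from the docs."""
    sev = {f.get("severity") for f in findings}
    rate = pass_rate(controls)
    if "critical" in sev or rate < CRITICAL_MAX_RATE:
        return "critical"
    if "high" in sev or rate < HEALTHY_MIN_RATE:
        return "needs_attention"
    return "healthy"

def check_contract(run, controls, findings):
    """Return a list of contract violations; an empty list means the files look valid."""
    problems = []
    for d in run.get("domains_checked", []):
        if d not in DOMAINS:
            problems.append(f"run.json: unknown domain '{d}'")
    for c in controls:
        if c.get("result") not in RESULTS:
            problems.append(f"controls.json: {c.get('control_id')} has result {c.get('result')!r}")
    for f in findings:
        if f.get("domain") not in DOMAINS or f.get("severity") not in SEVERITIES:
            problems.append(f"findings.json: bad domain/severity in '{f.get('title')}'")
    return problems

def audit_dir(path):
    """Load run.json and controls.json (required) plus findings.json (optional) and check them."""
    d = Path(path)
    read = lambda n: json.loads((d / n).read_text()) if (d / n).exists() else None
    run, controls = read("run.json"), read("controls.json")
    if run is None or controls is None:
        raise FileNotFoundError("run.json and controls.json are required")
    findings = read("findings.json") or []
    return check_contract(run, controls, findings), derive_posture(controls, findings)
```

Run `audit_dir("/path/to/audit-results/")` before `rk audit import` to reject malformed result sets and to see which posture the control results and findings imply.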

```bash
# Portfolio posture overview
rk audit posture
# Single repo audit detail
rk audit posture my-org/my-repo
# All critical findings
rk audit findings --severity critical
# Repos failing a domain
rk audit failing testing
# Repos never audited
rk audit unaudited
```