# SOC2
The soc2 pack enforces rules for SOC2 Trust Services Criteria — Security, Availability, and Confidentiality.
## Enable

## Rules
The pack includes 16 rules across code enforcement and documentation obligations:
### Code rules (7)

| ID | Category | Severity | Description |
|---|---|---|---|
| SOC2-CC6-001 | Access Control | high | No hardcoded credentials |
| SOC2-CC6-002 | Access Control | high | Enforce authentication checks |
| SOC2-CC6-003 | Access Control | medium | No overly permissive file permissions |
| SOC2-CC7-001 | System Operations | medium | Require structured logging |
| SOC2-CC7-002 | System Operations | high | No unhandled exceptions in critical paths |
| SOC2-CC8-001 | Change Management | medium | Require code review markers |
| SOC2-CC8-002 | Change Management | low | No TODO/FIXME in production code |
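To make the table concrete, here is a toy checker, added for this page and not the pack's own implementation, that implements three of the code rules (SOC2-CC6-001, SOC2-CC6-003, SOC2-CC8-002) over a constructed sample file and emits a minimal SARIF log. The rule IDs and severities come from the table; the regexes, the world-writable test, the tool name `soc2-pack-example`, the file name `sample.py` and the SARIF layout are this example's assumptions, not the pack's real detectors.

```python
"""Toy checker for three of the soc2 pack's code-rule categories.

Added example for this page, not the pack's own implementation: the rule IDs
and severities come from the table above; the patterns, file name and SARIF
shape are this example's assumptions.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample source file: two clean lines and three violations.
SAMPLE_SOURCE = """\
import os
API_KEY = "sk_live_0123456789abcdef"        # literal secret
password = os.environ.get("DB_PASSWORD")    # fine: read from the environment
os.chmod("/tmp/report.csv", 0o777)          # world-writable
os.chmod("/tmp/report.csv", 0o640)          # fine
# TODO: remove debug flag before release
def handler(event):
    return event
"""

# Illustrative patterns (assumptions, not the pack's real detectors).
CREDENTIAL_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*["'][^"']{8,}["']""")
CHMOD_RE = re.compile(r"chmod\s*\([^,]+,\s*0o?([0-7]{3,4})\s*\)")
TODO_RE = re.compile(r"\b(TODO|FIXME)\b")

# Pack severities mapped onto SARIF result levels.
SARIF_LEVEL = {"high": "error", "medium": "warning", "low": "note"}


@dataclass
class Finding:
    rule_id: str
    severity: str
    line: int
    message: str


def check_hardcoded_credential(text: str):
    """SOC2-CC6-001: a credential-like name assigned from a string literal."""
    if CREDENTIAL_RE.search(text):
        return "Credential assigned from a string literal; load it from a secret store"
    return None


def check_permissive_mode(text: str):
    """SOC2-CC6-003: chmod with the 'other' write bit set (mode & 0o002)."""
    m = CHMOD_RE.search(text)
    if m and int(m.group(1), 8) & 0o002:
        return f"File mode 0o{m.group(1)} is world-writable"
    return None


def check_todo_marker(text: str):
    """SOC2-CC8-002: TODO/FIXME markers left in production code."""
    if TODO_RE.search(text):
        return "TODO/FIXME marker left in production code"
    return None


RULES = [
    ("SOC2-CC6-001", "high", check_hardcoded_credential),
    ("SOC2-CC6-003", "medium", check_permissive_mode),
    ("SOC2-CC8-002", "low", check_todo_marker),
]


def scan(source: str) -> list:
    """Run every rule over every line; return findings in file order."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule_id, severity, check in RULES:
            message = check(text)
            if message:
                findings.append(Finding(rule_id, severity, lineno, message))
    return findings


def to_sarif(findings: list, file_name: str) -> dict:
    """Minimal SARIF 2.1.0 log so findings can feed a CI code-scanning view."""
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "soc2-pack-example",
                                "rules": [{"id": rid} for rid, _, _ in RULES]}},
            "results": [{
                "ruleId": f.rule_id,
                "level": SARIF_LEVEL[f.severity],
                "message": {"text": f.message},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": file_name},
                    "region": {"startLine": f.line}}}],
            } for f in findings],
        }],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(scan(SAMPLE_SOURCE), "sample.py"), indent=2))
```

Run stand-alone, the script reports three findings (lines 2, 4 and 6 of the sample) and leaves the environment-sourced password and the `0o640` chmod alone; the SARIF output is the shape a CI code-scanning integration expects, which is how a pack like this turns rule hits into audit evidence.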
### Documentation obligations (9)

| ID | TSC Criteria | Description |
|---|---|---|
| SOC2-CC1-DOC | CC1 | Control environment documentation |
| SOC2-CC2-DOC | CC2 | Communication and information policies |
| SOC2-CC3-DOC | CC3 | Risk assessment documentation |
| SOC2-CC4-DOC | CC4 | Monitoring activities documentation |
| SOC2-CC5-DOC | CC5 | Control activities documentation |
| SOC2-CC6-DOC | CC6 | Logical and physical access controls |
| SOC2-CC7-DOC | CC7 | System operations documentation |
| SOC2-CC8-DOC | CC8 | Change management procedures |
| SOC2-CC9-DOC | CC9 | Risk mitigation documentation |
## Use case

Intended for SaaS companies and fintech organizations undergoing SOC2 audits. The pack provides:
- Automated code checks — Catches common SOC2 control gaps (hardcoded credentials, missing logging, unhandled exceptions)
- Audit evidence — Documentation obligations appear in HTML/SARIF reports, providing auditors with traceable compliance status
- Continuous compliance — Run in CI/CD to catch regressions before they reach production