Fintech & Financial Services (SOC2 + OWASP)¶
sentrik enforces SOC2 Trust Services Criteria and OWASP Top 10 compliance for fintech teams using AI coding tools.
The Challenge¶
Financial services teams operate under intense regulatory pressure:
- SOC2 audits require evidence of security controls, access management, and change management
- OWASP Top 10 vulnerabilities in production code lead to breaches, fines, and loss of customer trust
- AI coding agents generate code faster than security teams can review it
- Auditors expect documentation — "we use Copilot" is not an acceptable control statement
sentrik provides the automated evidence trail that satisfies auditors while letting your team ship with AI assistance.
How sentrik Helps¶
1. SOC2 Standards Pack¶
Enable the built-in soc2 pack to enforce 16 Trust Services Criteria rules:
| Category | Rules | What They Check |
|---|---|---|
| Security | 5 rules | No hardcoded secrets, input validation, auth checks, encryption, secure headers |
| Availability | 3 rules | Error handling, timeout configuration, health checks |
| Confidentiality | 4 rules | Data classification, PII handling, logging redaction, encryption at rest |
| Processing Integrity | 2 rules | Input/output validation, data transformation correctness |
| Privacy | 2 rules | Consent tracking, data retention policies |
2. OWASP Top 10 Standards Pack¶
Layer OWASP security rules on top of SOC2:
The owasp-top-10 pack includes 22 rules covering:
- A01 Broken Access Control — Missing auth checks, IDOR patterns
- A02 Cryptographic Failures — Weak hashing (MD5/SHA1), hardcoded keys
- A03 Injection — SQL injection, command injection, XSS patterns
- A04 Insecure Design — Missing input validation, unsafe deserialization
- A05 Security Misconfiguration — Debug mode, default credentials
- A06 Vulnerable Components — Known-vulnerable import patterns
- A07 Auth Failures — Weak password handling, session management
- A08 Data Integrity Failures — Unsafe deserialization, unsigned updates
- A09 Logging Failures — Missing security event logging
- A10 SSRF — Server-side request forgery patterns
3. Audit Evidence for SOC2¶
Every sentrik scan generates machine-readable audit evidence:
sentra scan
# Generates:
# out/findings.json — All findings with severity, rule, file, line
# out/report.html — Human-readable compliance report
# out/report.sarif — SARIF for GitHub Advanced Security
# out/agent_audit.jsonl — Full audit trail
# out/scan_metrics.json — Scan performance metrics
During a SOC2 audit, point auditors to:
| SOC2 Criteria | sentrik Evidence |
|---|---|
| CC6.1 — Logical access | RBAC roles + API key enforcement |
| CC7.1 — System monitoring | Scan metrics + audit log |
| CC7.2 — Anomaly detection | Findings by severity over time (trends API) |
| CC8.1 — Change management | Gate pass/fail on every PR |
4. CI/CD Gate for Every PR¶
No code reaches production without passing security checks:
# .github/workflows/sentra-gate.yml
name: Security Gate
on: [pull_request]
jobs:
gate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npm install -g sentra
- run: sentra gate --git-range "origin/main...HEAD" --status-check
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: out/report.sarif
if: always()
SARIF upload integrates findings directly into GitHub's Security tab.
Example: Catching a Vulnerability¶
An AI agent generates a database query function:
# src/transactions.py (generated by AI)
def get_transactions(user_id, start_date):
query = f"SELECT * FROM transactions WHERE user_id = '{user_id}' AND date > '{start_date}'"
return db.execute(query)
sentrik catches this in CI:
CRITICAL owasp-a03-injection src/transactions.py:3
SQL injection via string formatting in database query.
Use parameterized queries instead.
HIGH soc2-cc6-input-validation src/transactions.py:2
Function parameters not validated before use in query.
The gate blocks the PR. The developer (or AI agent) fixes it:
def get_transactions(user_id: str, start_date: str):
if not user_id or not isinstance(user_id, str):
raise ValueError("Invalid user_id")
query = "SELECT * FROM transactions WHERE user_id = %s AND date > %s"
return db.execute(query, (user_id, start_date))
Gate passes. Audit trail records the fix. Auditor is happy.
Governance Configuration¶
Recommended configuration for fintech teams:
# .guard.yaml
standards_packs:
- soc2
- owasp-top-10
governance:
profile: strict
human_review_required:
on_critical_finding: true
on_requirement_change: true
gate:
fail_on: [critical, high]
block_merge_on_obligations: true
audit:
enabled: true
log_file: out/agent_audit.jsonl
ML Severity Estimation¶
For non-deterministic findings (e.g., from AI-assisted scanners), sentrik's ML severity estimator provides consistent risk scoring:
The estimator uses code context, pattern risk, file risk, and finding density to score findings — reducing false positives and ensuring critical issues surface first.
Getting Started¶
npm install -g sentra
sentra init # Select: Standard governance
sentra scan # View findings
sentra serve # Dashboard at localhost:8000/dashboard
See the CLI Reference for all available commands and options.