Compliance frameworks
SARC ships with 48 pre-loaded controls across 7 frameworks, seeded globally so every freshly-installed tenant has them on day one. Customers can also add tenant-specific overrides for any control.
Shipped frameworks
| Framework | Source | Controls in seed | Notes |
|---|---|---|---|
| SOX | Sarbanes-Oxley ITGC | 6 | US-focused; baseline change-management controls |
| PCI-DSS | PCI-DSS v4.0 | 7 | Payment Card Industry data security |
| PSD2 | EU 2015/2366 + RTS on SCA & CSC | 7 | Banking + payment-services-specific (Banking pack) |
| DORA | EU 2022/2554 | 7 | EU operational resilience for financial sector |
| ISO 27001 | ISO 27001:2022 | 7 | International information security baseline |
| NIST 800-53 | NIST SP 800-53 Rev 5 | 7 | US Federal information systems baseline |
| SOC 2 | Trust Service Criteria (CC + A) | 7 | Vendor-side baseline for SaaS providers (Banking pack) |
PSD2 + SOC 2 were added in #415 as part of the banking industry pack.
Control structure
Each control is a row in ComplianceControl:

```ts
{
  id: string              // cuid
  tenantId: string | null // null = global; set = tenant-specific override
  framework: string       // one of: SOX | PCI_DSS | PSD2 | DORA | ISO27001 | NIST_800_53 | SOC2
  controlId: string       // e.g. "SOX-CM-3", "PCI-6.3.3", "DORA-Art9-1", "PSD2-Art97-1", "SOC2-CC6.1"
  controlName: string     // human-readable name
  description: string     // what the control requires
  pipelineGate: string    // sast_scan | peer_review | cr_approved | dast_scan | sca_scan | secret_scan |
                          // iac_scan | container_scan | sbom_generated | audit_logged | rollback_plan | sod_check
  evidence: string        // human-readable description of evidence produced
  mandatory: boolean      // false for "should" controls (e.g. recovery testing)
}
```

The pipelineGate field is the binding between a control and the customer’s CI pipeline. When SARC computes per-framework compliance status, it looks up each control’s gate, finds the corresponding scan stage in the customer’s pipeline, and reports pass / fail / unknown.
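The gate lookup and the tenant-override rule described above, as an added example that is not SARC's own code: the control shape follows the table, while the sample rows, the tenant id "t1", the scoring rule for non-mandatory controls, and the function names are assumptions made for the illustration.

```typescript
// Added example, not SARC's own code: resolve global + tenant-override controls,
// then compute per-framework pass / fail / unknown from pipeline gate results.
type GateResult = "pass" | "fail";
type Status = "pass" | "fail" | "unknown";
interface ComplianceControl {
  id: string; tenantId: string | null; framework: string; controlId: string;
  controlName: string; description: string; pipelineGate: string; evidence: string;
  mandatory: boolean;
}

// Tenant-specific rows override global rows with the same (framework, controlId);
// rows belonging to other tenants are ignored.
export function resolveControls(all: ComplianceControl[], tenantId: string): ComplianceControl[] {
  const byKey = new Map<string, ComplianceControl>();
  const key = (c: ComplianceControl) => `${c.framework}:${c.controlId}`;
  for (const c of all) if (c.tenantId === null) byKey.set(key(c), c);
  for (const c of all) if (c.tenantId === tenantId) byKey.set(key(c), c);
  return Array.from(byKey.values());
}

// Each control is scored by looking up its gate in the pipeline's stage results.
// Assumed rule: a framework fails if any mandatory control failed, is unknown if
// any mandatory control has no gate result, and passes otherwise. "Should"
// controls (mandatory: false) are still reported but do not change the verdict.
export function frameworkStatus(
  controls: ComplianceControl[], gates: Partial<Record<string, GateResult>>): Record<string, Status> {
  const out: Record<string, Status> = {};
  for (const c of controls) {
    const s: Status = gates[c.pipelineGate] ?? "unknown";
    const prev = out[c.framework] ?? "pass";
    if (!c.mandatory) { out[c.framework] = prev; continue; }
    out[c.framework] = prev === "fail" || s === "fail" ? "fail"
      : prev === "unknown" || s === "unknown" ? "unknown" : "pass";
  }
  return out;
}

// Constructed sample (ids made up): three global controls plus one tenant
// override that re-points SOX-CM-3 at the cr_approved gate for tenant "t1".
const mk = (p: Partial<ComplianceControl>): ComplianceControl => ({
  id: "x", tenantId: null, framework: "SOX", controlId: "", controlName: "", description: "",
  pipelineGate: "peer_review", evidence: "", mandatory: true, ...p });
export const SAMPLE: ComplianceControl[] = [
  mk({ id: "c1", controlId: "SOX-CM-3", pipelineGate: "peer_review" }),
  mk({ id: "c2", framework: "PCI_DSS", controlId: "PCI-6.3.3", pipelineGate: "sast_scan" }),
  mk({ id: "c3", framework: "DORA", controlId: "DORA-Art9-1", pipelineGate: "rollback_plan", mandatory: false }),
  mk({ id: "c4", tenantId: "t1", controlId: "SOX-CM-3", pipelineGate: "cr_approved" }),
];
export const GATES: Partial<Record<string, GateResult>> = { cr_approved: "pass", sast_scan: "fail" };
export function demo(tenantId: string): Record<string, Status> {
  return frameworkStatus(resolveControls(SAMPLE, tenantId), GATES);
}
```

For tenant "t1" the override makes SOX pass on the cr_approved gate, while a tenant without the override sees SOX as unknown because no peer_review result is present.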
Adding a new framework
The framework field is a free-form string, but the conventional valid values are listed in:

- karc-portal/prisma/schema.prisma — comment on ComplianceControl.framework
- karc-portal/src/lib/compliance/framework-meta.ts — FRAMEWORK_META + FRAMEWORK_ORDER
- karc-portal/src/lib/compliance/status.ts — KNOWN_FRAMEWORKS
All three should agree. To add a new framework:

- Add to KNOWN_FRAMEWORKS
- Add entry to FRAMEWORK_META (label + colour) + FRAMEWORK_ORDER
- Add controls to karc-portal/prisma/seed-controls.ts
- Run the seed: cd karc-portal && npx prisma db seed
Adding tenant-specific controls
Tenant-specific controls are upserts with tenantId set. They override global controls with the same (framework, controlId) or add net-new controls for that tenant only. A UI to manage these is on the roadmap (not yet shipped); for now they’re inserted via the seed-controls.ts pattern.
See also
- Evidence export — how the controls are packaged for an auditor
- docs/DEMO-BANKING-PACK.md — 5-min walkthrough of the banking pack
- prisma/seed-controls.ts — full control catalogue source