Workflow Compliance

CodeCargo has a dedicated workflow compliance module that helps ensure your automations meet corporate security, compliance, and governance standards. It provides two distinct views, giving actionable intelligence to developers and to leadership.

Compliance Guardrails

Compliance Guardrails are individual rules used to evaluate whether a given GitHub Actions Workflow is compliant with organizational standards. These rules are generally evaluated against the source code of the workflow, but can also take other information into account, such as Dependabot configurations. Here is an example rule:

Every GitHub Actions Workflow must explicitly define the minimum required permissions for GITHUB_TOKEN at the workflow job level. Default permissions or "write-all" violate the principle of least privilege.

Individual GitHub Actions Workflows can be scored against a centralized list of these rules to determine their compliance score. This is useful information that serves 2 purposes:

  1. Developers - see which rules a workflow failed so they can implement fixes
  2. Administrators - see aggregated compliance scores to gain a strategic view of the organization's automations
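To show how a guardrail rule like the GITHUB_TOKEN example above turns into a pass/fail result and a per-workflow score, here is an added illustration (not CodeCargo's own evaluation engine). It assumes the workflow has already been parsed from YAML into a dict, as yaml.safe_load would return, and uses two constructed sample workflows.

```python
"""Evaluate the job-level GITHUB_TOKEN permissions guardrail against parsed workflows."""
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample workflows, written as the dicts yaml.safe_load would return,
# so no YAML library is needed to run this example.
NON_COMPLIANT: Dict[str, Any] = {
    "name": "ci", "on": ["push"],
    "permissions": "write-all",                      # broad grant at workflow level
    "jobs": {
        "build": {"runs-on": "ubuntu-latest",        # no job-level block: inherits write-all
                  "steps": [{"uses": "actions/checkout@v4"}]},
        "publish": {"runs-on": "ubuntu-latest",
                    "permissions": "write-all",      # explicit, but still write-all
                    "steps": [{"run": "./publish.sh"}]},
    },
}
COMPLIANT: Dict[str, Any] = {
    "name": "ci", "on": ["push"],
    "permissions": {},                               # workflow level: grant nothing by default
    "jobs": {
        "build": {"runs-on": "ubuntu-latest",
                  "permissions": {"contents": "read"},
                  "steps": [{"uses": "actions/checkout@v4"}]},
        "publish": {"runs-on": "ubuntu-latest",
                    "permissions": {"contents": "read", "packages": "write"},
                    "steps": [{"run": "./publish.sh"}]},
    },
}

def check_job_permissions(workflow: Dict[str, Any]) -> List[str]:
    """One finding per offending job; an empty list means the rule passes."""
    findings: List[str] = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        perms = job.get("permissions")
        if perms is None:
            findings.append(f"{job_id}: no job-level permissions (inherits default or workflow grant)")
        elif perms == "write-all":
            findings.append(f"{job_id}: permissions is write-all")
    return findings

Rule = Tuple[str, Callable[[Dict[str, Any]], List[str]]]
RULES: List[Rule] = [("job-level GITHUB_TOKEN permissions", check_job_permissions)]

def compliance_score(workflow: Dict[str, Any], rules: List[Rule] = RULES) -> Tuple[float, Dict[str, List[str]]]:
    """Score is the fraction of rules passed; failed rules are returned with their findings."""
    failed = {name: f for name, check in rules if (f := check(workflow))}
    return (len(rules) - len(failed)) / len(rules), failed

if __name__ == "__main__":
    for label, wf in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(label, *compliance_score(wf))
```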

Developers - Compliance Scores in Projects

Individual developers can see compliance scores in their project dashboard, under the "Guardrails" section. If a workflow has a compliance score, it is shown on that dashboard. If a workflow does not yet have a compliance score, click the "Run Evaluation" button to calculate it; the evaluation takes about a minute. Developers can click on each workflow to see which rules passed or failed, then enter the GenAI Editor to implement fixes.

<< insert picture of compliance guardrails dashboard >>

Automatic Issue and PR Creation

Future releases of the compliance guardrails feature will include the ability to automatically remediate all failed compliance guardrail rules and open a Pull Request in GitHub. Alternatively, the platform can create an issue for your GenAI coding tool of choice to implement.

Administrators - Aggregated Compliance Scores

Administrators can open the Compliance Center from the left navigation bar of the application to view a high-level status of the organization's workflow compliance scores. The dashboard shows the score over time, the current score, and major violations. CodeCargo ships with about 30 industry-standard recommendations for GitHub Actions Workflow compliance.

<< insert picture of compliance center screen >>

Custom Compliance Guardrail Rules

Future releases of the compliance guardrails feature will include the ability to upload your organization's compliance documents. CodeCargo will then parse each document, extract the applicable rules, and work with you via GenAI chat to fine-tune them so the Expert Compliance Agent can evaluate them effectively.

Configurable Score Triggers

Future releases of the compliance guardrails feature will include the ability to customize when CodeCargo evaluates your GitHub Actions Workflows for compliance scores. As an example, this might include every time a workflow runs, or anytime a workflow is updated via a pull request.
