Core Concepts
Workflow Compliance
What is the Compliance Center?
The Compliance Center helps you ensure your CI/CD workflows follow your organization's best practices and compliance requirements. Using AI-powered analysis, it automatically evaluates your workflows against configurable rules and provides detailed reports with actionable recommendations.
Key Benefits
- Automated Compliance Checking: Instantly evaluate workflows against your organization's standards
- Multi-Level Visibility: Monitor compliance across your entire organization, individual projects, repositories, and workflows
- Real-Time Monitoring: Track evaluation progress with automatic updates
- Actionable Insights: Get specific recommendations for improving compliance
- Prioritized Issues: Focus on critical issues first with importance-based categorization
Getting Started
Accessing the Compliance Center
Navigate to the Compliance Center from your organization settings:
- Go to your Organization Settings
- Select Compliance from the navigation menu
- You'll see two main tabs:
  - Dashboard: View compliance scores and evaluation results
  - Settings: Manage compliance rules and categories
Understanding Compliance Levels
You can view compliance at three different levels:
Organization Level (/orgs/{orgId}/compliance)
- Overall compliance across all projects
- Common issues affecting multiple workflows
- Organization-wide trends
Project Level (/projects/{projectId}/guardrails)
- Compliance for all workflows in a specific project
- Project-specific compliance summary
Repository Level (/repos/{repoId}/guardrails)
- All workflows within a single repository
- Repository compliance overview
Compliance Guardrails and Categories
Compliance Guardrails are individual rules used to evaluate whether a given GitHub Actions workflow is compliant with organizational standards. These rules are generally evaluated against the source code of the workflow, but can also take other repository information into account, such as the Dependabot configuration. Here is an example rule:
Every GitHub Actions Workflow must explicitly define minimum required permissions for GITHUB_TOKEN at the workflow job level. Default permissions or "write-all" violate the principle of least privilege.
Individual GitHub Actions workflows are scored against a centralized list of these rules to produce a compliance score. This information serves two audiences:
- Developers - see which rules a workflow failed so they can implement fixes
- Administrators - see aggregated compliance scores to gain a strategic view of the organization's automations
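To make the example rule concrete, the following Python script is an added illustration, not CodeCargo's evaluator (which the page describes as AI-based): it applies the GITHUB_TOKEN permissions rule deterministically to two constructed workflows, one that relies on default permissions and "write-all", and one that declares a read-only default with a single job requesting exactly the write scope it needs. The workflows are written as dictionaries mirroring the parsed YAML so no YAML library is required, the job and step contents are invented, and treating a restrictive workflow-level permissions block as satisfying the rule for jobs that do not override it is this example's reading of the rule rather than something the page states. The comment strings follow the Rule / Result / Comment shape shown later under Understanding Failure Comments.

```python
# Added example, not CodeCargo's evaluator: a deterministic check for the
# sample guardrail "every workflow must explicitly define minimum GITHUB_TOKEN
# permissions at the job level; default or write-all violate least privilege".
# Workflows are dicts mirroring the parsed YAML so no YAML library is needed.

PASS, FAIL = "Pass", "Fail"

# Constructed non-compliant workflow. YAML equivalent:
#   on: push
#   jobs:
#     build:
#       runs-on: ubuntu-latest
#       steps:
#         - uses: actions/checkout@v4
#     release:
#       runs-on: ubuntu-latest
#       permissions: write-all
#       steps:
#         - run: ./scripts/publish.sh
NON_COMPLIANT = {
    "on": "push",
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@v4"}],
        },
        "release": {
            "runs-on": "ubuntu-latest",
            "permissions": "write-all",
            "steps": [{"run": "./scripts/publish.sh"}],
        },
    },
}

# Constructed compliant version: read-only workflow-level default, and the one
# job that must write declares exactly the scope it needs. YAML equivalent:
#   on: push
#   permissions:
#     contents: read
#   jobs:
#     build:
#       runs-on: ubuntu-latest
#       steps:
#         - uses: actions/checkout@v4
#     release:
#       runs-on: ubuntu-latest
#       permissions:
#         contents: write
#       steps:
#         - run: ./scripts/publish.sh
COMPLIANT = {
    "on": "push",
    "permissions": {"contents": "read"},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@v4"}],
        },
        "release": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "write"},
            "steps": [{"run": "./scripts/publish.sh"}],
        },
    },
}


def effective_permissions(workflow, job):
    """Job-level permissions override the workflow-level block; when neither is
    present the job runs with the repository's default token permissions
    (returned as None). Letting a restrictive workflow-level block satisfy the
    rule for jobs that do not override it is this example's reading of the rule."""
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")


def check_token_permissions(workflow):
    """Evaluate one workflow against the rule; returns (result, comment)."""
    problems = []
    write_scopes = []
    for name, job in workflow.get("jobs", {}).items():
        perms = effective_permissions(workflow, job)
        if perms is None:
            problems.append(f"job '{name}' relies on default GITHUB_TOKEN permissions")
        elif perms == "write-all":
            problems.append(f"job '{name}' grants write-all")
        elif isinstance(perms, dict):
            # An explicit mapping (even an empty one, which grants nothing) passes;
            # write scopes are reported so a reviewer can confirm each is required.
            for scope, level in perms.items():
                if level == "write":
                    write_scopes.append(f"{name}:{scope}")
        elif perms != "read-all":
            problems.append(f"job '{name}' has unrecognised permissions value {perms!r}")
    if problems:
        return FAIL, "; ".join(problems)
    comment = "every job has an explicit, non-write-all permissions block"
    if write_scopes:
        comment += "; write scopes to review: " + ", ".join(write_scopes)
    return PASS, comment


if __name__ == "__main__":
    for label, wf in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        result, comment = check_token_permissions(wf)
        print(f"{label}: Result: {result} Comment: {comment}")
```

The check deliberately stops at "explicit and not write-all": whether a declared write scope is actually the minimum a job needs depends on what the job does, which is the judgement the page leaves to the AI evaluation, so the script surfaces write scopes in the Pass comment instead of guessing.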
How Guardrails Work
Compliance rules are organized into categories that apply to different types of workflow files. Each rule:
- Has a clear description of the requirement
- Includes an importance level (Critical, High, Medium, or Low)
- Is evaluated automatically by AI
- Provides specific feedback when workflows don't comply
Rule Importance Levels
Rules are prioritized to help you focus on what matters most:
| Level | Badge Color | Description | Example |
|---|---|---|---|
| Critical | Red | Security-critical issues requiring immediate action | "All workflows must include secret scanning" |
| High | Orange | Important best practices that should be addressed soon | "Production deployments require approval gates" |
| Medium | Yellow | Recommended practices for improved quality | "Workflows should use dependency caching" |
| Low | Blue | Nice-to-have improvements | "Add descriptive comments to complex steps" |
Category Conditions
Categories use file path patterns to determine which rules apply to specific workflows. For example:
- **/*.yml - Applies to all YAML files
- .github/workflows/*.yml - Applies only to GitHub Actions workflow files
This ensures that workflows are only evaluated against relevant rules. Note that GitHub Actions also accepts workflow files with a .yaml extension, so a category whose condition matches only *.yml will not apply its rules to those workflows; include both extensions if your repositories use both.
Running Compliance Evaluations
Triggering an Evaluation
You can evaluate workflows on-demand from any compliance dashboard:
- Locate the workflow in the compliance table
- Click "Run Evaluation" next to the workflow
- The evaluation status will change to "Pending"
Monitoring Progress
Once triggered, an evaluation runs in the background and its status updates in real time:
- Pending: Evaluation is queued and waiting to start
- Running: AI is actively analyzing your workflow
- Complete: Evaluation finished successfully
- Failed: An error occurred during evaluation
The dashboard automatically refreshes every 5 seconds while evaluations are in progress.
Understanding Your Results
Compliance Scores
Your compliance score is calculated as:
Score = (Passing Rules / Total Applicable Rules) × 100
Important Notes:
- Scores range from 0% to 100%
- Rules marked as "Not Applicable" or "Unknown" are excluded from the calculation. Because Unknown results do not count against a workflow, a score can look healthy while several rules remain inconclusive, so review Unknown results rather than treating them as passes
- If no rule is applicable to a workflow, the formula is undefined and no score can be calculated
- Color coding helps you quickly identify issues:
  - Green (≥80%): Good compliance
  - Yellow (60-79%): Needs attention
  - Red (<60%): Requires immediate action
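The following Python script is an added example (not CodeCargo's code) that applies the score formula above to a list of per-rule results, with the Not Applicable / Unknown exclusion, the color bands, and the importance ordering the dashboard uses to prioritise failures. The rule names are taken from the tables in this section; the importance levels and results assigned to them here are constructed sample data, and the result and field names are this example's own.

```python
# Added example, not CodeCargo's code: the compliance score formula applied to
# per-rule results, with exclusions, colour bands and importance ordering.

APPLICABLE = {"Pass", "Fail"}   # "Not Applicable" and "Unknown" are excluded
IMPORTANCE_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def compliance_score(results):
    """Score = (Passing Rules / Total Applicable Rules) * 100, to one decimal.
    Returns None when no rule was applicable, since the formula would otherwise
    divide by zero."""
    scored = [r["result"] for r in results if r["result"] in APPLICABLE]
    if not scored:
        return None
    return round(100.0 * scored.count("Pass") / len(scored), 1)


def score_band(score):
    """Map a score to the dashboard's colour coding."""
    if score is None:
        return "Unscored"
    if score >= 80:
        return "Green"
    if score >= 60:
        return "Yellow"
    return "Red"


def failures_by_importance(results):
    """Failed rule names, most important first, as a remediation order."""
    failed = [r for r in results if r["result"] == "Fail"]
    failed.sort(key=lambda r: IMPORTANCE_ORDER[r["importance"]])
    return [r["rule"] for r in failed]


# Constructed evaluation of one workflow: two failures, one rule not applicable.
TYPICAL = [
    {"rule": "GITHUB_TOKEN permissions defined at the job level", "importance": "High", "result": "Fail"},
    {"rule": "All workflows must include secret scanning", "importance": "Critical", "result": "Fail"},
    {"rule": "Production deployments require approval gates", "importance": "High", "result": "Not Applicable"},
    {"rule": "Workflows should use dependency caching", "importance": "Medium", "result": "Pass"},
    {"rule": "Add descriptive comments to complex steps", "importance": "Low", "result": "Pass"},
]

# Constructed evaluation where the AI was inconclusive on most rules: because
# Unknown is excluded, the single Pass yields a perfect score.
MOSTLY_UNKNOWN = [
    {"rule": "Add descriptive comments to complex steps", "importance": "Low", "result": "Pass"},
] + [
    {"rule": rule, "importance": "High", "result": "Unknown"}
    for rule in (
        "All workflows must include secret scanning",
        "Production deployments require approval gates",
        "Workflows should use dependency caching",
    )
]

# Constructed evaluation where no rule applied to the file at all.
NONE_APPLICABLE = [
    {"rule": "Production deployments require approval gates", "importance": "High", "result": "Not Applicable"},
]


if __name__ == "__main__":
    cases = (("typical", TYPICAL), ("mostly unknown", MOSTLY_UNKNOWN), ("none applicable", NONE_APPLICABLE))
    for label, results in cases:
        score = compliance_score(results)
        print(f"{label}: score={score} band={score_band(score)} fix first={failures_by_importance(results)}")
```

Running it shows the caveat directly: the "typical" workflow scores 50% (Red) with the Critical secret-scanning failure listed first, while the "mostly unknown" workflow scores 100% (Green) on the strength of one passing rule, which is why Unknown results deserve a look before a score is trusted.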
Rule Evaluation Results
Each rule in your evaluation will have one of four results:
| Result | Icon | Meaning |
|---|---|---|
| Pass | ✓ Green checkmark | Your workflow meets the requirement |
| Fail | ✗ Red X | Your workflow doesn't meet the requirement |
| Not Applicable | - Gray dash | This rule doesn't apply to your workflow |
| Unknown | ? Gray question mark | The evaluation was inconclusive |
Understanding Failure Comments
When a rule fails, the AI provides a specific explanation of why. For example:
Rule: "Production deployments must have manual approval steps"
Result: Fail
Comment: "No approval gate found for production deployments. The workflow deploys directly to the 'prod' environment without requiring manual approval."
These comments help you understand exactly what needs to be fixed.
Developers - Compliance Scores in Projects
Individual developers can see compliance scores in their project dashboard, under the "Guardrails" section. If a workflow already has a compliance score, it is shown there. If it does not, click the "Run Evaluation" button to calculate one; an evaluation takes about a minute to complete. Developers can click on each workflow to see which rules passed or failed, then open the GenAI Editor to implement fixes.

Automatic Issue and PR Creation
Future releases of the compliance guardrails feature will include the ability to automatically remediate all failed compliance guardrail rules and open a Pull Request in GitHub. Alternatively, the platform can create an issue for your GenAI coding tool of choice to implement.
Administrators - Aggregated Compliance Scores
Administrators can access the Compliance Center from the left navigation bar of the application to view a high-level status of the organization's workflow compliance scores. The dashboard shows the score over time, the current score, and major violations. CodeCargo ships with about 30 industry-standard recommendations for GitHub Actions workflow compliance.

Custom Compliance Guardrail Rules
Future releases of the compliance guardrails feature will include the ability to upload your organization's compliance documents. CodeCargo will then parse the document, extract applicable rules, then work with you via genAI chat to fine-tune the rules so the Expert Compliance Agent can effectively evaluate the rules.
Configurable Score Triggers
Future releases of the compliance guardrails feature will include the ability to customize when CodeCargo evaluates your GitHub Actions Workflows for compliance scores. As an example, this might include every time a workflow runs, or anytime a workflow is updated via a pull request.
