> ## Documentation Index
> Fetch the complete documentation index at: https://docs.zenable.io/llms.txt
> Use this file to discover all available pages before exploring further.
# Compliance Pre-Audit
> Upload your framework (SOC 2, HIPAA, FedRAMP, etc.) and governance to get continuous compliance monitoring directly in your SDLC
## Overview
Audit preparation is stressful, manual, and reveals surprises at the worst time. Upload your framework (SOC 2, HIPAA, FedRAMP, etc.) and governance to get continuous compliance monitoring directly in your SDLC, enabling you to pass audits on the first attempt with zero surprises.
## How It Works
1. **Upload Your Framework** - Any compliance document, audit checklist, or regulatory requirement at [zenable.app](https://www.zenable.app?utm_source=docs\&utm_medium=compliance-pre-audit\&utm_content=upload-framework)
2. **Automatic Extraction** - We identify and structure all technical requirements
3. **Continuous Enforcement** - Every developer action is checked against your requirements
4. **Evidence Generation** - Generate custom compliance reports using our MCP server
## Universal Framework Support
Zenable is a flexible multi-purpose tool that supports any requirements, including any and all compliance frameworks:
• SOC 2 Trust Services Criteria
• HIPAA Technical Safeguards
• FedRAMP Security Controls
• ISO 27001 Annex A Controls
• GDPR Data Protection Requirements
• PCI DSS Requirements
• Your internal security policies
• Customer contractual requirements
• Industry-specific regulations
• Vendor assessment criteria
• M\&A due diligence standards
• Partner integration requirements
## Real-World Example: Custom Security Policy
Imagine uploading your organization's security policy that states:
> "All API endpoints must implement rate limiting of no more than 100 requests per minute per user, use OAuth 2.0 authentication, and log all access attempts with user ID, timestamp, and IP address."
### What Zenable Prevents
With this requirement uploaded, Zenable would automatically:
```python theme={null}
# ❌ Would be flagged
@app.route('/api/users')
def get_users():
return jsonify(users)
# ✅ Zenable ensures
@app.route('/api/users')
@rate_limit(100, per=60) # 100 requests per minute
def get_users():
return jsonify(users)
```
```python theme={null}
# ❌ Would be flagged
@app.route('/api/data')
def get_data():
return sensitive_data
# ✅ Zenable ensures
@app.route('/api/data')
@require_oauth2
def get_data():
return sensitive_data
```
```python theme={null}
# ❌ Would be flagged
def process_request(request):
return handle(request)
# ✅ Zenable ensures
def process_request(request):
log_access(
user_id=request.user.id,
timestamp=datetime.now(),
ip_address=request.remote_addr
)
return handle(request)
```
## Running Compliance Checks
### Unified Assessment
After uploading your compliance frameworks to [zenable.app](https://www.zenable.app?utm_source=docs\&utm_medium=compliance-pre-audit\&utm_content=configure-frameworks), run a single unified check across all frameworks:
```bash theme={null}
# Check against all uploaded frameworks at once
zenable check '**/*'
```
This single command checks your codebase against:
* All uploaded compliance frameworks (SOC 2, HIPAA, FedRAMP, etc.)
* Your custom organizational policies
* Industry-specific regulations
* Contractual requirements
The results show compliance status across all frameworks simultaneously.
## Framework-Specific Examples
### HIPAA Technical Safeguards
Upload your HIPAA requirements document, and Zenable ensures:
**Requirement**: "Implement procedures to verify that a person seeking access to ePHI is authorized (§164.312(d))"
**What Gets Prevented**:
* Direct database queries without access checks
* Missing authentication on health data endpoints
* Unencrypted storage of patient information
* Missing audit logs for PHI access
### FedRAMP Security Controls
Upload FedRAMP control requirements:
**Requirement**: "The information system enforces approved authorizations for logical access (AC-3)"
**What Gets Prevented**:
* Hardcoded credentials in source code
* Missing role-based access controls
* Unauthorized privilege escalation paths
* Unvalidated user input in security contexts
### GDPR Data Protection
Upload GDPR requirements:
**Requirement**: "Implement appropriate technical measures to ensure data protection by design (Article 25)"
**What Gets Prevented**:
* Missing data encryption at rest
* Lack of data deletion capabilities
* Absent consent management
* Uncontrolled data retention
## Evidence Generation with MCP Server
### Setting Up for Compliance Reports
After configuring the MCP server ([setup guide](/integrations/mcp/getting-started)), you can use AI assistance to generate comprehensive compliance evidence:
```bash theme={null}
# Install and configure MCP server
zenable install
```
Use your AI assistant (Claude, Cursor, Antigravity, etc.) with prompts like:
**Example prompt for SOC 2 evidence:**
> "Generate a SOC 2 compliance report by checking all authentication, encryption, and logging implementations. For each file, send it to Zenable for analysis and compile the results into a summary showing: control objectives met, gaps identified, and remediation recommendations."
**Example prompt for multi-framework assessment:**
> "Create a comprehensive compliance assessment covering SOC 2, GDPR, and our internal security policies. Check each module in our codebase against these frameworks using Zenable, then produce an executive summary with compliance percentages, critical findings, and a prioritized remediation plan."
**Example prompt for audit preparation:**
> "Prepare evidence for our upcoming HIPAA audit. Analyze all patient data handling code, encryption implementations, and access controls using Zenable. Generate a detailed report mapping each finding to specific HIPAA requirements with supporting code references."
The AI assistant will:
* Send each relevant file to Zenable for analysis
* Map findings to specific compliance requirements
* Generate formatted reports with code references
* Create audit-ready documentation
### Continuous Compliance Monitoring
Zenable provides automatic compliance monitoring at every stage:
**Real-Time Enforcement**
* **MCP Integration** - Every file edit in your IDE is checked instantly
* **PR Review Bot** - Automatic review on every pull request
* **Unified Checks** - Single command validates against all frameworks
No manual workflow setup required - just install the GitHub App and MCP server to get started.
## Benefits
### For Development Teams
* **Compliance Made Simple** - Requirements automatically translated into actionable code feedback
* **Fix Issues Early** - Catch compliance gaps in the IDE, not during audit season
* **Focus on Features** - Let Zenable handle compliance complexity while you build
### For Compliance Teams
* **Continuous Monitoring** - Real-time visibility into compliance posture across all code
* **Automated Evidence Collection** - Every code change tracked and mapped to requirements
* **Proactive Risk Management** - Identify and address gaps before they become findings
### For Auditors
* **Complete Audit Trail** - Every requirement traced from policy to implementation
* **Real-Time Evidence** - Current compliance status, not point-in-time snapshots
* **Simplified Review Process** - Pre-organized evidence mapped to control objectives
## Getting Started
Visit [zenable.app](https://www.zenable.app?utm_source=docs\&utm_medium=compliance-pre-audit\&utm_content=get-started) to upload your compliance documents
Install automated PR reviews in two clicks at [zenable.io/github](https://zenable.io/github?utm_source=docs\&utm_medium=compliance-pre-audit\&utm_content=github-install)
```bash theme={null}
zenable install
```
Seriously, that's it. You're all set.
Your requirements are now enforced automatically across all development
## Next Steps
* [Set up GitHub integration](/integrations/vcs-reviewers/github) or [GitLab integration](/integrations/vcs-reviewers/gitlab) for PR/MR-level enforcement
* Implement [Policy as Code](/use-cases/policy-as-code) for custom controls
* Configure [Security Assessment](/use-cases/security-assessment) for deeper analysis