Last Updated: January 18, 2026
Compliance Approach
ChangeGuard is designed for production and regulated environments. A Kubernetes Operator runs inside your cluster and manages all security scanning, SBOM generation, and audit logging with clear data boundaries.
Self-hosted first: All security scanning (KubeBench, Grype, Falco, Pluto, Syft) executes inside your cluster. Only metadata and scan summaries are sent to the ChangeGuard control plane — never secrets, manifests, or application data.
Supply Chain Compliance (EO 14028, NIST SP 800-218)
- SBOM generation: Syft produces CycloneDX or SPDX JSON Software Bill of Materials for every container image running in your cluster. Exportable per-image from the dashboard.
- CVE scanning: Grype scans all container images against the National Vulnerability Database. Critical and high-severity findings feed directly into the CSC score.
- CIS benchmarks: KubeBench validates your cluster configuration against the CIS Kubernetes Benchmark (controls for master, node, etcd, and policies).
Identity & Access Governance
- RBAC risk analysis: Graph-based mapping of every ServiceAccount, User, and Group to their permissions and blast radius. Detects cluster-admin abuse, wildcard permissions, and privilege escalation paths.
- Least privilege validation: Identifies overprivileged identities and default ServiceAccounts with custom role bindings.
- Per-identity risk scoring: 0-100 risk scores with blast radius classification (cluster/namespace/resource).
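The bullets above describe the shape of an RBAC risk analysis (map subjects to the rules they are bound to, flag wildcards and escalation-capable verbs, classify blast radius, emit a 0-100 score). The following is an added illustration of that shape, not ChangeGuard's own code: the finding tags, the weights in WEIGHTS, and the blast-radius rule are assumptions chosen for the example, and the RBAC objects are constructed inline in a trimmed form of the Kubernetes RBAC API.

```python
"""Toy Kubernetes RBAC risk scoring (added example, not ChangeGuard's code).

Walks ClusterRoleBindings and RoleBindings, resolves each to its PolicyRules,
tags risky patterns per identity, classifies blast radius and produces a
0-100 score. Weights and thresholds are illustrative assumptions.
"""
from collections import defaultdict

# --- Constructed sample RBAC objects (trimmed shape of the real API) ---------
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "pod-reader": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
    "secret-writer": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}],
}
ROLES = {  # namespaced Roles keyed by (namespace, name)
    ("dev", "deploy-manager"): [{"apiGroups": ["apps"], "resources": ["deployments"],
                                 "verbs": ["create", "update", "patch"]}],
}
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "cluster-admin",
     "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "ci"}]},
    {"roleRef": "pod-reader", "subjects": [{"kind": "Group", "name": "developers"}]},
]
ROLE_BINDINGS = [  # a RoleBinding may reference a ClusterRole, scoping it to one namespace
    {"namespace": "prod", "roleRef": ("ClusterRole", "secret-writer"),
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "prod"}]},
    {"namespace": "dev", "roleRef": ("Role", "deploy-manager"),
     "subjects": [{"kind": "User", "name": "alice"}]},
]

# Assumed weights: illustrative, not a published scoring scheme.
WEIGHTS = {"full-wildcard": 100, "wildcard": 30, "secrets-access": 20,
           "rbac-escalation": 40, "default-sa": 15, "cluster-scope": 20}
RADIUS_ORDER = {"resource": 0, "namespace": 1, "cluster": 2}


def subject_key(subject):
    """Stable identity key such as 'ServiceAccount:prod/default' or 'User:alice'."""
    ns = subject.get("namespace")
    return f"{subject['kind']}:{ns + '/' if ns else ''}{subject['name']}"


def rule_findings(rules):
    """Tag risky patterns found in a list of PolicyRules."""
    tags = set()
    for r in rules:
        verbs, resources, groups = set(r["verbs"]), set(r["resources"]), set(r["apiGroups"])
        if "*" in verbs and "*" in resources:
            tags.add("full-wildcard")          # cluster-admin style rule
        elif "*" in verbs or "*" in resources:
            tags.add("wildcard")               # partial wildcard
        if resources & {"secrets", "*"} and verbs & {"get", "list", "watch", "*"}:
            tags.add("secrets-access")         # can read Secret values
        if groups & {"rbac.authorization.k8s.io", "*"} and verbs & {"bind", "escalate", "*"}:
            tags.add("rbac-escalation")        # can grant itself more RBAC
    return tags


def grant_radius(binding_kind, rules):
    """Blast radius of one grant: cluster, namespace, or a named resource."""
    if binding_kind == "ClusterRoleBinding":
        return "cluster"
    if rules and all(r.get("resourceNames") for r in rules):
        return "resource"
    return "namespace"


def iter_grants():
    """Yield (subject, rules, radius) for every binding in the sample data."""
    for b in CLUSTER_ROLE_BINDINGS:
        rules = CLUSTER_ROLES[b["roleRef"]]
        for s in b["subjects"]:
            yield s, rules, grant_radius("ClusterRoleBinding", rules)
    for b in ROLE_BINDINGS:
        kind, name = b["roleRef"]
        rules = CLUSTER_ROLES[name] if kind == "ClusterRole" else ROLES[(b["namespace"], name)]
        for s in b["subjects"]:
            yield s, rules, grant_radius("RoleBinding", rules)


def analyze():
    """Return {identity: {"score": int, "blast_radius": str, "findings": [str]}}."""
    per_identity = defaultdict(lambda: {"tags": set(), "radius": "resource"})
    for subject, rules, radius in iter_grants():
        entry = per_identity[subject_key(subject)]
        entry["tags"] |= rule_findings(rules)
        if RADIUS_ORDER[radius] > RADIUS_ORDER[entry["radius"]]:
            entry["radius"] = radius           # keep the widest radius seen
        if subject["kind"] == "ServiceAccount" and subject["name"] == "default":
            entry["tags"].add("default-sa")    # custom binding on a default SA
    report = {}
    for ident, e in per_identity.items():
        score = sum(WEIGHTS[t] for t in e["tags"])
        if score and e["radius"] == "cluster":
            score += WEIGHTS["cluster-scope"]  # widen the score for cluster-wide grants
        report[ident] = {"score": min(100, score), "blast_radius": e["radius"],
                         "findings": sorted(e["tags"])}
    return report


if __name__ == "__main__":
    for ident, r in sorted(analyze().items(), key=lambda kv: -kv[1]["score"]):
        print(f"{r['score']:3d}  {r['blast_radius']:<9}  {ident:<32}  {', '.join(r['findings'])}")
```

Running it ranks the CI ServiceAccount bound to cluster-admin at the top (full wildcard, cluster blast radius), the prod default ServiceAccount with a custom Secrets binding in the middle, and the read-only group and the namespaced deployer at zero. A real implementation would pull these objects from the API server and expand Group membership and aggregated ClusterRoles, which this example deliberately leaves out.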
Audit & Evidence
- Full audit trail: Every deployment decision, authentication event, and configuration change logged with timestamp, user, source IP, and outcome.
- CSV/JSON export: Score history, cluster security reports, and audit trails exportable for compliance evidence collection.
- Branded PDF compliance reports: One-click export of a branded PDF showing framework controls, pass/fail status, and evidence — ready to attach to a SOC 2 audit package.
- SBOM export: Per-image CycloneDX JSON download for supply chain compliance documentation.
Data Processing
- Customer control: You deploy and configure the operator via a single CRD, which controls which scanners are enabled, the scan schedules, and the data collection scope.
- Data minimization: Agent collects resource metadata only. Kubernetes Secrets values are never collected or transmitted.
- Encryption: TLS 1.2+ in transit. AES-256 at rest (PostgreSQL, AWS-managed keys).
- Outbound-only: Agent initiates outbound connections. No inbound access required.
Compliance Programs
ChangeGuard supports SOC 2, ISO 27001, HIPAA, PCI DSS, and FedRAMP programs through automated security scanning, SBOM generation, CIS benchmarking, RBAC analysis, and audit evidence export. Specific attestations depend on deployment mode and plan tier.
Vendor and Subprocessor Management
We may use trusted vendors for website hosting, analytics, and payment processing. When cloud-connected features are enabled, vendors may provide infrastructure for hosting the control plane. We evaluate vendors for appropriate security practices and limit their access to what is necessary.
Contact
If you have compliance requirements or need a security/compliance briefing, contact us via the Contact page.