Compliance
HZSec automatically maps every finding to the relevant compliance framework controls. No manual tagging, no spreadsheets — the audit trail builds itself as you scan and fix.
Supported frameworks
OWASP Top 10
The ten most critical web application security risks. Every HZSec finding is mapped to an OWASP category (A01–A10) where applicable.
CIS Benchmarks
Center for Internet Security hardening guidelines. HZSec maps system hardening and configuration findings to CIS controls for Linux, Docker, and Kubernetes environments.
SOC 2 (CC criteria)
Trust Service Criteria for Security. HZSec maps applicable findings to CC6.x (Logical and Physical Access Controls) and CC7.x (System Operations) controls.
Auto-tagging
Every finding is tagged at scan time. You don't need to configure which findings map to which frameworks — the mapping is built into the detection rules. Example:
// Example finding with auto-applied framework tags
{
"id": "f_a1b2c3",
"type": "VULN_SQLI",
"severity": "HIGH",
"description": "SQL injection via string concatenation",
"frameworks": [
"OWASP:A03", // Injection
"CWE-89", // Improper Neutralization of SQL Input
"SOC2:CC7.1" // System configuration
]
}
Compliance gap percentage
The Compliance view shows a gap percentage for each framework. This number represents the proportion of a framework's mapped controls that have no open findings against them.
Example: OWASP Top 10 has 10 categories. If your scan has open findings tagged to OWASP:A03 (Injection) and OWASP:A05 (Security Misconfiguration), 2 categories are “failing” and 8 are “passing” — giving you an 80% OWASP score.
Fixing those 2 findings moves the score to 100%. The score reflects what's been scanned — not what hasn't been checked yet.
The gap percentage is based on HZSec's automated scan coverage. It does not substitute for a manual control assessment or a formal certification audit.
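The scoring rule above, written out as an added example (not HZSec's own code): a control counts as failing when at least one open finding carries its tag, resolved findings are ignored, and several findings on one control fail it only once. The `status` field and the finding types other than `VULN_SQLI` are assumptions; only OWASP's control set (A01–A10) is taken from the page.

```python
"""Compliance gap score: the share of a framework's mapped controls that have
no open finding against them (example code, not HZSec's implementation)."""
from collections import defaultdict

# Controls per framework. Only OWASP's count (A01-A10) is stated on the page;
# other frameworks would be listed the same way.
FRAMEWORK_CONTROLS = {
    "OWASP": [f"A{n:02d}" for n in range(1, 11)],
}


def gap_scores(findings, frameworks=FRAMEWORK_CONTROLS):
    """Return {framework: (percent_passing, sorted failing controls)}.

    A control fails if any finding whose status is OPEN carries the tag
    "<framework>:<control>". Tags for frameworks not in `frameworks`
    (e.g. "CWE-89") are ignored. The `status` field is an assumption.
    """
    failing = defaultdict(set)
    for finding in findings:
        if finding.get("status", "OPEN") != "OPEN":
            continue  # resolved findings do not count against a control
        for tag in finding.get("frameworks", []):
            fw, sep, control = tag.partition(":")
            if sep and fw in frameworks and control in frameworks[fw]:
                failing[fw].add(control)  # a set: duplicates fail once
    result = {}
    for fw, controls in frameworks.items():
        bad = sorted(failing[fw])
        passing = len(controls) - len(bad)
        result[fw] = (round(100 * passing / len(controls)), bad)
    return result


# Constructed sample findings mirroring the page's example: open findings on
# A03 (twice) and A05, plus an already-resolved A01 finding.
SAMPLE_FINDINGS = [
    {"id": "f_a1b2c3", "type": "VULN_SQLI", "status": "OPEN",
     "frameworks": ["OWASP:A03", "CWE-89", "SOC2:CC7.1"]},
    {"id": "f_d4e5f6", "type": "VULN_SQLI", "status": "OPEN",
     "frameworks": ["OWASP:A03", "CWE-89"]},
    {"id": "f_g7h8i9", "type": "DEBUG_ENABLED", "status": "OPEN",
     "frameworks": ["OWASP:A05"]},
    {"id": "f_j0k1l2", "type": "IDOR", "status": "RESOLVED",
     "frameworks": ["OWASP:A01"]},
]

if __name__ == "__main__":
    for fw, (score, bad) in gap_scores(SAMPLE_FINDINGS).items():
        print(f"{fw}: {score}% passing, failing controls: {bad}")
```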
Fix memory and recurrence tracking
When you resolve a finding — either via auto-fix or manually — HZSec records the fix in the audit log. If the same issue reappears in a later scan (same type, same file region), HZSec marks it as recurring.
Recurring findings signal that the surface patch didn't address the root cause. They are highlighted differently in the findings list and in exported reports, so auditors can see the pattern.
// Audit log entry for a recurring finding
{
"finding_id": "f_a1b2c3",
"type": "SECRET_EXPOSED",
"first_seen": "2025-01-10T14:22:00Z",
"resolved": "2025-01-10T15:05:00Z",
"reappeared": "2025-01-14T09:18:00Z",
"recurrence_count": 2,
"status": "RECURRING"
}
Audit log export
The audit log is formatted to be shareable with an auditor without additional interpretation. Each export includes scan timestamps, finding summaries with severities, framework tags, applied fixes, and recurrence status.
Export is available from the desktop app's Reports view. Select a scan or a date range, choose JSON or PDF, and click Export. The CLI does not currently expose a report command.
What the export contains
What HZSec doesn't do
HZSec is a developer security tool, not a compliance certifier. It helps you find issues, track fixes, and prepare evidence — but it does not issue compliance certifications or replace a professional penetration test.
A 100% gap score in HZSec means every finding HZSec can detect has been resolved. It does not mean your application is vulnerability-free or that you will pass a SOC 2 audit. Use HZSec to strengthen your posture and generate supporting evidence — then work with a qualified auditor for formal certification.
Team plan — shared audit trail
On the Team plan, all seats share a consolidated compliance view and audit trail. Each finding is attributed to the team member who resolved it, and shared notes can be attached to any finding for auditor context.
Compliance gap tracking, audit log export, framework mapping, and recurrence tracking are available on all plans — including Free. See Pricing for a full feature comparison.