---
title: "Your Codebase Ships Fast. Your Compliance Posture Doesn't Have To Crawl."
published: false
tags: [devsecops, compliance, python, opensource]
---
## The Audit That Ate My Sprint
Six weeks before our Series A close, our CTO forwarded me a calendar invite titled "SOC2 Readiness Call" with no other context.
What followed was three weeks of me, a shared Google Sheet, and the slow realization that "evidence collection" is just archaeology — except instead of dinosaur bones, you're digging up screenshots of IAM policies you vaguely remember configuring in 2022.
If you've lived this, you know the feeling. If you haven't yet — you will.
The core problem isn't that compliance is *hard*. It's that compliance tooling was designed for a world where infrastructure was static and audits were events. Neither of those things is true anymore.
That's the problem [ComplianceWeave](https://complianceweave.io) was built to fix.
---
## What ComplianceWeave Actually Does
ComplianceWeave treats your compliance posture the same way a good monitoring stack treats your application: **continuously, programmatically, and with alerting when things drift**.
It scans your infrastructure against SOC2, GDPR, HIPAA, and ISO 27001 simultaneously — not sequentially, not manually — and surfaces gaps *before* your auditor does. When it finds something, it doesn't just flag it. It generates a remediation plan with the specific steps to fix it.
The output is audit-ready reports you can hand to an assessor without spending a week reformatting spreadsheets.
No agents to install. No vendor lock-in on your evidence vault. API-first, so it fits into the pipelines you already have.
---
## Quick Start
bash
pip install complianceweave
Three lines to your first compliance scan:
python
from complianceweave import Client
cw = Client(api_key="cw_your_key_here")
report = cw.scan(frameworks=["soc2", "gdpr"], target="aws://your-account-id")
print(report.summary())
That's it. You'll get back a structured `ComplianceReport` object with findings organized by control, severity, and framework. No YAML configuration files. No 40-page setup guide.
---
## A Real-World Use Case: Compliance Checks in Your CI/CD Pipeline
Here's where it gets interesting for DevSecOps teams.
The traditional compliance model is point-in-time: you get audited once a year, panic, fix things, and repeat. But your infrastructure changes *constantly*. A new S3 bucket here, a relaxed security group there, a developer who turned off MFA "just temporarily."
ComplianceWeave's continuous monitoring catches these drifts as they happen. But you can also push it earlier in the lifecycle — into your deployment pipeline itself.
Here's a GitHub Actions step that blocks a deployment if it would introduce a HIPAA violation:
python
compliance_gate.py — runs as a CI step pre-deploy
import sys
from complianceweave import Client
from complianceweave.models import Severity
cw = Client(api_key=os.environ["CW_API_KEY"])
Scan the proposed infrastructure changes (Terraform plan output)
scan = cw.scan_changeset(
frameworks=["hipaa", "soc2"],
changeset_path="./tfplan.json",
baseline="aws://prod-account-id"
)
critical_findings = scan.findings.filter(severity=Severity.CRITICAL)
if critical_findings:
print(f"🚨 Deployment blocked: {len(critical_findings)} critical compliance violation(s)\n")
for finding in critical_findings:
print(f" [{finding.framework.upper()}] {finding.control_id}: {finding.description}")
print(f" → Fix: {finding.remediation_summary}\n")
sys.exit(1)
print(f"✅ Compliance gate passed. {scan.findings.count()} minor findings logged.")
sys.exit(0)
yaml
.github/workflows/deploy.yml (relevant step)
- name: Compliance Gate run: python compliance_gate.py env: CW_API_KEY: ${{ secrets.CW_API_KEY }}
Now compliance isn't a quarterly event — it's a check that runs on every PR touching infrastructure. Your auditor gets a continuous evidence trail. Your developers get fast feedback. Your CTO stops forwarding you ominous calendar invites.
---
## The Remediation Plans Are Actually Useful
A lot of compliance tools will tell you *that* something is wrong. ComplianceWeave tells you *how to fix it* — specifically, not generically.
python
findings = report.findings.filter(framework="gdpr", severity=Severity.HIGH)
for finding in findings:
plan = cw.get_remediation_plan(finding.id)
print(f"Control: {finding.control_id} — {finding.title}")
print(f"Estimated fix time: {plan.estimated_effort}")
print(f"Steps:")
for i, step in enumerate(plan.steps, 1):
print(f" {i}. {step.description}")
if step.terraform_snippet:
print(f"
hcl\n {step.terraform_snippet}\n
")
The remediation plans are framework-aware. A finding that touches both GDPR and SOC2 will give you steps that satisfy both controls simultaneously, so you're not fixing the same underlying issue twice with different paperwork.
---
## What It Doesn't Do (Honesty Section)
ComplianceWeave automates evidence collection and continuous monitoring. It does not:
- Replace your compliance officer or legal counsel
- Guarantee you'll pass an audit (no tool can — auditors have opinions)
- Cover every niche sub-framework or regional data residency regulation out of the box
Think of it as the difference between a linter and a code reviewer. The linter catches the obvious stuff automatically and consistently. The human reviewer handles judgment calls. ComplianceWeave is the linter for your compliance posture.
---
## Who This Is For
If you're a **DevSecOps engineer** who's tired of being handed a spreadsheet two weeks before an audit and told to "fill in the evidence column" — this is for you.
If you're a **compliance team** that wants to move from reactive scrambling to proactive monitoring without hiring a full-time infrastructure person to run manual checks — this is for you.
If you're a **CTO at a startup** who needs to hit SOC2 Type II before your next enterprise deal closes and you don't have six months to do it the old way — this is *especially* for you.
---
## Get Started
The API is live. The Python client is on PyPI. The documentation covers all four frameworks with control-by-control explanations written for engineers, not auditors.
**→ Try the API:** [complianceweave.io/signup](https://complianceweave.io/signup) — free tier includes 1 framework, unlimited scans
**→ Star the Python client on GitHub:** [github.com/complianceweave/complianceweave-python](https://github.com/complianceweave/complianceweave-python) — issues, PRs, and framework coverage requests welcome
**→ Join the Discord:** We're actively building this with early users. If you have a compliance horror story (and you definitely do), we want to hear it.
---
*Built by engineers who once spent three weeks in a Google Sheet. Never again.*
Top comments (0)