Software development teams face a large and growing number of obstacles: shifting design requirements, organizational blockers, tight deadlines, complicated tech stacks and software supply chains. One emerging challenge that developers and IT leaders face is the need to stay compliant with regulations and control frameworks that stipulate comprehensive data security, incident response, and monitoring and reporting requirements.

Compliance requirements can add significant overhead to an organization. Fortunately, it is possible to automate compliance-related activities using continuous integration and third-party tools. In this article, you will review examples of common compliance frameworks, best practices for achieving compliance as a software delivery organization, and how you can automate compliance with CI/CD.

Examples of software compliance requirements

Many regulatory standards in different industries mandate compliance with software development guidelines. The rapid increase of these standards results from the explosive growth of digital technology, and the emerging cyber threat it brings. While compliance is not the same as security, it does establish the minimum comprehensive baselines an organization’s security must meet, if not exceed.

For example, the Health Insurance Portability and Accountability Act (HIPAA) specifies privacy and security protections for personally identifiable health information used by healthcare providers and practitioners in the US. Another standard is the Payment Card Industry Data Security Standards (PCI-DSS). It provides card transaction guardrails that protect consumer privacy. Specifically, it prohibits the storage and the unencrypted transmission and processing of personal card details like card verification values (CVV2s), entire magnetic strips, and PINs.

For service providers, Service Organization Controls 2 (SOC2) reports are a valuable compliance endorsement that confirms the trust service criteria of the organization’s service delivery processes and controls.

Even governments have compliance requirements before entering into business with contractors. For example, the Federal Risk and Authorization Management Program (FedRAMP) is a certification that government contractors must have to prove that their cloud offering is secure enough to house national data.

In practice, most businesses aim for certification in more than one compliance standard to target markets in different regions and put their clientele at ease. As such, many US-based cloud service providers aim for the European Union’s (EU) General Data Protection Regulation (GDPR) compliance approval to offer services to EU-based customers.

Software compliance best practices

Implementing well-known compliance best practices is a great way to measure your competence in internal corporate governance, risk management processes, organizational oversight policies, vendor management, and general security awareness. Examples of common software compliance practices include:

  • Strict access controls and permissions
  • Comprehensive testing and change management
  • Supply chain vulnerability scanning
  • Regular compliance audits

The next section explores some of these practices and describes ways your organization can reduce its compliance burden by automating and streamlining your compliance practices.

Access controls, roles, and permissions

Access control is a set of guidelines and procedures for user and infrastructure access. It ensures that you have cordoned off private and proprietary information from unauthorized access and that the blast radius is small in the event of a breach.

Access control begins with authentication, which involves confirming the identity of users before granting access to sensitive data. At a minimum, user authentication involves validating a unique username and password. It can also involve scans of the face, fingerprints, or eyes, or a cryptography certificate. Two-factor authentication, for example, often requires both a username and password combo and a biometric scan.

After authentication, you can implement role-based access control (RBAC) policies. These policies restrict access to information based on the user’s assigned role in the organization. RBAC policies should be based on the principle of least privilege, meaning users should have access to only those resources they need to do their jobs. Along with RBAC, you can use attribute-based access control (ABAC) to provide granular access based on user or object characteristics, action types, or more. For example, you can use ABAC to implement company policy for stopping work at cutover times or on weekends.

Access, roles, and permissions should be valid for a fixed time and withdrawn on expiration or when no longer in use. This means constant monitoring, which you can automate through scheduled cleanup scans or policy-as-code software such as Open Policy Agent that can evaluate and enforce access policies written in declarative code.

Comprehensive testing

Software testing includes functional and non-functional testing. Functional testing proves that an application works well compared to a set of requirements or specifications. Non-functional testing assesses application behavior at scale, how it contributes to the end-user experience, and how well it adheres to internal and external security requirements.

Even thought your software and infrastructure pass functionality, performance, reliability, and security testing, they can still be non-compliant. Non-compliant code is more vulnerable, and could result in a non-compliant status, negatively impact reputation, and attract heavy fines.

Organizations can conduct comprehensive compliance testing to check for application and infrastructure vulnerabilities in user access rights, transmission and storage of personally identifiable information, and program change control procedures. Compliance checks also validate organizations’ documentation and procedures, activity logs, and software licenses.

While many compliance tests can be automated, some organizations require a combination of automated and manual checks. For example:

  • An automated functional test confirms that an app’s login feature works.
  • Manual non-functional tests confirm that passwords are not visible and are encrypted on the database, as specified in the development code.

Similarly, an automated security test might ensure an application is protected against insecure direct object reference (IDOR). Through manual checks, a compliance test might focus on coding style and confirm the use of universally unique identifiers (UUIDs) when defining user and object models. It might also confirm that:

  • The application checks for valid objects and logged-in users before a task is executed
  • URL parameters are obscured
  • Error messages are descriptive but vague enough to prevent correct guesses about software architecture and vulnerabilities

Supply chain vulnerability scans

To avoid reinventing the wheel, software developers use dependencies on prebuilt external components. An organization inherits the software supply chain of its software components. This inheritance introduces risks that can have far-reaching consequences.

An excellent way to mitigate this risk is to incorporate automated security vulnerability scanning and advisories in your codebase. At a minimum, most security vulnerability scanners can scan for the top 10 Open Web Application Security Project (OWASP) vulnerabilities. Vulnerabilities are also collated from security bulletins, chatter, and independent research.

Compliance audits

Compliance audits review how well your implementation of the documented policies in your records conforms to official ones. The audit may start with your codebase, checking for misconfigurations and exposed secrets. An audit can then move on to review your builds, deployed artifacts, and infrastructure.

Ensure that you provide resources with the least privilege and access with authentication and proper roles. They should be logically segmented and devolved when no longer in use. Other checks should validate the data storage lifecycle, and that personally identifiable information is not stored in plain text or at all. Also, well-written failback and failover process documents must be available, and the techniques periodically and rigorously demonstrated.

You can further guarantee product compliance by auditing the tests you carry out with tools that can provide end-to-end traceability, management, and analysis. Make sure that logs that capture all system activity are available to give observability and ease system audit exercises.

How to automate compliance with CI/CD

The best way to automate compliance in your software development organization is to implement a comprehensive continuous integration and continuous delivery (CI/CD) practice. Using automated CI/CD pipelines can accelerate your team’s development. You can also incorporate DevSecOps and compliance best practices into your workflows to create continuous compliance.

Many CI/CD providers encourage a configuration-as-code approach to defining pipelines. This approach helps teams

Your team can also implement role-based access control policies for CI/CD pipelines along with branch and tag filters that restrict who can make changes to pipeline configuration or trigger a release and under what conditions. Most services also offer comprehensive audit logging that allows organizations to retrieve detailed records of system events for reporting purposes.

In addition to traceability and access control benefits, continuous integration enables teams to incorporate a range of third-party security and vulnerability scanning tools into the build and test stages of their pipelines. You can use CircleCI’s orbs to incorporate popular security and vulnerability scanning tools across all stages of your pipeline, with just a few lines of code.

For example, orbs make it straightforward to integrate SAST and DAST scans for vulnerability and compliance management.

At the build stage of your pipeline, you can use the Snyk orb to run static application security testing (SAST) jobs to detect dependency vulnerabilities, compliance, and license issues.

At the deployment stage, you can run dynamic application security testing (DAST) jobs to catch runtime vulnerabilities in production. Tools like Deepfactor and StackHawk provide prioritized insights into application code, package dependencies, web APIs, and compliance with common vulnerabilities and exposures (CVEs) based on actual app behavior.

For teams in highly regulated industries with stringent data protection requirements, you can opt to install continuous integration tooling on premises behind your firewall for added security. Or, if you prefer the flexibility of a hybrid approach, you can set up self-hosted runners to run specific jobs on private infrastructure. With this option, you can automate redundancy steps such as autoscaling during peak demand or switching to other data centers in the event of a regional outage.


Compliance mandates for software delivery define the minimum an organization’s security and business practices must meet or exceed. Different compliance regulations apply to different industries but generally advocate the principle of least privilege, role-based access control, privacy and protection of personally identifiable data, agile and comprehensive testing, and regular audits for observability.

With continuous integration and delivery, you can reduce compliance overhead in the development and delivery of software. CircleCI facilitates compliance best practices like assigning granular role-based permissions, automating security and vulnerability scans, running jobs on private infrastructure, and generating audit logs for events in the system and jobs in your CI/CD pipeline. As a SOC-2 certified and FedRAMP-authorized cloud provider, CircleCI gives organizations in highly regulated industries the confidence they need to move quickly while maintaining security and compliance.

To get started automating your compliance practices and eliminating bottlenecks in your development process, sign up for a free CircleCI plan today.