Compliance as Code: A Developer's Guide to Automated Compliance
Compliance as code defines and enforces compliance requirements through machine-readable code — learn the principles, tools, and API patterns to automate it
Compliance as Code: A Developer's Guide to Automated Compliance
Compliance as code is the practice of defining, managing, and enforcing compliance requirements through machine-readable code rather than manual processes, spreadsheets, or static documents.
For developers working in B2B software companies, compliance as code means treating security policies, audit evidence, and certification tracking the same way you treat application code — version-controlled, testable, automated, and integrated into your CI/CD pipeline. Instead of a quarterly scramble to collect screenshots and fill audit binders, compliance checks run continuously alongside your deployments.
The Shift from Spreadsheet Compliance to Programmable Compliance
Traditional compliance workflows look like this: a compliance manager maintains a spreadsheet of controls, manually collects evidence before each audit, emails documents to auditors, and hopes nothing has drifted since the last review. This approach worked when companies had a single framework and one audit per year.
It breaks down when you face:
- Multiple overlapping frameworks — ISO 27001, SOC 2, NIS2, and DORA share dozens of controls but require different evidence formats. Manual mapping creates duplication, inconsistency, and inevitable gaps.
- Cloud infrastructure that changes hourly — Infrastructure-as-code deployments can invalidate compliance evidence within minutes. Point-in-time assessments miss configuration drift entirely.
- Enterprise buyers demanding proof before signing — Procurement teams now require security documentation upfront, not after the verbal close. Manually assembling compliance packages for each prospect does not scale.
- Regulations requiring continuous evidence — NIS2 and DORA expect ongoing compliance demonstration, not annual checkbox exercises.
Compliance as code solves these problems by making compliance requirements executable. Instead of a document that says "all production databases must be encrypted at rest," you write a policy check that queries your cloud provider API and fails your deployment if encryption is not enabled.
Key Principles of Compliance as Code
Version Control
Every compliance policy, control definition, and evidence collection script lives in a Git repository. Changes are reviewed through pull requests, approved by the appropriate stakeholders, and tracked with full audit history. When an auditor asks "when did this policy change and who approved it?" the answer is a Git commit.
Automation
Evidence collection, control monitoring, and compliance reporting run automatically — triggered by deployments, scheduled intervals, or API events. No human needs to remember to take a screenshot or update a spreadsheet.
Continuous Monitoring
Rather than checking compliance once per quarter, compliance-as-code systems monitor continuously. When a control drifts out of compliance — an expired certification, a misconfigured access policy, a document that needs updating — the system detects it immediately and alerts the right team.
Testability
Compliance checks are written as testable assertions. Just as you write unit tests for application logic, you write compliance tests for security controls. These tests run in CI/CD and fail the build if a compliance requirement is not met.
Declarative Policies
Instead of procedural runbooks ("log into AWS, navigate to S3, check encryption settings"), compliance-as-code uses declarative policies that define the desired state ("all S3 buckets must have server-side encryption enabled"). The automation layer handles the how.
Compliance as Code vs Traditional GRC Tools
| Capability | Traditional GRC | Compliance as Code |
|---|---|---|
| Policy storage | Word documents, SharePoint | Git repository with version history |
| Evidence collection | Manual screenshots, spreadsheets | Automated API queries and scripts |
| Control monitoring | Periodic manual review | Continuous automated checks |
| Change tracking | Document revision history (if maintained) | Git commits with PR reviews and approvals |
| Audit preparation | Weeks of manual compilation | On-demand generated evidence packages |
| Developer integration | Separate workflow, separate tools | Integrated into CI/CD pipeline |
| Drift detection | Found during next audit | Real-time alerts |
| Framework mapping | Manual cross-referencing | Programmatic mapping with shared evidence |
Traditional GRC tools are valuable for governance workflows, risk registers, and board-level reporting. Compliance as code handles the operational evidence layer — the actual collection, monitoring, and enforcement of controls. Many organizations use both.
How Orbiq Enables Compliance as Code
Orbiq's REST API exposes every trust center operation as a programmable endpoint, making it a natural building block for compliance-as-code workflows. Here is how each API capability maps to compliance-as-code principles:
API-Driven Document Management
Instead of manually uploading compliance documents through a web interface, use the Documents API to publish, version, and manage documents programmatically:
# Upload a new version of your security policy
curl -X POST "$ORBIQ_BASE_URL/documents" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"title": "Information Security Policy v3.2",
"description": "Updated quarterly security policy — approved via PR #847",
"category": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
"access_level": "public"
}'
# Upload the actual file
curl -X PUT "$ORBIQ_BASE_URL/documents/{document_id}/file" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-F "file=@security-policy-v3.2.pdf"
When your security policy changes, a CI/CD step uploads the new version automatically. Your trust center always reflects the latest approved document.
Programmatic Certification Tracking
Track certification status through the API and build automated monitoring:
async function checkCertificationExpiry() {
const response = await fetch(`${ORBIQ_BASE_URL}/certifications`, {
headers: { Authorization: `Bearer ${ORBIQ_API_KEY}` }
});
const { data: certifications } = await response.json();
const thirtyDaysFromNow = new Date();
thirtyDaysFromNow.setDate(thirtyDaysFromNow.getDate() + 30);
for (const cert of certifications) {
const expiry = new Date(cert.expiry_date);
if (expiry <= thirtyDaysFromNow) {
console.log(`WARNING: ${cert.title} expires on ${cert.expiry_date}`);
await notifyComplianceTeam(cert);
}
}
}
Run this as a daily scheduled job. Your compliance team gets notified before certifications lapse — not after an auditor or customer discovers the gap.
Automated Access Request Workflows
Build approval logic that runs automatically when prospects request access to compliance documents:
import requests
def process_access_requests():
response = requests.get(
f"{BASE_URL}/access-requests",
headers={"Authorization": f"Bearer {ORBIQ_API_KEY}"}
)
requests_data = response.json().get("data", [])
approved_domains = ["bigcorp.com", "enterprise.io", "partner.co"]
for req in requests_data:
if req["review_status"] != "to_review":
continue
requester_domain = req.get("email", "").split("@")[-1]
if requester_domain in approved_domains:
requests.patch(
f"{BASE_URL}/access-requests/{req['id']}",
headers={"Authorization": f"Bearer {ORBIQ_API_KEY}"},
json={"review_status": "approved"}
)
else:
notify_security_team(req)
AI-Powered Questionnaire Responses
The Ask API lets you automate security questionnaire responses using your knowledge base as the source of truth:
curl -X POST "$ORBIQ_BASE_URL/ask" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"question": "Do you encrypt data at rest and in transit?",
"question_type": "text"
}'
The response is grounded in your actual compliance data — not hallucinated from general knowledge. For a deep dive into building agentic questionnaire automation, see Agentic AI for Compliance.
Example: CI/CD Pipeline for Compliance
Here is a practical example of compliance as code integrated into a GitHub Actions workflow:
name: Compliance Checks
on:
schedule:
- cron: "0 8 * * 1" # Every Monday at 8am
push:
branches: [main]
paths:
- "policies/**"
- "docs/compliance/**"
jobs:
compliance-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check certification expiry
env:
ORBIQ_API_KEY: ${{ secrets.ORBIQ_API_KEY }}
run: |
node scripts/check-cert-expiry.js
- name: Sync updated policies to trust center
if: github.event_name == 'push'
env:
ORBIQ_API_KEY: ${{ secrets.ORBIQ_API_KEY }}
run: |
node scripts/sync-policies.js
- name: Verify document freshness
env:
ORBIQ_API_KEY: ${{ secrets.ORBIQ_API_KEY }}
run: |
node scripts/check-doc-freshness.js
This pipeline runs on two triggers: a weekly schedule to check certification expiry and document freshness, and on every push to main that modifies policy files to sync updates to your trust center automatically.
Getting Started with Compliance as Code
If you are moving from manual compliance to a code-driven approach, start with these three steps:
-
Inventory your controls and evidence sources. Before automating, list every control you need to maintain and where the evidence lives. Map each control to the API endpoint or data source that can provide evidence programmatically.
-
Automate evidence collection first. The highest-ROI starting point is replacing manual screenshot-taking and spreadsheet-updating with automated API queries. Use Orbiq's Documents and Certifications APIs to keep your trust center current without manual uploads.
-
Add monitoring and alerting. Once evidence collection is automated, add continuous monitoring: certification expiry checks, document freshness validation, and access request processing. These can start as simple cron jobs and evolve into event-driven workflows.
For a step-by-step guide to setting up the API foundations, see How to Build a Trust Center with the Orbiq API. For the agentic AI approach — where AI agents handle compliance workflows autonomously — see Agentic AI for Compliance.
How Orbiq Helps
Orbiq is the API-first trust center platform that makes compliance as code practical. Every trust center operation — document management, certification tracking, NDA workflows, AI-powered questionnaire responses, access request automation, and brand configuration — is exposed through a well-documented REST API at docs.orbiqhq.com.
The platform is EU-hosted, SOC 2 compliant, and designed for developer workflows. Whether you are building compliance checks into your CI/CD pipeline, automating vendor assurance processes, or deploying white-label trust centers for multiple clients, Orbiq's API gives you the building blocks to treat compliance as code rather than compliance as paperwork.
Explore the full API at the Orbiq Developer Hub or read the API reference.
FAQ
What is compliance as code?
Compliance as code is the practice of defining, managing, and enforcing compliance requirements through machine-readable code. Instead of maintaining policies in Word documents and collecting evidence in spreadsheets, compliance as code uses version-controlled scripts, automated API calls, and CI/CD integrations to monitor controls, collect evidence, and enforce policies continuously.
How is compliance as code different from compliance automation?
Compliance automation refers broadly to any software that replaces manual compliance work. Compliance as code is a specific methodology within that umbrella — it emphasizes treating compliance artifacts the same way developers treat application code: version-controlled, testable, reviewable through pull requests, and integrated into CI/CD pipelines. Compliance automation may use a GUI; compliance as code is inherently developer-driven. For more on compliance automation platforms, see the Compliance Automation glossary entry.
What tools do I need for compliance as code?
At minimum, you need a version control system (Git), a CI/CD platform (GitHub Actions, GitLab CI, etc.), and an API-first compliance platform like Orbiq. You write policy checks and evidence collection scripts that run in your pipeline and call the compliance platform's API to sync documents, monitor certifications, and process access requests.
Can compliance as code work for ISO 27001 and SOC 2?
Yes. Both ISO 27001 and SOC 2 define controls that can be monitored and evidenced through automated checks. Technical controls (encryption, access management, logging) are 70–90% automatable. Governance and process controls still require human oversight, but evidence collection and reporting for those controls can be automated. Compliance as code handles the evidence layer; human judgment handles the governance layer.
How do I integrate compliance as code with my existing CI/CD pipeline?
Add compliance checks as pipeline steps alongside your existing build and test stages. For example, add a step that queries the Orbiq Certifications API to verify no certifications are expiring, a step that syncs updated policy documents to your trust center, and a step that validates your security configuration against declared policies. These checks can block deployments (fail the build) or run as advisory notifications depending on your risk tolerance.