Overview

Sttor Code Compliance Reports convert scan results into framework-aligned evidence so engineering and security teams can understand readiness and gaps without building custom spreadsheets. A compliance report typically provides:

  1. Control mapping
    • Sttor rules (CODE-xxxx, PACKAGE-xxxx, IAC-xxxx, SECRET-xxxx, etc.) mapped to relevant controls per framework.
  2. Coverage and status
    • What controls are covered by your scans
    • Pass/Fail/Partial indicators based on detected issues and rule outcomes
  3. Evidence drill-down
    • Each failed control links back to concrete findings (file, line, dependency, policy, etc.)
  4. Scoring
    • A compliance score/grade to track improvement over time

Important scoring rule (governance-aware):

  • Findings marked False Positive are treated as not applicable to scoring.
  • Findings marked Ignored / Acceptable Risk are treated as accepted exceptions and do not count against compliance scoring.
  • Only “active” findings (Open / Unresolved) are included in the compliance impact calculation.
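The control mapping, Pass/Fail/Partial indicators and the triage-aware scoring rule above, worked through as an added example (not Sttor's own code or report format). The rule-to-control mapping, the sample findings, the Partial definition and the score weights are constructed assumptions; only the treatment of triage states follows the rule stated on this page.

```python
from collections import defaultdict

# Assumed mapping of Sttor rule IDs to framework controls (constructed, not Sttor's).
RULE_TO_CONTROLS = {
    "CODE-0001": ["SOC2:CC6.1"],
    "SECRET-0002": ["SOC2:CC6.1", "PCI:3.5"],
    "PACKAGE-0003": ["SOC2:CC7.1"],
    "IAC-0004": ["PCI:1.2"],
}

# Triage states that still count against compliance ("active" findings).
ACTIVE_STATES = {"Open", "Unresolved"}
# States excluded from scoring: False Positive is not applicable,
# Ignored / Acceptable Risk are accepted exceptions.
EXCLUDED_STATES = {"False Positive", "Ignored", "Acceptable Risk"}

# Constructed sample findings with drill-down evidence (file, line).
SAMPLE_FINDINGS = [
    {"rule": "CODE-0001", "file": "app/auth.py", "line": 42, "status": "Open"},
    {"rule": "SECRET-0002", "file": ".env", "line": 3, "status": "False Positive"},
    {"rule": "PACKAGE-0003", "file": "requirements.txt", "line": 7, "status": "Acceptable Risk"},
    {"rule": "IAC-0004", "file": "main.tf", "line": 19, "status": "Unresolved"},
]


def active_findings(findings):
    """Keep only findings whose triage state counts toward compliance impact."""
    for f in findings:
        if f["status"] not in ACTIVE_STATES | EXCLUDED_STATES:
            # Fail closed: an unknown state must not silently drop a finding.
            raise ValueError(f"unknown triage state: {f['status']!r}")
    return [f for f in findings if f["status"] in ACTIVE_STATES]


def control_status(findings):
    """Assumed rule: Pass = no active finding on any mapped rule,
    Fail = every mapped rule has an active finding, else Partial."""
    rules_per_control = defaultdict(set)
    for rule, controls in RULE_TO_CONTROLS.items():
        for control in controls:
            rules_per_control[control].add(rule)
    failing_rules = {f["rule"] for f in active_findings(findings)}
    status = {}
    for control, rules in rules_per_control.items():
        hit = rules & failing_rules
        status[control] = "Pass" if not hit else ("Fail" if hit == rules else "Partial")
    return status


def compliance_score(findings):
    """Assumed score: Pass=1, Partial=0.5, Fail=0, as a percentage of mapped controls."""
    statuses = control_status(findings)
    weight = {"Pass": 1.0, "Partial": 0.5, "Fail": 0.0}
    return round(100 * sum(weight[s] for s in statuses.values()) / len(statuses), 1)
```

With the sample data, the False Positive and Acceptable Risk findings leave their controls untouched, so only the Open and Unresolved findings drive the Partial and Fail results and the score.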

Compliance report summary (score + control coverage)