Automated compliance checking across coding standards, security requirements, license obligations, and privacy regulations.
Overview¶
The compliance handler performs multi-phase verification using three specialized agents. It is domain-agnostic — all language-specific patterns (naming conventions, deprecated functions, memory/locking patterns) are loaded dynamically from the active domain plugin via DomainRegistry.
Verification phases:
- License Compliance (LicenseDetector) — missing headers, GPL conflicts, incompatible license combinations
- Privacy Compliance (ComplianceValidator) — PII without encryption, missing data retention, logging sensitive data, consent checks
- Security Compliance (ComplianceValidator) — hardcoded credentials, banned crypto (MD5/SHA1/DES), insufficient randomness, missing input validation
- Coding Standards (StandardsChecker) — documentation coverage, naming conventions, cyclomatic complexity (>20), magic numbers
- Graph Analysis (CallGraphAnalyzer) — blast radius of violations, fix risk assessment, impact scoring
Output formats: JSON (structured report in state) and Markdown (localized EN/RU via ComplianceReportFormatter).
Quick Start¶
```bash
# Select Compliance Scenario via CLI or MCP
/select 08
```
CLI¶
```bash
# Run compliance check via standards command
python -m src.cli.import_commands standards report --format md --output compliance.md

# Run compliance check via audit
python -m src.cli audit --db data/projects/myproject.duckdb --language en

# GOST R 71207-2024 qualification testing
python -m src.cli qualification run --suite juliet --juliet-path /path/to/juliet \
    --languages c --cwe CWE-476,CWE-190,CWE-191 --gocpg-path gocpg/gocpg.exe
```
MCP (AI Assistant)¶
```python
codegraph_compliance(query="Check coding standards compliance", db_path="data/projects/myproject.duckdb")
```
GOST R 71207-2024 Qualification Testing¶
CodeGraph now covers the Phase 6 certification-ready workflow for GOST R 71207-2024:
- qualification run --suite juliet executes real GoCPG analysis on the official Juliet suites
- qualification reports compute FP/FN using the GOST formulas
- analysis profiles, analysis scopes, and function-scoped matching are supported end-to-end
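The function-scoped matching and FP/FN computation described above, shown as an added example rather than CodeGraph's own qualification code. It assumes the Juliet C/C++ naming conventions (file names start with the CWE id; entry points end in _bad/_good; file-static good variants are named good1, good2, goodG2B, goodB2G) and defines the rates as the ordinary confusion-matrix ratios over good and bad functions; the GOST R 71207-2024 formulas are not reproduced on this page, so that definition is an assumption to check against the standard. The suite listing and analyzer findings are constructed.

```python
import os
import re
from collections import namedtuple

# Juliet naming conventions (C/C++ suites): the file name starts with the CWE id,
# the public entry points end in "_bad" / "_good", and the file-static good
# variants are named good1, good2, goodG2B, goodB2G.
FILE_RE = re.compile(r"^CWE(\d+)_")
FUNC_RE = re.compile(r"(?:^|_)(bad|good\w*)$")

Finding = namedtuple("Finding", "cwe file function")   # one analyzer result


def juliet_label(file, function):
    """Return (cwe, 'bad' | 'good') for a Juliet test function, or None for
    helpers such as printLine that are not part of any test case."""
    fm = FILE_RE.match(os.path.basename(file))
    gm = FUNC_RE.search(function)
    if not fm or not gm:
        return None
    return f"CWE-{fm.group(1)}", ("bad" if gm.group(1) == "bad" else "good")


def score(suite_functions, findings, cwe):
    """Function-scoped matching for one CWE.

    A finding is credited only if it carries the CWE under test and lands in a
    bad/good function of a test file for that same CWE; findings with another
    CWE, or in helper functions, are ignored rather than counted as hits.
    Rates (assumption: the plain confusion-matrix definitions):
      FP rate = FP / (FP + TN) over good functions
      FN rate = FN / (FN + TP) over bad functions
    """
    flagged = {(f.file, f.function) for f in findings if f.cwe == cwe}
    tp = fp = tn = fn = 0
    for file, function in suite_functions:
        label = juliet_label(file, function)
        if label is None or label[0] != cwe:
            continue
        hit = (file, function) in flagged
        if label[1] == "bad":
            if hit:
                tp += 1
            else:
                fn += 1
        elif hit:
            fp += 1
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "fp_rate": fp / (fp + tn) if fp + tn else 0.0,
        "fn_rate": fn / (fn + tp) if fn + tp else 0.0,
    }


# Constructed sample: three Juliet-style test files plus one helper file.
F476_01 = "CWE476_NULL_Pointer_Dereference__int_01.c"
F476_02 = "CWE476_NULL_Pointer_Dereference__int_02.c"
F190_01 = "CWE190_Integer_Overflow__int_add_01.c"

SUITE = [
    (F476_01, "CWE476_NULL_Pointer_Dereference__int_01_bad"),
    (F476_01, "good1"),
    (F476_01, "CWE476_NULL_Pointer_Dereference__int_01_good"),
    (F476_02, "CWE476_NULL_Pointer_Dereference__int_02_bad"),
    (F476_02, "goodG2B"),
    (F476_02, "goodB2G"),
    (F190_01, "CWE190_Integer_Overflow__int_add_01_bad"),
    (F190_01, "good1"),
    ("testcasesupport/io.c", "printLine"),
]

# Constructed analyzer output: one TP and one FP for CWE-476 (the _02 bad
# function is missed), one TP and one FP for CWE-190, plus a CWE-190 finding in
# a CWE-476 file and a finding in a helper, neither of which may be credited.
FINDINGS = [
    Finding("CWE-476", F476_01, "CWE476_NULL_Pointer_Dereference__int_01_bad"),
    Finding("CWE-476", F476_02, "goodG2B"),
    Finding("CWE-190", F190_01, "CWE190_Integer_Overflow__int_add_01_bad"),
    Finding("CWE-190", F190_01, "good1"),
    Finding("CWE-190", F476_01, "CWE476_NULL_Pointer_Dereference__int_01_bad"),
    Finding("CWE-476", "testcasesupport/io.c", "printLine"),
]

if __name__ == "__main__":
    for cwe in ("CWE-476", "CWE-190"):
        r = score(SUITE, FINDINGS, cwe)
        print(f"{cwe}: TP={r['tp']} FP={r['fp']} TN={r['tn']} FN={r['fn']} "
              f"FP rate={r['fp_rate']:.2%} FN rate={r['fn_rate']:.2%}")
```

With the constructed data the CWE-476 run reports TP=1, FP=1, TN=3, FN=1 (FP rate 25%, FN rate 50%), and the CWE-190 run reports one TP and one FP with no good function left unflagged, so its FP rate is 100%. The cross-CWE finding in the CWE-476 file counts for neither CWE, which is the point of function-scoped matching.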
Observed results on the official Juliet _01 subsets for the covered CWEs (CWE-476, CWE-190, CWE-191):
| Language | Sample | FP rate | FN rate | Status |
|---|---|---|---|---|
| C | 24 | 33.33% | 0.00% | PASS |
| C++ | 4 | 0.00% | 0.00% | PASS |
| Java | 853 | 1.86% | 26.17% | PASS |
| C# | 685 | 16.09% | 15.12% | PASS |
By subtype:
- C: integer_overflow FP 0.00%, FN 0.00%; null_deref FP 50.00%, FN 0.00%
- C++: null_deref FP 0.00%, FN 0.00%
- Java: integer_overflow FP 0.65%, FN 26.57%; null_deref FP 25.00%, FN 14.29%
- C#: integer_overflow FP 16.67%, FN 15.15%; null_deref FP 0.00%, FN 14.29%

The C and C++ samples are small (24 and 4 test cases), so their rates move by several percentage points per test case and should be read as indicative rather than as a stable measurement; the Java and C# figures rest on hundreds of cases.
Coding Standards Compliance¶
Style Violations¶
> Check for coding standard violations
╭─────────────── Style Compliance ────────────────────────────╮
│ │
│ Violations Found: 47 │
│ │
│ By Category: │
│ Naming conventions: 18 │
│ Indentation: 12 │
│ Comment style: 9 │
│ Function length: 8 │
│ │
│ Sample Violations: │
│ │
│ 🟡 src/server/utils/cache.c:234 │
│ Variable 'TempVar' should use snake_case │
│ │
│ 🟡 src/server/executor/hash_join.c:567 │
│ Function exceeds 500 line limit (612 lines) │
│ │
╰──────────────────────────────────────────────────────────────╯
Thresholds from configuration:
- Function length: loc_very_large = 500 lines
- Cyclomatic complexity: high_complexity = 20
- Blast radius (high risk): blast_radius_high = 20 affected methods
API Compatibility¶
> Check for deprecated API usage
╭─────────────── API Compliance ──────────────────────────────╮
│ │
│ Deprecated API Usage: │
│ │
│ 🔴 strcpy() - Use strlcpy/strncpy instead │
│ Locations: 23 occurrences │
│ Blast radius: HIGH (45 transitive callers) │
│ │
│ 🔴 sprintf() - Use snprintf instead │
│ Locations: 45 occurrences │
│ Blast radius: HIGH (78 transitive callers) │
│ │
│ 🟡 gets() - Use fgets instead │
│ Locations: 2 occurrences │
│ Blast radius: LOW (3 callers) │
│ │
│ Remediation: Use safe string functions │
│ │
╰──────────────────────────────────────────────────────────────╯
Deprecated functions are loaded from the domain plugin via DomainRegistry.get_deprecated_functions().
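How the blast-radius figures in the box above can be derived from a call graph, as an added example that is not CodeGraph's CallGraphAnalyzer or DomainRegistry code. The deprecated-function table is a constructed stand-in for what DomainRegistry.get_deprecated_functions() would return for a C domain, the call graph is constructed, and the HIGH/LOW classification assumes the blast_radius_high = 20 threshold is compared with >=.

```python
from collections import deque

# Constructed stand-in for DomainRegistry.get_deprecated_functions() in a C domain:
# deprecated API -> suggested replacement.
DEPRECATED = {"strcpy": "strlcpy/strncpy", "sprintf": "snprintf", "gets": "fgets"}
BLAST_RADIUS_HIGH = 20   # blast_radius_high from the configuration thresholds above


def reverse_edges(call_graph):
    """call_graph maps caller -> set of callees; return callee -> set of callers."""
    callers = {}
    for caller, callees in call_graph.items():
        for callee in callees:
            callers.setdefault(callee, set()).add(caller)
    return callers


def transitive_callers(callers_of, target):
    """Every function that can reach `target` through one or more calls: BFS over
    the reversed graph, with a visited set so cycles and shared paths terminate."""
    seen, queue = set(), deque(callers_of.get(target, ()))
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(callers_of.get(fn, ()))
    return seen


def analyze_deprecated(call_graph, deprecated=DEPRECATED, high=BLAST_RADIUS_HIGH):
    """One entry per deprecated API that is actually called. 'call_sites' counts
    distinct calling functions (not textual occurrences); 'blast_radius' is the
    transitive caller count, HIGH when it reaches the threshold (assumed >=)."""
    callers_of = reverse_edges(call_graph)
    report = {}
    for api, replacement in deprecated.items():
        direct = callers_of.get(api, set())
        if not direct:
            continue
        radius = len(transitive_callers(callers_of, api))
        report[api] = {
            "replacement": replacement,
            "call_sites": len(direct),
            "blast_radius": radius,
            "risk": "HIGH" if radius >= high else "LOW",
        }
    return report


def sample_call_graph():
    """Constructed graph: 22 request handlers share one parser that uses strcpy
    and sprintf, while gets() sits on a short interactive path."""
    g = {
        "copy_name": {"strcpy"},
        "format_log": {"sprintf"},
        "read_line": {"gets"},
        "parse_request": {"copy_name", "format_log"},
        "cli_prompt": {"read_line"},
        "main": {"cli_prompt"},
    }
    for i in range(22):
        g[f"handle_{i}"] = {"parse_request"}
        g["main"].add(f"handle_{i}")
    return g


if __name__ == "__main__":
    for api, info in analyze_deprecated(sample_call_graph()).items():
        print(f"{api}() - use {info['replacement']}: {info['call_sites']} call site(s), "
              f"blast radius {info['risk']} ({info['blast_radius']} transitive callers)")
```

On the constructed graph strcpy and sprintf each have a single call site but 25 transitive callers (the parser, the 22 handlers, and main), so both are HIGH, while gets() is reachable from only three functions and is LOW. This is why the fix-risk ordering follows the graph rather than the raw occurrence count: a single strcpy behind a shared parser affects far more code than a dozen in leaf functions.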
Security Compliance¶
CWE Mapping¶
> Map findings to CWE identifiers
╭─────────────── CWE Mapping ─────────────────────────────────╮
│ │
│ Common Weakness Enumeration Findings: │
│ │
│ CWE-798 (Hardcoded Credentials): 2 occurrences │
│ CRITICAL — hardcoded secrets in source │
│ │
│ CWE-89 (SQL Injection): 3 occurrences │
│ Missing parameterized queries │
│ │
│ CWE-120 (Buffer Overflow): 5 occurrences │
│ Unbounded string operations │
│ │
│ CWE-338 (Insufficient Randomness): 1 occurrence │
│ Non-cryptographic PRNG for security │
│ │
│ CWE-476 (NULL Pointer Deref): 12 occurrences │
│ Missing NULL checks after allocation │
│ │
╰──────────────────────────────────────────────────────────────╯
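A first-pass version of the security-compliance checks feeding the CWE mapping above, as an added example and not the handler's own ComplianceValidator. It runs four rule families over a constructed C source sample: hardcoded credentials (CWE-798), banned MD5/SHA1/DES calls (mapped here to CWE-327, the standard MITRE id for broken or risky crypto, which is this example's choice since the page does not give an id for that check), non-cryptographic PRNGs (CWE-338), and unbounded string operations (CWE-120). The regexes are the example's own heuristics; SQL injection (CWE-89) and NULL dereference (CWE-476) need data-flow or graph analysis and are deliberately not attempted with pattern matching.

```python
import re
from collections import Counter

# Rule table: (CWE, severity, description, pattern). CWE ids are MITRE's; the
# regexes are this example's own heuristics and will need tuning per code base.
RULES = [
    ("CWE-798", "CRITICAL", "hardcoded credential",
     re.compile(r'\b\w*(password|passwd|secret|api_?key|token)\w*\s*=\s*"[^"]+"', re.I)),
    ("CWE-327", "HIGH", "banned crypto algorithm (MD5/SHA1/DES)",
     re.compile(r"\b(MD5|SHA1|DES)(_\w+)?\s*\(")),
    ("CWE-338", "HIGH", "non-cryptographic PRNG used for a security value",
     re.compile(r"\b(rand|srand|random|rand_r)\s*\(")),
    ("CWE-120", "HIGH", "unbounded string operation",
     re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\(")),
]


def scan(source, path="<input>"):
    """Return one finding per (line, rule) pair; a line that trips two different
    rules yields two findings, a line with two hits of the same rule yields one."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for cwe, severity, desc, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"file": path, "line": lineno, "cwe": cwe,
                                 "severity": severity, "rule": desc,
                                 "match": m.group(0).strip()})
    return findings


def summarize(findings):
    """Occurrence count per CWE, the shape shown in the CWE Mapping box."""
    return dict(Counter(f["cwe"] for f in findings))


# Constructed sample: each non-trivial line exercises one rule; the printf line
# and the empty-password line are there to show what must NOT be flagged.
SAMPLE_C = """\
#include <string.h>
#include <stdlib.h>
static const char *db_password = "hunter2";
void digest(const unsigned char *buf, size_t n, unsigned char *out) {
    MD5_CTX ctx; MD5_Init(&ctx); MD5_Update(&ctx, buf, n); MD5_Final(out, &ctx);
}
int session_token(void) { srand((unsigned)time(NULL)); return rand(); }
void copy_user(char *dst, const char *src) { strcpy(dst, src); }
void read_cmd(char *line) { gets(line); }
void log_user(const char *name) { printf("user=%s", name); }
static void legacy_cipher(DES_key_schedule *ks, DES_cblock *key) { DES_set_key_unchecked(key, ks); }
"""

if __name__ == "__main__":
    results = scan(SAMPLE_C, "sample.c")
    for f in results:
        print(f"{f['severity']:8} {f['cwe']:8} {f['file']}:{f['line']}  {f['rule']}  [{f['match']}]")
    print(summarize(results))
```

On the sample this yields CWE-798: 1, CWE-327: 2, CWE-338: 1, CWE-120: 2. Two details matter in practice: the credential rule requires a non-empty string literal, so `password = ""` placeholders do not fire, and the crypto rule anchors on a call (`MD5_Init(`, `DES_set_key_unchecked(`) so identifiers such as `DESCRIBE(` are not hit. Pattern rules like these are the cheap first pass; confirming that the PRNG output actually reaches a security decision, or that the strcpy destination is really unbounded, is graph work.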
OWASP Categories¶
The handler checks for common vulnerability patterns mapped to OWASP categories:
| Category | What is Checked |
|---|---|
| Injection (A03) | SQL injection, command injection, format string |
| Broken Authentication | Hardcoded credentials, weak password handling |
| Sensitive Data Exposure | PII without encryption, logging sensitive data |
| Broken Access Control | Missing authorization checks |
| Security Misconfiguration | Banned crypto algorithms (MD5, SHA1, DES per NIST) |
| Insufficient Logging | Missing audit trail for security events |
License Compliance¶
> Check license compliance
╭─────────────── License Compliance ──────────────────────────╮
│ │
│ License Analysis: │
│ │
│ 🔴 CRITICAL: GPL conflict in proprietary module │
│ src/server/contrib/extension.c — GPL-3.0 header │
│ Project license: MIT — incompatible │
│ │
│ 🟡 WARNING: Missing license headers │
│ 12 files without SPDX license identifiers │
│ │
│ ✅ PASSED: No incompatible license combinations │
│ │
╰──────────────────────────────────────────────────────────────╯
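How the three license findings in the box above (a copyleft file in a permissively licensed project, files without an SPDX identifier, and the absence of incompatible combinations) can be produced from file headers, as an added example that is not CodeGraph's LicenseDetector. It assumes a project-level license string and a small compatibility table of the example's own: any GPL/AGPL file inside a project that is not itself copyleft is reported as a conflict, and Apache-2.0 and GPL-3.0 code are reported as incompatible with a GPL-2.0-only project (per the FSF license list). Pre-SPDX GPL boilerplate is recognised as a fallback; LGPL boilerplate is deliberately not promoted to a conflict. The file contents are constructed.

```python
import re
from collections import Counter

SPDX_RE = re.compile(
    r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+(?:\s+(?:AND|OR|WITH)\s+[A-Za-z0-9.+\-]+)*)")
# Pre-SPDX GPL boilerplate ("... under the terms of the GNU General Public License").
# Does not match the LGPL wording: weak copyleft is not a conflict in this model.
GPL_TEXT_RE = re.compile(r"GNU (?:Affero )?General Public License")

COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
            "AGPL-3.0-only", "AGPL-3.0-or-later"}
# Known one-way incompatibilities between otherwise-open licenses (FSF license list):
# Apache-2.0 and GPL-3.0 code cannot be combined into a GPL-2.0-only work.
INCOMPATIBLE_WITH = {"GPL-2.0-only": {"Apache-2.0", "GPL-3.0-only", "GPL-3.0-or-later"}}


def detect_license(text, header_lines=10):
    """Inspect only the file header. Returns (identifier, 'spdx' | 'legacy') or (None, None)."""
    head = "\n".join(text.splitlines()[:header_lines])
    m = SPDX_RE.search(head)
    if m:
        return m.group(1), "spdx"
    if GPL_TEXT_RE.search(head):
        return "GPL (non-SPDX header)", "legacy"
    return None, None


def check_licenses(files, project_license):
    """files: {path: source text}. One finding dict per problem file, sorted by path."""
    findings = []
    for path in sorted(files):
        lic, kind = detect_license(files[path])
        if lic is None:
            findings.append({"file": path, "severity": "WARNING", "kind": "missing-header",
                             "detail": "no SPDX-License-Identifier in the first 10 lines"})
        elif kind == "spdx" and re.search(r"\s(AND|OR|WITH)\s", lic):
            # Dual/compound licensing needs a human decision, not an automatic verdict.
            findings.append({"file": path, "severity": "INFO", "kind": "expression",
                             "detail": f"license expression '{lic}' needs manual review"})
        elif (lic in COPYLEFT or kind == "legacy") and project_license not in COPYLEFT:
            findings.append({"file": path, "severity": "CRITICAL", "kind": "conflict",
                             "detail": f"{lic} file inside a {project_license} project"})
        elif lic in INCOMPATIBLE_WITH.get(project_license, ()):
            findings.append({"file": path, "severity": "CRITICAL", "kind": "conflict",
                             "detail": f"{lic} is incompatible with {project_license}"})
    return findings


# Constructed file set for an MIT-licensed project.
SAMPLE_FILES = {
    "src/core/buffer.c": "// SPDX-License-Identifier: MIT\n#include <stdlib.h>\n",
    "src/server/contrib/extension.c": "/* SPDX-License-Identifier: GPL-3.0-only */\n#include <stdio.h>\n",
    "src/server/utils/cache.c": "#include <stdint.h>\n/* no license header at all */\n",
    "src/vendor/legacy.c": "/* This program is free software; you can redistribute it and/or modify\n"
                           " * it under the terms of the GNU General Public License. */\n",
    "src/vendor/lgpl_helper.c": "/* Licensed under the terms of the GNU Lesser General Public License. */\n",
    "src/server/dual.c": "// SPDX-License-Identifier: MIT OR Apache-2.0\n",
}

if __name__ == "__main__":
    for f in check_licenses(SAMPLE_FILES, "MIT"):
        print(f"{f['severity']:8} {f['kind']:15} {f['file']}: {f['detail']}")
```

For the MIT project this reports two conflicts (the SPDX-tagged GPL-3.0-only file and the legacy GPL boilerplate), two missing headers (the untagged file and the LGPL file, which has no SPDX tag but is not a conflict), and one expression to review. Running the same check with project_license set to GPL-2.0-only turns an Apache-2.0 file into a conflict, while under GPL-3.0-only it passes, which is the distinction a fixed "GPL vs. everything" rule would miss.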
Privacy Compliance¶
> Check privacy regulation compliance
╭─────────────── Privacy Compliance ──────────────────────────╮
│ │
│ Privacy Analysis: │
│ │
│ 🔴 CRITICAL: PII stored without encryption │
│ Personal data fields lack encryption (GDPR Art. 32) │
│ │
│ 🔴 CRITICAL: Logging sensitive data │
│ Password/SSN/credit card data in log output │
│ │
│ 🟡 HIGH: Missing data retention policy │
│ No TTL/cleanup for personal data (GDPR Art. 5) │
│ │
│ 🟡 HIGH: Missing user consent checks │
│ No consent verification before data processing │
│ (GDPR Art. 7) │
│ │
╰──────────────────────────────────────────────────────────────╯
Documentation Compliance¶
Comment Coverage¶
> Check documentation coverage
╭─────────────── Documentation Compliance ────────────────────╮
│ │
│ Comment Coverage Analysis: │
│ │
│ Overall coverage: 67% │
│ │
│ By Module: │
│ core/: 78% ✅ │
│ parser/: 72% ✅ │
│ optimizer/: 65% 🟡 │
│ storage/: 54% 🔴 │
│ utils/: 48% 🔴 │
│ │
│ Missing Documentation: │
│ - 23 public functions without comments │
│ - 8 complex functions without algorithm explanation │
│ │
╰──────────────────────────────────────────────────────────────╯
Example Questions¶
- “Check for coding standard violations”
- “Find deprecated API usage”
- “Map findings to CWE identifiers”
- “Check license compliance”
- “Check privacy regulation compliance”
- “Verify documentation coverage”
- “What functions have hardcoded credentials?”
Related Scenarios¶
- Security Audit - Deep security analysis
- Code Review - Review compliance
- Tech Debt - Technical debt assessment