The Compliance Dashboard provides a centralized view of your organization's policy compliance across all IaC, Configuration, and Kubernetes projects. It aggregates policy check results, calculates a posture score, and lets you generate and share PDF reports.
ops0 tracks compliance at two points in the infrastructure lifecycle:
| Point | When | What's checked |
|---|---|---|
| Deployment-time | During every IaC or Configuration deploy | Policies evaluated against the Terraform plan or configuration state before apply runs |
| Post-deployment | After apply completes | Policy check results recorded against the final deployed state |
Both types of results flow into the compliance dashboard. A project is non-compliant if any policy check has failed. A project is unmonitored if no policies are attached to it.
The compliance page uses a three-panel layout:
| Panel | Content |
|---|---|
| Left | Policy Group Tree — browse policy groups and compliance frameworks |
| Center | Detail view — policies, controls, and violation details for the selected group |
| Right | Project coverage — which projects are mapped to the selected group |
Each panel can be collapsed using the toggle arrow at its edge. Collapsing the left panel gives more space to the detail view. Collapsing the right panel is useful when you want to focus on policy details without the project coverage list.
Click the Trend icon in the compliance header to open the Trend Analytics modal. This shows compliance metric history over time — useful for tracking whether your posture is improving or regressing week over week.
Trend analytics requires sufficient historical policy check data. The feature shows data from the past 30 days and may show limited results for newly configured organizations.
Click Executive Dashboard in the compliance header to open a summary view designed for leadership and auditors. It condenses the compliance posture into a single-page view covering:
This view is also available as a section in the PDF Organization Report.
The header shows organization-wide metrics:
| Metric | Description |
|---|---|
| Posture Score | (compliant projects / monitored projects) × 100. Projects with no policies are excluded from the denominator. |
| Risk Rating | Derived from the distribution of violation severities: Low, Medium, High, or Critical |
| Control Coverage | Percentage of framework controls that have at least one policy mapped |
| Compliant Projects | Count of projects with zero active policy violations |

| State | Meaning |
|---|---|
| Compliant | All policy checks pass |
| Non-compliant | One or more policy checks failed |
| Unmonitored | No policies are mapped to this project |
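The state rules and the Posture Score formula above can be worked through on sample data. This is an added illustration, not ops0 code: the input shape (one pass/fail boolean per attached policy check, an empty list meaning no policies are attached) and the project names are assumptions. It shows that unmonitored projects do not lower the score, so the number of unmonitored projects should be read alongside it.

```python
def project_state(check_results):
    """check_results: one bool per attached policy check (True = pass)."""
    if not check_results:
        return "Unmonitored"          # no policies mapped to the project
    return "Compliant" if all(check_results) else "Non-compliant"


def posture(projects):
    """projects: {name: [bool, ...]} -> header-style metrics."""
    states = {name: project_state(r) for name, r in projects.items()}
    monitored = [n for n, s in states.items() if s != "Unmonitored"]
    compliant = [n for n in monitored if states[n] == "Compliant"]
    # Unmonitored projects are excluded from the denominator; with nothing
    # monitored there is no score to report (avoid dividing by zero).
    score = round(100 * len(compliant) / len(monitored), 1) if monitored else None
    return {
        "states": states,
        "posture_score": score,
        "compliant_projects": len(compliant),
        "unmonitored": sorted(n for n, s in states.items() if s == "Unmonitored"),
    }


# Constructed sample data (hypothetical project names).
ORG = {
    "net-core": [True, True],
    "billing": [True, False, True],   # one failed check -> Non-compliant
    "k8s-prod": [True],
    "sandbox": [],                    # no policies attached
    "legacy": [],
}
# One monitored project out of five still yields a score of 100.
MOSTLY_UNMONITORED = {"net-core": [True], "a": [], "b": [], "c": [], "d": []}

if __name__ == "__main__":
    for org in (ORG, MOSTLY_UNMONITORED, {}):
        result = posture(org)
        print(result["posture_score"], result["compliant_projects"],
              result["unmonitored"])
```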
Navigate to Compliance → [project] to see the detailed compliance view for a single project:
For each failed policy check, violations include the resource address (e.g., aws_s3_bucket.data) alongside the violation message. This lets you pinpoint exactly which resource is non-compliant rather than just which policy failed.
Policy severity maps to compliance violation priority:
| Policy Severity | Violation Priority |
|---|---|
| Error | Critical / High |
| Warning | Medium |
| Info | Low |

| Filter | Options |
|---|---|
| Severity | Critical, High, Medium, Low |
| Project | Select specific project |
| Policy | Select specific policy |
| Date Range | Last 24h, 7d, 30d, custom |
Both report types generate as PDF documents with professional formatting — including executive summary, infrastructure inventory, policy evaluation results, violation details, and remediation recommendations.
| Report | Scope | Contents |
|---|---|---|
| Project Report | Single project | Posture score, policy check results, violations, remediation steps |
| Organization Report | All projects | Executive summary, risk assessment, per-project breakdown, framework coverage |
Open the Compliance page.
Select Project Report or Organization Report.
The report generates and downloads immediately.
Share compliance reports with external stakeholders — auditors, customers, or leadership — through secure, password-protected links.
From the compliance page, click the Share button.
| Option | Description |
|---|---|
| Password | Required — protects the shared report |
| Password Hint | Optional — shown on the access page |
| Expiration | When the link stops working |
| Max Views | Maximum number of times the report can be accessed |
Choose which sections to include in the shared snapshot:
Copy the generated URL and send it to stakeholders.
Recipients visit the URL, enter the password, and see a read-only snapshot of the compliance data at the time the link was created. All accesses are logged with IP address and timestamp.
View all active links at Compliance → Share → Manage Links:
ops0 includes 38 built-in compliance frameworks with pre-written Rego policies. Import a framework to create a policy group containing all its controls.
| Platform | Notes |
|---|---|
| AWS | Terraform and CloudFormation variants |
| Azure | Terraform variant |
| GCP | Terraform variant |
| Oracle Cloud | Terraform variant |
| Kubernetes | Kyverno-based cluster controls |
| Ansible | Configuration-management controls |
Available for AWS, GCP, Azure, and Oracle Cloud:
| Framework | Description |
|---|---|
| SOC 2 | SOC 2 Type II controls for security, availability, and confidentiality |
| HIPAA | HIPAA Security Rule technical safeguards |
| GDPR | GDPR data protection technical controls |
| ISO 27001 | ISO/IEC 27001 information security controls |
| ISO 27002 | ISO/IEC 27002 security practice controls |
AWS frameworks additionally have CloudFormation variants for teams using CloudFormation instead of Terraform.
| Standard | Description |
|---|---|
| NSA Kubernetes Hardening | NSA/CISA Kubernetes Hardening Guidance |
| Pod Security Standards (PSS) | Kubernetes Pod Security Standards |

| Standard | Description |
|---|---|
| STIG Ansible | DISA STIG compliance checks for Ansible |
Make sure the fix was deployed, then check the latest policy check result. If the resource address changed (e.g. after a rename), the old violation may remain until the next scan.
The posture score updates after each deployment triggers a policy check. Check the per-project compliance view for the most recent check timestamp.
Verify the policy's package name is unique. A duplicate package name causes silent evaluation failure. Also confirm the policy is enabled and mapped to the project.
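Because a duplicate package name fails silently, it is worth checking for one before policies are uploaded. The following is an added example, not part of ops0: it scans Rego sources for their `package` declaration and reports packages declared by more than one file, plus files with no declaration. The file names and policy bodies are constructed, and `load_dir` is a hypothetical helper for running the same check over a local directory.

```python
import re
from collections import defaultdict
from pathlib import Path

# First "package a.b.c" declaration that starts a line; a commented-out
# declaration ("# package ...") starts with "#" and is therefore skipped.
PACKAGE_RE = re.compile(r"^[ \t]*package[ \t]+([A-Za-z_][\w.]*)", re.MULTILINE)


def package_of(source):
    """Return the declared Rego package path, or None if there is none."""
    match = PACKAGE_RE.search(source)
    return match.group(1) if match else None


def audit_packages(policies):
    """policies: {file name: Rego source} -> (duplicates, missing)."""
    by_package = defaultdict(list)
    missing = []
    for name, source in sorted(policies.items()):
        pkg = package_of(source)
        if pkg is None:
            missing.append(name)
        else:
            by_package[pkg].append(name)
    duplicates = {p: names for p, names in by_package.items() if len(names) > 1}
    return duplicates, missing


def load_dir(root):
    """Hypothetical helper: read every *.rego file under a local directory."""
    return {str(p): p.read_text(encoding="utf-8") for p in Path(root).rglob("*.rego")}


# Constructed sample policies (names and rule bodies are illustrative only).
SAMPLE = {
    "s3_encryption.rego": 'package compliance.s3\ndeny[msg] { msg := "unencrypted" }\n',
    "s3_logging.rego": '# package compliance.old\npackage compliance.s3\ndeny[msg] { msg := "no logging" }\n',
    "iam_mfa.rego": 'package compliance.iam\ndeny[msg] { msg := "mfa disabled" }\n',
    "notes.rego": "# draft, no package declared yet\n",
}

if __name__ == "__main__":
    dupes, no_pkg = audit_packages(SAMPLE)
    for pkg, names in dupes.items():
        print(f"duplicate package {pkg}: {', '.join(names)}")
    for name in no_pkg:
        print(f"no package declaration: {name}")
```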
Create a new share link. Existing links cannot be reactivated after they expire or are revoked.