The $0 Compliance Stack
Passing Enterprise Audits Using Only Open Source
The Lie We’re All Sold
“You need expensive GRC tools to pass enterprise audits.”
Reality:
Auditors don’t care about tools
They care about controls, traceability and evidence
Compliance ≠ Software
Compliance = Verifiable system behaviour
Core Philosophy: Compliance-by-Construction
Instead of:
Manual screenshots
Jira tickets
Excel risk registers
Design systems where:
Evidence is produced automatically
Controls are enforced at runtime
Audits become read-only queries
The Compliance Stack
🔐 Identity & Access (ISO A.5, A.9 | PCI 7, 8)
Control Goal |
Open Source |
|---|---|
| Central identity | Keycloak |
| MFA / SSO | Keycloak + WebAuthn |
| Service identity | SPIFFE / SPIRE |
| RBAC enforcement | Kubernetes native RBAC |
📦 Source Control & CI/CD (ISO A.8, A.12 | PCI 6)
Control |
Open Source |
|---|---|
| Git integrity | Git + signed commits |
| CI/CD | GitHub Actions / GitLab CI |
| Secrets | HashiCorp Vault |
| IaC scanning | Checkov |
| SAST | Semgrep |
🐳 Runtime & Infrastructure (ISO A.12, A.13 | PCI 2, 10)
Area |
Open Source |
|---|---|
| Orchestration | Kubernetes |
| Network policy | Cilium |
| Runtime security | Falco |
| Admission control | Kyverno |
| eBPF telemetry | Cilium + Falco |
📊 Logging, Monitoring & Evidence (ISO A.12, A.16 | PCI 10)
Need |
Open Source |
|---|---|
| Logs | Loki |
| Metrics | Prometheus |
| Traces | OpenTelemetry |
| Dashboards | Grafana |
| SIEM-lite | Wazuh |
📁 Evidence Storage (ISO A.7, A.18 | PCI 12)
Requirement |
Open Source |
|---|---|
| WORM storage | MinIO (Object Lock) |
| Retention policies | Lifecycle rules |
| Audit trails | Hash-based integrity |
Real-World System Design
Key Insight: Auditors never touch production; they interrogate evidence APIs
ISO-27001 & PCI-DSS Control Mapping
Example: ISO-27001 A.12.4 (Logging)
Requirement |
Implementation |
|---|---|
| Event logging | Loki |
| Access logs | Kubernetes Audit Logs |
| Integrity | Object Lock |
| Review | Grafana dashboards |
Example: PCI-DSS 10.2 (Audit Trails)
Requirement |
Implementation |
|---|---|
| User actions | Keycloak + K8s audit |
| System events | Falco |
| Retention | MinIO Object Lock |
| Alerting | Prometheus |
What Auditors Actually Said
“This is one of the cleanest evidence trails we’ve seen.”
Why?
No human-generated artifacts
No subjective interpretation
Everything timestamped, immutable and reproducible
Why This Scales Better Than Paid GRC Tools
Paid GRC |
$0 Stack |
|---|---|
| Manual updates | Auto-generated |
| Screenshot culture | Telemetry culture |
| Lagging indicators | Real-time controls |
| Vendor lock-in | Architecture ownership |
The Hard Truth
If your compliance fails when Jira is down, you were never compliant
In conclusion, this isn’t a “cost-saving hack”. It’s how high-trust, high-scale systems are designed when:
Security is non-negotiable
Audits are frequent
Engineering time is sacred
so overall, Compliance didn’t get cheaper. It just got engineered ;)
