COSA (Compliance Orchestration Situational Awareness) is a multi-part system which allows teams to integrate compliance into a CI/CD pipeline, shift security left (in the DevSecOps process), and track/report progress towards compliance goals. It orchestrates a series of tests, each of which may be automated, manual, or inherited. As a result, it promotes incremental achievement rather than assuming that 100% automation is possible. Multiple control catalogs are supported. Note that COSA is not a scanner - instead, it uses existing scanners to perform that function, recording the results as attachments. - View it on GitHub