
Developer-native compliance with OSCAL Compass and Backstage

No developer likes writing compliance documentation. Worse still is hand-collecting evidence with screenshots from production environments. This applies just as much to auditors as it does to developers! The dream is full compliance automation hidden from developers, but achieving this means enforcing a rigid development environment — one developers run away from.

Internal developer portals such as Backstage turn the "standard" approach into software templates, so that good security posture becomes the path of least resistance while still allowing flexibility where it is justified. OSCAL Compass, a CNCF Sandbox project, extends this to compliance: its tooling produces and validates compliance artifacts as machine-readable documents in the OSCAL standard (NIST's Open Security Controls Assessment Language) instead of hand-written prose.

This talk demonstrates how combining these two CNCF projects lets developers produce correct compliance artifacts without leaving their ecosystem. The speakers bring two perspectives: an automation-friendly compliance auditor, and a developer who wants to write less documentation.
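As an added illustration of what a "machine-readable compliance artifact" looks like in practice (this is example code written for this page, not code from the talk, from Backstage or from OSCAL Compass): a script that takes a Backstage catalog entity and emits a minimal OSCAL component-definition whose implemented-requirements are derived from an entity annotation. The annotation keys example.com/oscal-controls and example.com/oscal-source, the catalog URL, the service name and the OSCAL version string are assumptions; OSCAL Compass itself is not invoked, and the catalog entity is a constructed sample rather than a real catalog-info.yaml.

```python
"""Added example: emit a minimal OSCAL component-definition from a Backstage
catalog entity.  Not code from the talk, Backstage or OSCAL Compass; the
annotation keys, catalog URL and service name below are assumptions."""
import json
import re
import uuid
from datetime import datetime, timezone

OSCAL_VERSION = "1.1.2"  # assumed target version of the OSCAL schema
# Accept ids such as ac-2 or ac-2.1; anything else is rejected rather than
# silently emitted into a document an auditor will rely on.
CONTROL_ID = re.compile(r"^[a-z]{2}-\d+(\.\d+)?$")

# Constructed catalog-info.yaml content, in the dict form Backstage's catalog
# API returns.  The example.com/* annotation keys are hypothetical.
CATALOG_ENTITY = {
    "apiVersion": "backstage.io/v1alpha1",
    "kind": "Component",
    "metadata": {
        "name": "payments-api",
        "description": "Internal payments service",
        "annotations": {
            "example.com/oscal-controls": "ac-2, ac-6, AU-2",
            "example.com/oscal-source": "https://example.com/catalogs/example.json",
        },
    },
    "spec": {"type": "service", "owner": "team-payments"},
}

# Deterministic (uuid5) identifiers: regenerating the document from the same
# entity yields the same UUIDs, so diffs show real changes only.
NAMESPACE = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")  # RFC 4122 DNS namespace


def stable_uuid(*parts: str) -> str:
    return str(uuid.uuid5(NAMESPACE, "/".join(parts)))


def parse_controls(raw: str) -> tuple[list[str], list[str]]:
    """Split the comma-separated annotation, normalise case, and return
    (valid_ids, rejected_tokens)."""
    valid, rejected = [], []
    for token in raw.split(","):
        cid = token.strip().lower()
        if not cid:
            continue
        (valid if CONTROL_ID.match(cid) else rejected).append(cid)
    return valid, rejected


def component_definition(entity: dict) -> dict:
    """Build an OSCAL component-definition document for one catalog entity.
    Raises ValueError if the annotation carries a malformed control id."""
    meta = entity["metadata"]
    ann = meta.get("annotations", {})
    controls, rejected = parse_controls(ann.get("example.com/oscal-controls", ""))
    if rejected:
        raise ValueError(f"invalid control ids in annotation: {rejected}")
    name = meta["name"]
    source = ann["example.com/oscal-source"]
    owner = entity.get("spec", {}).get("owner", "unknown")
    return {
        "component-definition": {
            "uuid": stable_uuid("component-definition", name),
            "metadata": {
                "title": f"Component definition for {name}",
                "last-modified": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "version": "1.0.0",
                "oscal-version": OSCAL_VERSION,
            },
            "components": [{
                "uuid": stable_uuid("component", name),
                "type": entity.get("spec", {}).get("type", "service"),
                "title": name,
                "description": meta.get("description", ""),
                "control-implementations": [{
                    "uuid": stable_uuid("control-implementation", name, source),
                    "source": source,
                    "description": f"Controls declared by the {name} catalog entity",
                    "implemented-requirements": [
                        {
                            "uuid": stable_uuid("implemented-requirement", name, cid),
                            "control-id": cid,
                            "description": f"{name} (owner: {owner}) implements {cid}",
                        }
                        for cid in controls
                    ],
                }],
            }],
        }
    }


if __name__ == "__main__":
    print(json.dumps(component_definition(CATALOG_ENTITY), indent=2))
```

The point of the deterministic UUIDs and the strict control-id check is that this document is meant to be committed next to the service's code and reviewed like code: a regenerated artifact should diff cleanly, and a typo in the annotation should fail the template step rather than appear as a phantom control in an assessment.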

Ethan Troy

Principal @ Fortreum | Cloud Security Compliance and Automation

Orlando, Florida, United States

