firmis compliance - Compliance Evidence Reporting
Synopsis

    firmis compliance report [path] [options]
    firmis compliance frameworks

Description

Auditors want evidence. Generating it manually is slow, error-prone, and miserable. firmis compliance generates it automatically from your scan results.
The report subcommand runs a full scan across your agent stack using all 324 detection rules, then maps every finding to the compliance frameworks you are working against. Each finding is linked to the exact control, article, or requirement it satisfies - with file locations, rule IDs, and timestamps formatted for submission.
The frameworks subcommand lists every supported framework and its controls without running a scan. Use it to understand what coverage you get before committing to a full report run.
Traditional compliance tooling was built for traditional software. It has no concept of what an MCP server is, what prompt injection looks like as a risk to document, or how an EU AI Act Article 13 transparency requirement differs from a GDPR data minimization obligation. Firmis maps your actual agent stack to these actual frameworks.
Supported frameworks: SOC 2, EU AI Act, GDPR, NIST AI RMF, OWASP Agentic Top 10, ISO 42001, MITRE ATLAS.
Examples

List supported frameworks and their controls

    npx firmis compliance frameworks

Generate a full compliance report across all frameworks

    npx firmis compliance report . --output compliance-report.txt

SOC 2 only, saved to file

    npx firmis compliance report . --framework soc2 --output soc2-evidence.txt

JSON output for programmatic processing

    npx firmis compliance report . --format json --output compliance.json

EU AI Act mapping with verbose control detail

    npx firmis compliance report . --framework ai-act --verbose

Scope to a single platform and suppress terminal output

    npx firmis compliance report . --platform mcp --format json --output mcp-compliance.json --quiet

Options

compliance report

| Flag | Type | Default | Description |
|---|---|---|---|
| --framework <name> | string | all frameworks | Filter to one framework. Accepted values: soc2, ai-act, gdpr, nist, owasp, iso42001, mitre-atlas. |
| --format <type> | string | terminal | Output format. terminal for human-readable output; json for programmatic processing or ticketing systems. |
| --output <file> | string | stdout | Write the report to a file instead of stdout. |
| --platform <name> | string | all platforms | Scope the scan to a specific platform only. |
| --quiet | boolean | false | Suppress all terminal output except the final report. |
| --verbose | boolean | false | Show detailed control-level mapping with rule IDs and evidence references. |
compliance frameworks

No options. Prints all supported frameworks and their mapped controls.
Exit Codes

| Code | Meaning |
|---|---|
| 0 | Report generated successfully. |
| 1 | Unknown framework specified via --framework. |
| 1 | Scan or report generation failed with an error. |
See Also

- scan - generate the findings that compliance maps to
- Threat Categories - all 21 categories, each mapped to compliance frameworks
- Compliance Reporting guide - step-by-step walkthrough for preparing an audit submission