SOC2-Copilot

🧩 SOC2-Copilot — AI-Powered Code & Cloud Compliance Enforcer

Automating Secure Coding, SOC 2 Auditing, and Cloud Compliance through Bedrock + Semgrep using Strands Agents

🚀 Inspiration

Security scanning is everywhere — but compliance isn’t. Most teams can detect insecure code, yet still fail audits because mapping those findings to SOC 2 controls, documenting remediations, and maintaining compliance across codebases, S3 buckets, and cloud workloads is tedious and inconsistent.

We built SOC2-Copilot to fix that — a secure AI assistant that bridges code-level detection with cloud-level compliance enforcement, creating a continuous, automated path to SOC 2 readiness.

💡 What It Does

SOC2-Copilot serves as a compliance enforcer for both local repositories and cloud systems, combining Semgrep and AWS Bedrock (Claude 3.5 Sonnet) to automatically detect, explain, and even fix issues — all mapped to SOC 2 principles. • 🧠 Scans your code and cloud files (S3, Drive, local repos) for violations and vulnerabilities. • 🔍 Maps findings to SOC 2 controls like Logical Access, Change Management, and Confidentiality. • 💬 Explains issues in plain English through a Bedrock-based LLM agent trained to reason about security best practices. • 🔧 Applies automatic, non-destructive fixes — saving .autofix versions of files that meet compliance. • ☁️ Performs full-cloud compliance scans, correlating misconfigurations in AWS S3, IAM, and storage policies with your source-level vulnerabilities. • 📊 Generates audit-ready reports with clear severity breakdowns, control mappings, and fix traces.

🏗️ How We Built It • Semgrep CLI provides deep static analysis of codebases and cloud IaC files. • A Python agent framework (semgrep_agents.py) orchestrates findings and communicates with AWS Bedrock via the Converse API. • The Instruction Agent turns Semgrep JSON into precise, actionable security remediations — one per file, never hallucinated. • The Autofix Agent parses those instructions and safely edits the source or config files, producing audit-safe .autofix copies. • The Cloud Compliance Module enumerates files from connected S3 buckets or cloud repos, runs Semgrep scans remotely, and merges results with local compliance data. • Each fix and scan is tagged with SOC 2 control references for direct mapping in audit exports.

🧱 Challenges We Ran Into • Cloud credential resolution: integrating both IAM credentials and Bedrock bearer tokens cleanly. • LLM hallucination prevention: enforcing real-file-only edits with allowed_files and structured JSON validation. • Autofix safety: ensuring no destructive or syntactically invalid changes. • Cross-environment normalization: unifying Semgrep output from codebases and S3 configurations.

🏆 Accomplishments We’re Proud Of • Built a fully automated SOC 2 compliance assistant that covers both code and cloud. • Implemented a secure LLM prompting system with strict context and JSON enforcement. • Created a universal autofix engine that safely corrects insecure code patterns at scale. • Extended Semgrep scanning to remote cloud directories, allowing compliance monitoring across storage systems. • Significantly reduced manual audit preparation time — from days to minutes.

🧠 What We Learned • LLMs become truly valuable in compliance when bound by strict schemas and scoped to real data. • Security scanning tools like Semgrep are powerful — but pairing them with reasoning models turns them into compliance systems, not just detectors. • Reliable Bedrock API integration requires careful handling of bearer tokens and AWS profile fallbacks. • Cloud compliance isn’t just about detection — it’s about traceable, fixable, and explainable security posture.

🔮 What’s Next for SOC2-Copilot • Cloud Integrations: deeper support for AWS Config, GCP IAM, and Azure Policy. • Dashboard: a unified compliance panel to visualize open issues and fix coverage in real time. • Auto-report generation: one-click SOC 2 audit report exports with control mappings and fix history. • GitHub Actions Integration: continuous compliance scans on PRs and CI/CD pipelines. • Multi-framework Support: extend autofix coverage to Terraform, CloudFormation, and Dockerfiles.