Competencies: DevSecOps > Compliance as Code

Compliance as Code

Body of Knowledge

Topic	Description	Relevance	Career Tracks
Policy as Code Fundamentals	Expressing policies as code, automated enforcement, audit trails, version control for policies.	Critical	DevSecOps, Platform Engineer, Compliance
Open Policy Agent (OPA)	Rego language, policy bundles, decision logs, data integration, OPA deployment patterns.	High	Platform Engineer, DevSecOps
Gatekeeper	OPA for Kubernetes, constraint templates, constraints, audit mode, mutation policies.	High	Platform Engineer, DevSecOps
Kyverno	Kubernetes-native policies, validate/mutate/generate, policy reports, CLI validation.	High	Platform Engineer, DevSecOps
HashiCorp Sentinel	Policy as code for Terraform Enterprise, policy sets, enforcement levels, testing.	Medium	DevSecOps (HashiCorp stack)
CIS Benchmarks	Center for Internet Security benchmarks, automated assessment, remediation guidance.	High	Security Engineer, Compliance
Infrastructure Compliance Scanning	Checkov, tfsec, Terrascan, KICS, custom policies, CI/CD integration.	High	DevSecOps, Security Engineer
Continuous Compliance	Automated compliance monitoring, drift detection, evidence collection, compliance dashboards.	High	Compliance, DevSecOps
InSpec	Chef InSpec for infrastructure testing, compliance profiles, platform resources.	Medium	DevSecOps, Compliance
Audit Automation	Evidence collection, attestation generation, compliance reporting, GRC integration.	Medium	Compliance, Security Engineer

Topic

Description

Relevance

Career Tracks

Policy as Code Fundamentals

Expressing policies as code, automated enforcement, audit trails, version control for policies.

Critical

DevSecOps, Platform Engineer, Compliance

Open Policy Agent (OPA)

Rego language, policy bundles, decision logs, data integration, OPA deployment patterns.

High

Platform Engineer, DevSecOps

Gatekeeper

OPA for Kubernetes, constraint templates, constraints, audit mode, mutation policies.

High

Platform Engineer, DevSecOps

Kyverno

Kubernetes-native policies, validate/mutate/generate, policy reports, CLI validation.

High

Platform Engineer, DevSecOps

HashiCorp Sentinel

Policy as code for Terraform Enterprise, policy sets, enforcement levels, testing.

Medium

DevSecOps (HashiCorp stack)

CIS Benchmarks

Center for Internet Security benchmarks, automated assessment, remediation guidance.

High

Security Engineer, Compliance

Infrastructure Compliance Scanning

Checkov, tfsec, Terrascan, KICS, custom policies, CI/CD integration.

High

DevSecOps, Security Engineer

Continuous Compliance

Automated compliance monitoring, drift detection, evidence collection, compliance dashboards.

High

Compliance, DevSecOps

InSpec

Chef InSpec for infrastructure testing, compliance profiles, platform resources.

Medium

DevSecOps, Compliance

Audit Automation

Evidence collection, attestation generation, compliance reporting, GRC integration.

Medium

Compliance, Security Engineer

Personal Status

Topic	Level	Evidence	Active Projects	Gaps
Policy as Code	Beginner	Vault policies written in HCL; understand OPA/Rego concepts from CISSP study	Secrets Vault	No OPA/Gatekeeper, no Sentinel, no Kyverno for Kubernetes policy enforcement
Kubernetes Policy Enforcement	—	—	—	No Gatekeeper/Kyverno experience
Infrastructure Compliance Scanning	—	—	—	No Checkov/tfsec implementation
Audit & Evidence Automation	—	—	—	No automated compliance evidence collection

Topic

Level

Evidence

Active Projects

Gaps

Policy as Code

Beginner

Vault policies written in HCL; understand OPA/Rego concepts from CISSP study

Secrets Vault

No OPA/Gatekeeper, no Sentinel, no Kyverno for Kubernetes policy enforcement

Kubernetes Policy Enforcement

—

No Gatekeeper/Kyverno experience

Infrastructure Compliance Scanning

—

No Checkov/tfsec implementation

Audit & Evidence Automation

—

No automated compliance evidence collection