Automating SDLC Evidence: How GRC Platforms Can Stop Chasing Engineers for Screenshots
SOC 2 audits are plagued by manual evidence gathering. Learn how to architect an automated 'Compliance Observer' using Unified APIs to link tickets, PRs, and builds.
The most expensive meeting in your company isn't the board meeting. It's the "evidence gathering" sprint before a SOC 2 Type II audit window closes.
Specifically, it's the meeting where a Product Manager sits down with an Engineering Lead to manually cross-reference a spreadsheet of 500 production deployments against a list of Jira tickets. The auditor demands proof for Common Criteria 8.1 (Change Management): "Did every piece of code deployed to production originate from an approved ticket, and did it pass automated testing?"
For most GRC (Governance, Risk, and Compliance) platforms, solving this problem—much like automating employee compliance—is the holy grail. If you can automate the collection of this "Chain of Custody"—linking the Intent (the Ticket) to the Action (the Pull Request) to the Outcome (the Build/Deployment)—you save your customers hundreds of engineering hours annually.
But building this automation is a nightmare of fragmentation. You have to map Jira's SOAP-legacy quirks to GitHub's REST API, then Linear's GraphQL to CircleCI's distinct data model. And that's just for one customer.
Here is how you can architect a universal "Compliance Observer" that automates SDLC evidence collection using Unified APIs, effectively ending the era of compliance-by-screenshot.
The "Chain of Custody" Data Problem
To satisfy a rigorous auditor, you need to construct a narrative for every single deployment. That narrative looks like this:
- Ticket Created:
PROJ-123created in Jira (Intent). - Code Written: Branch
feature/PROJ-123-fix-logincreated in GitHub. - Code Reviewed: PR #45 opened, linked to
PROJ-123, and approved by a peer. - Tests Passed: CircleCI build #9982 passed for commit
abc1234. - Deployed: Code merged and deployed to
productionenvironment.
If you are building a GRC tool, your job is to ingest data from all these systems and draw the lines between them. The technical challenge is that these systems do not natively talk to each other in a standardized way—a challenge we've discussed in the context of rigid schemas.
- Identifier Mismatch: Jira uses keys (
PROJ-123), Linear uses short IDs (LIN-45), and GitHub uses SHA hashes. - Schema Chaos: A "Build" in Jenkins looks nothing like a "Workflow Run" in GitHub Actions. A "Ticket" in Asana has a completely different state machine than a "Story" in Clubhouse/Shortcut.
Architecting the Compliance Observer
Instead of building point-to-point integrations for every permutation of tools (e.g., Jira+Jenkins, Asana+GitLab, Linear+CircleCI), you can use a Unified API approach to normalize the data flow.
We will use two primary unified models:
- Unified CI/CD: To track Repos, Pull Requests, and Builds.
- Unified Ticketing: To track Tickets, Statuses, and Assignees.
Step 1: The Trigger (Unified Webhooks)
The entry point for evidence collection is the Deployment or Build. You cannot rely on polling; you need real-time awareness when code hits production.
Using Truto's Unified Webhooks, you can subscribe to build:created and build:updated events. Whether the customer uses Travis CI, CircleCI, or GitHub Actions, you receive a normalized payload.
// Normalized Webhook Payload: build:updated
{
"event_type": "record:updated",
"resource": "ci-cd/builds",
"payload": {
"id": "987654321",
"status": "success",
"branch": "feature/PROJ-123-fix-auth",
"commit_message": "[PROJ-123] Fix authentication timeout logic",
"commit_sha": "7b3f1a2...",
"started_at": "2023-10-27T10:00:00Z",
"completed_at": "2023-10-27T10:05:00Z",
"url": "https://circleci.com/gh/org/repo/123"
}
}Developer Tip: Always filter webhooks for status == "success" and ensure the build is targeting a protected environment (like main, master, or production). Failed builds are noise; successful builds are audit artifacts.
Step 2: The Trace (Regex & Heuristics)
Once you have the Build object, you need to find the Ticket ID. This is the bridge between the CI/CD world and the Ticketing world.
Since APIs rarely link these explicitly, you must rely on convention. Developers typically embed ticket IDs in two places:
- Branch Names:
feature/PROJ-123-new-button - Commit Messages:
PROJ-123: Added new button
Your observer service should parse the branch and commit_message fields from the normalized Build object using a configurable regex (e.g., /[A-Z]+-\d+/ for Jira or /[a-z]{3}-\d+/ for Linear).
Step 3: The Verification (Unified Ticketing API)
Now that you extracted PROJ-123, you need to verify its legitimacy. An auditor wants to know: "Was this ticket actually approved?"
You can query the Unified Ticketing API to fetch the ticket details, agnostic of whether the customer uses Jira, Zendesk, or Linear.
Request:
GET /unified/ticketing/tickets?remote_id=PROJ-123
Normalized Response:
{
"id": "ticket_abc123",
"remote_id": "PROJ-123",
"name": "Fix authentication timeout logic",
"status": "Done",
"type": "Bug",
"priority": "High",
"assignee": {
"name": "Jane Doe",
"email": "jane@example.com"
},
"created_at": "2023-10-25T09:00:00Z",
"updated_at": "2023-10-27T11:00:00Z"
}By checking the status field against a list of "approved" states (e.g., "Done", "Ready for QA", "Deployed"), you can programmatically validate the intent.
Handling the "Squash and Merge" Edge Case
One of the most painful realities of software engineering is the "Squash and Merge" strategy on GitHub. When a developer merges a PR with 50 commits into main, those commits are often squashed into a single commit with a new SHA hash.
If your GRC platform relies solely on matching Commit SHAs between the PR and the Deployment, you will fail. The SHA on the PR (abc...) will not match the SHA on main (def...) after a squash merge.
The Fix: Instead of tracking commits, track Pull Requests.
- Use the Unified CI/CD API to fetch
PullRequestsassociated with the repository. - Look at the
merge_commit_shafield on the PR object. - Match that SHA to the
commit_shain the Build object.
This provides a robust link even when history is rewritten.
The "Long Tail" of Developer Tools
The real value of using a Unified API for this architecture isn't just supporting Jira and GitHub. It's supporting the long tail of tools your customers actually use. This mirrors the long tail of identity challenge: you cannot rely on just the top providers.
Startups might use Linear and GitHub Actions. Enterprises might use Jira On-Prem and Jenkins. Mid-market companies might use Asana and GitLab CI.
If you build this "Compliance Observer" logic once against Truto's unified models, you automatically support all these combinations. You don't need to write a specific parser for Jenkins XML output or Jira's complex SOAP responses.
Why This Matters for Product Managers
For PMs building GRC or Developer Tools, this is a feature that directly impacts your customer's churn rate.
If your tool requires customers to manually upload CSVs or screenshots to prove compliance, you are a burden. If your tool automatically flags a production deployment as "Non-Compliant" because it detected a code change with no associated ticket, you are a strategic partner.
You are moving your product from "passive record keeping" to "active governance."
FAQ
- What is SOC 2 Common Criteria 8.1?
- CC8.1 focuses on Change Management, requiring organizations to authorize, test, and approve all changes to system components (software, infrastructure) before deployment.
- How do I link Jira tickets to GitHub PRs automatically?
- The most reliable method is parsing the branch name or commit message for the ticket ID (e.g., 'PROJ-123') using a regex, then verifying the ticket status via API.
- Can I automate evidence collection for Jenkins and GitLab?
- Yes. By using a Unified CI/CD API, you can normalize build and deployment data from tools like Jenkins, GitLab CI, and CircleCI into a standard format for easy auditing.
