Compliance without the audit-week scramble
If you're pursuing SOC 2, ISO 27001, or SMB1001, you've probably realised that “we scan our code for vulnerabilities” is the kind of control auditors ask about — and “we run a scan once a quarter when we remember” isn't the answer they want.
Kolega gives you the continuous code-scanning evidence these frameworks expect, in a format auditors actually accept. No manual evidence-gathering the week before the audit.
Frameworks Kolega supports
We help engineering teams meet code-scanning requirements for the three frameworks most early-stage and mid-market companies pursue.
SOC 2 (Type I and Type II)
The Trust Services Criteria (CC7.1 in the 2017 edition) expect detection and monitoring procedures that identify newly introduced and newly disclosed vulnerabilities. The criteria do not prescribe a scan frequency; your own policy sets the cadence, and the auditor tests whether you kept to it. A Type I report covers control design at a point in time, while a Type II report covers operation over a period, typically three to twelve months, so Type II auditors want to see scans running throughout that window rather than a single snapshot. Kolega's PR-level scanning produces that time-stamped trail.
ISO 27001
In ISO 27001:2013, Annex A controls A.12.6.1 (management of technical vulnerabilities) and A.14.2 (security in development and support processes) cover vulnerability management and secure development. The 2022 revision regroups the same requirements under A.8.8 (management of technical vulnerabilities), A.8.25 (secure development life cycle), A.8.28 (secure coding) and A.8.29 (security testing in development and acceptance), so check which edition your certification body is auditing against. Kolega satisfies the code-scanning portion of these controls with documented findings and remediation evidence; the controls also expect a defined process, named ownership and risk treatment decisions, which a scanner alone does not supply.
SMB1001
The Australian SMB cybersecurity framework includes requirements for secure software development practices. Kolega's scanning and remediation workflow fits cleanly into Levels 2 and above of the framework.
What auditors actually want to see
Most code-scanning controls come down to four questions.
Scans run regularly and continuously
Auditors want evidence that scanning happens automatically, not on a manual cadence that depends on someone remembering. Kolega scans every pull request by default, and the scan history is the evidence. Commits that bypass pull requests (a direct push to the default branch, for example) fall outside that trail, so enforce branch protection that requires a PR if you want the coverage to be complete.
Findings are tracked through to resolution
A scan that finds 50 issues and forgets about them doesn't satisfy a control. Auditors want to see findings flow through a workflow: detected → triaged → fixed, or accepted as a risk with a named owner, a documented reason and, usually, a review date. Kolega's dashboard records every state transition with a timestamp.
Critical findings have a defined response time
SOC 2 and ISO 27001 both expect organisations to define how quickly critical vulnerabilities are addressed and to show that the target is met. Kolega can be configured to block merges on critical findings, which stops new criticals from reaching the main branch. That gate is preventive, not a substitute for the target: you still need a written response time for criticals that already exist in the codebase, or that a new rule surfaces in old code, and evidence that those were fixed within it.
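Auditors will turn the lifecycle and response-time expectations above into questions about your data: did every critical close within the written target, does every open critical have a triage decision, and does every accepted risk carry an owner and a reason? The following Python script is an added example of that check run over a findings export. It is not Kolega's export format, tooling or code: the field names (`detected`, `triaged`, `fixed`, `accepted`, `justification`), the per-severity response times and the sample records are all constructed for illustration and should be replaced with your own export and policy values.

```python
"""Audit-evidence check over a findings export (added, generic example).

Not Kolega's export format or tooling: field names, SLAs and sample
records below are constructed placeholders for illustration.
"""
from __future__ import annotations

import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed written policy: maximum time from detection to fix, per severity.
# Placeholder values; use the targets from your own policy document.
RESPONSE_SLA = {
    "critical": timedelta(days=7),
    "high": timedelta(days=30),
    "medium": timedelta(days=90),
}

# Point in time at which the report is produced (the audit date, for example).
AS_OF = datetime(2024, 4, 1, tzinfo=timezone.utc)

# Constructed sample export: one JSON object per finding, ISO-8601 timestamps.
SAMPLE_EXPORT = """
{"id": "F-1", "repo": "api", "severity": "critical", "detected": "2024-03-01T10:00:00Z", "triaged": "2024-03-01T12:00:00Z", "fixed": "2024-03-04T09:00:00Z", "validated_by": "ci-rescan"}
{"id": "F-2", "repo": "api", "severity": "critical", "detected": "2024-03-02T10:00:00Z", "triaged": "2024-03-03T08:00:00Z", "fixed": "2024-03-20T09:00:00Z", "validated_by": "ci-rescan"}
{"id": "F-3", "repo": "web", "severity": "high", "detected": "2024-03-05T10:00:00Z", "triaged": "2024-03-05T11:00:00Z", "accepted": "2024-03-06T10:00:00Z", "accepted_by": "cto", "justification": "test-only code path, never deployed"}
{"id": "F-4", "repo": "web", "severity": "medium", "detected": "2024-03-06T10:00:00Z", "triaged": "2024-03-06T11:00:00Z", "accepted": "2024-03-07T10:00:00Z", "accepted_by": "lead"}
{"id": "F-5", "repo": "billing", "severity": "critical", "detected": "2024-03-20T10:00:00Z"}
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def finding_state(f: dict) -> str:
    """Derive the lifecycle state from which timestamps are present."""
    for state in ("fixed", "accepted", "triaged"):
        if state in f:
            return state
    return "detected"


def assess(f: dict, now: datetime) -> dict:
    """Classify one finding against the lifecycle and its severity SLA.

    Returns the finding's state plus a list of audit exceptions (empty when
    the finding would pass the four questions without comment).
    """
    sla = RESPONSE_SLA[f["severity"]]
    detected = parse_ts(f["detected"])
    state = finding_state(f)
    issues: list[str] = []
    if state == "fixed":
        if parse_ts(f["fixed"]) - detected > sla:
            issues.append("fixed_outside_sla")
        if not f.get("validated_by"):
            issues.append("fix_not_validated")
    elif state == "accepted":
        # A risk acceptance needs an approver and a written reason.
        if not (f.get("accepted_by") and f.get("justification")):
            issues.append("accepted_without_justification")
    else:
        # Still open: measure age against the SLA and check it was triaged.
        if now - detected > sla:
            issues.append("open_past_sla")
        if state == "detected":
            issues.append("untriaged")
    return {"id": f["id"], "severity": f["severity"], "state": state, "issues": issues}


def audit_report(export: str, now: datetime) -> dict:
    """Summarise an export: counts per state and the exceptions to explain."""
    findings = [json.loads(line) for line in export.strip().splitlines() if line.strip()]
    results = [assess(f, now) for f in findings]
    return {
        "total": len(results),
        "by_state": dict(Counter(r["state"] for r in results)),
        "exceptions": {r["id"]: r["issues"] for r in results if r["issues"]},
    }


def run_sample() -> dict:
    """Run the check over the constructed export as of AS_OF."""
    return audit_report(SAMPLE_EXPORT, AS_OF)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Each entry under `exceptions` is something the auditor will ask you to explain, so a clean export is one where that map is empty or every item has a documented reason. F-2 above was fixed, but not within the assumed seven-day target; F-5 is the case a merge gate never catches, a critical already sitting in the codebase with no triage decision.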
The process is documented
You need a written policy that says how scanning runs, who reviews findings, how risk acceptances are approved, and how fixes are validated. We provide template documentation you can adapt to your organisation, which cuts audit preparation time. Auditors do check that the written policy matches what the scan history shows, so adapt the template to your actual workflow rather than adopting it verbatim.
What we provide for audits
Scan history evidence
Exportable scan logs showing what was scanned, when, and what was found, going back as far as your retention tier allows. Make sure retention covers your whole audit window: a SOC 2 Type II observation period typically runs three to twelve months.
Findings lifecycle reports
Per-finding timeline showing when it was detected, who triaged it, when it was fixed, and how the fix was validated.
Coverage reports
Which repositories are scanned, when they were last scanned, and any gaps in coverage.
Policy documentation templates
Reusable language for your security policy covering how vulnerability scanning operates in your environment.
Auditor-friendly export
Reports formatted for the questions auditors actually ask, not raw JSON dumps.
These are available across all paid tiers. Enterprise customers get additional custom reporting and longer retention.
Where Kolega fits in a broader compliance program
To be clear about what Kolega is and isn't:
What Kolega is: the code-scanning evidence layer
For the parts of SOC 2, ISO 27001, and SMB1001 that cover application security and vulnerability management.
What Kolega isn't: a full compliance automation platform
We don't replace Vanta, Drata, Secureframe, or Sprinto. Those tools manage the broader compliance program — policies, training, vendor reviews, access controls, evidence collection across your whole stack. Kolega is the SAST piece of that.
A common stack: Vanta or Drata orchestrates the overall compliance program, Kolega provides the code-scanning evidence inside it.
When this matters
Compliance scanning matters most at three points in a company's lifecycle.
Your first SOC 2 ask
When your first enterprise customer asks for your SOC 2 report and you don't have one yet. Kolega gives you the code-scanning portion ready for a Type I audit. If that customer will later want a Type II report, start scanning before the observation period opens, because Type II evidence has to show the control operating for the whole period.
Audit prep stops being a fire drill
When you're scaling and audit preparation needs to stop being an all-hands fire drill every twelve months. Continuous scanning means the evidence is already there when the auditor arrives.
Multi-framework coverage
When you've got SOC 2 and you're adding ISO 27001 for international customers, or SMB1001 for Australian government contracts. Kolega already supports all three with the same scanning evidence.
See it in practice
The fastest way to understand whether Kolega fits your compliance needs is to run a scan and see what the reports look like.
For specific compliance questions, we'll point you at the right documentation or get on a call with your security lead.