Evidence Export
Push compliance evidence directly into your existing audit toolchain.
Export formats
| Format | Flag | Tier | Description |
|---|---|---|---|
| SCC JSON | --format=scc-json | Team+ | Google Security Command Center findings |
| Audit Manager | --format=audit-manager | Team+ | AWS Audit Manager evidence |
| Purview | --format=purview | Team+ | Microsoft Purview Compliance Manager |
| Vanta | --format=vanta | Agency | Vanta integration (file or API) |
| Drata | --format=drata | Agency | Drata integration (file or API) |
| Secureframe | --format=secureframe | Agency | Secureframe integration (file or API) |
| GRC JSON | --format=grc-json | Community+ | Generic GRC interchange format |
Cloud-native export (Team+)
Export findings directly to your cloud provider’s audit service.
```bash
# Google Security Command Center
complyform export --format=scc-json \
  --input=findings.json \
  --project=my-gcp-project \
  --source=organizations/123456/sources/789

# AWS Audit Manager
complyform export --format=audit-manager \
  --input=findings.json \
  --assessment-id=a1b2c3d4-5678-90ab-cdef-111111111111

# Microsoft Purview
complyform export --format=purview \
  --input=findings.json \
  --tenant-id=a1b2c3d4-5678-90ab-cdef-222222222222
```
GRC platform export (Agency)
Export to third-party GRC platforms. Generate a file for manual upload or push directly via API.
```bash
# File export for manual upload
complyform export --format=vanta \
  --input=findings.json \
  --output-file=vanta-evidence.json

# Direct API push (the key is read from the DRATA_API_KEY environment variable)
complyform export --format=drata \
  --input=findings.json \
  --api-key="$DRATA_API_KEY" \
  --push
```
Batch export
Export to multiple formats in one invocation (Agency tier).
```bash
complyform export --format=scc-json,vanta,grc-json \
  --input=findings.json \
  --output-dir=evidence/
```
This writes one file per format into the evidence/ directory: evidence/scc-json.json, evidence/vanta.json, evidence/grc-json.json.
Signed attestations
Generate a cryptographically signed attestation for point-in-time compliance evidence.
```bash
# Generate signed attestation during assessment
complyform assess --frameworks=soc2 --attest --output-file=soc2-attestation.json

# Verify an existing attestation
complyform verify --attestation=soc2-attestation.json
```
The attestation includes the assessment timestamp, framework version, resource inventory hash, and an Ed25519 signature. Auditors can verify the attestation independently without access to your infrastructure.
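What independent verification rests on, as an added Go example (not complyform's code): the signature covers the attested fields, so anyone holding the signer's public key can detect an edit made after signing. The JSON field names, the hex encoding, and signing over the JSON of the non-signature fields are assumptions, since this page does not document the attestation schema.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Attestation is a hypothetical layout; complyform's real schema is not shown on this page.
type Attestation struct {
	Timestamp        string `json:"timestamp"`
	FrameworkVersion string `json:"framework_version"`
	InventoryHash    string `json:"resource_inventory_hash"`
	Signature        string `json:"signature,omitempty"` // hex-encoded Ed25519 signature
}

// signedBytes returns what the signature covers: every field except the signature itself.
// Struct fields marshal in declaration order, so signer and verifier derive identical bytes.
func signedBytes(a Attestation) []byte {
	a.Signature = ""
	b, _ := json.Marshal(a) // cannot fail for a struct of plain strings
	return b
}

// Sign stands in for the producer side (assumed behaviour of an --attest run).
func Sign(priv ed25519.PrivateKey, a Attestation) Attestation {
	a.Signature = hex.EncodeToString(ed25519.Sign(priv, signedBytes(a)))
	return a
}

// Verify is the auditor side: it needs only the file contents and the signer's public key.
func Verify(pub ed25519.PublicKey, a Attestation) bool {
	sig, err := hex.DecodeString(a.Signature)
	return err == nil && len(pub) == ed25519.PublicKeySize &&
		len(sig) == ed25519.SignatureSize && ed25519.Verify(pub, signedBytes(a), sig)
}

// demo signs a constructed attestation, then changes one field after signing.
func demo() (untouched, edited bool) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero test seed
	pub := priv.Public().(ed25519.PublicKey)
	att := Sign(priv, Attestation{Timestamp: "2024-01-01T00:00:00Z", FrameworkVersion: "soc2-example", InventoryHash: "00ff"})
	untouched = Verify(pub, att)
	att.InventoryHash = "00fe" // resource inventory swapped after the assessment
	return untouched, Verify(pub, att)
}

func main() { fmt.Println(demo()) } // prints: true false
```

The check is only as strong as the auditor's confidence that the public key belongs to the signer, so the key should reach them through a channel separate from the attestation file.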
Next steps
- `complyform export` — full export options and format details
- `complyform assess` — assessment with `--attest` flag
- Air-Gapped Environments — offline evidence generation