Compliance · a catalog of ten frameworks

Compliance, declared honestly.

Every framework runs on the same honest pattern. A tool can disprove a control — a fired check is a real failure — but it can never prove conformance. So Watchdog does the provable part rigorously: it evidences the automatable slice, blocks you from passing a control it caught failing without a recorded reason, and leaves the rest where it belongs — with a named person who self-declares. We measure; you declare. We never certify.

A clean automated result is necessary, not sufficient — a green Watchdog score is never, by itself, a compliance claim.

Trust and transparency

The honest truth most compliance tools won't tell you.

The snake oil
  • A "compliant" badge from a scanner that only ever saw the markup or the manifest
  • Dashboards that quietly turn "no automated finding" into "passed"
  • Most of these regimes are organizational; tooling touches only a slice
  • No tool is accepted as proof of conformance under any of these laws — none

What's actually true
  • A tool can prove a failure (a live CVE, a leaked secret, a missing label) but never the absence of all failures
  • The automatable evidence it CAN produce is concrete: SCA across NuGet & npm, a CycloneDX SBOM every scan, and security findings tagged with their MITRE CWE id — the supply-chain trail CRA / DORA / NIS2 ask for
  • Conformance rests on human judgement + process the analyzer cannot see
  • These regimes make the organization declare and be supervised — accountability sits with management
  • So the only honest tool does the provable part and is candid about the rest
Evaluation

How a control gets evaluated — what a tool can do, and where a human must.

Tool-automated

Controls with an automatable surface (a live CVE, a committed secret, a missing label). A failure here is real, pre-set to Fail, and gates sign-off.

Evidence-assisted

Needs a rendered runtime, assistive tech, or operational evidence (contrast, focus order, access control, backups). You evaluate it; we record the basis.

Human judgement

Process and meaning no tool decides — governance, incident handling, the resilience-testing programme, whether an alt text is equivalent. You judge it.

Integrity

The integrity keystone: we won't let you pass what we caught failing.

The failure-gate

When static analysis catches a real failure on a control, the self-assessment pre-sets it to Fail and locks it. To mark it Pass anyway, you must record a written justification — reproduced, in full, in an Integrity section of the artifact. A thermometer you can hide readings from is rigged; this one can't be.

Provenance on every line

Each control's verdict says how it was reached — tool-verified, evidence-assisted, AI-drafted-and-reviewed, or human attestation — so a buyer, an auditor, or a competent authority can see exactly which claims a machine stands behind and which a person does.
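The failure-gate and the per-control provenance described in the two sections above, modelled as an added example. This is not Watchdog's code, and the class and method names (Assessment, apply_scan, set_verdict, GateViolation) are assumptions; the control ids and the scan finding are constructed. The point it shows: a tool finding pre-sets a control to Fail and locks it, a Pass on a locked control is refused unless a written justification is supplied, every accepted override is reproduced in full in an Integrity list, and the provenance of the resulting verdict is the person who overrode it, not the tool.

```python
"""Failure-gate and provenance model (added example; names are assumptions)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple


class Verdict(Enum):
    PASS = "Pass"
    FAIL = "Fail"
    NOT_ASSESSED = "Not assessed"


class Provenance(Enum):
    # The four ways a verdict can be reached, as listed on the page.
    TOOL_VERIFIED = "tool-verified"
    EVIDENCE_ASSISTED = "evidence-assisted"
    AI_DRAFTED_REVIEWED = "AI-drafted-and-reviewed"
    HUMAN_ATTESTATION = "human attestation"


class GateViolation(Exception):
    """A locked control was set to Pass without a recorded justification."""


@dataclass
class Control:
    control_id: str
    title: str
    verdict: Verdict = Verdict.NOT_ASSESSED
    provenance: Optional[Provenance] = None
    locked: bool = False  # True once a tool finding pre-set this control to Fail
    tool_findings: List[str] = field(default_factory=list)


@dataclass
class Assessment:
    controls: Dict[str, Control]
    integrity: List[dict] = field(default_factory=list)  # overrides, reproduced in full

    def apply_scan(self, findings: Iterable[Tuple[str, str]]) -> None:
        """Each (control_id, description) is a real failure: pre-set Fail and lock."""
        for control_id, description in findings:
            c = self.controls[control_id]
            c.tool_findings.append(description)
            c.verdict = Verdict.FAIL
            c.provenance = Provenance.TOOL_VERIFIED
            c.locked = True

    def set_verdict(self, control_id: str, verdict: Verdict, provenance: Provenance,
                    by: str, justification: Optional[str] = None) -> None:
        """Record a human verdict; a Pass on a locked control needs a written reason."""
        c = self.controls[control_id]
        if c.locked and verdict is Verdict.PASS:
            if not justification or not justification.strip():
                raise GateViolation(
                    f"{control_id} was caught failing ({c.tool_findings}); "
                    "a written justification is required to pass it")
            # The override goes into the artifact's Integrity section verbatim.
            self.integrity.append({
                "control": control_id,
                "findings": list(c.tool_findings),
                "overridden_by": by,
                "justification": justification.strip(),
            })
        c.verdict = verdict
        c.provenance = provenance  # a human-made Pass is human attestation, not tool-verified

    def try_pass(self, control_id: str, by: str, justification: Optional[str] = None) -> bool:
        """Convenience: attempt a human Pass, returning whether the gate accepted it."""
        try:
            self.set_verdict(control_id, Verdict.PASS, Provenance.HUMAN_ATTESTATION, by, justification)
            return True
        except GateViolation:
            return False


def demo() -> dict:
    """Constructed scenario: one control caught failing by the scan, one organizational."""
    a = Assessment(controls={
        "C-1": Control("C-1", "No known exploitable vulnerabilities in dependencies"),
        "C-2": Control("C-2", "Incident handling process exists and is exercised"),
    })
    a.apply_scan([("C-1", "SCA: vulnerable dependency (constructed finding)")])
    blocked = not a.try_pass("C-1", by="alice")            # no reason given: refused
    accepted = a.try_pass("C-1", by="alice",               # reason given: recorded
                          justification="Affected code path is not reachable; "
                                        "compensating control in place (constructed)")
    a.set_verdict("C-2", Verdict.PASS, Provenance.HUMAN_ATTESTATION, by="bob")
    return {
        "blocked_without_justification": blocked,
        "accepted_with_justification": accepted,
        "integrity_entries": len(a.integrity),
        "provenance": {cid: c.provenance.value for cid, c in a.controls.items()},
    }


if __name__ == "__main__":
    print(demo())
```

Note that the override does not unlock the control: the lock records that a tool caught it failing, and that history stays visible beside the human's reason, which is what lets a reader of the artifact tell a machine-backed claim from a person-backed one.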

The lifecycle

The workflow — identical for every framework.

Scan & enable.

Watchdog assesses the automatable surface. Each framework is Automatic / On / Off per repository; Automatic turns one on (and asks you to keep it) when your codebase is mature enough for it.

Self-assess & evidence.

A signed-in member works through every control — the gate enforcing honesty as they go — adds notes and reference links, and attaches supporting documents (a pentest, a manual test report) that each control can cite. Every upload is hashed.

Sign.

A named declarant signs; the declaration freezes into immutable, tamper-evident bytes (a SHA-256 you can re-verify). It may honestly conclude "does not fully conform" — signing attests the evaluation is complete and accurate, not that everything passed.

Export & require.

Download one artifact — the declaration with its evidence travelling inside it (embedded, or referenced with its hash in an evidence register) — and optionally bind a contract profile to require a current signed declaration before a delivery passes.

Keep it current.

Each declaration is anchored to one scan. Extend re-issues it for the latest scan in one click — carrying your answers, re-running the gate so any regression surfaces, and superseding the prior one. An archive keeps the full, audit-ready lineage.
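The lifecycle steps above (hashed evidence, a declaration frozen into tamper-evident bytes with a SHA-256 you can re-verify, an evidence register, Extend re-running the gate and superseding the prior declaration, and an archive holding the lineage) as an added example. It is not Watchdog's code: the canonical-JSON encoding, the field names, and the function names are assumptions, and the uploads and control ids are constructed. One caveat a practitioner will want: a bare SHA-256 gives integrity (any edit changes the digest) but not non-repudiation; the page does not say how the declarant's signature itself is bound to the bytes, so that part is left out here.

```python
"""Declaration artifact: evidence hashing, freeze, re-verify, extend, lineage (added example)."""
import hashlib
import json
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic encoding (assumption): any verifier must rebuild the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def evidence_register(files: Dict[str, bytes]) -> List[dict]:
    """Every upload is hashed at upload time; the register travels inside the artifact."""
    return [{"name": n, "sha256": sha256_hex(b), "size": len(b)} for n, b in sorted(files.items())]


def sign_declaration(scan_id: str, answers: Dict[str, dict], evidence: List[dict],
                     declarant: str, supersedes: Optional[str] = None) -> dict:
    """Freeze the declaration: the digest covers scan, answers, evidence and declarant."""
    body = {
        "scan_id": scan_id,          # one declaration is anchored to exactly one scan
        "answers": answers,          # control_id -> {"verdict": ..., "provenance": ...}
        "evidence": evidence,
        "declarant": declarant,
        "supersedes": supersedes,    # digest of the prior declaration, or None
    }
    return {"body": body, "sha256": sha256_hex(canonical(body))}


def verify_declaration(decl: dict) -> bool:
    """Re-verify: recompute the digest over the body and compare."""
    return sha256_hex(canonical(decl["body"])) == decl["sha256"]


def verify_evidence(decl: dict, files: Dict[str, bytes]) -> List[str]:
    """Return the names of registered documents whose bytes no longer match."""
    return [e["name"] for e in decl["body"]["evidence"]
            if sha256_hex(files.get(e["name"], b"")) != e["sha256"]]


def extend(prior: dict, new_scan_id: str, failing_controls: List[str]) -> dict:
    """Re-issue for a newer scan: carry answers, re-run the gate, supersede the prior."""
    answers = {cid: dict(a) for cid, a in prior["body"]["answers"].items()}
    regressions = []
    for cid in failing_controls:
        # A carried Pass that the new scan catches failing regresses to a locked Fail.
        if answers.get(cid, {}).get("verdict") == "Pass":
            answers[cid] = {"verdict": "Fail", "provenance": "tool-verified"}
            regressions.append(cid)
    new = sign_declaration(new_scan_id, answers, prior["body"]["evidence"],
                           prior["body"]["declarant"], supersedes=prior["sha256"])
    new["regressions"] = regressions  # surfaced for the declarant to re-justify
    return new


def lineage(archive: Dict[str, dict], head_digest: str) -> List[str]:
    """Walk the supersedes links from the current declaration back to the first."""
    chain, d = [], head_digest
    while d:
        chain.append(d)
        d = archive[d]["body"]["supersedes"]
    return chain


if __name__ == "__main__":
    files = {"pentest.pdf": b"constructed pentest report", "manual-test.md": b"# focus order ok"}
    d1 = sign_declaration("scan-001",
                          {"C1": {"verdict": "Pass", "provenance": "human attestation"}},
                          evidence_register(files), "alice")
    d2 = extend(d1, "scan-002", ["C1"])
    print(verify_declaration(d1), d2["regressions"], lineage({d1["sha256"]: d1, d2["sha256"]: d2}, d2["sha256"]))
```

Because the register holds only hashes, an evidence document can be referenced rather than embedded and still be checked later; because the digest covers `supersedes`, the lineage itself is tamper-evident, not just each declaration in isolation.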

Honesty guardrails

What Watchdog will never claim.

  • We do not certify and are not a notified body or competent authority
  • A Watchdog score is not a compliance claim
  • "Tool clean" means no automated failure — necessary, not sufficient
  • We never auto-pass a control on your behalf — nothing is signed without a human
  • Organizational controls are recorded as human attestation, never dressed up as tool-evidenced

Why the candour is the product

A compliance claim is only worth what its honesty can survive. By doing the provable part rigorously and refusing to fake the rest, Watchdog gives you a declaration that holds up to an auditor, a regulator, and a court — not just a marketing page.

Declare it honestly.
