SOC 2

Trust Service Criteria mapped to your code, not your spreadsheet.

VibeReview is SOC 2 Type II certified itself. The same audit log and guardrail engine that supports our own examination produces TSC evidence for your AI-assisted code. CC6, CC7, CC8 controls map to guardrail enforcement and PR review logs.

14-day free trial · No card required

You prompting Cursor · app/api/flags/toggle.py

"Add an endpoint that flips a feature flag for production."

VibeReview matched 3 Trust Service Criteria · invisibly
  • CC6.1 — require a flag-admin role; deny by default
  • CC7.1 — emit a change event to the audit pipeline
  • CC8.1 — require a reviewer approval on prod-scoped changes
app/api/flags/toggle.py
from fastapi import Depends, FastAPI
from pydantic import BaseModel

# The guardrail helpers used below are the project's own library; the module
# path is assumed here, since the page shows only the handler itself.
from guardrails import audit, auth, flags, require_reviewer_approval, require_role

app = FastAPI()


class ToggleIn(BaseModel):
    # Request body; the fields are the ones the handler reads below.
    environment: str
    value: bool  # assumed boolean flag value
    reviewer_id: str | None = None


@app.post("/flags/{key}/toggle")
@require_role("flag_admin")  # CC6.1: role-gated, deny by default
def toggle(
    key: str,
    body: ToggleIn,
    actor=Depends(auth),
):
    if body.environment == "prod":
        # CC8.1: prod-scoped changes need a reviewer approval
        require_reviewer_approval(
            change=f"flag.{key}",
            reviewer=body.reviewer_id,
        )
    flags.set(key, body.value, env=body.environment)
    # CC7.1: emit the change event to the audit pipeline
    audit.log(
        "flag.toggled",
        actor=actor.id,
        key=key,
        env=body.environment,
        value=body.value,
    )
    return {"key": key, "env": body.environment, "value": body.value}

✓ Role-gated, reviewer-approved, audit-logged. CC6.1, CC7.1, CC8.1 covered without a manual policy step.
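The three controls behind that demo, written out as plain Python so they can be run and tested without a web framework. This is an added example, not VibeReview's guardrail library or the code it generates: the role store, the role names and the event shape are constructed for the illustration. It shows the two points the demo leaves implicit: the role check denies by default (an actor with no entry holds no roles), and a denied attempt is itself written to the audit log, so the log carries evidence of enforcement, not only of successful changes.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any

# Constructed identity store for the example: user id -> roles held.
# Role names are assumptions, not VibeReview's.
ROLES: dict[str, set[str]] = {
    "alice": {"flag_admin"},
    "bob": {"flag_admin", "flag_reviewer"},
    "carol": set(),
}

CRITERIA = ("CC6.1", "CC7.1", "CC8.1")


class GuardrailDenied(Exception):
    """A control blocked the change. The denial is still written to the audit log."""


@dataclass
class AuditEvent:
    action: str
    actor: str
    outcome: str  # "allow" or "deny"
    criteria: tuple[str, ...]
    detail: dict[str, Any] = field(default_factory=dict)
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


class FlagService:
    """Feature-flag toggles with the three controls applied in code."""

    def __init__(self) -> None:
        self.flags: dict[tuple[str, str], Any] = {}
        self.audit: list[AuditEvent] = []

    def _record(self, action: str, actor: str, outcome: str, **detail: Any) -> AuditEvent:
        event = AuditEvent(action, actor, outcome, CRITERIA, detail)
        self.audit.append(event)
        return event

    @staticmethod
    def _require_role(actor: str, role: str) -> None:
        # CC6.1: deny by default; an unknown actor holds no roles at all.
        if role not in ROLES.get(actor, set()):
            raise GuardrailDenied(f"{actor} lacks role {role}")

    @staticmethod
    def _require_reviewer_approval(actor: str, reviewer: str | None) -> None:
        # CC8.1: a prod change needs a second person who holds the reviewer role.
        if reviewer is None or reviewer == actor:
            raise GuardrailDenied("prod change needs an independent reviewer")
        if "flag_reviewer" not in ROLES.get(reviewer, set()):
            raise GuardrailDenied(f"{reviewer} is not a reviewer")

    def toggle(self, actor: str, key: str, value: Any, environment: str,
               reviewer_id: str | None = None) -> AuditEvent:
        try:
            self._require_role(actor, "flag_admin")
            if environment == "prod":
                self._require_reviewer_approval(actor, reviewer_id)
        except GuardrailDenied as exc:
            # CC7.1/CC7.2: a denied attempt is a security event and is recorded too.
            self._record("flag.toggle.denied", actor, "deny",
                         key=key, env=environment, reason=str(exc))
            raise
        self.flags[(environment, key)] = value
        # CC7.1: the successful change goes to the audit pipeline with its criteria.
        return self._record("flag.toggled", actor, "allow",
                            key=key, env=environment, value=value, reviewer=reviewer_id)


if __name__ == "__main__":
    svc = FlagService()
    print(svc.toggle("alice", "new_checkout", True, "prod", reviewer_id="bob"))
    try:
        svc.toggle("carol", "new_checkout", True, "staging")
    except GuardrailDenied as exc:
        print("denied:", exc, "| audited as", svc.audit[-1].action)
```

The reviewer check insists on a different person than the actor; without that, a flag admin could "approve" their own prod change and the CC8.1 evidence would be hollow.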

MODEL

Threat model → TSC scope.

The model names the in-scope services and data. Each finding ties to a Trust Service Criterion.

ENFORCE

Guardrails → CC6, CC7, CC8 controls.

CC6 logical access. CC7 system operations. CC8 change management. Each guardrail names the criterion it enforces.

EVIDENCE

PR review → per-criterion evidence.

Every diff that touches an in-scope path is checked against the criteria. The audit log records the criterion and the outcome for each check across the Type II observation window.

REPORT

Mapping report → auditor-ready.

Per-TSC coverage. Evidence-pack export. Hand it to your auditor on day one of fieldwork.
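The four steps above (scope, enforce, evidence, report) end to end on a constructed pull request, as an added example rather than VibeReview's own review engine. The in-scope path prefix, the three file-level checks standing in for CC6.1, CC7.1 and CC8.1, and the sample diff are all assumptions made for the illustration; the point is the shape of the output, one evidence record per criterion per in-scope file, rolled up into per-criterion pass/fail counts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator

# Paths the threat model puts in SOC 2 scope (assumption for this example).
IN_SCOPE_PREFIXES = ("app/api/",)

ROUTE_DECORATOR = re.compile(r"^@app\.(get|post|put|patch|delete)\(")


@dataclass
class Evidence:
    path: str
    criterion: str
    outcome: str  # "pass" or "fail"
    detail: str


def route_handlers(source: str) -> Iterator[tuple[str, list[str]]]:
    """Yield (function name, decorator lines) for each route handler.
    Line-based on purpose; decorators spanning several lines are not handled."""
    decorators: list[str] = []
    for raw in source.splitlines():
        line = raw.strip()
        if line.startswith("@"):
            decorators.append(line)
        elif line.startswith(("def ", "async def ")):
            if any(ROUTE_DECORATOR.match(d) for d in decorators):
                name = line.split("(", 1)[0].split()[-1]
                yield name, decorators
            decorators = []
        else:
            decorators = []


def evaluate_file(path: str, source: str, author: str, approvals: list[str]) -> list[Evidence]:
    records: list[Evidence] = []
    # CC6.1: every route handler in the file must be role-gated.
    for name, decorators in route_handlers(source):
        gated = any(d.startswith("@require_role(") for d in decorators)
        records.append(Evidence(path, "CC6.1", "pass" if gated else "fail",
                                f"handler {name} {'has' if gated else 'lacks'} @require_role"))
    # CC7.1: the module must emit to the audit pipeline.
    logs = "audit.log(" in source
    records.append(Evidence(path, "CC7.1", "pass" if logs else "fail",
                            "audit.log call present" if logs else "no audit.log call"))
    # CC8.1: an in-scope change needs approval from someone other than its author.
    independent = [a for a in approvals if a != author]
    records.append(Evidence(path, "CC8.1", "pass" if independent else "fail",
                            f"approved by {independent}" if independent else "no independent approval"))
    return records


def review_diff(changed: dict[str, str], author: str, approvals: list[str]) -> list[Evidence]:
    """Run the criteria over every changed file whose path is in scope."""
    records: list[Evidence] = []
    for path, source in changed.items():
        if path.startswith(IN_SCOPE_PREFIXES):
            records.extend(evaluate_file(path, source, author, approvals))
    return records


def coverage(records: list[Evidence]) -> dict[str, dict[str, int]]:
    """Per-criterion pass/fail counts, the summary a mapping report leads with."""
    summary: dict[str, dict[str, int]] = {}
    for r in records:
        summary.setdefault(r.criterion, {"pass": 0, "fail": 0})[r.outcome] += 1
    return summary


# Constructed PR: one compliant handler, one missing two controls, one out-of-scope file.
SAMPLE_PR = {
    "author": "alice",
    "approvals": ["bob"],
    "changed": {
        "app/api/flags/toggle.py": (
            "@app.post('/flags/{key}/toggle')\n"
            "@require_role('flag_admin')\n"
            "def toggle(key, body):\n"
            "    flags.set(key, body.value)\n"
            "    audit.log('flag.toggled', key=key)\n"
        ),
        "app/api/users/export.py": (
            "@app.get('/users/export')\n"
            "def export_users():\n"
            "    return users.dump()\n"
        ),
        "README.md": "# notes\n",
    },
}


def run_sample() -> tuple[list[Evidence], dict[str, dict[str, int]]]:
    records = review_diff(SAMPLE_PR["changed"], SAMPLE_PR["author"], SAMPLE_PR["approvals"])
    return records, coverage(records)


if __name__ == "__main__":
    for rec in run_sample()[0]:
        print(f"{rec.outcome:4} {rec.criterion} {rec.path}: {rec.detail}")
    print(run_sample()[1])
```

Each Evidence row is what an auditor can sample during fieldwork: which file, which criterion, what was checked and how it came out. Keeping a fail row rather than dropping it matters, since a Type II examination looks at operation over the window, and a control that fired and blocked a change is evidence that it operates.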

WHAT'S COVERED

Trust Service Criteria and the VibeReview controls behind them.

Focus is the Security TSC, with additional support for Availability, Confidentiality, and Processing Integrity.

  • CC6.1 Logical access controls: Guardrails enforce authentication, authorization, and tenant isolation patterns per service.
  • CC6.6 Boundary protection: Guardrails on input validation, output encoding, SSRF protection, and egress policy.
  • CC6.7 Restriction of unauthorized changes: Policy-as-code guardrails. Every rule change is a Git PR with approvals.
  • CC7.1 Monitoring controls: Audit log of guardrail enforcement, exportable to your SIEM.
  • CC7.2 Detection of security events: PR review flags guardrail violations on every diff. Findings logged as security events.
  • CC8.1 Change management: Threat model refreshes on every commit. Guardrail changes go through Git PRs. Evidence per change.
  • A1.2 Availability — change management: Guardrails on resilience patterns, circuit breakers, retry logic, and graceful degradation.
  • C1.1 Confidentiality — protection of confidential information: Guardrails on encryption-at-rest, encryption-in-transit, and sensitive-data classification.
  • PI1.1 Processing integrity — input validation: Guardrails on schema validation, range checks, and contract testing on every input boundary.

Get the SOC 2 mapping report for your repo.

We walk you through per-criterion coverage and the evidence-pack export. Bring your auditor.