Compliance Reports
AI-generated compliance narratives mapped to framework requirements. Each report explains what was tested, what passed, what failed, and how to remediate — in language auditors understand.
What's in a report?
- Executive summary with overall compliance score
- Framework-specific findings mapped to requirement IDs (e.g., API1:2023, PCI-DSS 6.5)
- AI-generated narrative explaining each finding in context
- Remediation guidance with code examples where applicable
- Evidence timestamps and scan metadata (scan ID, date, NAT version)
Report formats
| Format | Use case |
|---|---|
| PDF | Auditor submission, formal documentation |
| HTML | Web-based sharing, permalink distribution |
| Markdown | Developer-friendly, version-controllable |
Generate a report
CLI:
nat ai compliance-report --framework owasp --scan-id scan_001 --output report.pdf
API:
POST /api/v1/ai/compliance-report
Content-Type: application/json
{
"framework": "owasp",
"scan_id": "scan_001",
"format": "pdf"
}
Dashboard: Open any completed scan → click "Generate Report" in the Compliance tile → select framework and format.
Example report excerpt
## OWASP API Security Top 10 — Compliance Report
**Scan:** scan_001 | **Generated:** 2024-01-15 | **Status:** ⚠️ Partial
### API1:2023 — Broken Object Level Authorization
**Status:** ❌ FAIL
NAT identified 1 critical BOLA vulnerability on GET /api/v1/users/{id}.
Authenticated users can retrieve records belonging to other users by
substituting sequential numeric user IDs in the path parameter.
**Evidence:** finding_003 — Scan scan_001 — 2024-01-15T10:22:00Z
**Remediation:** Enforce object-level authorization on every data-fetching
endpoint. Verify that the authenticated user owns or is authorized to access
the requested resource before returning data.
This control cannot be marked compliant until finding_003 is resolved
and a clean scan is verified.
---
### API2:2023 — Broken Authentication
**Status:** ✅ PASS
All 12 authentication-related checks passed. Token expiry, refresh token
rotation, and brute-force protection are functioning correctly.
**Evidence:** scan_001 — checks auth_001 through auth_012 — all passed.
Sharing with auditors
| Method | How |
|---|---|
| PDF export | nat ai compliance-report --format pdf --output report.pdf |
| Permalink URL | Available in Dashboard → Compliance → Reports → Share |
| Email delivery | Configure in Dashboard → Settings → Compliance → Auto-email |
For full CLI reference, see AI Assistant → Compliance Reports.
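Beyond handing the report to an auditor, a common use is to gate a CI pipeline on it. The following is an added example, not NAT's own code: it parses a Markdown report in the layout shown in the excerpt above (a `### <requirement ID> — <title>` heading per requirement, followed by a `**Status:**` line and an `**Evidence:**` line citing `finding_NNN` IDs), computes a pass percentage, and lists the requirements that should block a release. The sample report embedded in the block is constructed from the excerpt; any layout detail beyond what the page shows, and the function names, are assumptions.

```python
"""Gate a CI job on a NAT Markdown compliance report.

Added example; not part of NAT or its documentation. The parser keys off
the layout visible in the page's excerpt: '### <req_id> — <title>' headings,
a '**Status:** <icon> PASS|FAIL' line and an '**Evidence:**' line. Any
section layout beyond that is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample modelled on the page's excerpt (not a real NAT report).
SAMPLE_REPORT = """## OWASP API Security Top 10 — Compliance Report
**Scan:** scan_001 | **Generated:** 2024-01-15 | **Status:** ⚠️ Partial
### API1:2023 — Broken Object Level Authorization
**Status:** ❌ FAIL
NAT identified 1 critical BOLA vulnerability on GET /api/v1/users/{id}.
**Evidence:** finding_003 — Scan scan_001 — 2024-01-15T10:22:00Z
**Remediation:** Enforce object-level authorization on every data-fetching endpoint.
---
### API2:2023 — Broken Authentication
**Status:** ✅ PASS
All 12 authentication-related checks passed.
**Evidence:** scan_001 — checks auth_001 through auth_012 — all passed.
"""

REQ_HEADING = re.compile(r"^### (?P<req_id>\S+) — (?P<title>.+)$")
STATUS_WORD = re.compile(r"\b(PASS|FAIL)\b\s*$")  # icon before the word is ignored
FINDING_ID = re.compile(r"\bfinding_\d+\b")


@dataclass
class Requirement:
    req_id: str
    title: str
    status: str = "UNKNOWN"          # stays UNKNOWN if no Status line is found
    findings: list[str] = field(default_factory=list)


def parse_report(markdown: str) -> list[Requirement]:
    """Split the report into per-requirement records.

    Lines before the first '###' heading (the report header, which carries
    its own '**Status:** Partial' line) are deliberately skipped.
    """
    reqs: list[Requirement] = []
    current: Requirement | None = None
    for line in markdown.splitlines():
        m = REQ_HEADING.match(line)
        if m:
            current = Requirement(m["req_id"], m["title"].strip())
            reqs.append(current)
            continue
        if current is None:
            continue
        if line.startswith("**Status:**"):
            s = STATUS_WORD.search(line)
            current.status = s.group(1) if s else "UNKNOWN"
        elif line.startswith("**Evidence:**"):
            current.findings.extend(FINDING_ID.findall(line))
    return reqs


def compliance_score(reqs: list[Requirement]) -> float:
    """Percentage of assessed requirements that passed (UNKNOWN is not assessed)."""
    assessed = [r for r in reqs if r.status in ("PASS", "FAIL")]
    if not assessed:
        return 0.0
    return round(100.0 * sum(r.status == "PASS" for r in assessed) / len(assessed), 1)


def blocking_requirements(reqs: list[Requirement]) -> list[Requirement]:
    """Requirements that must block a release.

    A FAIL blocks until its cited findings are resolved and a clean scan is
    verified; a requirement whose status could not be parsed blocks too,
    because an unreadable control is not evidence of compliance.
    """
    return [r for r in reqs if r.status != "PASS"]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(f"score: {compliance_score(parsed)}%")
    for r in blocking_requirements(parsed):
        print(f"BLOCK {r.req_id} ({r.status}): findings {r.findings or 'none cited'}")
    raise SystemExit(1 if blocking_requirements(parsed) else 0)
```

Run it against a report produced with `--format markdown` (via a file read in place of `SAMPLE_REPORT`) and the non-zero exit code fails the job whenever any requirement is not PASS; the printed finding IDs are the ones to track to closure before re-scanning.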
Plan availability
| Plan | Compliance reports |
|---|---|
| Free | Report preview in dashboard only — no export |
| Pro | 5 reports / month |
| Team | Unlimited |
| Enterprise | Unlimited + custom branding |