[Feature] Compliance evidence collection and control evaluation command for SailPoint CLI #224

@ethanolivertroy

Description

Is your feature request related to a problem? Please describe.

SailPoint customers are required to produce evidence for compliance frameworks (e.g., NIST 800-53, ISO 27001, SOC 2). Today, this evidence is frequently collected manually via screenshots, ad-hoc API queries, or spreadsheet exports, which is slow, inconsistent, and not machine-readable. While the SailPoint CLI offers primitives like search, api, spconfig export, and report, it does not provide a unified way to collect and evaluate all governance and configuration data necessary for repeatable compliance evidence.

Describe the solution you'd like.

Introduce a new top-level command: sail compliance. This would offer:

  • sail compliance collect: Gathers compliance-relevant tenant data (such as AUTH_ORG config, password policies, SOD policies, certifications/access reviews, identity/role/source summaries, lifecycle states, and workflows) into a structured evidence JSON file.
  • sail compliance evaluate: Applies a set of control definitions (starting with NIST 800-53, but extensible) to the evidence, producing pass/fail findings mapped to controls, with links to the supporting data. Users can select different control packs for other frameworks if desired.
  • Output formats: JSON for programmatic downstream use, with optional Markdown/HTML for audit evidence.
  • Supports both point-in-time and scheduled collection (for CI/CD).

Describe alternatives you've considered.

  • Building a standalone SailPoint compliance adapter tool (external project)
  • Cherry-picking from report or search commands (not unified or scalable)
  • Keeping manual evidence processes (error-prone, non-repeatable)

Additional context

  • Technically, this would be implemented as a new directory: cmd/compliance/
  • Follows established CLI architectural patterns (like cmd/report/)
  • Schema and control packs would be community-extensible
  • This feature would greatly reduce manual effort and speed up responses to auditors and customer requests
  • An initial implementation is being developed in a fork and can be contributed as a PR

Thanks for considering!
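An added worked example of the collect/evaluate split proposed above, written here for illustration and not taken from the SailPoint CLI or the issue author's fork. It is in Go, the CLI's language, and shows the evaluate half: a control pack of machine-checkable assertions is applied to a collected evidence document, and each finding carries the evidence path and observed value so the verdict is traceable. The evidence document and control pack are constructed; the evidence field names, the dotted-path/operator scheme, and the mapping of NIST 800-53 control IDs to paths are this example's assumptions, not SailPoint's tenant schema or an official control mapping.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed evidence standing in for collect output; field names are this example's assumptions, not SailPoint's schema.
const evidenceJSON = `{"authOrg": {"mfaRequired": true, "sessionTimeoutMinutes": 15},
  "passwordPolicy": {"minLength": 8, "maxAgeDays": 90}, "sodPolicies": [{"name": "Payables vs Vendor Master"}]}`

// Constructed control pack: one machine-checkable assertion per control (dotted path, operator, expected value).
const controlPackJSON = `[
  {"id":"IA-2(1)","path":"authOrg.mfaRequired","op":"eq","expect":true},
  {"id":"IA-5(1)","path":"passwordPolicy.minLength","op":"gte","expect":12},
  {"id":"AC-5","path":"sodPolicies","op":"nonempty"},
  {"id":"AC-6(7)","path":"certifications","op":"nonempty"}
]`

type Control struct{ ID, Path, Op string; Expect any }

// Finding links a verdict back to the evidence it was derived from.
type Finding struct {
	ControlID string `json:"control_id"`
	Status    string `json:"status"` // pass, fail, or error (evidence missing or unusable)
	Path      string `json:"evidence_path"`
	Observed  any    `json:"observed"`
	Expected  any    `json:"expected,omitempty"`
}

// lookup walks a dotted path through nested JSON objects.
func lookup(doc map[string]any, path string) (any, bool) {
	var cur any = doc
	for _, part := range strings.Split(path, ".") {
		m, isObj := cur.(map[string]any)
		v, present := m[part] // indexing a nil map is safe and reports the key absent
		if !isObj || !present {
			return nil, false
		}
		cur = v
	}
	return cur, true
}

// check applies one operator; JSON numbers decode as float64.
func check(op string, observed, expect any) (bool, error) {
	switch op {
	case "eq":
		return fmt.Sprint(observed) == fmt.Sprint(expect), nil
	case "gte":
		o, ok1 := observed.(float64)
		e, ok2 := expect.(float64)
		if !ok1 || !ok2 {
			return false, fmt.Errorf("gte needs numeric operands")
		}
		return o >= e, nil
	case "nonempty":
		if list, ok := observed.([]any); ok {
			return len(list) > 0, nil
		}
		return false, fmt.Errorf("nonempty needs a list")
	}
	return false, fmt.Errorf("unknown op %q", op)
}

// Evaluate runs every control in the pack against the evidence.
func Evaluate(evidence map[string]any, pack []Control) []Finding {
	var out []Finding
	for _, c := range pack {
		observed, found := lookup(evidence, c.Path)
		ok, err := check(c.Op, observed, c.Expect)
		status := "error" // missing or unusable evidence is never a silent pass
		if found && err == nil {
			status = map[bool]string{true: "pass", false: "fail"}[ok]
		}
		out = append(out, Finding{c.ID, status, c.Path, observed, c.Expect})
	}
	return out
}

// Run decodes the constructed inputs and evaluates them.
func Run() ([]Finding, error) {
	var evidence map[string]any
	var pack []Control
	if err := json.Unmarshal([]byte(evidenceJSON), &evidence); err != nil {
		return nil, err
	}
	err := json.Unmarshal([]byte(controlPackJSON), &pack)
	return Evaluate(evidence, pack), err
}

func main() {
	findings, err := Run()
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(findings, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints four findings as JSON: the MFA and SoD controls pass, the minimum password length fails (observed 8 against an expected 12), and the certifications control comes back as an error because the constructed evidence has no such key. That third status is the design point worth keeping in any real control pack: evidence that was never collected, or that has the wrong shape for the operator, must surface as an error rather than quietly counting as a pass or a fail, otherwise a collection bug looks like a clean audit.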
