Automatic evidence works by using Events which are processed by Automations to create Evidence.


Events are a record of what happened. They can be ingested by either connecting an available integration or by posting your own events to our Events API. The following example describes what you can expect by connecting your Github or Gitlab instances with Comply:

  • Event type (e.g. "Pull Request Merged", "Vulnerability Scan", "Background Check Complete").

  • Tags that describe the event (e.g. "CI Passed" or "CI Failed", "High Severity" or "Low Severity", "Passed" or "Criminal History")

  • Assets related to the event (e.g. the code repository, application server, or employee)

  • Payload containing metadata about the event


Automations specify an event type and tags. When new events are added to the system, all automations for that event type are run and if the event has all of the tags it will create a piece of evidence. The automation also defines the status and mapped controls of the evidence as well as what ticket (if any) to create. Let's look at an example.

Let's say I receive an Event with the type "Vulnerability Scan" with one tag "High Severity" and 3 automations for this event type:

  • "Vulnerability Scan Ran", which has no tags so I always have a record of my vulnerability scans.
  • "Low Severity Vulnerability Detected" which looks for the tag "Low Severity". This automation is processed against the example event without creating a piece of evidence because the event does not have a matching tag.
  • "High Severity Vulnerability Detected" which looks for the tag "High Severity". When the example is processed by this automation, the matching tag triggers a piece of evidence be created with a status of needs attention.

So from this event, I now have 2 pieces of evidence: that my vulnerability scan ran and that a high severity vulnerability ran. By separating "what happened" (Events) from "my interpretation of what happened", you have a flexible system that allows you to automate and manage your compliance program with less manual evidence gathering required.