It treats compliance as policy-as-data: you declare what to check and what compliant state looks like, and the system continuously evaluates live cluster state instead of running point-in-time scans.
Key ideas:
• Agent-based runtime state collection in Kubernetes
• Deterministic policy evaluation (no SCAP XML)
• Results emitted as time-bound attestations, not snapshots
• Framework-agnostic (STIG, NIST, SSDF, etc.)
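To make the policy-as-data, deterministic-evaluation and time-bound-attestation ideas concrete, here is an added example in Go. It is not code from the project or its author: the Policy/Observation/Attestation schema, the flattened dotted-path field layout, the 15-minute validity window and the sample pod data are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Policy is a check expressed as data: which field to look at and what a
// compliant value is. The schema is an assumption for this example.
type Policy struct {
	ID        string // stable identifier, used for deterministic ordering
	Framework string // framework label only; evaluation does not depend on it
	Path      string // flattened dotted path into the observed resource
	Expected  string // value a compliant resource must have at Path
}

// Observation is what an agent reports for one resource: a flattened view of
// its live state plus the time it was collected.
type Observation struct {
	Resource   string
	ObservedAt time.Time
	Fields     map[string]string // dotted path -> value (assumed flattening)
}

// Attestation is one evaluation result bound to a validity window; outside
// that window it is evidence about the past, not about current state.
type Attestation struct {
	PolicyID   string
	Resource   string
	Compliant  bool
	Observed   string
	ValidFrom  time.Time
	ValidUntil time.Time
}

// Evaluate applies one policy to one observation. A missing field is treated
// as non-compliant rather than "unknown", so a gap in collection cannot pass.
func Evaluate(p Policy, o Observation, ttl time.Duration) Attestation {
	got, present := o.Fields[p.Path]
	if !present {
		got = "<absent>"
	}
	return Attestation{
		PolicyID:   p.ID,
		Resource:   o.Resource,
		Compliant:  present && got == p.Expected,
		Observed:   got,
		ValidFrom:  o.ObservedAt,
		ValidUntil: o.ObservedAt.Add(ttl),
	}
}

// IsCurrent reports whether the attestation still covers the instant now.
func (a Attestation) IsCurrent(now time.Time) bool {
	return !now.Before(a.ValidFrom) && now.Before(a.ValidUntil)
}

// EvaluateAll is deterministic: inputs are sorted by policy ID and resource
// first, so the same inputs in any order always yield the same ordered output.
func EvaluateAll(policies []Policy, obs []Observation, ttl time.Duration) []Attestation {
	ps := append([]Policy(nil), policies...)
	obsCopy := append([]Observation(nil), obs...)
	sort.Slice(ps, func(i, j int) bool { return ps[i].ID < ps[j].ID })
	sort.Slice(obsCopy, func(i, j int) bool { return obsCopy[i].Resource < obsCopy[j].Resource })
	var out []Attestation
	for _, p := range ps {
		for _, o := range obsCopy {
			out = append(out, Evaluate(p, o, ttl))
		}
	}
	return out
}

// SamplePolicies is constructed sample data, deliberately not in sorted order.
func SamplePolicies() []Policy {
	return []Policy{
		{ID: "pod-no-sa-token", Framework: "NIST", Path: "spec.automountServiceAccountToken", Expected: "false"},
		{ID: "pod-no-privileged", Framework: "STIG", Path: "spec.containers[0].securityContext.privileged", Expected: "false"},
	}
}

// SampleObservations is constructed sample data: one privileged pod, and one
// pod whose automount field was not reported at all.
func SampleObservations() []Observation {
	at := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	return []Observation{
		{Resource: "default/pod/web-1a2", ObservedAt: at, Fields: map[string]string{
			"spec.containers[0].securityContext.privileged": "false",
		}},
		{Resource: "default/pod/api-7c9", ObservedAt: at, Fields: map[string]string{
			"spec.containers[0].securityContext.privileged": "true",
			"spec.automountServiceAccountToken":              "false",
		}},
	}
}

func main() {
	now := time.Date(2024, 1, 1, 12, 10, 0, 0, time.UTC)
	for _, a := range EvaluateAll(SamplePolicies(), SampleObservations(), 15*time.Minute) {
		fmt.Printf("%-18s %-20s compliant=%-5v observed=%-9s current=%v\n",
			a.PolicyID, a.Resource, a.Compliant, a.Observed, a.IsCurrent(now))
	}
}
```

The two properties worth noting are that the attestation carries its own validity window (a consumer asks IsCurrent rather than trusting an old result), and that a field the agent failed to report is non-compliant by construction, so an incomplete collection cannot masquerade as a clean one.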
The repo is ready to build and test:
• Dockerfiles and Helm charts included
• Starter policy library with basic coverage
• End-to-end reference architecture (agent → evaluator → result sink)
This is aimed at people doing platform security, DevSecOps, or compliance in regulated environments where snapshot evidence doesn’t hold up.