This chapter covers the core features and capabilities of Compliance Automation Suite.
The Compliance Automation Suite provides production-ready tooling for organizations operating
on Databricks and Azure that must satisfy GDPR, SOC 2 Type II, ISO 27001, and the EU NIS2
Directive. Instead of manually assembling evidence and cross-referencing spreadsheets before
every audit cycle, this suite automates the heavy lifting: continuous control verification,
evidence collection, gap analysis, and audit-readiness reporting.
New in v2.0: The suite now includes a comprehensive operational audit module with 9
automated audit scripts covering catalog inventory, job analysis, secret management, compute
costs, storage security, token hygiene, query history, data lineage, and table permissions.
These operational audits use Python standard library only (no pip dependencies) and
produce HTML and JSON reports with findings mapped to compliance frameworks (GDPR, SOC 2,
ISO 27001, NIS2).
Every script is designed as a Databricks notebook or standalone Python module so it slots
directly into existing lakehouse architectures. The control mappings translate regulatory
language into concrete technical controls you can verify programmatically.
mappings/)| File | Description |
|---|---|
gdpr_databricks_controls.md | GDPR articles mapped to Databricks technical controls |
soc2_azure_controls.md | SOC 2 Trust Service Criteria mapped to Azure services |
iso27001_controls.md | ISO 27001:2022 Annex A controls in spreadsheet format |
nis2_checklist.md | NIS2 Directive (EU 2022/2555) compliance checklist |
scripts/)| File | Description |
|---|---|
access_control_audit.py | Audit workspace ACLs, group memberships, token lifetimes |
encryption_verification.py | Verify encryption at rest, in transit, and key management |
data_retention_check.py | Check data lifecycle against retention policies |
audit_log_validation.py | Validate audit log completeness and integrity |
network_security_check.py | Assess network security posture and segmentation |
audits/) — NEW in v2.0A self-contained Python package with 9 automated audit scripts, a shared API client,
configuration module, and utility library. Zero pip dependencies — uses only Python
standard library (http.client, ssl, json, csv, logging, etc.).
| File | Description |
|---|---|
__init__.py | Package init with ALL_AUDITS registry and AUDIT_REGISTRY dict |
config.py | Configuration via environment variables, API endpoints, thresholds |
utils.py | DatabricksApiClient (stdlib), BaseAudit ABC, Finding dataclass |
catalog_inventory.py | Unity Catalog schemas, tables, volumes, data classification gaps |
job_inventory.py | Job configurations, schedules, failure rates, permission issues |
secret_inventory.py | Secret scopes, ACLs, secret age and rotation compliance |
compute_analysis.py | Cluster sizing, cost analysis, idle clusters, autoscaling gaps |
external_storage.py | External locations, storage credentials, access patterns |
token_inventory.py | PAT tokens, age, expiration status, overprivileged tokens |
query_history.py | SQL query patterns, expensive queries, warehouse utilization |
data_lineage.py | Table-level lineage, cross-catalog dependencies, orphaned tables |
table_permissions.py | Table/view grants, overprivileged principals, public access |
Each audit produces structured Finding objects with:
reports/)| File | Description |
|---|---|
__init__.py | Package init exposing HtmlReportGenerator, JsonReportGenerator |
html_report.py | Professional HTML report generator (stdlib string.Template) |
json_report.py | Machine-readable JSON report for programmatic consumption |
templates/audit_report.html | HTML template with severity charts, findings tables, recommendations |
gdpr/)| File | Description |
|---|---|
dsr_handler.py | Data Subject Request handler (access, portability, erasure) |
consent_tracking.py | Consent lifecycle tracking integration pattern |
dpia_template.md | Data Protection Impact Assessment template |
ropa_generator.py | Records of Processing Activities generator |
templates/)| File | Description |
|---|---|
soc2_evidence_binder.md | SOC 2 evidence binder organized by TSC |
audit_preparation.md | 30-day countdown audit preparation guide |
scheduling_guide.md | Guide to scheduling automated audits (cron, ADF, Workflows, GitHub Actions) |
dashboards/)| File | Description |
|---|---|
compliance_dashboard.sql | Real-time compliance posture SQL dashboard |
| File | Description |
|---|---|
run_audit.sh | Shell script to run all 9 operational audits with HTML/JSON reporting |
scripts/, gdpr/, dashboards/)databricks-sdk >= 0.20.0azure-identity >= 1.15.0azure-mgmt-resource >= 23.0.0pyspark (available by default in Databricks Runtime)cryptography >= 41.0.0requests >= 2.31.0audits/, reports/, run_audit.sh)DATABRICKS_HOST, DATABRICKS_TOKENFollow this guide to get Compliance Automation Suite up and running in your environment.
The fastest way to get started is with the orchestrator script:
# Set required environment variables
export DATABRICKS_HOST='https://your-workspace.cloud.databricks.com'
export DATABRICKS_TOKEN='dapi_YOUR_TOKEN_HERE'
export AUDIT_COMPANY_NAME='Acme Corp'
# Run all 9 operational audits with both HTML and JSON output
chmod +x run_audit.sh
./run_audit.sh --all --format bothTo run a specific audit:
# Run only the token inventory audit
./run_audit.sh --audit token_inventory --format json
# Run only compute analysis
./run_audit.sh --audit compute_analysis --format html#### Available audit IDs for --audit:
| ID | Description |
|---|---|
catalog_inventory | Unity Catalog inventory and classification |
job_inventory | Job configurations and health analysis |
secret_inventory | Secret scopes and rotation compliance |
compute_analysis | Cluster sizing and cost optimization |
external_storage | External locations and storage credentials |
token_inventory | PAT token hygiene and expiration |
query_history | SQL query patterns and warehouse costs |
data_lineage | Table lineage and dependency analysis |
table_permissions | Table grants and access control review |
#### Running from Python directly:
import os
import sys
# Ensure the suite root is on the path
sys.path.insert(0, "/path/to/compliance-automation-suite")
from audits.utils import DatabricksApiClient
from audits import ALL_AUDITS, AUDIT_REGISTRY
# Initialize the API client (reads DATABRICKS_HOST and DATABRICKS_TOKEN from env)
client = DatabricksApiClient()
# Run all audits
for audit_cls in ALL_AUDITS:
audit = audit_cls(client=client)
result = audit.execute()
print(f"{audit.audit_name}: {len(result.get('findings', []))} findings")
# Or run a specific audit
TokenInventory = AUDIT_REGISTRY["token_inventory"]
audit = TokenInventory(client=client)
result = audit.execute()#### Generating reports programmatically:
from reports.html_report import HtmlReportGenerator
from reports.json_report import JsonReportGenerator
# After running audits, generate reports
html_gen = HtmlReportGenerator(output_dir="./output")
html_gen.generate(audit_results=results, company_name="Acme Corp")
json_gen = JsonReportGenerator(output_dir="./output")
json_gen.generate(audit_results=results, company_name="Acme Corp")# In a Databricks notebook
%run ./scripts/access_control_audit
auditor = AccessControlAuditor(workspace_url="https://adb-xxxx.azuredatabricks.net")
report = auditor.run_full_audit()
report.to_delta("compliance.access_control_audit_results")Schedule each audit script as a Databricks Workflow job on a cadence that matches your
compliance requirements:
Compliance scripts:
access_control_audit.py, audit_log_validation.pyencryption_verification.py, network_security_check.pydata_retention_check.pyOperational audits:
token_inventory, compute_analysiscatalog_inventory, job_inventory, secret_inventory, external_storage, query_history, table_permissionsdata_lineageSee templates/scheduling_guide.md for detailed cron, ADF, Databricks Workflows, and
GitHub Actions scheduling examples.
Execute dashboards/compliance_dashboard.sql in Databricks SQL to create a real-time
compliance posture dashboard that aggregates findings from all audit scripts.
from gdpr.dsr_handler import DSRHandler
handler = DSRHandler(catalog="main", schemas=["production", "analytics"])
results = handler.handle_access_request(subject_id="user@example.com")
handler.export_portable_copy(results, format="json")┌─────────────────────────────────────────────────────────────────────────┐
│ COMPLIANCE AUTOMATION SUITE v2.0 │
├──────────────────────────┬──────────────────────────────────────────────┤
│ Compliance Layer │ Operational Audit Layer (NEW) │
│ │ │
│ scripts/ │ audits/ │
│ ├─ access_control │ ├─ catalog_inventory │
│ ├─ encryption │ ├─ job_inventory │
│ ├─ data_retention │ ├─ secret_inventory │
│ ├─ audit_log │ ├─ compute_analysis │
│ └─ network_security │ ├─ external_storage │
│ │ ├─ token_inventory │
│ gdpr/ │ ├─ query_history │
│ ├─ dsr_handler │ ├─ data_lineage │
│ ├─ consent_tracking │ └─ table_permissions │
│ ├─ dpia_template │ │
│ └─ ropa_generator │ reports/ │
│ │ ├─ html_report.py │
│ mappings/ │ ├─ json_report.py │
│ ├─ gdpr_controls │ └─ templates/audit_report.html │
│ ├─ soc2_controls │ │
│ ├─ iso27001_controls │ run_audit.sh (orchestrator) │
│ └─ nis2_checklist │ │
├──────────────────────────┴──────────────────────────────────────────────┤
│ Shared Infrastructure │
│ ├─ Control Mappings → Framework references on every finding │
│ ├─ Delta Lake Tables → Persistent findings store │
│ ├─ SQL Dashboard → Real-time compliance posture │
│ └─ Evidence Binder → Audit-ready documentation │
└─────────────────────────────────────────────────────────────────────────┘
1. Operational audits discover your actual infrastructure state (what exists, how it's
configured, what's at risk)
2. Compliance scripts verify that infrastructure meets regulatory requirements (is
encryption enabled? are logs retained long enough?)
3. Control mappings tie both layers back to specific regulatory articles and controls
4. Reports present findings with compliance framework references for auditor consumption
5. Dashboard provides a real-time compliance posture view
The operational audit module is configured via environment variables. All settings have
sensible defaults. See audits/config.py for the complete reference.
| Variable | Default | Description |
|---|---|---|
DATABRICKS_HOST | *(required)* | Workspace URL (e.g., https://adb-xxxx.azuredatabricks.net) |
DATABRICKS_TOKEN | *(required)* | API token (PAT or service principal) |
AUDIT_OUTPUT_DIR | ./output | Directory for report output |
AUDIT_LOG_LEVEL | INFO | Logging level (DEBUG, INFO, WARNING, ERROR) |
AUDIT_COMPANY_NAME | Organization | Company name for reports |
AUDIT_TOKEN_MAX_AGE_DAYS | 90 | Maximum acceptable PAT age |
AUDIT_CLUSTER_MAX_IDLE_MINUTES | 60 | Maximum acceptable cluster idle time |
AUDIT_SQL_HISTORY_LOOKBACK_DAYS | 30 | How far back to analyze SQL history |
All compliance scripts accept configuration via environment variables or a
compliance_config.json file placed in the workspace root:
{
"workspace_url": "https://adb-xxxx.azuredatabricks.net",
"catalog": "main",
"findings_schema": "compliance",
"retention_policy_table": "compliance.retention_policies",
"alert_webhook_url": "https://hooks.example.com/services/YOUR_WEBHOOK_HERE",
"max_token_lifetime_days": 90,
"required_encryption_algorithm": "AES-256",
"audit_log_retention_days": 365
}Get the full Compliance Automation Suite and unlock everything.
Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.
Access all interactive tools with complete data, all workload profiles, and the full scenario library.
Downloadable source code, configuration files, and working examples from every chapter.
Free updates for life. Every new chapter, tool, and improvement included.