Inspiration
We got tired of $50k+/year compliance tools that treat developers like auditors. Most SOC 2 solutions require teams to manually review code, understand control frameworks, and generate evidence trails. We're developers, and we wanted a tool built for developers: one that speaks our language (code), not auditor-speak (controls). So we decided to build a tool that not only finds compliance violations but actually fixes them automatically.
What it does
Ryn scans your codebase for SOC 2 compliance violations across four key controls: CC6.1 (access control), CC6.7 (secrets management), CC7.2 (audit logging), and A1.2 (resilience). It uses a hybrid engine: fast regex patterns for common issues, and AI analysis for the semantic cases a pattern alone can't decide. When violations are found, you can instantly generate AI-powered fixes and apply them with one click. All scanning happens locally; your code never leaves your machine unless you opt in to LLM assistance, in which case the code that needs review is sent to the model. Works with local projects or real-time GitHub repo tracking.
How we built it
Backend (Rust + Tauri): Built the scanning engine in Rust for speed, using regex patterns + Tree-sitter AST parsing for hybrid detection across Python, JavaScript, Go, and Rust.
Frontend (Next.js + React): Landing page in Next.js, app UI in Tauri's webview, with an IPC layer bridging JavaScript and Rust.
AI Integration (Grok): Integrated Grok for fix generation, with a cost limit per scan. API calls are kept to a minimum by running pattern detection first and calling the model only when a finding needs semantic review.
Halloween Theme (Kiro AI): Kiro generated 9 animated components (~2,500 lines), 3 custom hooks, and Easter eggs for the Halloween feature: floating ghost violation cards, poof animations on fix apply, and atmospheric effects, all type-safe and with zero breaking changes.
Real-time Tracking (GitHub OAuth + LSP): Added GitHub integration for repo tracking and an embedded LSP server so violations appear in your IDE while coding.
Challenges we ran into
- Parsing accuracy: Building AST analysis for multiple languages (Python, JS, Rust, Go) without false positives was hard. Had to fine-tune regex + Tree-sitter integration.
- Cost control: LLM API costs spiral quickly. Implemented per-scan cost limits and hybrid scanning to minimize AI calls.
- Cross-platform builds: Getting Tauri to compile for macOS (Intel + ARM), Windows, and Linux required significant debugging.
- Real-time GitHub tracking: GitHub rate limits and webhook management were complex. Had to implement smart polling and caching.
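To make the hybrid engine and the per-scan cost cap concrete, here is the pipeline in miniature. This is an added example, not Ryn's code (the real engine is Rust and calls Grok): regex rules tagged with the control they map to, a budget of semantic calls per scan, a stand-in for the LLM stage (`semantic_review`, a placeholder heuristic and an assumption), and the one-click fix followed by a rescan. The rule set and `SAMPLE` source are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stage 1: regex rules tagged with the SOC 2 control they map to and whether a hit
# is conclusive on its own ("high") or a candidate ("low") for the semantic stage.
# The rule set is constructed for this example.
RULES = [
    # CC6.7: an AWS access key ID has a fixed shape, so a match stands alone.
    ("CC6.7", "aws_access_key_id", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # CC6.7: a credential-looking assignment may be a placeholder or a test fixture.
    ("CC6.7", "hardcoded_credential", "low",
     re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\s*=\s*(['\"])[^'\"]{8,}\2")),
]
ASSIGNMENT = re.compile(r"^(\s*)(\w+)(\s*=\s*)(['\"])[^'\"]+\4(.*)$")
PLACEHOLDERS = ("changeme", "example", "your_", "xxxx", "<", "todo")


@dataclass
class Finding:
    control: str
    rule: str
    line_no: int
    line: str
    status: str  # "confirmed" or "needs_review"


def semantic_review(line: str) -> bool:
    """Stand-in for the LLM stage (assumption: the real tool sends the snippet to a
    model). True means the literal looks like a live secret, not a placeholder."""
    literal = line.split("=", 1)[1].strip().strip("'\"").lower()
    return not any(marker in literal for marker in PLACEHOLDERS)


def scan(source: str, max_ai_calls: int, audit: list) -> List[Finding]:
    """Stage 1 on every line; stage 2 only for low-confidence hits, within the per-scan budget."""
    findings: List[Finding] = []
    ai_calls = 0
    for line_no, line in enumerate(source.splitlines(), start=1):
        for control, rule, confidence, pattern in RULES:
            if not pattern.search(line):
                continue
            if confidence == "high":
                status = "confirmed"
            elif ai_calls < max_ai_calls:
                ai_calls += 1
                if not semantic_review(line):
                    audit.append({"action": "dismissed", "rule": rule, "line": line_no})
                    continue
                status = "confirmed"
            else:
                status = "needs_review"  # budget exhausted: surface it, never hide it
            findings.append(Finding(control, rule, line_no, line, status))
    audit.append({"action": "scan", "findings": len(findings), "ai_calls": ai_calls})
    return findings


def apply_fix(source: str, finding: Finding) -> Optional[str]:
    """Swap the quoted literal for an environment lookup; None if the line is not a
    plain assignment and therefore needs a manual fix."""
    lines = source.splitlines()
    m = ASSIGNMENT.match(lines[finding.line_no - 1])
    if m is None:
        return None
    indent, name, eq, _quote, rest = m.groups()
    lines[finding.line_no - 1] = f'{indent}{name}{eq}os.environ["{name.upper()}"]{rest}'
    if not any(l.strip() == "import os" for l in lines):
        lines.insert(0, "import os")
    return "\n".join(lines) + "\n"


def fix_and_verify(source: str, max_ai_calls: int, audit: list) -> Tuple[str, List[Finding]]:
    """One-click flow: scan, patch one confirmed finding, rescan, until nothing is
    patchable. Returns the patched source and whatever the final rescan still reports."""
    skipped = set()  # line text of findings that could not be patched automatically
    for _ in range(20):  # hard cap so a patch that never clears its rule cannot loop forever
        findings = scan(source, max_ai_calls, audit)
        todo = [f for f in findings if f.status == "confirmed" and f.line not in skipped]
        if not todo:
            return source, findings
        f = todo[0]
        patched = apply_fix(source, f)
        if patched is None:
            skipped.add(f.line)
            audit.append({"action": "fix_skipped", "rule": f.rule, "line": f.line_no})
            continue
        source = patched
        audit.append({"action": "fix_applied", "rule": f.rule, "line": f.line_no})
    return source, scan(source, max_ai_calls, audit)


# Constructed sample input, not a real project.
SAMPLE = (
    'import requests\n'
    'API_KEY = "sk_live_4f9c2a7e8b1d6c3f"\n'
    'print("AKIAIOSFODNN7EXAMPLE")\n'    # not an assignment: cannot be auto-fixed
    'password = "CHANGEME_set_in_env"\n'  # placeholder: the semantic stage dismisses it
)
```

Two choices matter for a scanner that doubles as compliance evidence. When the AI budget runs out, a candidate is reported as `needs_review` instead of being dropped, so a cost cap can never silently hide a finding. And the rescan proves only that the rule no longer fires on the patched line; a credential that was ever committed is still exposed in history and has to be rotated, which no automatic patch does for you.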
Accomplishments that we're proud of
- One-click fixes: Not just detection - we actually apply patches to your codebase and rescan to verify the fix worked.
- Hybrid engine: Pattern-based scanning is fast, AI fills the semantic gaps.
- IDE integration: Built an embedded LSP server so developers see violations while coding, not after.
- Audit trail: Every action is logged (scans, fixes applied, violations dismissed) for compliance evidence.
- Halloween theme: We went extra and added a spooky Halloween mode with custom styling and Apple Intelligence generated (brainrot) emojis. This is where Kiro did a wonderful job! 🎃
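An audit trail only serves as compliance evidence if an auditor can tell that nobody edited it after the fact, for example by rewriting why a violation was dismissed. As an added example, not part of the project, here is a hash-chained version of such a log in Python: each entry's hash commits to its own content and to the previous entry's hash, so an altered or deleted entry is detected on verification. The events in `SAMPLE_EVENTS` are constructed.

```python
import copy
import hashlib
import json
from typing import List, Tuple

GENESIS = "0" * 64  # previous-hash value used for the first entry


def append_event(chain: List[dict], event: dict) -> dict:
    """Append an event whose hash commits to its content and to the previous
    entry's hash, so editing or deleting any earlier entry breaks every hash after it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)  # canonical form: key order cannot vary
    entry = {
        "event": event,
        "prev": prev,
        "hash": hashlib.sha256((prev + body).encode()).hexdigest(),
    }
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict]) -> Tuple[bool, int]:
    """Recompute every hash from GENESIS. Returns (True, -1) if the chain is intact,
    otherwise (False, index of the first entry that does not check out)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False, i
        prev = entry["hash"]
    return True, -1


# Constructed events, shaped like the scanner actions the page lists.
SAMPLE_EVENTS = [
    {"action": "scan", "repo": "acme/api", "findings": 3},
    {"action": "dismissed", "rule": "hardcoded_credential", "line": 4, "reason": "test fixture"},
    {"action": "fix_applied", "rule": "hardcoded_credential", "line": 2},
]


def demo() -> Tuple[bool, bool, int, bool, int]:
    """Build the sample chain, then show that an edit and a deletion are both caught."""
    chain: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_event(chain, event)
    intact, _ = verify_chain(chain)

    # Rewriting the justification on a dismissal after the fact is caught at that entry.
    edited = copy.deepcopy(chain)
    edited[1]["event"]["reason"] = "approved by security"
    edit_ok, edit_idx = verify_chain(edited)

    # Deleting the dismissal entirely breaks the link into the entry that followed it.
    deleted = chain[:1] + chain[2:]
    del_ok, del_idx = verify_chain(deleted)
    return intact, edit_ok, edit_idx, del_ok, del_idx
```

Chaining detects edits and deletions inside the log, but not truncation at the tail or wholesale replacement by someone who can also recompute the hashes. For that, the latest hash has to be recorded somewhere the log's writer cannot change, such as a remote service or a signed commit, and compared against the local head when evidence is collected.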
What we learned
- Developers hate complexity. Most compliance tools fail because they're built for auditors, not the people writing code.
- Speed matters. A tool that takes 30 seconds to scan loses users. We optimized pattern scanning to sub-second performance.
What's next for Ryn - SOC 2 Compliance Scanner
- Multi-language AST support: Currently strong on Python/JS/Go. Expanding to Java, C#, Ruby.
- Custom rule builder: Let teams define org-specific compliance rules beyond SOC 2.
- GitHub Actions integration: Fail CI/CD pipelines if violations detected, auto-fix on merge.