Shifting Left with Compliance as Code: How Drata Eliminates Infrastructure Bottlenecks
By integrating Compliance as Code into our DevOps pipeline, we’ve not only enhanced our own compliance posture but also strengthened our ability to help customers achieve the same.
At Drata, we don’t just provide a security and compliance automation platform—we use it ourselves.
Our GRC, Engineering, and Security teams rely on Drata to continuously monitor and collect evidence of our security controls, ensuring we remain audit-ready while maintaining customer trust. But like many of our customers, we face the challenge of balancing rapid deployments with stringent compliance requirements.
The Challenge: Bridging the Gap Between DevOps and Compliance
As we scaled our infrastructure and adopted Terraform to manage workloads in the cloud, our GRC team encountered a new layer of complexity. Unlike our engineering team, GRC wasn’t deeply familiar with Terraform’s intricacies, making it difficult to pinpoint compliance issues when controls failed.
“For us, it’s not always clear what the expectations are from GRC. It would be helpful if they can clearly articulate the perceived risk of the compliance issue so we can prioritize those and know when to schedule them in.” —Jake Hammontree (Manager, Site Reliability Engineer)
Without clear DevSecOps context from GRC, and with limited visibility into compliance-related issues, our teams spent weeks investigating problems buried in thousands of lines of Terraform code. This slowed down remediation efforts and created unnecessary delays.
Shifting Compliance Left: Embedding Security Early
We needed a more efficient way to work together—a solution that would allow us to share responsibility and proactively minimize risk. The answer was Compliance as Code.
By embedding IT compliance policies directly into our development process, we could identify security and compliance gaps much earlier. Rather than waiting until after deployment, we caught and remediated issues as developers wrote code. This shift not only saved us time and cost but also improved collaboration between GRC and DevOps.
To take things further, our DevOps team leveraged Drata’s Compliance as Code Pipelines feature. By integrating Drata with our CI/CD tool, GitHub Actions, we enforced policies that prevented non-compliant code changes from ever reaching production.
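As an added illustration of the kind of gate such a pipeline runs (example code written for this page, not Drata's Compliance as Code Pipelines feature), the script below evaluates a Terraform plan exported with `terraform show -json` against a small set of controls and fails the CI job when a resource being created or updated violates one. The control IDs, the checked attributes and the sample plan are all constructed for the example.

```python
# Added example: a minimal Compliance-as-Code gate over a Terraform plan JSON,
# run as a CI step whose non-zero exit fails the GitHub Actions job.
# Control IDs and rules are hypothetical stand-ins, not Drata's controls.
import json
import sys

# (control id, Terraform resource type, predicate over planned attributes, message)
CONTROLS = [
    ("CC-01", "aws_db_instance",
     lambda a: a.get("storage_encrypted") is True,
     "RDS storage must be encrypted"),
    ("CC-02", "aws_security_group_rule",
     lambda a: not (a.get("type") == "ingress" and a.get("to_port") == 22
                    and "0.0.0.0/0" in (a.get("cidr_blocks") or [])),
     "SSH ingress must not be open to 0.0.0.0/0"),
]

# Constructed sample in the shape of `terraform show -json tfplan` output.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_db_instance.app", "type": "aws_db_instance",
     "change": {"actions": ["create"], "after": {"storage_encrypted": False}}},
    {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
     "change": {"actions": ["update"], "after": {"type": "ingress", "to_port": 22,
                                                 "cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "aws_db_instance.old", "type": "aws_db_instance",
     "change": {"actions": ["delete"], "after": None}},
]}

def evaluate_plan(plan: dict) -> list:
    """One finding per control violated by a resource being created or updated."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # deletes and no-ops introduce no new configuration
        after = change.get("after") or {}  # null for deletes; missing attrs fail closed
        for cid, rtype, compliant, msg in CONTROLS:
            if rc.get("type") == rtype and not compliant(after):
                findings.append({"control": cid, "address": rc["address"], "message": msg})
    return findings

def gate(plan: dict) -> int:
    """Emit GitHub Actions error annotations; exit code 1 blocks the change."""
    findings = evaluate_plan(plan)
    for f in findings:
        print(f"::error::{f['control']} {f['address']}: {f['message']}")
    return 1 if findings else 0

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(gate(plan))
```

Run it with the path to a real plan JSON as the first argument; without one it evaluates the embedded sample and exits 1 because both CC-01 and CC-02 are violated.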
A Clear Path to Success
Today, we’ve automated control monitoring across 48+ code repositories, enabling our engineering team to push an average of 120 updates to our Terraform repository each month. With every update carrying potential security and compliance risks, these automations have been crucial in maintaining our security posture.
Before implementing Compliance as Code, addressing a single compliance issue took an average of two weeks. Now, with automated controls and early feedback loops, the time spent triaging issues has been cut in half—from 2-5 hours per week to just 1-2 hours. Critical infrastructure-related issues have also dropped to just one per month, significantly reducing risk.
“Overall, having compliance feedback earlier, before we deploy, has helped us to make sure we are not getting into those ticketed situations in the first place. We can solve the problem before our GRC team sees it, rather than when it actually presents risks to the organization and our compliance posture.” —Jake Hammontree (Manager, Site Reliability Engineer)
By integrating Compliance as Code into our DevOps pipeline, we’ve not only enhanced our own compliance posture but also strengthened our ability to help customers achieve the same. At Drata, we practice what we preach—because security and compliance should be seamless, proactive, and built into the foundation of every organization.