Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.changeguard.ai/llms.txt

Use this file to discover all available pages before exploring further.

Audit Trail

Every significant action in ChangeGuard is recorded in an immutable audit trail:
  • Deployment gate decisions (SAFE, WARN, BLOCK)
  • Policy evaluations and scoring events
  • CI/CD validation requests and results
  • Suppression changes (muted/unmuted risks)
  • Configuration changes (notification channels, policies)
  • ArgoCD sync events and webhook activity
Each audit entry includes:
FieldDescription
TimestampUTC time of the event
UserEmail of the user or agent for automated events
Source IPOriginating IP address (from X-Forwarded-For)
ClusterCluster name and ID
ResourceKubernetes resource involved (e.g., deployment/api-server)
ActionWhat was attempted (deploy, validate, sync)
DecisionGate result (SAFE, REVIEW, BLOCK)
CSC ScoreScore at the time of the event
RisksActive risks that influenced the decision

Audit Export

Export the full audit trail as CSV from Intelligence → Audit Trail → Export. The CSV includes all fields above, plus GitHub/GitLab context (PR number, approval status, CI pass/fail, branch, commit SHA) when available. Source IP is included in every row for incident correlation.
Use audit exports for compliance reviews, incident investigations, and change management reporting. The export covers your full history — there is no time limit on retention.

Security Headers

The ChangeGuard dashboard enforces modern security headers on every response:
HeaderValuePurpose
Strict-Transport-Securitymax-age=31536000; includeSubDomainsForces HTTPS for 1 year, prevents downgrade attacks
Content-Security-PolicyRestricts scripts, styles, and connections to self + APIPrevents XSS and data exfiltration
X-Frame-OptionsSAMEORIGINPrevents clickjacking via iframes
X-Content-Type-OptionsnosniffPrevents MIME type sniffing
X-XSS-Protection1; mode=blockLegacy XSS filter (defense in depth)
Referrer-Policystrict-origin-when-cross-originLimits referrer leakage
Permissions-Policycamera=(), microphone=(), geolocation=()Blocks unnecessary browser APIs

Error Handling

API error responses for server-side failures return a generic "Internal server error" message. Detailed error information is logged server-side only and never exposed to clients. This prevents information disclosure that could aid attackers. Validation errors (400-level) return specific, actionable messages to help users correct their input.

Security Monitoring

ChangeGuard logs security-relevant events for monitoring:
  • Login success: Email, tenant, source IP
  • Login failure: Email, source IP
  • Rate limiting: Email, source IP, endpoint
  • API key creation/revocation: Key prefix, scope, tenant
  • Integration config changes: Provider, tenant
  • Webhook blocks: URL, reason (SSRF prevention)
These logs are available via Kubernetes log aggregation on the backend deployment.

SOC 2 Readiness

ChangeGuard implements controls aligned with SOC 2 Trust Service Criteria:
CategoryControls
SecurityTLS everywhere, bcrypt hashing, RBAC, rate limiting, WAF, CORS, CSP, HSTS
AvailabilityAWS EKS with multi-AZ, RDS with automated backups, health monitoring
ConfidentialityAES-256 at rest, tenant isolation, no secret collection, token masking
Processing IntegrityAudit trail on all decisions, score history persistence, deterministic scoring
PrivacyData minimization, no PII collection beyond login email, cascading deletion
SOC 2 Type II certification is on our roadmap. Contact security@changeguard.ai if your organization requires a formal attestation or has specific compliance questions.

Responsible Disclosure

If you discover a security vulnerability in ChangeGuard, please report it to security@changeguard.ai. We commit to acknowledging reports within 24 hours and providing a remediation timeline within 72 hours.