Compliance as code is an emerging idea: automating compliance through programmed compliance controls and checks. Because little research exists on the topic so far, the paper presents an empirical analysis of a compliance as code project addressing open source software (OSS) projects and products. The dataset examined covers a little over 1,500 unique compliance rules designed and implemented for 14 Linux distribution releases from five vendors. According to the results, (1) the coverage of the rules varies across the five vendors. (2) The brief rationales provided for the rules do not exhibit statistical similarities, but the short code snippets for the rules do show similarities to some extent. Furthermore, (3) as many as 24 controls are covered from over 10 different organizations, among them governmental agencies, standardization organizations, and non-profit associations. Finally, (4) the rules can be mapped to the essential cyber security requirements of the Cyber Resilience Act (CRA), although only modest agreement exists among the three authors regarding individual mappings. This observation supports the argument that the compliance as code project studied could be updated with new compliance checks. Given that operating systems are also in the CRA's scope when used in a network-connected product, such an update would also have practical relevance in the near future.