Compliance as Code: A Study of Linux Distributions and Beyond

📅 2026-03-02
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses the verification challenges faced by open-source software—particularly Linux distributions—under diverse and overlapping compliance requirements. It presents the first systematic empirical analysis of over 1,500 real-world “compliance-as-code” rules drawn from 14 major distributions. Employing static analysis, textual similarity metrics, code clustering, and cross-standard mapping techniques, the research uncovers significant disparities in rule coverage across vendors and reveals that while rule rationales exhibit semantic fragmentation, their underlying code snippets often display localized similarity. The work identifies 24 core security controls commonly adopted by more than ten international organizations and establishes preliminary mappings between these rules and emerging regulatory frameworks such as the Cyber Resilience Act (CRA). These findings lay a theoretical and practical foundation for scalable, automated compliance verification and dynamic rule updating.

📝 Abstract
Compliance as code is an emerging idea about automating compliance through programmed compliance controls and checks. Given the scant existing research thus far, the paper presents an empirical analysis of a compliance as code project addressing open source software (OSS) projects and products. The dataset examined covers a little over 1,500 unique compliance rules designed and implemented for 14 Linux distribution releases from five vendors. According to the results, (1) the coverage of the rules varies across the five vendors. (2) The brief rationales provided for the rules do not exhibit statistical similarities, but the short code snippets for these do show similarities to some extent. Furthermore, (3) as many as 24 controls are covered from over 10 different organizations, among them governmental agencies, standardization organizations, and non-profit associations. Finally, (4) the rules can be mapped to the essential cyber security requirements of the Cyber Resilience Act (CRA), although only modest agreement exists among the three authors regarding individual mappings. This observation supports an argument that the compliance as code project studied could be updated with new compliance checks. Given that operating systems are also in the CRA's scope when used in a network-connected product, such updating would also have practical relevance in the near future.
Keywords: Compliance as Code, Linux distributions, open source software, Cyber Resilience Act, compliance rules, automated compliance
Authors
Jukka Ruohonen, University of Southern Denmark
Esmot Ara Tuli, University of Southern Denmark, Sønderborg, Denmark
Hiraku Morita, University of Southern Denmark, Sønderborg, Denmark