compliance-auditor
About
The compliance-auditor skill automates auditing and monitoring for major frameworks like SOC2, HIPAA, GDPR, and PCI-DSS. It is used for running compliance checks, implementing controls, generating reports, and preparing for external audits. Key capabilities include assessing controls against specific framework criteria using tools like Read, Write, Edit, Bash, Grep, and Glob.
Quick Install
Claude Code
Recommended (paste into Claude Code):
/plugin add https://github.com/majiayu000/claude-skill-registry
git clone https://github.com/majiayu000/claude-skill-registry.git ~/.claude/skills/compliance-auditor
Documentation
Compliance Auditor
Automated compliance auditing and continuous monitoring for regulatory frameworks.
When to Use
- Running SOC2, HIPAA, GDPR, or PCI-DSS audits
- Implementing compliance controls
- Generating compliance reports
- Monitoring compliance posture
- Preparing for external audits
Compliance Frameworks
SOC2 Type II
Trust Service Criteria:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
HIPAA
Key Requirements:
- PHI protection
- Access controls
- Audit logging
- Encryption (at rest and in transit)
- Business Associate Agreements
GDPR
Key Requirements:
- PII identification and protection
- Consent management
- Data subject rights
- Data retention policies
- Cross-border transfer controls
PCI-DSS
Requirements:
- Cardholder data protection
- Network segmentation
- Encryption
- Access controls
- Regular security testing
Automated Compliance Checks
# Compliance scanner
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Finding:
    severity: str                      # CRITICAL, HIGH, MEDIUM or LOW
    issue: str
    control: Optional[str] = None      # SOC2 Trust Service Criterion, e.g. CC6.1
    requirement: Optional[str] = None  # HIPAA citation, e.g. §164.312(a)(2)(iv)
    locations: List[str] = field(default_factory=list)  # file paths or log lines

@dataclass
class ComplianceReport:
    framework: str
    score: int
    findings: List[Finding]

# Score deduction per finding severity (an assumed weighting; tune per programme)
SEVERITY_WEIGHTS = {'CRITICAL': 25, 'HIGH': 10, 'MEDIUM': 5, 'LOW': 1}

class ComplianceScanner:
    """Per-framework scans. The detect_*/verify_* hooks are wired to the
    deployment's own secret scanner, log sampling and infrastructure queries."""

    def scan_soc2(self, codebase_path: str) -> ComplianceReport:
        findings = []
        # Check for hardcoded secrets
        secrets = self.detect_secrets(codebase_path)
        if secrets:
            findings.append(Finding(
                severity='CRITICAL',
                control='CC6.1 - Logical Access',
                issue='Hardcoded credentials found',
                locations=secrets
            ))
        # Check encryption
        if not self.verify_encryption_at_rest():
            findings.append(Finding(
                severity='HIGH',
                control='CC6.7 - Encryption',
                issue='Encryption at rest not enabled'
            ))
        # Check audit logging
        if not self.verify_audit_logging():
            findings.append(Finding(
                severity='HIGH',
                control='CC7.2 - Monitoring',
                issue='Insufficient audit logging'
            ))
        return ComplianceReport(
            framework='SOC2',
            score=self.calculate_score(findings),
            findings=findings
        )

    def scan_hipaa(self, codebase_path: str) -> ComplianceReport:
        findings = []
        # Detect PHI in logs
        phi_exposure = self.detect_phi_in_logs(codebase_path)
        if phi_exposure:
            findings.append(Finding(
                severity='CRITICAL',
                requirement='§164.308(a)(1)(ii)(D) - Information Access',
                issue='PHI exposed in application logs',
                locations=phi_exposure
            ))
        # Check encryption
        if not self.verify_hipaa_encryption():
            findings.append(Finding(
                severity='CRITICAL',
                requirement='§164.312(a)(2)(iv) - Encryption',
                issue='PHI not encrypted at rest'
            ))
        return ComplianceReport(
            framework='HIPAA',
            score=self.calculate_score(findings),
            findings=findings
        )

    def calculate_score(self, findings: List[Finding]) -> int:
        # 100 minus the weighted deductions, floored at zero
        return max(0, 100 - sum(SEVERITY_WEIGHTS[f.severity] for f in findings))

    # Evidence hooks: implemented per deployment (subclass or inject)
    def detect_secrets(self, codebase_path: str) -> List[str]:
        raise NotImplementedError

    def detect_phi_in_logs(self, codebase_path: str) -> List[str]:
        raise NotImplementedError

    def verify_encryption_at_rest(self) -> bool:
        raise NotImplementedError

    def verify_audit_logging(self) -> bool:
        raise NotImplementedError

    def verify_hipaa_encryption(self) -> bool:
        raise NotImplementedError
Compliance Controls Implementation
# Infrastructure as Code - Compliance controls
compliance_controls:
  soc2:
    access_control:
      - mfa_required: true
      - password_policy:
          min_length: 12
          require_uppercase: true
          require_numbers: true
          require_symbols: true
      - session_timeout: 900 # 15 minutes
    encryption:
      - data_at_rest: AES-256
      - data_in_transit: TLS 1.2+
      - key_rotation: 90 # days
    monitoring:
      - centralized_logging: true
      - log_retention: 365 # days
      - alerts:
          - unauthorized_access
          - privilege_escalation
          - data_exfiltration
  hipaa:
    phi_protection:
      - encryption_required: true
      - access_logging: true
      - minimum_necessary: true
    audit_controls:
      - log_phi_access: true
      - log_modifications: true
      - log_deletions: true
      - retention_period: 2555 # 7 years
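Declaring controls is only half the job; the scanner has to compare them with what the environment actually reports. As an added example (not part of the skill), here is an evaluator for the soc2 section of the controls file above, treating numeric controls as bounds and missing evidence as a failure. The observed snapshot values are constructed, and the list-of-single-key-maps handling follows the layout shown above.

```python
import operator

# The soc2 block above as PyYAML would load it (constructed copy for this example).
SOC2_CONTROLS = {
    "access_control": [{"mfa_required": True}, {"session_timeout": 900},
                       {"password_policy": {"min_length": 12, "require_uppercase": True,
                                            "require_numbers": True, "require_symbols": True}}],
    "encryption": [{"data_at_rest": "AES-256"}, {"data_in_transit": "TLS 1.2+"},
                   {"key_rotation": 90}],
    "monitoring": [{"centralized_logging": True}, {"log_retention": 365},
                   {"alerts": ["unauthorized_access", "privilege_escalation", "data_exfiltration"]}],
}
# Constructed snapshot of what the environment actually reports for those settings.
OBSERVED = {
    "access_control": {"mfa_required": True, "session_timeout": 3600,
                       "password_policy": {"min_length": 8, "require_uppercase": True,
                                           "require_numbers": True, "require_symbols": False}},
    "encryption": {"data_at_rest": "AES-256", "data_in_transit": "TLS 1.2+", "key_rotation": 180},
    "monitoring": {"centralized_logging": True, "log_retention": 365, "alerts": ["unauthorized_access"]},
}
# Numeric controls are bounds, not exact values: minimums use >=, maximums use <=;
# everything else (booleans, algorithm names) must match exactly.
BOUNDS = {"min_length": operator.ge, "log_retention": operator.ge,
          "session_timeout": operator.le, "key_rotation": operator.le}

def flatten(section):
    """Merge a YAML list of single-key maps (the shape used above) into one dict."""
    merged = {}
    for item in section:
        merged.update(item)
    return merged

def check(required, observed, prefix=""):
    """List every control the snapshot fails; a setting with no evidence fails too."""
    gaps = []
    for key, want in required.items():
        path, have = prefix + key, observed.get(key)
        if isinstance(want, dict):
            gaps += check(want, have or {}, path + ".")
        elif isinstance(want, list):  # every required alert must be configured
            missing = sorted(set(want) - set(have or []))
            if missing:
                gaps.append(f"{path}: missing {missing}")
        elif have is None or not BOUNDS.get(key, operator.eq)(have, want):
            gaps.append(f"{path}: expected {want}, observed {have}")
    return gaps

def evaluate(controls, observed):
    return [g for section, items in controls.items()
            for g in check(flatten(items), observed.get(section, {}), section + ".")]
```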
Best Practices
- ✅ Run compliance scans weekly minimum
- ✅ Automate compliance checks in CI/CD
- ✅ Maintain compliance evidence automatically
- ✅ Provide regular security training for the team
- ✅ Document all compliance controls
- ✅ Conduct annual risk assessments
Related Skills
- security-architect (agent)
- compliance-officer (agent)
- /compliance-scan (command)