
compliance-auditor skill

/.claude/skills/compliance-auditor

This skill automates regulatory audits and continuous monitoring for SOC2, HIPAA, GDPR, and PCI-DSS, generating reports and maintaining compliance posture.

npx playbooks add skill dexploarer/hyper-forge --skill compliance-auditor


Files (1): SKILL.md (4.6 KB)
---
name: compliance-auditor
description: Automated compliance auditing for SOC2, HIPAA, GDPR, and PCI-DSS. Activates for compliance checks, security audits, regulatory requirements, and compliance automation.
allowed-tools: [Read, Write, Edit, Bash, Grep, Glob]
---

# Compliance Auditor

Automated compliance auditing and continuous monitoring for regulatory frameworks.

## When to Use

- Running SOC2, HIPAA, GDPR, or PCI-DSS audits
- Implementing compliance controls
- Generating compliance reports
- Monitoring compliance posture
- Preparing for external audits

## Compliance Frameworks

### SOC2 Type II
**Trust Service Criteria:**
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy

### HIPAA
**Key Requirements:**
- PHI protection
- Access controls
- Audit logging
- Encryption (at rest and in transit)
- Business Associate Agreements

### GDPR
**Key Requirements:**
- PII identification and protection
- Consent management
- Data subject rights
- Data retention policies
- Cross-border transfer controls

### PCI-DSS
**Requirements:**
- Cardholder data protection
- Network segmentation
- Encryption
- Access controls
- Regular security testing

## Automated Compliance Checks

```python
# Compliance scanner
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Finding:
    severity: str                      # CRITICAL, HIGH, MEDIUM, LOW
    issue: str
    control: Optional[str] = None      # SOC2 Trust Service Criteria reference
    requirement: Optional[str] = None  # HIPAA regulatory citation
    locations: List[str] = field(default_factory=list)


@dataclass
class ComplianceReport:
    framework: str
    score: int
    findings: List[Finding]


class ComplianceScanner:
    # Severity weights used to derive a 0-100 posture score from the findings
    SEVERITY_WEIGHTS = {'CRITICAL': 40, 'HIGH': 20, 'MEDIUM': 10, 'LOW': 5}

    # Detection hooks: a concrete scanner overrides these with real checks
    def detect_secrets(self, codebase_path: str) -> List[str]:
        raise NotImplementedError

    def detect_phi_in_logs(self, codebase_path: str) -> List[str]:
        raise NotImplementedError

    def verify_encryption_at_rest(self) -> bool:
        raise NotImplementedError

    def verify_hipaa_encryption(self) -> bool:
        raise NotImplementedError

    def verify_audit_logging(self) -> bool:
        raise NotImplementedError

    def calculate_score(self, findings: List[Finding]) -> int:
        penalty = sum(self.SEVERITY_WEIGHTS.get(f.severity, 0) for f in findings)
        return max(0, 100 - penalty)

    def scan_soc2(self, codebase_path: str) -> ComplianceReport:
        findings = []

        # Check for hardcoded secrets
        secrets = self.detect_secrets(codebase_path)
        if secrets:
            findings.append(Finding(
                severity='CRITICAL',
                control='CC6.1 - Logical Access',
                issue='Hardcoded credentials found',
                locations=secrets
            ))

        # Check encryption
        if not self.verify_encryption_at_rest():
            findings.append(Finding(
                severity='HIGH',
                control='CC6.7 - Encryption',
                issue='Encryption at rest not enabled'
            ))

        # Check audit logging
        if not self.verify_audit_logging():
            findings.append(Finding(
                severity='HIGH',
                control='CC7.2 - Monitoring',
                issue='Insufficient audit logging'
            ))

        return ComplianceReport(
            framework='SOC2',
            score=self.calculate_score(findings),
            findings=findings
        )

    def scan_hipaa(self, codebase_path: str) -> ComplianceReport:
        findings = []

        # Detect PHI in logs
        phi_exposure = self.detect_phi_in_logs(codebase_path)
        if phi_exposure:
            findings.append(Finding(
                severity='CRITICAL',
                requirement='§164.308(a)(1)(ii)(D) - Information Access',
                issue='PHI exposed in application logs',
                locations=phi_exposure
            ))

        # Check encryption
        if not self.verify_hipaa_encryption():
            findings.append(Finding(
                severity='CRITICAL',
                requirement='§164.312(a)(2)(iv) - Encryption',
                issue='PHI not encrypted at rest'
            ))

        return ComplianceReport(
            framework='HIPAA',
            score=self.calculate_score(findings),
            findings=findings
        )
```

## Compliance Controls Implementation

```yaml
# Infrastructure as Code - Compliance controls
compliance_controls:
  soc2:
    access_control:
      mfa_required: true
      password_policy:
        min_length: 12
        require_uppercase: true
        require_numbers: true
        require_symbols: true
      session_timeout: 900  # seconds (15 minutes)

    encryption:
      data_at_rest: AES-256
      data_in_transit: TLS 1.2+
      key_rotation: 90  # days

    monitoring:
      centralized_logging: true
      log_retention: 365  # days
      alerts:
        - unauthorized_access
        - privilege_escalation
        - data_exfiltration

  hipaa:
    phi_protection:
      encryption_required: true
      access_logging: true
      minimum_necessary: true

    audit_controls:
      log_phi_access: true
      log_modifications: true
      log_deletions: true
      retention_period: 2555  # days (7 years)
```

## Best Practices

- ✅ Run compliance scans at least weekly
- ✅ Automate compliance checks in CI/CD
- ✅ Maintain compliance evidence automatically
- ✅ Provide regular security training for the team
- ✅ Document all compliance controls
- ✅ Conduct annual risk assessments

## Related Skills

- `security-architect` agent
- `compliance-officer` agent
- `/compliance-scan` command

Overview

This skill automates compliance auditing and continuous monitoring for SOC2, HIPAA, GDPR, and PCI-DSS. It scans codebases, infrastructure, and logs to detect gaps, generates prioritized findings, and produces evidence-ready reports to support audits. The skill integrates into CI/CD pipelines to enforce controls and maintain an up-to-date compliance posture.

How this skill works

The auditor inspects source code, configuration, and logs to detect hardcoded secrets, PHI/PII exposures, missing encryption, and inadequate logging. It maps findings to specific controls or regulatory requirements, scores the overall posture, and outputs actionable remediation guidance. Integration points include pre-commit/CI scans, scheduled monitoring, and report exports for external auditors.
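The following is an added example (not the skill's own code) that fills in the detection hooks the Automated Compliance Checks scanner above leaves abstract and shows the flow described here: grep source and logs, map each hit to a control or regulatory citation, then score the posture. The sample files, the secret and SSN patterns, the STORAGE_ENCRYPTION config convention and the severity weights are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample inputs (fabricated for this example): one config file and one app log
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": 'DB_PASSWORD = "hunter2-prod"\nSTORAGE_ENCRYPTION = "none"\n',
    "logs/app.log": "INFO patient ssn=123-45-6789 viewed record 42\nINFO request served in 12ms\n",
}

SECRET_RE = re.compile(r'(?i)(password|api_key|secret|token)\s*=\s*["\'][^"\']+["\']')
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # one PHI identifier pattern; extend with MRN, DOB, etc.
SEVERITY_WEIGHTS = {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 5, "LOW": 1}  # assumed scoring weights

@dataclass
class Finding:
    severity: str
    control: str  # SOC2 criterion or HIPAA citation the finding maps to
    issue: str
    locations: List[str] = field(default_factory=list)

def _grep(files: Dict[str, str], pattern: "re.Pattern", path_prefix: str) -> List[str]:
    """Return 'path:line' for each line matching pattern in files under path_prefix."""
    return [f"{path}:{n}" for path, text in files.items() if path.startswith(path_prefix)
            for n, line in enumerate(text.splitlines(), 1) if pattern.search(line)]

def encryption_at_rest_enabled(files: Dict[str, str]) -> bool:
    # Hypothetical config convention: STORAGE_ENCRYPTION names a cipher, "none" disables it
    m = re.search(r'STORAGE_ENCRYPTION\s*=\s*"([^"]*)"', files.get("config/settings.py", ""))
    return bool(m) and m.group(1).lower() != "none"

def scan(files: Dict[str, str]) -> List[Finding]:
    """Run the three checks and map each hit to the control it violates."""
    findings = []
    if secrets := _grep(files, SECRET_RE, "config/"):
        findings.append(Finding("CRITICAL", "CC6.1 - Logical Access", "Hardcoded credentials found", secrets))
    if phi := _grep(files, SSN_RE, "logs/"):
        findings.append(Finding("CRITICAL", "§164.308(a)(1)(ii)(D) - Information Access",
                                "PHI exposed in application logs", phi))
    if not encryption_at_rest_enabled(files):
        findings.append(Finding("HIGH", "CC6.7 - Encryption", "Encryption at rest not enabled"))
    return findings

def posture_score(findings: List[Finding]) -> int:
    """100 minus a severity-weighted penalty, floored at 0."""
    return max(0, 100 - sum(SEVERITY_WEIGHTS[f.severity] for f in findings))
```

Running `scan(SAMPLE_FILES)` yields two CRITICAL findings and one HIGH finding with their file:line locations, and `posture_score` turns them into a score of 25 out of 100.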

When to use it

  • Preparing for SOC2, HIPAA, GDPR, or PCI-DSS assessments
  • Automating compliance checks in CI/CD pipelines
  • Detecting PHI/PII or secrets leakage in code and logs
  • Maintaining continuous monitoring and evidence collection
  • Prior to external audits or third-party assessments

Best practices

  • Run automated scans at least weekly and on every pull request
  • Enforce findings as gates in CI/CD for critical/high severity issues
  • Maintain centralized logging and retain audit logs according to regulatory retention requirements
  • Rotate encryption keys and enforce strong encryption (AES-256, TLS 1.2+)
  • Document controls, remediation steps, and evidence artifacts for audit traceability

Example use cases

  • SOC2 Type II readiness: scan repos and infra for access, encryption, and logging controls
  • HIPAA compliance: detect PHI in logs, verify encryption at rest, and validate access logging
  • GDPR readiness: identify PII locations, verify consent flows, and confirm retention policies
  • PCI-DSS checks: validate cardholder data protections, segmentation, and regular security testing
  • Continuous compliance: integrate with CI to block code that introduces critical compliance regressions

FAQ

Which frameworks does this auditor cover?

SOC2, HIPAA, GDPR, and PCI-DSS are supported with control mappings and tailored checks.

How are severity and remediation prioritized?

Findings are rated (e.g., CRITICAL, HIGH) based on impact and control mapping; the report includes suggested remediation steps and references to the specific control or regulation.