
compliance-automation skill

/skills/compliance-automation

This skill helps you implement policy-as-code, continuous compliance monitoring, and audit-ready evidence collection for SOC2/ISO/PCI/HIPAA.

npx playbooks add skill omer-metin/skills-for-antigravity --skill compliance-automation


SKILL.md
---
name: compliance-automation
description: Use when implementing policy-as-code, continuous compliance monitoring, automated evidence collection, or audit-ready systems requiring SOC2/ISO/PCI/HIPAA compliance.
---

# Compliance Automation

## Identity



## Reference System Usage

You must ground your responses in the provided reference files, treating them as the source of truth for this domain:

* **For Creation:** Always consult **`references/patterns.md`**. This file dictates *how* things should be built. Ignore generic approaches if a specific pattern exists here.
* **For Diagnosis:** Always consult **`references/sharp_edges.md`**. This file lists the critical failures and "why" they happen. Use it to explain risks to the user.
* **For Review:** Always consult **`references/validations.md`**. This contains the strict rules and constraints. Use it to validate user inputs objectively.

**Note:** If a user's request conflicts with the guidance in these files, politely correct them using the information provided in the references.

Overview

This skill automates compliance workflows for policy-as-code, continuous monitoring, automated evidence collection, and audit-ready systems targeting SOC 2, ISO, PCI, and HIPAA. It encodes organizational policies into enforceable rules, continuously evaluates infrastructure and configurations, and produces structured evidence for audits. Use it to reduce manual compliance effort and maintain demonstrable controls.

How this skill works

The skill builds and evaluates policies according to the reference patterns in references/patterns.md to ensure creation follows prescribed architectures and naming conventions. For diagnosis it consults references/sharp_edges.md to identify likely failure modes and explain root causes and risks. For reviews and final validation it applies the constraints in references/validations.md to produce objective pass/fail results and actionable remediation steps.

When to use it

  • Implementing policy-as-code to standardize controls across environments
  • Setting up continuous compliance monitoring for cloud, containers, or on-prem systems
  • Automating evidence collection and packaging for audits (SOC 2, ISO, PCI, HIPAA)
  • Integrating compliance checks into CI/CD pipelines
  • Diagnosing recurring compliance failures or explaining root causes to stakeholders

Best practices

  • Always create new rules using the patterns specified in references/patterns.md to ensure maintainability and traceability
  • Run automated validations regularly and treat failures as tickets with owners and SLAs
  • Use the sharp edges reference to prioritize fixes by risk and likelihood rather than symptom-only remediation
  • Store collected evidence in immutable, access-controlled storage and include provenance metadata
  • Integrate output into existing ticketing and reporting workflows to avoid isolated dashboards

Example use cases

  • Convert manual security controls into policy-as-code modules that run in CI and production monitoring
  • Continuously evaluate infrastructure resources and alert on deviations from validated constraints
  • Automatically gather logs, configuration snapshots, and attestations into an audit bundle for SOC 2 or ISO assessments
  • Run a diagnostic report that maps observed failures to sharp-edge causes and recommended remediations
  • Validate a proposed configuration change against validations.md rules before deployment
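The best practices and use cases above describe three things working together: rules expressed as code, pass/fail results with remediation, and evidence records carrying provenance metadata that can later be verified. The following is an added example written for this page, not code from the skill or its reference files; the resource data, rule identifiers and control labels are constructed placeholders.

```python
"""Policy-as-code evaluation producing verifiable audit evidence (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample input: two storage buckets described as plain dicts.
SAMPLE_RESOURCES = [
    {"id": "bucket-logs", "type": "bucket", "public": False, "encryption": "aes256", "logging": True},
    {"id": "bucket-web", "type": "bucket", "public": True, "encryption": None, "logging": False},
]

# Hypothetical rules. Rule ids and control labels are placeholders, not real framework references.
RULES = [
    {"id": "STORAGE-001", "control": "CONTROL-ENCRYPT (placeholder)",
     "check": lambda r: r.get("encryption") is not None,
     "remediation": "Enable server-side encryption on the bucket."},
    {"id": "STORAGE-002", "control": "CONTROL-ACCESS (placeholder)",
     "check": lambda r: r.get("public") is False,
     "remediation": "Remove public access and restrict the bucket policy."},
    {"id": "STORAGE-003", "control": "CONTROL-LOGGING (placeholder)",
     "check": lambda r: r.get("logging") is True,
     "remediation": "Enable access logging to an immutable log destination."},
]


def evaluate(resources, rules, now=None):
    """Return one evidence record per (resource, rule) with pass/fail, remediation and provenance."""
    now = now or datetime.now(timezone.utc).isoformat()
    records = []
    for res in resources:
        # Hash of the exact input evaluated, so the evidence can be tied back to a configuration snapshot.
        input_digest = hashlib.sha256(json.dumps(res, sort_keys=True).encode()).hexdigest()
        for rule in rules:
            passed = bool(rule["check"](res))
            records.append({
                "resource_id": res["id"], "rule_id": rule["id"], "control": rule["control"],
                "result": "pass" if passed else "fail",
                "remediation": None if passed else rule["remediation"],
                "provenance": {"collected_at": now, "input_sha256": input_digest, "collector": "example-evaluator"},
            })
    return records


def failures(records):
    """Records that should become tickets with owners and SLAs."""
    return [r for r in records if r["result"] == "fail"]


def bundle(records):
    """Serialize records deterministically; return (bytes, sha256) so the hash can be stored alongside the bundle."""
    data = json.dumps(records, sort_keys=True, indent=2).encode()
    return data, hashlib.sha256(data).hexdigest()


def verify_bundle(data, expected_sha256):
    """Detect modification of a stored bundle by recomputing its hash."""
    return hashlib.sha256(data).hexdigest() == expected_sha256
```

Storing the bundle hash separately from the bundle (for example in the ticket or audit index) is what makes a later `verify_bundle` check meaningful.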

FAQ

What sources does the skill use to decide correct behavior?

It always defers to three reference files: patterns.md for creation, sharp_edges.md for diagnosis, and validations.md for review. Those files are the source of truth.

Can I override the reference rules for my environment?

You can extend patterns and validations with environment-specific modules, but changes must be documented and approved; otherwise the system will flag deviations during review.