This skill helps design defense-in-depth security, perform lightweight threat modeling, and map mitigations to SOC2/ISO27001/GDPR/HIPAA for compliant releases.
---
name: security-compliance
description: "Security and compliance workflow for designing defense-in-depth controls, performing threat modeling and risk assessments, and mapping mitigations to frameworks (SOC2/ISO27001/GDPR/HIPAA). Use when reviewing security posture, shipping sensitive features, preparing compliance evidence, or running a lightweight secrets scan."
---
# Security & Compliance
Build real security, not checkbox security.
## Quick Start
1) Scope the system and data:
- What data types exist (PII/PHI/payment/secrets)? Where is it stored and transmitted?
- Trust boundaries (browser ↔ edge ↔ API ↔ DB ↔ 3rd parties)
2) Threat model (lightweight): list top 5 abuse cases + mitigations.
3) Controls: pick practical controls (authN/authZ, encryption, logging, rate limits, backups, key mgmt).
4) Evidence: document decisions and “how we know it works” (configs, screenshots, logs, tests).
## Output artifacts (default)
- 5-item threat model table (abuse case → impact → mitigation).
- Control checklist mapped to the system’s trust boundaries.
- Evidence list: concrete proofs (configs, logs, tests) with where to find them.
## Optional tool: scan for likely secrets in a repo
```bash
python ~/.codex/skills/security-compliance/scripts/secret_scan.py . --json --output /tmp/secrets.json
```
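As an added illustration of what a lightweight secrets scan does (example code written for this page, not the skill's own `secret_scan.py`): a few regex rules for well-known key formats, a Shannon-entropy filter so generic `name = value` hits such as `your_api_key_here` are not reported, and JSON-shaped findings with the matched value redacted. The rule names, the 3.5-bit threshold and the sample file contents are assumptions constructed for the demo.

```python
import json
import math
import re
from collections import Counter

# Constructed detection rules (not the project's secret_scan.py rule set).
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "value": the captured value must also pass the entropy filter
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, words and placeholders low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list:
    """One finding per (line, rule) hit; the matched value is redacted in the report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                continue  # low entropy: likely a word or placeholder such as your_api_key_here
            findings.append({"file": path, "line": lineno, "rule": rule,
                             "match": value[:4] + "..." + value[-2:]})
    return findings

def scan_files(files: dict) -> list:
    """files maps path -> content; stands in for walking a checked-out repository."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample repository contents (no real credentials).
SAMPLE_FILES = {
    "config/settings.py": ("AWS_ACCESS_KEY_ID = 'AKIA0123456789ABCDEF'\n"
                           "api_key = 'your_api_key_here'\n"
                           "password = os.environ['DB_PASSWORD']\n"),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n",
    ".env": "SECRET_TOKEN=Q7vP2xZn9LmK4wRt8sYb3Hj6\n",
}

if __name__ == "__main__":
    print(json.dumps(scan_files(SAMPLE_FILES), indent=2))  # same shape as a --json report
```

Treat the output as a triage list, not proof of exposure: each finding still needs a human to confirm it is a live credential and to rotate it if so.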
## References
- Threat model template: `references/threat-model.md`
- Control checklist: `references/control-checklist.md`
This skill provides a practical security and compliance workflow for designing defense-in-depth controls, performing lightweight threat modeling and risk assessments, and mapping mitigations to common frameworks like SOC 2, ISO 27001, GDPR, and HIPAA. It combines clear scoping, a concise threat model, control checklists, and concrete evidence gathering to move teams from checkbox compliance to real security outcomes.
Start by scoping the system and data: identify data types, storage, transmission paths, and trust boundaries. Produce a five-item threat model listing top abuse cases, impacts, and mitigations. Create a controls checklist mapped to trust boundaries and the selected compliance frameworks, and produce an evidence list of configs, logs, tests, and screenshots that demonstrate controls are in place.
- **How detailed should the threat model be?** Keep it lightweight: focus on the top 5 abuse cases that pose the greatest risk and list clear mitigations and impacts.
- **What counts as acceptable evidence?** Concrete, verifiable artifacts such as configuration files, access logs, test results, screenshots of settings, and links to automated checks.