
Security Compliance Audit
Map your product to SOC 2, GDPR, HIPAA, PCI-DSS, or ISO 27001 controls and track evidence, findings, and remediation before launch or audits.
Overview
Security-compliance-audit is an agent skill most often used in Ship (also Validate, Operate) that structures multi-framework compliance control reviews with status, evidence, and remediation.
Install
npx skills add https://github.com/aj-geddes/useful-ai-prompts --skill security-compliance-audit
What is this skill?
- Python ComplianceAuditor pattern with per-framework control loading (SOC 2, GDPR, HIPAA, PCI-DSS, ISO 27001)
- Per-control evidence lists, findings, remediation text, owner, and due dates
- Four control statuses: compliant, non_compliant, partially_compliant, not_applicable
- Structured Control dataclass for exportable audit artifacts (JSON-friendly)
- Framework-specific control catalogs you extend with your environment checks
- 5 compliance frameworks modeled (SOC 2, GDPR, HIPAA, PCI-DSS, ISO 27001)
- 4 control status values per control
Adoption & trust: 538 installs on skills.sh; 250 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You know you need SOC 2 or GDPR coverage but have no consistent control list, evidence trail, or remediation backlog your agent can maintain.
Who is it for?
Solo builders shipping B2B SaaS or regulated-adjacent apps who want a documented control matrix before sales diligence or certification projects.
Skip if: Teams that only need a one-off dependency CVE scan or already have a GRC platform with live integrations—use dedicated scanners and GRC tools instead of this template.
When should I use this skill?
You are preparing for a compliance framework review, customer security questionnaire, or internal audit and need a structured control register.
What do I get? / Deliverables
You get a framework-aligned control register with statuses, findings, and owned remediation items you can export and work through before external audit or customer security reviews.
- Per-framework control list with status and findings
- Remediation backlog with owners and due dates
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Compliance gap analysis is a canonical Ship concern because it gates release and customer trust, even when you start scoping requirements earlier. Security subphase is where control libraries, status enums, and remediation owners belong—not ad-hoc notes in a README.
Where it fits
List which GDPR and PCI controls apply before you commit to storing payment or health-related fields.
Score each SOC 2 control as compliant or partial and attach evidence links ahead of a customer security review.
Re-open non_compliant controls after an incident or vendor change and assign new due dates.
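The three steps above as a runnable walk-through. This is an added example, not the skill's own code: it reuses the skill's Control/ControlStatus shape, refuses to record "compliant" without attached evidence, orders the remediation backlog by due date, and flattens the status enum so the register serialises to JSON. Control ids CC6.1, CC6.2 and Art.15 come from the skill's catalog; the evidence file names, owners and dates are constructed.

```python
# Added example (not the skill's own code) on its Control/ControlStatus pattern; all names and dates constructed.
from dataclasses import dataclass, field, asdict
from enum import Enum
import json
class ControlStatus(Enum):
    COMPLIANT = "compliant"
    NON_COMPLIANT = "non_compliant"
    PARTIALLY_COMPLIANT = "partially_compliant"
    NOT_APPLICABLE = "not_applicable"

@dataclass
class Control:
    control_id: str
    framework: str
    status: ControlStatus = ControlStatus.NOT_APPLICABLE
    evidence: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)
    remediation: str = ""
    owner: str = ""
    due_date: str = ""  # ISO date, so sorting the backlog by it is chronological

def score(ctrl, status, evidence=(), findings=(), remediation="", owner="", due_date=""):
    """Record a review result; a 'compliant' claim with no attached evidence is downgraded."""
    ctrl.status, ctrl.evidence, ctrl.findings = status, list(evidence), list(findings)
    ctrl.remediation, ctrl.owner, ctrl.due_date = remediation, owner, due_date
    if status is ControlStatus.COMPLIANT and not ctrl.evidence:
        ctrl.status = ControlStatus.PARTIALLY_COMPLIANT
        ctrl.findings.append("claimed compliant without attached evidence")

def reopen(ctrl, reason, owner, due_date):  # after an incident or vendor change
    ctrl.status, ctrl.owner, ctrl.due_date = ControlStatus.NON_COMPLIANT, owner, due_date
    ctrl.findings.append(reason)  # earlier evidence stays on record for the auditor

def remediation_backlog(controls):
    """Open items (non_compliant or partially_compliant), earliest due date first, undated last."""
    return sorted((c for c in controls if c.status not in (ControlStatus.COMPLIANT, ControlStatus.NOT_APPLICABLE)),
                  key=lambda c: c.due_date or "9999-12-31")

def export_register(controls):
    """JSON register; the status enum must be flattened to its value or json.dumps raises TypeError."""
    return json.dumps([{**asdict(c), "status": c.status.value} for c in controls], indent=2)

def build_sample_register():  # constructed walk-through: score, evidence gate, reopen
    cc61, cc62, art15 = Control("CC6.1", "SOC 2"), Control("CC6.2", "SOC 2"), Control("Art.15", "GDPR")
    score(cc61, ControlStatus.COMPLIANT, evidence=["sso-policy.md", "iam-review-2025Q1.pdf"])
    score(cc62, ControlStatus.COMPLIANT)  # no evidence attached: downgraded to partial
    score(art15, ControlStatus.NON_COMPLIANT, findings=["no DSAR process"],
          remediation="Build data-subject export endpoint", owner="backend", due_date="2025-06-30")
    reopen(cc61, "IdP vendor changed; SSO config must be re-verified", "platform", "2025-05-15")
    return [cc61, cc62, art15]
```

Running `build_sample_register()` and then `remediation_backlog(...)` puts the re-opened CC6.1 first, the GDPR item second, and the undated CC6.2 downgrade last.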
How it compares
Structured compliance control tracking for agent-led gap analysis, not a live cloud CSPM product or penetration-test report generator.
Common Questions / FAQ
Who is security-compliance-audit for?
Indie and small-team builders who must speak credibly about SOC 2, GDPR, HIPAA, PCI-DSS, or ISO 27001 before enterprise deals, fundraising, or formal audits.
When should I use security-compliance-audit?
During Validate when scoping data handling and scope boundaries, in Ship before release and security reviews, and in Operate when refreshing control evidence after process or infra changes.
Is security-compliance-audit safe to install?
Treat it as guidance and sample Python structures you run in your repo; review the Security Audits panel on this Prism page and inspect any code the agent generates before handling production data.
SKILL.md
SKILL.md - Security Compliance Audit
# Automated Compliance Checker

```python
# compliance_auditor.py
from dataclasses import dataclass, field
from typing import List, Dict
from enum import Enum
import json
from datetime import datetime


class ComplianceFramework(Enum):
    SOC2 = "SOC 2"
    GDPR = "GDPR"
    HIPAA = "HIPAA"
    PCI_DSS = "PCI-DSS"
    ISO_27001 = "ISO 27001"


class ControlStatus(Enum):
    COMPLIANT = "compliant"
    NON_COMPLIANT = "non_compliant"
    PARTIALLY_COMPLIANT = "partially_compliant"
    NOT_APPLICABLE = "not_applicable"


@dataclass
class Control:
    control_id: str
    framework: ComplianceFramework
    category: str
    description: str
    requirement: str
    status: ControlStatus
    evidence: List[str] = field(default_factory=list)   # links or file names backing the status
    findings: List[str] = field(default_factory=list)   # gaps observed during review
    remediation: str = ""
    owner: str = ""
    due_date: str = ""


class ComplianceAuditor:
    def __init__(self, framework: ComplianceFramework):
        self.framework = framework
        self.controls: List[Control] = []
        self.load_controls()

    def load_controls(self):
        """Load compliance controls for the framework"""
        if self.framework == ComplianceFramework.SOC2:
            self.load_soc2_controls()
        elif self.framework == ComplianceFramework.GDPR:
            self.load_gdpr_controls()
        elif self.framework == ComplianceFramework.HIPAA:
            self.load_hipaa_controls()
        elif self.framework == ComplianceFramework.PCI_DSS:
            self.load_pci_dss_controls()

    def load_soc2_controls(self):
        """Load SOC 2 Trust Service Criteria"""
        soc2_controls = [
            {
                'control_id': 'CC6.1',
                'category': 'Logical and Physical Access Controls',
                'description': 'Restrict logical access',
                'requirement': 'Implement authentication and authorization mechanisms'
            },
            {
                'control_id': 'CC6.2',
                'category': 'Logical and Physical Access Controls',
                'description': 'Use encryption',
                'requirement': 'Encrypt data in transit and at rest'
            },
            {
                'control_id': 'CC6.6',
                'category': 'Logical and Physical Access Controls',
                'description': 'Restrict physical access',
                'requirement': 'Implement physical access controls'
            },
            {
                'control_id': 'CC7.2',
                'category': 'System Monitoring',
                'description': 'Detect security incidents',
                'requirement': 'Implement monitoring and alerting'
            },
            {
                'control_id': 'CC7.3',
                'category': 'System Monitoring',
                'description': 'Evaluate security events',
                'requirement': 'Review and analyze security logs'
            }
        ]
        for ctrl in soc2_controls:
            # every catalog entry starts as NOT_APPLICABLE until it is reviewed
            self.controls.append(Control(
                control_id=ctrl['control_id'],
                framework=self.framework,
                category=ctrl['category'],
                description=ctrl['description'],
                requirement=ctrl['requirement'],
                status=ControlStatus.NOT_APPLICABLE
            ))

    def load_gdpr_controls(self):
        """Load GDPR requirements"""
        gdpr_controls = [
            {
                'control_id': 'Art.5',
                'category': 'Data Processing Principles',
                'description': 'Lawfulness, fairness, and transparency',
                'requirement': 'Process data lawfully, fairly, and transparently'
            },
            {
                'control_id': 'Art.15',
                'category': 'Data Subject Rights',
                'description': 'Right of access',
                'requirement': 'Provide data subject access to their data'
            },
            { 'control
```