Agent Skills Framework Extension
Compliance Validation Skill
When to Use This Skill
Use this skill when implementing compliance validation patterns in your codebase.
How to Use This Skill
- Review the patterns and examples below
- Apply the relevant patterns to your implementation
- Follow the best practices outlined in this skill
Automated compliance validation for SOC2, HIPAA, GDPR, and PCI DSS with audit trail generation and policy enforcement.
Core Capabilities
- SOC2 Validation - Trust Services Criteria compliance
- HIPAA Compliance - Healthcare data protection
- GDPR Validation - EU data privacy regulations
- PCI DSS - Payment card security standards
- Audit Trails - Compliance evidence generation
SOC2 Compliance Checker
#!/usr/bin/env python3
"""
SOC2 Trust Services Criteria compliance validator.
"""
from dataclasses import dataclass
from typing import List, Dict
from pathlib import Path
import json
@dataclass
class ComplianceCheck:
control_id: str
category: str
requirement: str
status: str
evidence: List[str]
notes: str = ""
class SOC2Validator:
def __init__(self, project_path: Path):
self.project_path = project_path
self.checks: List[ComplianceCheck] = []
def validate_security_controls(self):
"""Validate security controls (CC6)."""
# CC6.1: Logical and physical access controls
self.checks.append(ComplianceCheck(
control_id="CC6.1",
category="Security",
requirement="Logical and physical access controls",
status=self._check_access_controls(),
evidence=["IAM policies", "MFA configuration", "Access logs"]
))
# CC6.6: Encryption
self.checks.append(ComplianceCheck(
control_id="CC6.6",
category="Security",
requirement="Data encryption at rest and in transit",
status=self._check_encryption(),
evidence=["TLS configuration", "Database encryption", "S3 encryption"]
))
def validate_availability(self):
"""Validate availability controls (A1)."""
self.checks.append(ComplianceCheck(
control_id="A1.1",
category="Availability",
requirement="Infrastructure monitoring and capacity planning",
status=self._check_monitoring(),
evidence=["Monitoring dashboards", "Alerts configuration", "Capacity reports"]
))
def _check_access_controls(self) -> str:
"""Check access control implementation."""
# Check for IAM policies, MFA, etc.
has_iam = (self.project_path / "terraform/iam.tf").exists()
return "compliant" if has_iam else "non-compliant"
def _check_encryption(self) -> str:
"""Check encryption implementation."""
# Check TLS config, database encryption, etc.
has_tls = True # Simplified check
return "compliant" if has_tls else "non-compliant"
def _check_monitoring(self) -> str:
"""Check monitoring implementation."""
has_monitoring = (self.project_path / "monitoring").exists()
return "compliant" if has_monitoring else "non-compliant"
def generate_report(self) -> Dict:
"""Generate SOC2 compliance report."""
compliant = [c for c in self.checks if c.status == "compliant"]
non_compliant = [c for c in self.checks if c.status == "non-compliant"]
report = {
'framework': 'SOC2',
'total_controls': len(self.checks),
'compliant': len(compliant),
'non_compliant': len(non_compliant),
'compliance_rate': (len(compliant) / len(self.checks)) * 100,
'checks': [
{
'control_id': c.control_id,
'category': c.category,
'requirement': c.requirement,
'status': c.status,
'evidence': c.evidence,
'notes': c.notes
}
for c in self.checks
]
}
with open('soc2-compliance-report.json', 'w') as f:
json.dump(report, f, indent=2)
return report
if __name__ == '__main__':
validator = SOC2Validator(Path.cwd())
validator.validate_security_controls()
validator.validate_availability()
report = validator.generate_report()
print(f"SOC2 Compliance: {report['compliance_rate']:.1f}%")
print(f"Compliant: {report['compliant']}/{report['total_controls']}")
GDPR Compliance Checklist
# gdpr-compliance-checklist.yaml
data_protection_principles:
lawfulness: "Legal basis for processing documented"
transparency: "Privacy notices provided to data subjects"
purpose_limitation: "Data used only for stated purposes"
data_minimisation: "Only necessary data collected"
accuracy: "Mechanisms to keep data accurate"
storage_limitation: "Data retention policies defined"
security: "Appropriate security measures implemented"
data_subject_rights:
right_to_access: "Process for data access requests"
right_to_rectification: "Process for data correction"
right_to_erasure: "Process for data deletion"
right_to_portability: "Data export functionality"
right_to_object: "Opt-out mechanisms"
technical_measures:
encryption: "Data encrypted at rest and in transit"
pseudonymisation: "Personal data pseudonymised where possible"
access_controls: "Role-based access control implemented"
audit_logs: "Comprehensive audit logging"
breach_detection: "Security incident monitoring"
organizational_measures:
dpo_appointed: "Data Protection Officer designated"
staff_training: "GDPR training provided to staff"
vendor_agreements: "Data processing agreements with vendors"
impact_assessments: "DPIAs conducted for high-risk processing"
breach_notification: "Breach notification procedures documented"
Usage Examples
SOC2 Compliance Validation
Apply compliance-validation skill to validate SOC2 Trust Services Criteria compliance and generate audit report
GDPR Compliance Assessment
Apply compliance-validation skill to assess GDPR data protection compliance with checklist validation
Compliance Framework Mapping
Cross-reference table for common controls across frameworks:
| Control Area | SOC2 | HIPAA | GDPR | PCI DSS |
|---|---|---|---|---|
| Access Control | CC6.1, CC6.2 | §164.312(a)(1) | Art. 32(1)(b) | Req 7, 8 |
| Encryption | CC6.6, CC6.7 | §164.312(a)(2)(iv) | Art. 32(1)(a) | Req 3.4, 4.1 |
| Audit Logging | CC7.2 | §164.312(b) | Art. 30 | Req 10 |
| Incident Response | CC7.3, CC7.4 | §164.308(a)(6) | Art. 33, 34 | Req 12.10 |
| Data Retention | CC6.5 | §164.530(j) | Art. 5(1)(e) | Req 3.1 |
| Vendor Management | CC9.2 | §164.308(b)(1) | Art. 28 | Req 12.8 |
| Risk Assessment | CC3.1 | §164.308(a)(1)(ii)(A) | Art. 35 | Req 12.2 |
| Security Training | CC1.4 | §164.308(a)(5) | Art. 39(1)(b) | Req 12.6 |
Usage: When validating one framework, check related controls in other applicable frameworks.
# Example: Check related controls across frameworks
CONTROL_MAPPING = {
'encryption': {
'soc2': ['CC6.6', 'CC6.7'],
'hipaa': ['164.312(a)(2)(iv)', '164.312(e)(2)(ii)'],
'gdpr': ['Art. 32(1)(a)'],
'pci_dss': ['3.4', '4.1']
}
}
def get_related_controls(control_area: str, frameworks: list[str]) -> dict:
"""Get related controls across multiple frameworks."""
return {fw: CONTROL_MAPPING.get(control_area, {}).get(fw, [])
for fw in frameworks}
Integration Points
- security-audit-patterns - Security control validation
- cloud-architecture-review - Infrastructure compliance
- documentation-patterns - Policy documentation
Success Output
When this skill completes successfully, output:
✅ SKILL COMPLETE: compliance-validation
Compliance Assessment Complete:
- [x] SOC2 validation: [compliant]/[total] controls ([percentage]%)
- [x] GDPR assessment: [compliant]/[total] requirements ([percentage]%)
- [x] HIPAA compliance: [compliant]/[total] safeguards ([percentage]%)
- [x] PCI DSS validation: [compliant]/[total] requirements ([percentage]%)
- [x] Audit trails generated
Outputs:
- SOC2 compliance report: [path]
- GDPR checklist validation: [path]
- HIPAA safeguards assessment: [path]
- PCI DSS validation: [path]
- Audit evidence directory: [path]
Non-Compliance Items: [count]
- Critical: [count]
- High: [count]
- Medium: [count]
- Low: [count]
Completion Checklist
Before marking this skill as complete, verify:
- All applicable compliance frameworks validated
- Evidence files collected and documented
- Non-compliant items categorized by severity
- Remediation recommendations provided for each issue
- Audit trail generated with timestamps
- Reports exported in required formats (JSON, PDF)
- Compliance rate calculated accurately
- Policy documentation references verified
Failure Indicators
This skill has FAILED if:
- ❌ Compliance validation script throws exceptions
- ❌ Evidence files missing or inaccessible
- ❌ Critical controls marked compliant without verification
- ❌ Compliance rate calculation incorrect
- ❌ Audit trail incomplete or missing timestamps
- ❌ Reports not generated in required formats
- ❌ Framework requirements not up-to-date (outdated standards)
- ❌ False positives on compliance checks (marked compliant but actually non-compliant)
When NOT to Use
Do NOT use this skill when:
- Compliance framework not applicable to project
- Solution: Identify relevant frameworks first
- Automated validation insufficient (requires manual audit)
- Solution: Use for initial assessment, then manual review
- Framework requirements not implemented in validation script
- Solution: Extend script with missing requirements first
- Evidence collection not automated
- Solution: Manual evidence gathering with checklist
- Compliance status already certified by third-party auditor
- Solution: Use for monitoring, not initial certification
- Real-time compliance monitoring needed
- Solution: Implement continuous compliance monitoring tools
- Custom compliance requirements beyond standard frameworks
- Solution: Create custom validation checklist
Anti-Patterns (Avoid)
| Anti-Pattern | Problem | Solution |
|---|---|---|
| Checkbox compliance (no evidence) | False confidence | Collect actual evidence for each control |
| Point-in-time validation only | Compliance drift | Implement continuous monitoring |
| Ignoring severity levels | Misplaced priorities | Triage critical issues first |
| Validating against outdated standards | Non-compliance risk | Update framework requirements regularly |
| No remediation tracking | Issues persist | Track fixes to completion |
| Automated checks without manual review | Missed nuances | Combine automation with human verification |
| Single framework focus | Gaps in coverage | Validate all applicable frameworks |
| No baseline comparison | Cannot measure improvement | Establish baseline, track over time |
| Treating compliance as one-time | Ongoing requirement | Schedule regular re-validation |
| No segregation of duties | Audit validity questioned | Independent validation review |
Principles
This skill embodies the following CODITECT principles:
#1 Recycle → Extend → Re-Use → Create
- Reuses standard framework checklists (SOC2, GDPR, HIPAA, PCI DSS)
- Extends with custom evidence collection
- Creates audit trail from validation results
#2 Automation with Minimal Human Intervention
- Automated control validation where possible
- Automatic evidence file discovery
- Self-generating audit trails
- Automated report generation
#3 Separation of Concerns
- SOC2 validation independent from GDPR
- Evidence collection separate from compliance checking
- Reporting isolated from validation logic
#5 Eliminate Ambiguity
- Explicit compliance status (compliant/non-compliant/partial)
- Clear evidence requirements per control
- Severity classification (critical/high/medium/low)
#6 Clear, Understandable, Explainable
- Compliance reports explain non-compliance reasons
- Evidence references show what was validated
- Remediation recommendations guide fixes
#7 First Principles Thinking
- Compliance based on framework intent, not just checkboxes
- Control effectiveness validated, not just existence
- Evidence quality matters, not just presence
#8 No Assumptions
- Validates evidence files exist before marking compliant
- Confirms framework requirements current (not outdated)
- Checks actual implementation, not just documentation
- Verifies audit trail timestamps accurate