Generating Compliance Reports
Overview
Generate structured compliance reports for major security frameworks including
PCI DSS, HIPAA, SOC 2, GDPR, and ISO 27001. This skill scans codebases,
configurations, and infrastructure definitions to assess compliance posture,
maps findings to specific framework controls, and produces audit-ready
documentation with evidence references and gap analysis.
Prerequisites
- Access to the target codebase, infrastructure configs, and policy documents in ${CLAUDE_SKILL_DIR}/
- Knowledge of the target compliance framework and its applicable scope
- Standard shell utilities and Grep/Glob available for evidence gathering
- Reference: ${CLAUDE_SKILL_DIR}/references/README.md for PCI DSS guidelines, HIPAA compliance checklist, SOC 2 framework overview, config schema, and API documentation
Instructions
- Determine the target compliance framework (PCI DSS, HIPAA, SOC 2, GDPR, ISO 27001, or custom) and identify applicable control domains based on the system under audit.
- Enumerate the control requirements for the target framework -- for PCI DSS, map the 12 requirements and their sub-controls; for HIPAA, map Administrative, Physical, and Technical Safeguards; for SOC 2, map Trust Services Criteria (CC1-CC9).
- Scan the codebase for evidence of control implementation: encryption at rest and in transit (TLS configuration, database encryption), access controls (RBAC definitions, IAM policies), logging and monitoring (audit log configuration, SIEM integration), and data retention policies.
- Evaluate each control as Compliant, Partially Compliant, Non-Compliant, or Not Applicable -- document the evidence file path and line number for each assessment.
- For Partially Compliant and Non-Compliant controls, describe the specific gap: what is missing, what risk it introduces, and what remediation is required.
- Calculate an overall compliance score as the percentage of applicable controls that are fully compliant (controls rated Not Applicable are excluded from both numerator and denominator).
- Generate the report with these sections: Executive Summary, Scope and Methodology, Control-by-Control Assessment, Gap Analysis, Risk Rating, Remediation Roadmap with priority and effort estimates, and Evidence Appendix.
- Write the report to ${CLAUDE_SKILL_DIR}/compliance-report-[framework]-[date].md using the Write tool.
- Validate the report against the config schema in ${CLAUDE_SKILL_DIR}/references/README.md if applicable.
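The scan, evaluate, score and report steps above, worked through as an added example (this is not code from the original skill or its references). It runs over a constructed in-memory set of config files, rates a handful of PCI DSS v4.0 requirements (the requirement numbers are real top-level requirements; the mapping of each check to a requirement, the regexes, file names and contents are assumptions made for illustration), records the path:line of the evidence behind every rating, computes the overall and per-domain compliance score, and renders the Control Assessment table and Gap Analysis in Markdown.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
# Constructed sample "codebase" (path -> contents); not real project files.
SAMPLE_FILES = {
    "config/database.yml": (
        "production:\n"
        "  username: admin\n"
        "  password: admin\n"             # default credential left in place
        "  encrypt_columns: [expiry]\n"   # PAN column not covered by encryption
    ),
    "config/tls.conf": "min_protocol = TLSv1.2\nciphers = HIGH:!aNULL\n",
    "config/logging.yml": "audit_log: enabled\n",
}
DEFAULT_SECRETS = {"admin", "password", "changeme", "root"}

@dataclass
class Control:
    control_id: str                            # PCI DSS v4.0 top-level requirement (mapping is illustrative)
    domain: str                                # control domain used for the per-domain score breakdown
    description: str
    evidence_pattern: str                      # regex locating the config line that serves as evidence
    verdict: Callable[[str], Tuple[str, str]]  # judges that evidence line -> (status, gap)
    if_missing: Tuple[str, str]                # (status, gap) when no evidence line exists anywhere

@dataclass
class Finding:
    control: Control
    status: str    # Compliant / Partially Compliant / Non-Compliant / Not Applicable
    evidence: str  # "path:line" that decided the status, "" when none
    gap: str       # what is missing and the risk it introduces

def no_default_password(line: str) -> Tuple[str, str]:
    if line.split(":", 1)[1].strip() in DEFAULT_SECRETS:
        return "Non-Compliant", "Default credential present; trivial unauthorized access risk"
    return "Compliant", ""

def tls_1_2_or_higher(line: str) -> Tuple[str, str]:
    m = re.search(r"TLSv(\d)\.(\d)", line)
    if m and (int(m.group(1)), int(m.group(2))) >= (1, 2):
        return "Compliant", ""
    return "Non-Compliant", "Minimum protocol below TLS 1.2; weak-protocol downgrade risk"

CONTROLS = [
    Control("Req 2", "Secure Configuration", "No default credentials in config files",
            r"^\s*password:\s*\S+", no_default_password, ("Not Applicable", "")),
    Control("Req 3", "Protect Stored Data", "Cardholder data encrypted at rest", r"^\s*encrypt_columns:",
            lambda line: ("Compliant", "") if "card_number" in line
            else ("Partially Compliant", "Column encryption configured but PAN column not covered"),
            ("Non-Compliant", "No column encryption configured for cardholder data")),
    Control("Req 4", "Transmission Security", "TLS 1.2 or higher enforced",
            r"^\s*min_protocol\s*=", tls_1_2_or_higher, ("Not Applicable", "")),
    Control("Req 10", "Logging and Monitoring", "Audit logging enabled", r"^\s*audit_log:",
            lambda line: ("Compliant", "") if re.search(r"audit_log:\s*enabled", line)
            else ("Non-Compliant", "Audit logging disabled; access to account data not recorded"),
            ("Non-Compliant", "No audit logging configuration found")),
]

def find_evidence(files: Dict[str, str], pattern: str) -> Optional[Tuple[str, int, str]]:
    """First (path, 1-based line number, line text) across all files matching the regex."""
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            if re.search(pattern, line):
                return path, lineno, line
    return None

def assess(files: Dict[str, str], controls: List[Control] = CONTROLS) -> List[Finding]:
    """Rate every control and record the file:line evidence behind each rating."""
    findings = []
    for c in controls:
        hit = find_evidence(files, c.evidence_pattern)
        status, gap = c.if_missing if hit is None else c.verdict(hit[2])
        findings.append(Finding(c, status, "" if hit is None else f"{hit[0]}:{hit[1]}", gap))
    return findings

def compliance_score(findings: List[Finding]) -> float:
    """Percentage of applicable controls rated fully Compliant (0.0 if none apply)."""
    applicable = [f for f in findings if f.status != "Not Applicable"]
    if not applicable:
        return 0.0
    return 100.0 * sum(f.status == "Compliant" for f in applicable) / len(applicable)

def score_by_domain(findings: List[Finding]) -> Dict[str, float]:
    return {d: compliance_score([f for f in findings if f.control.domain == d])
            for d in sorted({f.control.domain for f in findings})}

def render_report(findings: List[Finding], framework: str = "PCI DSS v4.0") -> str:
    """Abbreviated Markdown report: executive summary, control table, gap analysis."""
    out = [f"# Compliance Report: {framework}", "", "## Executive Summary", "",
           f"Overall score: {compliance_score(findings):.1f}% of applicable controls fully compliant.",
           "", "## Control-by-Control Assessment", "",
           "| Control ID | Description | Status | Evidence | Gap |", "|---|---|---|---|---|"]
    out += [f"| {f.control.control_id} | {f.control.description} | {f.status} | {f.evidence or 'n/a'} | {f.gap or '-'} |"
            for f in findings]
    out += ["", "## Gap Analysis", ""] + [f"- {f.control.control_id}: {f.gap} (evidence: {f.evidence or 'none'})"
            for f in findings if f.status in ("Partially Compliant", "Non-Compliant")]
    return "\n".join(out)

if __name__ == "__main__":
    print(render_report(assess(SAMPLE_FILES)))
```

Each control is data (an evidence regex, a verdict function, and an explicit status for the no-evidence case), so adding a framework means adding rows to CONTROLS rather than new scanning code; the no-evidence status is what distinguishes a control that is Not Applicable (no TLS termination configured here) from one that is Non-Compliant because a required artifact is simply absent (no audit logging configured at all).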
Output
- Compliance report: Markdown document with Executive Summary, Scope, Control Assessment (table with Control ID, Description, Status, Evidence, Gap), Risk Rating, and Remediation Roadmap
- Compliance score: Percentage of applicable controls rated Compliant, broken down by control domain
- Gap analysis: Prioritized list of non-compliant controls with risk impact and remediation effort (high/medium/low)
- Evidence index: File paths and line references for each control assessment
- Remediation roadmap: Prioritized action items with estimated effort, owner assignment placeholders, and target dates
Error Handling
| Error | Cause | Solution |
|---|---|---|
| Unknown compliance framework requested | Framework not in supported list | Map the custom framework controls manually or select the closest standard framework as a baseline |
| Insufficient evidence for control assessment | Codebase lacks configuration files or documentation | Mark the control as "Evidence Not Available" and recommend documenting the control implementation |
| Mixed framework versions | Codebase references multiple versions of a standard (e.g., PCI DSS 3.2.1 vs 4.0) | Clarify the target version and assess against that version only; note version discrepancies in the report |
| Large codebase scan timeout | Too many files to scan within time limits | Scope the scan to relevant directories (e.g., |
| Conflicting control evidence | Different parts of the codebase implement conflicting security policies | Flag as Partially Compliant and document both implementations; recommend standardization |
Examples
PCI DSS Compliance Report
Scan an e-commerce application in ${CLAUDE_SKILL_DIR}/ for PCI DSS v4.0 compliance.
Assess Requirement 2 (Apply Secure Configurations) by checking for default
credentials in config files, Requirement 3 (Protect Stored Account Data) by
verifying encryption of cardholder data fields, and Requirement 6 (Develop and
Maintain Secure Systems) by checking dependency vulnerability status. Produce a
report rating each requirement as Compliant/Non-Compliant with file-level evidence.
HIPAA Technical Safeguards Audit
Evaluate a healthcare application against HIPAA Technical Safeguards. Check
164.312(a)(1) Access Control by reviewing authentication and RBAC implementations,
164.312(e)(1) Transmission Security by verifying TLS 1.2+ enforcement, and
164.312(b) Audit Controls by confirming audit logging captures access to PHI.
Generate a gap analysis with remediation steps for each non-compliant safeguard.
SOC 2 Type II Readiness Assessment
Assess SOC 2 Trust Services Criteria CC6 (Logical and Physical Access Controls)
and CC7 (System Operations) by scanning for access control policies, change
management procedures, incident response documentation, and monitoring
configurations. Produce a readiness report indicating which criteria need
additional evidence or implementation before a formal SOC 2 audit.