Generating Compliance Reports
Overview
Generate structured compliance reports for major security frameworks including
PCI DSS, HIPAA, SOC 2, GDPR, and ISO 27001. This skill scans codebases,
configurations, and infrastructure definitions to assess compliance posture,
maps findings to specific framework controls, and produces audit-ready
documentation with evidence references and gap analysis.
Prerequisites
- Access to the target codebase, infrastructure configs, and policy documents in ${CLAUDESKILLDIR}/
- Knowledge of the target compliance framework and its applicable scope
- Standard shell utilities and Grep/Glob available for evidence gathering
- Reference: ${CLAUDESKILLDIR}/references/README.md for PCI DSS guidelines, HIPAA compliance checklist, SOC 2 framework overview, config schema, and API documentation
Instructions
- Determine the target compliance framework (PCI DSS, HIPAA, SOC 2, GDPR, ISO 27001, or custom) and identify applicable control domains based on the system under audit.
- Enumerate the control requirements for the target framework -- for PCI DSS, map the 12 requirements and their sub-controls; for HIPAA, map Administrative, Physical, and Technical Safeguards; for SOC 2, map Trust Services Criteria (CC1-CC9).
- Scan the codebase for evidence of control implementation: encryption at rest and in transit (TLS configuration, database encryption), access controls (RBAC definitions, IAM policies), logging and monitoring (audit log configuration, SIEM integration), and data retention policies.
- Evaluate each control as Compliant, Partially Compliant, Non-Compliant, or Not Applicable -- document the evidence file path and line number for each assessment, and record the reason when a control is rated Not Applicable (for example, a physical-safeguard control that cannot be evidenced from code).
- For Partially Compliant and Non-Compliant controls, describe the specific gap: what is missing, what risk it introduces, and what remediation is required.
- Calculate an overall compliance score as the percentage of applicable controls rated Compliant -- Not Applicable controls are excluded from the denominator, and Partially Compliant controls do not count toward the numerator.
- Generate the report with these sections: Executive Summary, Scope and Methodology, Control-by-Control Assessment, Gap Analysis, Risk Rating, Remediation Roadmap with priority and effort estimates, and Evidence Appendix.
- Write the report to ${CLAUDESKILLDIR}/compliance-report-[framework]-[date].md using the Write tool.
- Validate the report against the config schema in ${CLAUDESKILLDIR}/references/README.md if applicable.
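The scan, rate, score and render steps above, as an added example that is not part of this skill: a small Python scanner that searches a constructed set of config files for per-control evidence and weakness patterns, rates each control with the four statuses, records path:line evidence references, computes the score over applicable controls only, and emits the Control Assessment table. The control IDs paraphrase PCI DSS top-level requirement numbers; the regex patterns, remediation text and sample files are illustrative assumptions, not the skill's reference material.

```python
"""Added example (not the skill's own code): evidence scanner and scorer.
Control IDs paraphrase PCI DSS top-level requirements; the patterns,
remediation text and SAMPLE_FILES below are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Constructed sample "codebase" (path -> contents); not a real project.
SAMPLE_FILES = {
    "infra/nginx.conf": "server {\n  listen 443 ssl;\n"
                        "  ssl_protocols TLSv1.2 TLSv1.3;\n"
                        "  ssl_ciphers HIGH:!aNULL:!MD5;\n}\n",
    "infra/rds.tf": 'resource "aws_db_instance" "cde" {\n'
                    "  storage_encrypted = true\n}\n",
    "infra/rds-replica.tf": 'resource "aws_db_instance" "replica" {\n'
                            "  storage_encrypted = false\n}\n",
    "iam/app-role.json": '{"Statement": [{"Effect": "Allow", '
                         '"Action": "*", "Resource": "*"}]}\n',
    "app/config.yaml": "log_level: info\n",
}


@dataclass
class Control:
    control_id: str
    description: str
    evidence: list      # regexes: a hit is evidence the control is implemented
    weaknesses: list    # regexes: a hit is a gap that downgrades the rating
    remediation: str
    applicable: bool = True


# Illustrative control set; patterns are assumptions, not an official mapping.
CONTROLS = [
    Control("Req 3", "Protect stored cardholder data (encryption at rest)",
            [r"storage_encrypted\s*=\s*true"], [r"storage_encrypted\s*=\s*false"],
            "enable storage encryption on every in-scope data store"),
    Control("Req 4", "Strong cryptography for cardholder data in transit",
            [r"ssl_protocols\s+TLSv1\.[23]"],
            [r"\b(?:SSLv3|TLSv1(?:\.0|\.1)?(?![.\d]))"],   # legacy protocols
            "restrict ssl_protocols to TLSv1.2 and TLSv1.3"),
    Control("Req 7", "Restrict access by business need to know (least privilege)",
            [r'"Action":\s*\[?\s*"[a-z0-9-]+:[A-Za-z0-9*]+"'], [r'"Action":\s*"\*"'],
            "replace wildcard IAM actions with the specific actions the role needs"),
    Control("Req 9", "Restrict physical access to cardholder data",
            [], [], "assess on site; cannot be evidenced from code", applicable=False),
    Control("Req 10", "Log and monitor all access to system components",
            [r"audit_log|audit:\s*(?:true|enabled)|siem"], [],
            "enable audit logging and ship logs to the SIEM"),
]


@dataclass
class Finding:
    control: Control
    evidence: list = field(default_factory=list)    # "path:line" references
    weaknesses: list = field(default_factory=list)  # "path:line" references

    @property
    def status(self) -> str:
        if not self.control.applicable:
            return "Not Applicable"
        if self.evidence and not self.weaknesses:
            return "Compliant"
        if self.evidence:
            return "Partially Compliant"
        return "Non-Compliant"

    def gap(self) -> str:
        """What is missing and the remediation, for the Gap column."""
        if self.status in ("Compliant", "Not Applicable"):
            return ""
        if self.weaknesses:
            return f"weak setting at {', '.join(self.weaknesses)}; {self.control.remediation}"
        return f"no implementation evidence found; {self.control.remediation}"


def scan(files: dict, controls: list) -> list:
    """Search every line of every file for each control's patterns."""
    findings = []
    for control in controls:
        finding = Finding(control)
        if control.applicable:
            for path, text in files.items():
                for lineno, line in enumerate(text.splitlines(), 1):
                    ref = f"{path}:{lineno}"
                    if any(re.search(p, line) for p in control.evidence):
                        finding.evidence.append(ref)
                    if any(re.search(p, line) for p in control.weaknesses):
                        finding.weaknesses.append(ref)
        findings.append(finding)
    return findings


def compliance_score(findings: list) -> float:
    """Percent of applicable controls rated Compliant (N/A excluded)."""
    applicable = [f for f in findings if f.status != "Not Applicable"]
    if not applicable:
        return 0.0
    return round(100.0 * sum(f.status == "Compliant" for f in applicable) / len(applicable), 1)


def render_table(findings: list) -> str:
    """Markdown Control Assessment table in the report's column layout."""
    rows = ["| Control ID | Description | Status | Evidence | Gap |",
            "|---|---|---|---|---|"]
    for f in findings:
        rows.append(f"| {f.control.control_id} | {f.control.description} | {f.status} | "
                    f"{', '.join(f.evidence) or '-'} | {f.gap() or '-'} |")
    return "\n".join(rows)


if __name__ == "__main__":
    results = scan(SAMPLE_FILES, CONTROLS)
    print(render_table(results))
    print(f"\nCompliance score: {compliance_score(results)}%")
```

On the constructed input the scan rates Req 4 Compliant, Req 3 Partially Compliant (an encrypted primary beside an unencrypted replica), Req 7 and Req 10 Non-Compliant, Req 9 Not Applicable, giving a score of 25.0% over the four applicable controls. Static evidence of this kind shows that a control is configured in the repository, not that the configuration is deployed or enforced at runtime; the Scope and Methodology section should say so, and the Evidence Appendix should distinguish code-derived evidence from runtime or policy evidence.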
Output
- Compliance report: Markdown document with Executive Summary, Scope, Control Assessment (table with Control ID, Description, Status, Evidence, Gap), Risk Rating, and Remediation Roadmap
- Compliance score: Percentage of applicable controls rated Compliant, with a per-control status breakdown showing how each control contributed to the score