compliance-checker
Audits a codebase or business process for regulatory compliance across GDPR, HIPAA, SOC2, CCPA, and PCI-DSS. Scans for PII handling, data retention, encryption, access controls, audit logging, consent management, and data transfer issues. Generates a structured compliance report with findings, gap analysis, remediation steps, and evidence requirements.
git clone --depth 1 https://github.com/OneWave-AI/claude-skills /tmp/compliance-checker && cp -r /tmp/compliance-checker/compliance-checker ~/.claude/skills/compliance-checkerSKILL.md
# Compliance Checker Perform thorough regulatory compliance audits against one or more frameworks, identify gaps, and produce actionable remediation guidance with evidence requirements suitable for certification preparation. ## Contents - `references/frameworks.md` — the five supported frameworks (GDPR, HIPAA, SOC 2, CCPA, PCI-DSS): scope, key articles/requirements, penalties, and reference links. - `references/scan-patterns.md` — the seven scan categories, their search patterns, scan execution rules, and common pitfalls to always check. - `references/classification.md` — compliance status values, risk severity rubric, and the remediation detail fields. - `references/cross-framework-mapping.md` — control-area-to-framework mapping and the glossary. - `references/output-template.md` — the full `compliance-report.md` structure, including per-framework gap-analysis tables and evidence packs. ## Workflow Run the full methodology for every audit. Do not skip steps. ### Phase 1: Discovery and Scoping 1. Identify the target: codebase, infrastructure configuration, business process documentation, or a combination. 2. Determine applicable frameworks from the data types processed, geographic scope, industry, and business model. See `references/frameworks.md`. When none are specified, assess all five and note applicability. 3. Map the data flow: where regulated data enters, how it is processed, where it is stored, and how it exits. 4. Inventory data categories present (PII, PHI, CHD, sensitive PI, special category data). ### Phase 2: Scanning and Evidence Collection 5. Scan each of the seven categories — PII/sensitive data, data retention, encryption, access controls, audit logging, consent management, and data transfer. Apply the search patterns and execution rules in `references/scan-patterns.md`. Record exact file paths, line numbers, and snippets for both positive findings and gaps. ### Phase 3: Gap Analysis 6. Map each finding to specific framework requirements, assign a compliance status, and assign a risk severity to every non-compliant or partial finding. Use the rubric in `references/classification.md`. ### Phase 4: Remediation Planning 7. For each non-compliant or partial finding, produce the remediation detail (description, regulatory reference, current state, required state, steps, evidence, effort, dependencies) per `references/classification.md`. Cross-reference `references/cross-framework-mapping.md` to flag when one action closes gaps across multiple frameworks. ### Phase 5: Report Generation 8. Generate `compliance-report.md` in the project root (or a user-specified location), following the mandatory structure in `references/output-template.md`. Every section is required; if a section has no findings, state that explicitly. ## Behavioral Rules 1. Never fabricate findings. Back every finding with scan evidence. When evidence is absent, mark UNABLE TO ASSESS rather than guess. 2. Be specific. Reference exact file paths, line numbers, function names, and configuration keys. 3. Distinguish technical from organizational controls. Note when a finding requires verifying organizational controls (training, policies, physical security) that code review alone cannot confirm. 4. Consider the full stack: application code, database schemas, infrastructure configuration, CI/CD pipelines, dependency manifests, documentation, and environment configuration. 5. Prioritize actionable findings. Specify exact changes; avoid vague recommendations like "improve security". 6. Respect the scope. Audit only what is provided. Do not assume broader infrastructure without evidence. 7. Account for frameworks and libraries that handle compliance concerns (ORM parameterized queries, framework CSRF protection); credit them as positive findings but verify configuration. 8. Avoid false positives. Missing a marginal finding is better than reporting a non-gap. Err toward accuracy. 9. Cross-reference across frameworks. Note when a single remediation addresses multiple regulations. 10. Date and version everything so the report can be compared against future audits. ## Responding to Requests - "Audit this codebase" / "check compliance": Confirm which frameworks to focus on (or assess all five), run Phases 1-5, generate `compliance-report.md`, and summarize the most critical findings. - "Check for [framework]": Focus on that framework, still scan all seven categories, and map findings only to it. - "Check [category]" (e.g., "check encryption"): Focus the scan on that category and map findings to all applicable frameworks. - "Are we [requirement] compliant?" (e.g., GDPR Art. 17): Focus on the relevant controls, give a direct assessment with evidence, and offer remediation if gaps exist. - Business process documentation instead of code: Adapt the methodology to document analysis, focus on policy and procedure requirements, and note that technical controls cannot be verified without codebase access.
Audit websites for accessibility issues and WCAG compliance. Use when checking accessibility, fixing a11y issues, or ensuring WCAG compliance.
Deploy a 2-layer parallel agent hierarchy for large, parallelizable work — big refactors, multi-file migrations, codebase-wide audits, bulk generation. Layer 1 is 3-50+ specialist agents, each with its own full context window; Layer 2 is 2+ sub-agents per member. Includes git safety, tiered sizing, a pre-deploy gate, phantom-completion checks, and multi-wave follow-up.
Deploys swarms of sub-agents for massive parallel data processing tasks. Unlike agent-army (which is for code changes), this is for DATA tasks -- processing 1000 documents, analyzing datasets, bulk content generation. Configurable swarm size, task distribution, result aggregation, progress tracking, and error recovery.
Designs and deploys custom agent teams for specific business workflows. Interactive discovery of business processes, then generates complete team configurations with specialized agent roles, tool access, communication protocols, and handoff rules.
Agent-to-Agent (A2A) communication protocol. Connect two or more Claude agents that pass messages, share context, delegate tasks, and collaborate. Implements structured handoffs, shared memory, and multi-agent conversations.
Assesses how ready a business is for AI adoption across six dimensions. Evaluates data maturity, tech stack, team skills, process documentation, budget, and culture. Generates a comprehensive ai-readiness-report.md with scores, gap analysis, and recommended starting points. Aligned with OneWave AI's audit methodology.
Generate animated videos and motion graphics from natural language descriptions. Creates a standalone Vite + React project with Framer Motion scenes that auto-play in the browser. Use when the user wants to create animations, motion graphics, video intros, animated presentations, or product demos.
Generate comprehensive API documentation including endpoint descriptions, request/response examples, authentication guides, error codes, and SDKs. Creates OpenAPI/Swagger specs, REST API docs, and developer-friendly reference materials. Use when users need to document APIs, create technical references, or write developer documentation.