/compliance-check Workflow

Role

This skill is a scan coordinator. It orchestrates parallel compliance signal scans per requested framework, synthesizes findings, and produces a structured report with a PASS / PASS_WITH_NOTES / BLOCKED verdict. It checks code-level signals only — it does not verify organizational, infrastructure, or procedural controls.

This report is a development aid, not a compliance certification.

Inputs

• Framework(s): $ARGUMENTS (required)
  • fedramp — Federal Risk and Authorization Management Program code-level controls
  • fips — FIPS 140-3 approved cryptography and key management patterns
  • owasp — OWASP Top 10 compliance with evidence
  • soc2 — SOC 2 Type II code-level security controls

Multiple frameworks can be specified: /compliance-check fips owasp

Step 0 — Parse and validate framework arguments

Tool: Read

Parse $ARGUMENTS as a space-separated list of framework names.

Normalize each to lowercase for matching.

Validation: For each argument, check against the supported list: fedramp, fips, owasp, soc2.

If any unknown framework name is found, stop immediately with: "Unknown framework: [name]. Supported: fedramp, fips, owasp, soc2.

Usage: /compliance-check [fedramp|fips|owasp|soc2] [...] Multiple frameworks may be specified: /compliance-check fips owasp"

If $ARGUMENTS is empty, stop with: "Framework argument required. Supported: fedramp, fips, owasp, soc2.

Usage: /compliance-check [fedramp|fips|owasp|soc2] [...]"

Derive timestamp: [timestamp] = current ISO datetime (e.g., 2026-03-25T14-30-00)

Store the validated list of frameworks for Step 1.

Step 1 — Parallel compliance scans (one per framework)

Dispatch one Task subagent per validated framework, all in parallel.

Tool: Task (one subagent per framework, dispatched in parallel)

Scope constraint (apply to all scan prompts): Limit analysis to code-level signals only: source code files, configuration files (Dockerfiles, docker-compose, Kubernetes manifests, terraform, CI configs), dependency manifests (package.json, requirements.txt, go.mod, Cargo.toml), and hardcoded values. Do NOT attempt to verify organizational policies, infrastructure controls, personnel procedures, or runtime behavior.

If fedramp is in the validated framework list:

Tool: Task, subagent_type=general-purpose, model=claude-opus-4-6

Prompt: "Perform a FedRAMP code-level compliance signal scan. Scope: source code, configuration files, deployment manifests only.

Do NOT attempt to verify organizational policies, infrastructure controls outside the codebase, or personnel procedures.

Check for these FedRAMP code-level signals:

Access Control (AC):

• Role-based access control (RBAC) implementation patterns in code
• Least privilege enforcement (no overly broad permission grants in code)
• Session timeout configuration in application code
• Multi-factor authentication enforcement in authentication flows

Audit and Accountability (AU):

• Audit logging calls present for security-relevant events (login, logout, privilege changes, data access)
• Log entries include who, what, when, where (user ID, action, timestamp, source IP)
• Sensitive data excluded from log statements (no passwords, tokens, PII in log calls)

Configuration Management (CM):

• No hardcoded environment-specific values (IPs, hostnames) in source code
• Configuration loaded from environment variables or secret managers (not hardcoded)
• Dependency pinning (exact versions in manifests, not ranges for production deps)

Identification and Authentication (IA):

• Password complexity enforcement (min length, complexity rules in validation code)
• Account lockout after failed attempts (present in authentication logic)
• Secure credential storage patterns (hashing libraries used, not plaintext storage)

System and Communications Protection (SC):

• TLS/HTTPS enforcement in HTTP client configuration
• No HTTP (non-TLS) connections to external services in code
• Encryption at rest patterns (use of encryption libraries for stored sensitive data)

Rate each finding: Critical / High / Medium / Low. Write to ./plans/compliance-check-[timestamp].fedramp.md"

If fips is in the validated framework list:

Tool: Task, subagent_type=general-purpose, model=claude-opus-4-6

Prompt: "Perform a FIPS 140-3 code-level compliance signal scan. Scope: source code, configuration files, dependency manifests only.

Do NOT attempt to verify CMVP certification status of runtime cryptographic modules. Check only what is visible in source code.

Check for these FIPS code-level signals:

Approved Cryptographic Algorithms — flag any use of non-FIPS-approved algorithms:

• Hash functions: MD5, SHA-1 are NOT approved. SHA-2 (SHA-256, SHA-384, SHA-512) and SHA-3 are approved.
• Symmetric encryption: DES, 3DES, RC4, RC2, Blowfish are NOT approved. AES (128, 192, 256-bit) is approved.
• Asymmetric encryption: RSA < 2048 bits is NOT approved. RSA >= 2048, ECDSA with NIST curves (P-256, P-384, P-521) are approved.
• Key agreement: DH < 2048 bits is NOT approved. DH >= 2048, ECDH with NIST curves are approved.
• MAC: HMAC-SHA1 is borderline — flag for review. HMAC-SHA-256 and above are approved.

Key Management Patterns:

• Key derivation using PBKDF2, HKDF, or NIST-approved KDFs (flag use of custom KDFs)
• Key lengths meeting FIPS minimums (flag short keys)
• Secure key storage patterns (keys not hardcoded in source)

Random Number Generation:

• Use of cryptographically secure RNG (flag use of Math.random(), random.random(), or non-CSPRNG for security purposes)
• Flag use of predictable seeds for security-sensitive randomness

Cipher Mode of Operation:

• Flag ECB mode usage (not approved for most uses)
• Flag unauthenticated CBC for encryption-then-MAC concerns (prefer GCM or CCM)

Rate each finding: Critical / High / Medium / Low. Critical: Non-FIPS algorithm actively used in security-sensitive path. High: Non-FIPS algorithm used but context unclear, or key length below minimum. Medium: Potentially non-FIPS pattern requiring manual review. Low: Informational — approved algorithm but suboptimal configuration.

Write to ./plans/compliance-check-[timestamp].fips.md"

If owasp is in the validated framework list:

Tool: Task, subagent_type=general-purpose, model=claude-opus-4-6

Prompt: "Perform an OWASP Top 10 (2021) code-level compliance signal scan. Scope: source code and configuration files only.

Check each OWASP Top 10 category for code-level evidence of compliance or violation:

A01 - Broken Access Control:

• Missing authorization checks on sensitive endpoints
• Insecure direct object references (user-controlled IDs without ownership check)
• CORS misconfiguration (wildcard origins in code)

A02 - Cryptographic Failures:

• Sensitive data transmitted in HTTP (non-TLS)
• Weak or deprecated cryptographic algorithms (see FIPS scan for specifics)
• Secrets hardcoded in source

A03 - Injection:

• SQL queries built by string concatenation (not parameterized)
• Command injection (os.system, exec with user input)
• LDAP, XPath, SSTI injection patterns
• NoSQL injection (unvalidated object queries)

A04 - Insecure Design:

• Missing input validation on public API endpoints
• Business logic that can be bypassed by parameter manipulation
• Rate limiting absent on authentication/sensitive endpoints

A05 - Security Misconfiguration:

• Debug endpoints or stack traces exposed in production configuration
• Default credentials in config files
• Unnecessary features or services enabled in deployment manifests

A06 - Vulnerable and Outdated Components:

• Dependency manifests present for review (flag if lock files are absent)
• Known vulnerable version ranges (flag if visible from manifest context)

A07 - Identification and Authentication Failures:

• Weak session management (short session IDs, missing expiry)
• Brute force protection absent on login endpoints
• Insecure passw