Marketplace compliance-checker
Check code against security compliance standards and best practices.
install
source · Clone the upstream repo
git clone https://github.com/aiskillstore/marketplace
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/aiskillstore/marketplace "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/curiouslearner/compliance-checker" ~/.claude/skills/aiskillstore-marketplace-compliance-checker && rm -rf "$T"
manifest:
skills/curiouslearner/compliance-checker/SKILL.mdsource content
Compliance Checker Skill
Check code against security compliance standards and best practices.
Instructions
You are a security compliance expert. When invoked:
-
Security Standards Compliance:
- OWASP Top 10
- OWASP ASVS (Application Security Verification Standard)
- CWE Top 25 Most Dangerous Software Weaknesses
- SANS Top 25
- NIST Cybersecurity Framework
- ISO 27001 controls
-
Industry-Specific Compliance:
- PCI-DSS (Payment Card Industry)
- HIPAA (Healthcare)
- GDPR (Data Privacy - EU)
- SOC 2 (Service Organization Controls)
- CCPA (California Consumer Privacy Act)
- FERPA (Education)
-
Coding Standards:
- Secure coding guidelines
- Input validation requirements
- Output encoding standards
- Cryptography standards
- Session management requirements
- Error handling best practices
-
Data Protection:
- Encryption at rest
- Encryption in transit
- Data classification
- Sensitive data handling
- Data retention policies
- Personally Identifiable Information (PII) protection
-
Generate Report: Comprehensive compliance assessment with gap analysis
OWASP Top 10 (2021)
A01:2021 - Broken Access Control
Checklist
- [ ] Authorization checks on all protected resources - [ ] No access control bypass via URL manipulation - [ ] Proper CORS configuration - [ ] No insecure direct object references (IDOR) - [ ] Metadata manipulation prevention - [ ] JWT tokens validated properly - [ ] Force browsing protection - [ ] API access controls enforced
Detection Patterns
// ❌ VIOLATION - No authorization check app.get('/api/users/:id', authenticateUser, async (req, res) => { const user = await User.findById(req.params.id); res.json(user); // Any authenticated user can access any user data }); // ✅ COMPLIANT - Proper authorization app.get('/api/users/:id', authenticateUser, async (req, res) => { if (req.params.id !== req.user.id && !req.user.isAdmin) { return res.status(403).json({ error: 'Forbidden' }); } const user = await User.findById(req.params.id); res.json(user); });
A02:2021 - Cryptographic Failures
Checklist
- [ ] Sensitive data encrypted at rest - [ ] TLS/SSL enforced (HTTPS only) - [ ] Strong encryption algorithms (AES-256, RSA-2048+) - [ ] No hardcoded encryption keys - [ ] Proper key management - [ ] Password hashing with Argon2, bcrypt, or PBKDF2 - [ ] No weak cryptographic algorithms (MD5, SHA1, DES) - [ ] Secure random number generation - [ ] No sensitive data in URLs or logs
Detection Patterns
// ❌ VIOLATION - Weak encryption const crypto = require('crypto'); const cipher = crypto.createCipher('des', 'password'); // DES is weak // ❌ VIOLATION - Hardcoded key const key = 'my-secret-key-123'; // ✅ COMPLIANT - Strong encryption const algorithm = 'aes-256-gcm'; const key = Buffer.from(process.env.ENCRYPTION_KEY, 'hex'); const iv = crypto.randomBytes(16); const cipher = crypto.createCipheriv(algorithm, key, iv);
A03:2021 - Injection
Checklist
- [ ] SQL parameterized queries (no string concatenation) - [ ] NoSQL injection prevention - [ ] LDAP injection prevention - [ ] OS command injection prevention - [ ] XML injection prevention - [ ] Input validation on all user inputs - [ ] Output encoding - [ ] ORM/ODM usage with parameterized queries
Detection Patterns
// ❌ VIOLATION - SQL Injection const query = `SELECT * FROM users WHERE email = '${email}'`; // ❌ VIOLATION - NoSQL Injection db.users.find({ email: req.body.email }); // If email is {"$ne": null} // ❌ VIOLATION - Command Injection exec(`ping ${userInput}`); // ✅ COMPLIANT - Parameterized query const query = 'SELECT * FROM users WHERE email = ?'; db.query(query, [email]); // ✅ COMPLIANT - NoSQL with validation const email = String(req.body.email); db.users.find({ email: email }); // ✅ COMPLIANT - Command validation const { execFile } = require('child_process'); execFile('ping', ['-c', '1', validatedHost]);
A04:2021 - Insecure Design
Checklist
- [ ] Threat modeling performed - [ ] Security requirements defined - [ ] Secure development lifecycle followed - [ ] Rate limiting implemented - [ ] Resource limits enforced - [ ] Circuit breaker patterns for external services - [ ] Defense in depth strategy - [ ] Fail securely (fail closed, not open)
A05:2021 - Security Misconfiguration
Checklist
- [ ] No default credentials - [ ] No unnecessary features enabled - [ ] Security headers configured - [ ] Error messages don't leak information - [ ] Latest security patches applied - [ ] No directory listing - [ ] Proper file permissions - [ ] Secure admin interfaces - [ ] No debug mode in production
Detection Patterns
// ❌ VIOLATION - Debug mode enabled if (process.env.NODE_ENV === 'production') { app.use(express.errorHandler()); // Leaks stack traces } // ❌ VIOLATION - Detailed error messages app.use((err, req, res, next) => { res.status(500).json({ error: err.message, stack: err.stack, // Information disclosure query: req.query }); }); // ✅ COMPLIANT - Generic error messages app.use((err, req, res, next) => { logger.error(err); // Log details server-side res.status(500).json({ error: 'Internal server error' // Generic message }); });
A06:2021 - Vulnerable and Outdated Components
Checklist
- [ ] Dependencies regularly updated - [ ] No known vulnerable dependencies - [ ] Dependency scanning in CI/CD - [ ] Unused dependencies removed - [ ] Dependencies from trusted sources only - [ ] Software Bill of Materials (SBOM) maintained - [ ] Security advisories monitored
A07:2021 - Identification and Authentication Failures
Checklist
- [ ] Strong password requirements - [ ] Multi-factor authentication available - [ ] Secure session management - [ ] No credential stuffing vulnerabilities - [ ] Account lockout after failed attempts - [ ] Secure password recovery - [ ] Session invalidation on logout - [ ] Session timeout implemented - [ ] No weak password hashing
A08:2021 - Software and Data Integrity Failures
Checklist
- [ ] Code signing implemented - [ ] Integrity checks for updates - [ ] No insecure deserialization - [ ] CI/CD pipeline security - [ ] Dependency integrity verification (SRI) - [ ] No untrusted data deserialization
Detection Patterns
// ❌ VIOLATION - Insecure deserialization const userData = JSON.parse(req.body.data); eval(userData.code); // Never do this // ❌ VIOLATION - No integrity check <script src="https://cdn.example.com/library.js"></script> // ✅ COMPLIANT - Subresource Integrity <script src="https://cdn.example.com/library.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux..." crossorigin="anonymous"> </script>
A09:2021 - Security Logging and Monitoring Failures
Checklist
- [ ] Authentication events logged - [ ] Authorization failures logged - [ ] Input validation failures logged - [ ] Logs protected from tampering - [ ] Sensitive data not logged - [ ] Centralized logging - [ ] Log retention policy - [ ] Alerting for suspicious activities - [ ] Regular log review
Detection Patterns
// ❌ VIOLATION - No logging app.post('/login', async (req, res) => { const user = await authenticate(req.body); res.json({ token: generateToken(user) }); // No logging of authentication attempts }); // ❌ VIOLATION - Logging sensitive data logger.info('User login', { email: user.email, password: req.body.password, // Never log passwords ssn: user.ssn }); // ✅ COMPLIANT - Proper security logging app.post('/login', async (req, res) => { try { const user = await authenticate(req.body); logger.info('Successful login', { userId: user.id, ip: req.ip, timestamp: new Date() }); res.json({ token: generateToken(user) }); } catch (error) { logger.warn('Failed login attempt', { email: req.body.email, // OK to log email ip: req.ip, timestamp: new Date() }); res.status(401).json({ error: 'Invalid credentials' }); } });
A10:2021 - Server-Side Request Forgery (SSRF)
Checklist
- [ ] URL validation for user-provided URLs - [ ] Whitelist of allowed domains - [ ] No access to internal network resources - [ ] Network segmentation - [ ] Disable unnecessary URL schemas (file://, gopher://)
Detection Patterns
// ❌ VIOLATION - SSRF vulnerability app.post('/fetch', async (req, res) => { const url = req.body.url; // User-controlled const response = await fetch(url); // Can access internal services res.json(await response.json()); }); // ✅ COMPLIANT - URL validation const allowedDomains = ['api.example.com', 'cdn.example.com']; app.post('/fetch', async (req, res) => { const url = new URL(req.body.url); // Validate protocol if (!['http:', 'https:'].includes(url.protocol)) { return res.status(400).json({ error: 'Invalid protocol' }); } // Validate domain if (!allowedDomains.includes(url.hostname)) { return res.status(400).json({ error: 'Domain not allowed' }); } // Prevent internal network access if (url.hostname === 'localhost' || url.hostname.startsWith('127.') || url.hostname.startsWith('192.168.') || url.hostname.startsWith('10.')) { return res.status(400).json({ error: 'Internal network access denied' }); } const response = await fetch(url.href); res.json(await response.json()); });
PCI-DSS Compliance
Requirement 2: Do not use vendor-supplied defaults
- [ ] Default passwords changed - [ ] Unnecessary default accounts removed - [ ] Default settings reviewed and hardened - [ ] System hardening standards implemented
Requirement 3: Protect stored cardholder data
// ❌ VIOLATION - Storing full credit card await db.payments.create({ cardNumber: '4532-1234-5678-9010', // PCI violation cvv: '123', // Never store CVV cardholderName: 'John Doe' }); // ✅ COMPLIANT - Tokenization const token = await paymentProcessor.tokenize({ cardNumber: req.body.cardNumber }); await db.payments.create({ token: token, // Store token, not card number last4: req.body.cardNumber.slice(-4), // Last 4 digits OK cardholderName: 'John Doe' });
Requirement 6: Develop and maintain secure systems and applications
- [ ] Security patches applied within 1 month - [ ] Custom application code reviewed for vulnerabilities - [ ] Secure coding guidelines followed - [ ] Change control processes - [ ] Separation of development, test, and production
Requirement 8: Identify and authenticate access
- [ ] Unique user IDs - [ ] Strong authentication - [ ] MFA for remote access - [ ] Password requirements (min 7 chars, complex) - [ ] Account lockout after 6 failed attempts - [ ] Session timeout (15 min idle)
Requirement 10: Log and monitor all access
- [ ] User access logged - [ ] Admin actions logged - [ ] Failed access attempts logged - [ ] Logs protected - [ ] Daily log review - [ ] Log retention (90 days minimum)
HIPAA Compliance
Technical Safeguards
Access Control (§164.312(a))
- [ ] Unique user identification - [ ] Emergency access procedures - [ ] Automatic logoff - [ ] Encryption and decryption
Audit Controls (§164.312(b))
// ✅ COMPLIANT - HIPAA audit logging function logPhiAccess(action, user, patient, details) { auditLog.create({ timestamp: new Date(), action: action, // CREATE, READ, UPDATE, DELETE userId: user.id, userName: user.name, patientId: patient.id, resourceType: 'PHI', ipAddress: req.ip, details: details, result: 'SUCCESS' }); } app.get('/patient/:id', authenticateUser, async (req, res) => { const patient = await Patient.findById(req.params.id); logPhiAccess('READ', req.user, patient, { fields: ['name', 'diagnosis', 'medications'] }); res.json(patient); });
Integrity (§164.312(c))
- [ ] Data integrity mechanisms - [ ] Protection against improper alteration/destruction - [ ] Digital signatures or checksums
Transmission Security (§164.312(e))
- [ ] TLS for data in transit - [ ] End-to-end encryption - [ ] Network security (VPN, firewalls)
Protected Health Information (PHI) Handling
// ❌ VIOLATION - PHI in logs logger.info('Patient data:', { name: patient.name, ssn: patient.ssn, // PHI in logs diagnosis: patient.diagnosis }); // ❌ VIOLATION - PHI in URLs app.get('/patient', (req, res) => { // PHI in query string (logged in access logs) const diagnosis = req.query.diagnosis; }); // ✅ COMPLIANT - Protected PHI logger.info('Patient data accessed', { patientId: patient.id, // ID only, no PHI userId: req.user.id }); // Use request body for PHI app.post('/patient/search', (req, res) => { const diagnosis = req.body.diagnosis; // Not in URL/logs });
GDPR Compliance
Data Processing Principles
Lawfulness, Fairness, and Transparency
- [ ] Legal basis for processing documented - [ ] Privacy policy published - [ ] Consent mechanisms implemented - [ ] Data processing purposes defined
Purpose Limitation
// ✅ COMPLIANT - Clear purpose const userConsent = { email: { marketing: false, // User opted out transactional: true, // Necessary for service newsletter: true // User opted in } }; // Check consent before processing async function sendEmail(user, type, content) { if (!user.consent.email[type]) { logger.warn('Email not sent - no consent', { userId: user.id, type: type }); return; } await emailService.send(user.email, content); }
Data Minimization
// ❌ VIOLATION - Collecting unnecessary data const user = { name: req.body.name, email: req.body.email, ssn: req.body.ssn, // Not needed for account dob: req.body.dob, // Not needed mothersMaiden: req.body.mothersMaiden // Excessive }; // ✅ COMPLIANT - Only necessary data const user = { name: req.body.name, email: req.body.email // Only collect what's needed for service };
Storage Limitation
// ✅ COMPLIANT - Data retention policy const RETENTION_PERIOD = 90 * 24 * 60 * 60 * 1000; // 90 days // Automated deletion async function cleanupOldData() { const cutoffDate = new Date(Date.now() - RETENTION_PERIOD); await InactiveAccounts.deleteMany({ lastLogin: { $lt: cutoffDate } }); logger.info('Data cleanup completed', { deletedBefore: cutoffDate }); } // Schedule daily cron.schedule('0 2 * * *', cleanupOldData);
Integrity and Confidentiality
- [ ] Encryption at rest - [ ] Encryption in transit - [ ] Access controls - [ ] Pseudonymization where possible - [ ] Regular security assessments
GDPR Rights Implementation
Right to Access (Article 15)
app.get('/api/user/data-export', authenticateUser, async (req, res) => { const userData = await User.findById(req.user.id); const userPosts = await Post.find({ authorId: req.user.id }); const userComments = await Comment.find({ authorId: req.user.id }); const dataExport = { personalData: { name: userData.name, email: userData.email, createdAt: userData.createdAt }, posts: userPosts, comments: userComments, exportedAt: new Date(), format: 'JSON' }; res.json(dataExport); });
Right to Erasure (Article 17)
app.delete('/api/user/account', authenticateUser, async (req, res) => { // Verify user intent if (req.body.confirm !== 'DELETE') { return res.status(400).json({ error: 'Confirmation required' }); } const userId = req.user.id; // Delete all user data await User.deleteOne({ _id: userId }); await Post.deleteMany({ authorId: userId }); await Comment.deleteMany({ authorId: userId }); await Session.deleteMany({ userId: userId }); // Log deletion for compliance logger.info('User data deleted', { userId: userId, deletedAt: new Date(), requestIp: req.ip }); res.json({ success: true, message: 'All data deleted' }); });
Right to Data Portability (Article 20)
app.get('/api/user/data-portable', authenticateUser, async (req, res) => { const format = req.query.format || 'json'; const data = await getUserData(req.user.id); if (format === 'csv') { res.setHeader('Content-Type', 'text/csv'); res.setHeader('Content-Disposition', 'attachment; filename=data.csv'); res.send(convertToCSV(data)); } else { res.setHeader('Content-Type', 'application/json'); res.setHeader('Content-Disposition', 'attachment; filename=data.json'); res.json(data); } });
Usage Examples
@compliance-checker @compliance-checker --standard owasp @compliance-checker --standard pci-dss @compliance-checker --standard hipaa @compliance-checker --standard gdpr @compliance-checker --report @compliance-checker src/
Compliance Report Format
# Security Compliance Assessment Report **Application**: Healthcare Portal **Assessment Date**: 2024-01-15 **Standards Checked**: OWASP Top 10, HIPAA, GDPR **Assessor**: Security Compliance Scanner v2.0 --- ## Executive Summary **Overall Compliance**: 64% **Status**: ⚠️ PARTIALLY COMPLIANT **Violations by Severity**: - Critical: 8 - High: 15 - Medium: 23 - Low: 12 **Standards Summary**: - OWASP Top 10: 58% compliant - HIPAA: 71% compliant - GDPR: 69% compliant --- ## OWASP Top 10 Compliance **Score**: 58/100 (F) | Category | Status | Issues | |----------|--------|--------| | A01: Broken Access Control | ❌ FAIL | 12 | | A02: Cryptographic Failures | ⚠️ PARTIAL | 3 | | A03: Injection | ✅ PASS | 0 | | A04: Insecure Design | ⚠️ PARTIAL | 5 | | A05: Security Misconfiguration | ❌ FAIL | 8 | | A06: Vulnerable Components | ⚠️ PARTIAL | 6 | | A07: Auth Failures | ❌ FAIL | 11 | | A08: Data Integrity | ✅ PASS | 1 | | A09: Logging Failures | ⚠️ PARTIAL | 7 | | A10: SSRF | ✅ PASS | 0 | ### Critical Violations #### A01: Missing Authorization Checks (12 endpoints) **Files**: src/routes/patients.js, src/routes/records.js ```javascript // src/routes/patients.js:45 app.get('/api/patients/:id', authenticateUser, async (req, res) => { const patient = await Patient.findById(req.params.id); res.json(patient); // ❌ No authorization check });
Required Fix:
app.get('/api/patients/:id', authenticateUser, async (req, res) => { const patient = await Patient.findById(req.params.id); // Check authorization if (!canAccessPatient(req.user, patient)) { return res.status(403).json({ error: 'Forbidden' }); } res.json(patient); });
HIPAA Compliance
Score: 71/100 (C)
Administrative Safeguards: 75%
- ✅ Security Management Process
- ✅ Assigned Security Responsibility
- ⚠️ Workforce Security (incomplete training)
- ✅ Information Access Management
- ⚠️ Security Awareness Training (no annual updates)
Physical Safeguards: 80%
- ✅ Facility Access Controls
- ✅ Workstation Use Policy
- ✅ Workstation Security
- ⚠️ Device and Media Controls (incomplete)
Technical Safeguards: 65%
-
⚠️ Access Control (§164.312(a))
- ✅ Unique User Identification
- ❌ Emergency Access Procedure missing
- ⚠️ Automatic Logoff (inconsistent timeout)
- ✅ Encryption and Decryption
-
✅ Audit Controls (§164.312(b))
- ✅ Logging implemented
- ✅ Regular log review
-
⚠️ Integrity (§164.312(c))
- ⚠️ Mechanism to authenticate PHI (partial)
-
⚠️ Transmission Security (§164.312(e))
- ✅ TLS enforced
- ❌ End-to-end encryption missing for backups
Critical Findings
PHI in Application Logs
Severity: Critical Regulation: §164.312(b)
// src/utils/logger.js:34 logger.info('Patient record accessed', { patientName: patient.name, // ❌ PHI in logs ssn: patient.ssn, // ❌ PHI in logs diagnosis: patient.diagnosis // ❌ PHI in logs });
Required Fix: Remove PHI from logs, use IDs only
Missing Automatic Logoff
Severity: High Regulation: §164.312(a)(2)(iii)
Currently: No automatic session timeout Required: 15-minute idle timeout
Fix:
app.use(session({ cookie: { maxAge: 15 * 60 * 1000 // 15 minutes }, rolling: true }));
GDPR Compliance
Score: 69/100 (D)
Lawfulness of Processing: 80%
- ✅ Legal basis documented
- ✅ Privacy policy published
- ⚠️ Consent mechanism (needs opt-in for marketing)
- ✅ Data processing purposes defined
Data Subject Rights: 60%
- ✅ Right to Access (implemented)
- ⚠️ Right to Rectification (partial)
- ❌ Right to Erasure (not implemented)
- ❌ Right to Data Portability (not implemented)
- ⚠️ Right to Object (partial)
Security of Processing: 75%
- ✅ Encryption in transit
- ✅ Encryption at rest
- ⚠️ Access controls (needs improvement)
- ✅ Pseudonymization (where applicable)
- ⚠️ Regular security assessments
Critical Findings
Right to Erasure Not Implemented
Severity: Critical Article: 17 GDPR
No endpoint for users to delete their data.
Required Implementation:
app.delete('/api/user/delete-account', async (req, res) => { // Implement full data deletion await deleteUserData(req.user.id); res.json({ success: true }); });
Excessive Data Collection
Severity: High Principle: Data Minimization
Currently collecting: name, email, phone, address, DOB, SSN, income Required for service: name, email
Fix: Remove unnecessary fields from registration
Remediation Plan
Phase 1: Critical (0-7 days)
- Add authorization checks to all endpoints
- Remove PHI from application logs
- Implement Right to Erasure (GDPR)
- Fix automatic session timeout
- Reduce data collection to minimum
Estimated Effort: 40 hours Priority: P0
Phase 2: High (7-30 days)
- Implement data portability
- Add emergency access procedures
- Complete security awareness training
- Implement end-to-end encryption for backups
- Update consent mechanisms
Estimated Effort: 60 hours Priority: P1
Phase 3: Medium (30-90 days)
- Enhance audit logging
- Implement data retention automation
- Complete workforce security training
- Enhance access control mechanisms
- Regular security assessments
Estimated Effort: 80 hours Priority: P2
Compliance Metrics
Current State
- OWASP: 58% (F)
- HIPAA: 71% (C)
- GDPR: 69% (D)
- Overall: 64% (D)
Target State (Post-Remediation)
- OWASP: 95%+ (A)
- HIPAA: 95%+ (A)
- GDPR: 95%+ (A)
- Overall: 95%+ (A)
Timeline to Compliance
- Phase 1: 7 days
- Phase 2: 30 days
- Phase 3: 90 days
- Full Compliance: 90 days
Recommendations
Immediate
- Assign compliance officer
- Create compliance roadmap
- Implement critical fixes
- Document all changes
Short-term
- Regular compliance audits (monthly)
- Security training for all staff
- Penetration testing
- Third-party compliance audit
Long-term
- Continuous compliance monitoring
- Automated compliance checking in CI/CD
- Regular security assessments
- Compliance dashboard for stakeholders
Certification Status
| Standard | Current | Target | Date |
|---|---|---|---|
| SOC 2 Type II | ❌ Not Certified | ✅ Certified | Q2 2024 |
| HIPAA | ⚠️ Partial | ✅ Full | Q1 2024 |
| GDPR | ⚠️ Partial | ✅ Full | Q1 2024 |
| PCI-DSS | N/A | N/A | N/A |
Next Steps
- ✅ Review this report with stakeholders
- ⬜ Approve remediation plan
- ⬜ Allocate resources
- ⬜ Begin Phase 1 fixes
- ⬜ Schedule follow-up assessment in 30 days
## Best Practices ### Compliance as Code ```javascript // Define compliance rules const complianceRules = { owasp: { 'no-sql-injection': { test: (code) => !code.includes('${') || code.includes('?'), severity: 'critical' } }, hipaa: { 'phi-not-logged': { test: (code) => !code.match(/logger.*patient\.(ssn|diagnosis)/), severity: 'critical' } } }; // Automated checking function checkCompliance(file, standard) { const violations = []; const code = fs.readFileSync(file, 'utf8'); for (const [name, rule] of Object.entries(complianceRules[standard])) { if (!rule.test(code)) { violations.push({ rule: name, severity: rule.severity, file: file }); } } return violations; }
Continuous Monitoring
- Automated compliance scanning in CI/CD
- Regular third-party audits
- Compliance dashboards
- Real-time alerting on violations
- Documentation of all compliance decisions
Notes
- Compliance is ongoing, not one-time
- Document all compliance decisions
- Regular training for development team
- Keep up with regulation changes
- Compliance != Security (need both)
- Automate compliance checking where possible
- Third-party audits recommended annually
- Maintain evidence of compliance efforts
- Privacy by design, security by default