git clone https://github.com/vibeforge1111/vibeship-spawner-skills
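# enterprise/compliance-automation/skill.yaml
---
# Skill metadata. The rendered source had the file path fused onto the `id:`
# key (making the key invalid); the path is kept here as a comment instead.
id: compliance-automation
name: Compliance Automation
category: enterprise
description: >-
  Use when implementing policy-as-code, continuous compliance monitoring,
  automated evidence collection, or audit-ready systems requiring
  SOC2/ISO/PCI/HIPAA compliance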
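# NOTE(review): the rendered source lost its indentation; control_status
# through ccm_components are assumed to sit under `patterns` — confirm against
# the upstream file before relying on this nesting.
patterns:
  golden_rules:
    - rule: "Policies in version control"
      # Version control is only an audit trail if the history itself is
      # protected: protected branch, required review, no force-push to the
      # policy branch.
      reason: "Audit trail, peer review, rollback"
    - rule: "Evidence immutable once collected"
      # Storage-level WORM stops edits after the write; pair it with a content
      # hash (and collector identity/time) recorded at collection so a
      # substituted or pre-write-tampered artifact is also detectable.
      reason: "Prevents tampering, maintains integrity"
    - rule: "Continuous > periodic assessment"
      reason: "Drift detected in minutes, not months"
    - rule: "Controls map to frameworks"
      reason: "One control satisfies multiple frameworks"
    - rule: "Automate evidence collection"
      reason: "Manual collection doesn't scale"

  # Result of evaluating one control against its evidence.
  # NOTE(review): "error" means the collector or policy could not run, not
  # that the control passed. Score it as non-compliant (fail closed) and alert
  # on it; otherwise a broken collector silently reads as green.
  control_status:
    - "pass"
    - "fail"
    - "not_applicable"
    - "error"

  # Response-time expectation attached to a failed control.
  severity_levels:
    critical: "Immediate action required"
    high: "Action within 24 hours"
    medium: "Action within 1 week"
    low: "Informational"

  # Artifact kinds a collector may produce. Screenshots and attestations are
  # human-produced and cannot be independently re-derived; machine-collected
  # artifacts (config_snapshot, api_response, log_export) can be regenerated
  # and hashed, so prefer them where a control allows it.
  evidence_types:
    - "screenshot"
    - "log_export"
    - "config_snapshot"
    - "api_response"
    - "report"
    - "attestation"

  # Frameworks the unified control set is mapped onto. SOC 2 Type II assesses
  # operating effectiveness over a period, which is why continuous evidence
  # (not a point-in-time snapshot) matters for it.
  common_frameworks:
    soc2:
      full_name: "SOC 2 Type II"
      focus: "Trust Service Criteria"
      controls: "CC series"
    iso27001:
      full_name: "ISO 27001"
      focus: "Information Security Management"
      controls: "Annex A"
    pci_dss:
      full_name: "PCI DSS"
      focus: "Payment Card Security"
      controls: "12 requirements"
    hipaa:
      full_name: "HIPAA"
      focus: "Healthcare Data Protection"
      controls: "Administrative, Physical, Technical"

  # Building blocks of a continuous compliance monitoring (CCM) pipeline.
  ccm_components:
    policy_engine: "OPA Rego rules"
    evidence_collector: "Automated artifact gathering"
    continuous_monitoring: "Real-time assessment"
    drift_detection: "Baseline comparison"
    alerting: "Violation notifications"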
# Practices the skill should steer away from, each paired with the
# corresponding remedy from the patterns above.
anti_patterns:
  - pattern: "Manual evidence collection"
    problem: "Doesn't scale, error-prone"
    solution: "Automated collectors with scheduling"

  - pattern: "Point-in-time audits"
    problem: "Drift undetected between audits"
    solution: "Continuous monitoring"

  - pattern: "Policies in documentation"
    problem: "Can't be enforced automatically"
    solution: "Policy-as-code with OPA"

  - pattern: "Siloed compliance"
    problem: "Duplicated effort per framework"
    solution: "Unified control framework"

  # "Integrity" here means the store can show an artifact is unchanged since
  # collection (WORM storage plus a recorded hash), not merely that it is
  # searchable.
  - pattern: "Evidence in email/tickets"
    problem: "Not immutable, hard to find"
    solution: "Centralized evidence store with integrity"
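# Ordered rollout checklist. Items added in review are the ones that close
# gaps a passing-looking system can hide: unreviewed policy changes, evidence
# whose provenance cannot be verified, and collectors that fail silently.
implementation_checklist:
  pre_implementation:
    - "Identify applicable frameworks (SOC2, ISO, PCI, HIPAA)"
    - "Map controls across frameworks (reduce duplication)"
    - "Define evidence requirements per control"
    - "Establish baseline configurations"

  policy_as_code:
    - "Convert control requirements to OPA Rego"
    - "Version control all policies"
    - "Test policies with known-good and known-bad inputs"
    # Tests only protect the control set if they gate the merge: a policy
    # should not be weakened without a reviewed, recorded commit.
    - "Gate policy merges on CI test results and required review"
    - "Document policy rationale"

  evidence_collection:
    - "Implement collectors for each control"
    # NOTE(review): Object Lock protects an object only for the retention
    # applied at write time and only in the chosen mode; governance mode can
    # be lifted by principals granted the bypass permission, compliance mode
    # cannot. Confirm the mode and retention against the AWS docs and align
    # them with the retention period below.
    - "Set up immutable evidence storage (S3 Object Lock)"
    # Immutability protects the artifact after it lands; a hash plus who/when
    # collected it lets an auditor verify it is the artifact the collector
    # produced.
    - "Record a content hash, collector identity and timestamp with each artifact"
    - "Define retention periods (typically 7 years)"
    - "Automate collection schedules"

  continuous_monitoring:
    - "Deploy CCM platform"
    - "Configure alerting thresholds"
    # A collector that stops running produces no failures, so its controls
    # look green; errored or missed runs must page just like a failed control.
    - "Alert on collector errors and missed collection runs, not only control failures"
    - "Set up drift detection baselines"
    - "Integrate with incident management"

  reporting:
    - "Generate OSCAL-compliant reports"
    - "Create executive dashboards"
    - "Automate auditor portal updates"
    - "Track compliance score trends"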
# Sibling skills to delegate to when the request is about one specific regime
# rather than the general compliance-automation plumbing.
handoffs:
  - skill: gdpr-privacy
    trigger: "privacy-specific compliance"
  - skill: sox-compliance
    trigger: "financial controls and audit"
# Tooling landscape grouped by role. Drata and Vanta appear both as evidence
# stores and as platforms because they cover both roles.
ecosystem:
  policy_engines:
    - "Open Policy Agent (OPA)"
    - "HashiCorp Sentinel"
    - "AWS Config Rules"
    - "Azure Policy"

  evidence:
    - "S3 Object Lock"
    - "Azure Immutable Blob"
    - "Drata"
    - "Vanta"

  standards:
    - "OSCAL"
    - "NIST CSF"
    - "CIS Benchmarks"

  # Hosted platforms read cloud and SaaS state through integrations; scope
  # the credentials they are given to read-only and review them like any
  # other third-party access (presumably per vendor — verify their docs).
  platforms:
    - "Drata"
    - "Vanta"
    - "Secureframe"
    - "Tugboat Logic"
# Reference material the skill content is drawn from.
sources:
  frameworks:
    - "NIST OSCAL"
    - "AICPA SOC 2"
    - "ISO 27001"
  tools:
    - "Open Policy Agent Documentation"
    - "AWS Config Developer Guide"