Check code against security and regulatory compliance standards.
Scans code for security vulnerabilities and regulatory compliance violations across OWASP, PCI-DSS, HIPAA, GDPR, and SOC 2 standards.
/plugin marketplace add marcel-Ngan/ai-dev-team
/plugin install marcel-ngan-ai-dev-team@marcel-Ngan/ai-dev-team
/compliance [target] [--standard owasp|pci|hipaa|gdpr|soc2|all]
Arguments:
target - File, directory, or "all" (default: current directory)
--standard - Compliance standard to check (default: owasp)
Examples:
/compliance
/compliance src/api/ --standard owasp
/compliance --standard pci
/compliance src/data/ --standard gdpr
/compliance all --standard all
## Compliance Report
**Target:** src/api/
**Standard:** OWASP Top 10
**Date:** 2024-01-15
### Compliance Score: 78/100
### Findings by Category
#### A01:2021 - Broken Access Control
**Status:** FAIL (2 issues)
1. **Missing authorization check**
   - File: src/api/admin.ts:45
   - Issue: Endpoint lacks role verification
   - Fix: Add authorization middleware
2. **Insecure direct object reference**
   - File: src/api/users.ts:78
   - Issue: User ID taken from URL without ownership check
   - Fix: Verify resource ownership
#### A02:2021 - Cryptographic Failures
**Status:** PASS
#### A03:2021 - Injection
**Status:** WARN (1 issue)
1. **Potential SQL injection**
   - File: src/api/search.ts:23
   - Issue: Dynamic query construction
   - Fix: Use parameterized queries
### Summary
| Category | Status | Issues |
|----------|--------|--------|
| A01 Access Control | FAIL | 2 |
| A02 Crypto | PASS | 0 |
| A03 Injection | WARN | 1 |
| A04 Insecure Design | PASS | 0 |
| A05 Misconfiguration | WARN | 2 |
| A06 Vulnerable Components | PASS | 0 |
| A07 Auth Failures | PASS | 0 |
| A08 Data Integrity | PASS | 0 |
| A09 Logging | WARN | 1 |
| A10 SSRF | PASS | 0 |
### Remediation Priority
1. [HIGH] Fix access control issues before deployment
2. [MEDIUM] Address injection warning
3. [LOW] Improve logging coverage
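The report above is plain markdown, so a CI step can consume it. The following is an added example, not part of the plugin: it parses the score and the Summary table of a `/compliance` report and blocks deployment on any FAIL category, matching the HIGH remediation item. The threshold values and the fail-closed behaviour on an unparseable report are assumptions, not plugin settings; the embedded report is a constructed excerpt of the sample.

```python
import re

# Constructed excerpt of the sample report shown above (not a real scan).
SAMPLE_REPORT = """\
## Compliance Report
**Target:** src/api/
**Standard:** OWASP Top 10
### Compliance Score: 78/100
### Summary
| Category | Status | Issues |
|----------|--------|--------|
| A01 Access Control | FAIL | 2 |
| A02 Crypto | PASS | 0 |
| A03 Injection | WARN | 1 |
| A05 Misconfiguration | WARN | 2 |
| A09 Logging | WARN | 1 |
"""

# One Summary row: "| A03 Injection | WARN | 1 |"
ROW = re.compile(r"^\|\s*(A\d{2} [^|]+?)\s*\|\s*(PASS|WARN|FAIL)\s*\|\s*(\d+)\s*\|$")
SCORE = re.compile(r"Compliance Score:\s*(\d+)/100")


def parse_report(text):
    """Return (score or None, [(category, status, issue_count), ...])."""
    m = SCORE.search(text)
    score = int(m.group(1)) if m else None
    rows = []
    for line in text.splitlines():
        r = ROW.match(line.strip())
        if r:
            rows.append((r.group(1), r.group(2), int(r.group(3))))
    return score, rows


def gate(text, min_score=80, max_warn_issues=3):
    """Decide ('ALLOW'|'BLOCK', reasons). Thresholds are assumed defaults."""
    score, rows = parse_report(text)
    if score is None or not rows:
        return "BLOCK", ["report could not be parsed; failing closed"]
    reasons = []
    fails = [cat for cat, status, _ in rows if status == "FAIL"]
    if fails:  # any FAIL category is the HIGH priority item in the report
        reasons.append("FAIL categories: " + ", ".join(fails))
    if score < min_score:
        reasons.append(f"score {score} below minimum {min_score}")
    warn_issues = sum(n for _, status, n in rows if status == "WARN")
    if warn_issues > max_warn_issues:
        reasons.append(f"{warn_issues} WARN issues exceed {max_warn_issues}")
    return ("BLOCK" if reasons else "ALLOW"), reasons
```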
security-compliance-check
Use the Software Architect or DevOps Engineer agent when: