atum-compliance
Regulatory compliance and security audits. EU AI Act (Article 15 traceability via ATUM Audit integration), open-source license compliance (detection and audit), supply chain risk auditing, security scanning. Includes compliance-expert and security-expert agents, /atum-audit, /compliance, and /security-audit commands. Core differentiator for European enterprises facing regulatory requirements. Depends on atum-core.
Component Overview
Install
npx claudepluginhub arnwaldn/atum-plugins-collection --plugin atum-complianceComponent Details
Commands (2)
Regulatory compliance audit (GDPR/RGPD, PCI-DSS, HIPAA, EAA, NIS2, EU AI Act risk-class). For application security use /security-audit. For cryptographic file integrity use /atum-audit.
Application security audit — OWASP Top 10, secrets scanning, auth/crypto review, injection surface. For regulatory compliance use /compliance. For file integrity use /atum-audit.
Agents (5)
API security audit specialist focused on the OWASP API Security Top 10 (2023) — API1:2023 Broken Object Level Authorization (BOLA), API2:2023 Broken Authentication, API3:2023 Broken Object Property Level Authorization (mass assignment + excessive data exposure), API4:2023 Unrestricted Resource Consumption (rate limiting + payload size + query complexity), API5:2023 Broken Function Level Authorization, API6:2023 Unrestricted Access to Sensitive Business Flows (anti-automation), API7:2023 Server Side Request Forgery (SSRF), API8:2023 Security Misconfiguration, API9:2023 Improper Inventory Management (shadow APIs, deprecated endpoints), API10:2023 Unsafe Consumption of APIs. Covers REST API testing (Postman, Burp, custom scripts), GraphQL audits (introspection, query depth limiting, field-level auth, batching attacks, alias abuse), gRPC security, webhook security (HMAC signature verification, replay protection, IP allowlist), OAuth 2.0 and OIDC vulnerabilities (PKCE bypass, redirect_uri manipulation, JWT weaknesses), API gateway hardening (Kong, Tyk, AWS API Gateway), and structured reporting with CWE/CVSS mapping. Use when auditing a REST/GraphQL/gRPC API before public launch, hardening an existing API after a security incident, or designing API security controls for a new service. Differentiates from generic `penetration-tester` by deep API-specific expertise and `security-reviewer` by focus on runtime testing rather than static code review.
Regulatory compliance specialist for production-ready commercial projects in EU/US/international markets. Covers 14+ major regulations: GDPR (Privacy by Design, lawful basis, DPO obligations), EU AI Act (Article 15 traceability, risk classification), PCI-DSS (payment data), HIPAA (US health), CCPA/CPRA (California privacy), DORA (financial sector), NIS2 (cybersecurity), DSA/DMA, EAA (accessibility), eIDAS, COPPA, ePrivacy, Cookie Law, copyright/IP. Use when assessing regulatory exposure, designing privacy-by-design features, preparing for compliance audits, drafting data processing records, or validating commercial readiness. NOT a substitute for qualified legal counsel.
Penetration testing specialist focused on offensive security assessments — web application pentesting (Burp Suite Pro, OWASP ZAP, Caido, sqlmap, ffuf, nuclei templates), API pentesting (Postman/Bruno + custom fuzzing, Postman flows, REST and GraphQL exploitation), network reconnaissance (nmap, masscan, naabu, amass for subdomain enum), Active Directory pentesting (BloodHound, Impacket, CrackMapExec/NetExec, mimikatz), cloud pentesting (ScoutSuite, Prowler, Pacu for AWS, ROADtools for Azure), wireless pentesting (aircrack-ng, hashcat for WPA cracking), social engineering simulation (GoPhish), Metasploit framework, exploit development basics, OWASP Testing Guide methodology, MITRE ATT&CK mapping, and structured reporting (executive summary + technical findings + reproduction steps + remediation + CVSS scoring). Use for authorized penetration tests on systems you own or have written permission to test, red team exercises, capture-the-flag (CTF) challenges, or security training. Differentiates from `security-reviewer` (PR-focused defensive code review) and `security-expert` (broad security architecture) by specializing in offensive testing methodology and tooling for finding vulnerabilities through active probing rather than code review.
Application security and pentesting specialist for proactive security audits, vulnerability assessment, infrastructure hardening, and compliance. Covers OWASP Top 10 (2025 incl. supply chain failures and exceptional condition mishandling), application security (input validation, CSP, CORS, JWT, rate limiting), infrastructure security (container hardening, secrets management, network segmentation), DevSecOps (SAST/DAST/SCA, threat modeling), and incident response. Use for security audits, threat modeling, vulnerability assessment, hardening reviews, or proactive security consulting. Distinct from `security-reviewer` (atum-reviewers) which focuses on PR review.
Software supply chain security specialist focused on the threats described by SLSA (Supply-chain Levels for Software Artifacts) framework, NIST SSDF (Secure Software Development Framework), and the EU Cyber Resilience Act — dependency management (npm, pip, cargo, gem, maven, gradle, go modules, NuGet — lockfile integrity, transitive dependencies audit, typosquatting detection, dependency confusion attacks), SBOM generation (Syft, CycloneDX, SPDX, GitHub SBOM API), vulnerability scanning (Snyk, Dependabot, Renovate, Trivy, Grype, OSV-Scanner, Socket.dev, Phylum, GitHub Advanced Security), CI/CD pipeline hardening (least privilege OIDC instead of long-lived secrets, signed commits with Sigstore gitsign, signed releases with cosign keyless, build provenance attestations, GitHub Actions pinned by SHA not tag, reusable workflows with restricted permissions), package signing and verification (npm provenance, PyPI Trusted Publishing, Maven Central GPG, RubyGems sigstore), private registry strategies (Artifactory, Nexus, GitHub Packages, internal mirrors), and incident response for compromised dependencies (event-stream, ua-parser-js, colors.js, polyfill.io case studies). Use when auditing the dependency posture of an existing project, hardening a CI/CD pipeline against supply chain attacks, designing a secure-by-default release process, generating SBOMs for compliance, or responding to a CVE in a transitive dependency. Differentiates from generic `security-expert` by deep specialization in the build / dependency / release axis of the security threat surface.
Skills (4)
Regulatory compliance detection and routing. Use when code touches authentication, payments, user data, cookies, health data, children content, AI deployment, or e-commerce.
Detect and audit open-source licenses in project dependencies. Use when reviewing license compatibility, checking for copyleft contamination, generating compliance reports, or evaluating SPDX identifiers. Covers npm, pip, cargo, go modules, and multi-ecosystem license scanning. Warns about GPL/AGPL in proprietary projects.
Scan your Claude Code configuration (.claude/ directory) for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.
Identifies dependencies at heightened risk of exploitation or takeover. Use when assessing supply chain attack surface, evaluating dependency health, or scoping security engagements.
Hooks (1)
README
Similar Plugins
ecc
The most comprehensive Claude Code plugin — 38 agents, 156 skills, 72 legacy command shims, selective install profiles, and production-ready hooks for TDD, security scanning, code review, and continuous learning
Executes bash commands
Hook triggers when Bash tool is used
Uses power tools
Uses Bash, Write, or Edit tools