Plugin

fips-compliance-checker

Name: fips-compliance-checker
Author: opendatahub-io

A plugin providing a subagent to scan a source code project for potential FIPS compliance issues

npx claudepluginhub jeremyeder/ai-helpers-fixed --plugin fips-compliance-checker

Component Overview

Commands

Agents

Component Details

Commands (1)

Fips Scan

/fips-scan

Scan project or container image for FIPS 140-3 compliance violations

Agents (1)

fips-compliance-checker

/fips-compliance-checker

MUST BE USED PROACTIVELY when you need to audit a containerized application for FIPS 140-3 compliance. Specifically invoke this agent when: <example> Context: User has just finished implementing cryptographic operations in their Python application and wants to ensure FIPS compliance. user: "I've added encryption to our user authentication module using the cryptography library. Can you check if this is FIPS compliant?" assistant: "I'll use the fips-compliance-checker:fips-compliance-checker agent to analyze your code for FIPS 140-3 compliance issues." <agent invocation with Task tool> </example> <example> Context: User is preparing to containerize their application and wants a compliance check before deployment. user: "We're about to build our container image for production. The app uses some crypto libraries and we need to be FIPS compliant on RHEL 9." assistant: "Let me launch the fips-compliance-checker:fips-compliance-checker agent to scan your dependencies and source code for potential FIPS 140-3 compliance violations." <agent invocation with Task tool> </example> <example> Context: User provides a container image reference for scanning. user: "Can you check if quay.io/myorg/myapp:v1.2.3 is FIPS compliant?" assistant: "I'll use the fips-compliance-checker:fips-compliance-checker agent to scan this container image for FIPS 140-3 compliance, including running check-payload if available." <agent invocation with Task tool> </example> <example> Context: User is reviewing dependencies in their Go application. user: "I'm using the standard Go crypto package. Is this okay for FIPS?" assistant: "I need to use the fips-compliance-checker:fips-compliance-checker agent to evaluate your Go crypto usage for FIPS 140-3 compliance on RHEL 9." <agent invocation with Task tool> </example> MUST BE USED PROACTIVELY when: - User mentions cryptographic operations, encryption, hashing, or TLS/SSL in their code - User discusses container images for Red Hat products or RHEL-based deployments - User adds dependencies that might include cryptographic libraries - User mentions FIPS, compliance, security certifications, or government requirements - User is working with Java, Python, Go, Rust, or C/C++ code that handles sensitive data

README

FIPS 140-3 Compliance Checker

A Claude Code plugin that provides comprehensive FIPS 140-3 compliance auditing for containerized applications running on Red Hat Enterprise Linux 9 (or later).

Overview

This plugin helps ensure your applications meet FIPS 140-3 cryptographic compliance requirements by:

Analyzing source code for cryptographic operations
Scanning dependencies for non-compliant libraries
Detecting prohibited or non-approved algorithms
Verifying container base images and configurations
Identifying operations that bypass RHEL's FIPS-certified cryptographic boundary

Installation

Via Git URL (Direct Reference)

Add this plugin directly via Git URL:

# SSH
/plugin add git@github.com:grdryn/fips-compliance-checker-claude-code-plugin.git

# HTTPS
/plugin add https://github.com/grdryn/fips-compliance-checker-claude-code-plugin

Via Marketplace

If a marketplace includes this plugin, install via:

/plugin install fips-compliance-checker@<marketplace-name>

Prerequisites

The Python scanner uses Bandit in a containerized environment and requires one of the following container runtimes:

Podman (recommended for RHEL/Fedora):
```
dnf install podman
```

Docker:

# See https://docs.docker.com/get-docker/

On first run, the scanner will automatically pull the Bandit container image (ghcr.io/pycqa/bandit/bandit:latest, ~50MB).

Air-gapped environments: Pre-pull the image and ensure it's available in your local registry:

podman pull ghcr.io/pycqa/bandit/bandit:latest
# or
docker pull ghcr.io/pycqa/bandit/bandit:latest

Usage

Slash Command (Explicit)

Use the fully-qualified /fips-compliance-checker:fips-scan command for direct invocation:

# Scan the current project
/fips-compliance-checker:fips-scan

# Scan a specific container image
/fips-compliance-checker:fips-scan quay.io/myorg/myapp:v1.2.3

Note: Claude Code CLI currently requires the fully-qualified format /plugin-name:command-name.

Natural Language (Auto-selection)

The agent will automatically activate when you ask FIPS-related questions:

"Can you check if my app is FIPS compliant?"
"I've added encryption to my authentication module. Is this FIPS compliant?"
"We need to verify FIPS compliance before deploying to production"
"Is using the standard Go crypto package okay for FIPS?"

The agent proactively activates when you mention:

Cryptographic operations (encryption, hashing, TLS/SSL)
FIPS, compliance, or security certifications
Container images for Red Hat products or RHEL deployments
Working with crypto libraries in Java, Python, Go, Rust, or C/C++

What Gets Scanned

Dependencies

requirements.txt, Pipfile (Python)
go.mod, go.sum (Go)
Cargo.toml, Cargo.lock (Rust)
pom.xml, build.gradle (Java)
package.json (Node.js)
CMakeLists.txt, Makefile (C/C++)

Source Code Analysis

Direct cryptographic operations
Algorithm usage patterns
Random number generation methods
Key derivation functions
JWT libraries and algorithm choices
Certificate validation settings

Container Analysis

Base image compliance (UBI9, RHEL9, etc.)
Installed cryptographic packages
FIPS mode capability
Static linking detection

Build Configuration

Static linking flags
Vendored dependencies
Compilation flags affecting FIPS
Environment variables

Default Exclusions

By default, the scanner excludes non-production code from analysis to focus on actual runtime compliance issues. The following patterns are automatically excluded:

Test Code

*/tests/* - Test directories
*/test_*.py - Test file prefix pattern
*/*_test.py - Test file suffix pattern
*/conftest.py - pytest configuration

Examples & Documentation

*/examples/*, */samples/* - Example code directories
*/demo/*, */demos/* - Demo applications
*/docs/examples/* - Documentation examples
*/tutorials/* - Tutorial code
*/playground/* - Experimental/playground code

Scripts & Utilities

*/benchmarks/* - Benchmark code
*/scripts/* - Utility scripts
*/tools/* - Development tools
*/utilities/* - Helper utilities

Build Artifacts

*/venv/*, */.venv/*, */env/* - Virtual environments
*/build/*, */dist/* - Build outputs
*/__pycache__/*, */.eggs/* - Python cache
*/node_modules/* - Node.js dependencies

Custom Exclusions

You can add additional exclusion patterns using the --exclude flag:

# Scan Python code with custom exclusions
cd scripts/python
./scan-python-fips.sh --exclude "*/vendor/*" --exclude "*/legacy/*"

Note: Custom exclusions are added to the default patterns (not replacing them).

Suppressing Findings

View full README on GitHub

Similar Plugins

security-pro-pack

1.9k

Professional security tools for Claude Code: vulnerability scanning, compliance, cryptography audit, container & API security

v1.0.0

Stats

Version0.1.0

Stars0

Forks1

MaintenanceGood

AddedFeb 1, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Available In

odh-ai-helpers27 odh-ai-helpers odh-ai-helpers

Safety Signals

Caution

Uses power tools

Uses Bash, Write, or Edit tools

Help us improve

Share bugs, ideas, or general feedback.

Back to Plugins

FIPS 140-3 Compliance Checker

A Claude Code plugin that provides comprehensive FIPS 140-3 compliance auditing for containerized applications running on Red Hat Enterprise Linux 9 (or later).

Overview

This plugin helps ensure your applications meet FIPS 140-3 cryptographic compliance requirements by:

Analyzing source code for cryptographic operations
Scanning dependencies for non-compliant libraries
Detecting prohibited or non-approved algorithms
Verifying container base images and configurations
Identifying operations that bypass RHEL's FIPS-certified cryptographic boundary

Installation

Via Git URL (Direct Reference)

Add this plugin directly via Git URL:

# SSH
/plugin add git@github.com:grdryn/fips-compliance-checker-claude-code-plugin.git

# HTTPS
/plugin add https://github.com/grdryn/fips-compliance-checker-claude-code-plugin

Via Marketplace

If a marketplace includes this plugin, install via:

/plugin install fips-compliance-checker@<marketplace-name>

Prerequisites

The Python scanner uses Bandit in a containerized environment and requires one of the following container runtimes:

Podman (recommended for RHEL/Fedora):
```
dnf install podman
```

Docker:

# See https://docs.docker.com/get-docker/

On first run, the scanner will automatically pull the Bandit container image (ghcr.io/pycqa/bandit/bandit:latest, ~50MB).

Air-gapped environments: Pre-pull the image and ensure it's available in your local registry:

podman pull ghcr.io/pycqa/bandit/bandit:latest
# or
docker pull ghcr.io/pycqa/bandit/bandit:latest

Usage

Slash Command (Explicit)

Use the fully-qualified /fips-compliance-checker:fips-scan command for direct invocation:

# Scan the current project
/fips-compliance-checker:fips-scan

# Scan a specific container image
/fips-compliance-checker:fips-scan quay.io/myorg/myapp:v1.2.3

Note: Claude Code CLI currently requires the fully-qualified format /plugin-name:command-name.

Natural Language (Auto-selection)

The agent will automatically activate when you ask FIPS-related questions:

"Can you check if my app is FIPS compliant?"
"I've added encryption to my authentication module. Is this FIPS compliant?"
"We need to verify FIPS compliance before deploying to production"
"Is using the standard Go crypto package okay for FIPS?"

The agent proactively activates when you mention:

Cryptographic operations (encryption, hashing, TLS/SSL)
FIPS, compliance, or security certifications
Container images for Red Hat products or RHEL deployments
Working with crypto libraries in Java, Python, Go, Rust, or C/C++

What Gets Scanned

Dependencies

requirements.txt, Pipfile (Python)
go.mod, go.sum (Go)
Cargo.toml, Cargo.lock (Rust)
pom.xml, build.gradle (Java)
package.json (Node.js)
CMakeLists.txt, Makefile (C/C++)

Source Code Analysis

Direct cryptographic operations
Algorithm usage patterns
Random number generation methods
Key derivation functions
JWT libraries and algorithm choices
Certificate validation settings

Container Analysis

Base image compliance (UBI9, RHEL9, etc.)
Installed cryptographic packages
FIPS mode capability
Static linking detection

Build Configuration

Static linking flags
Vendored dependencies
Compilation flags affecting FIPS
Environment variables

Default Exclusions

By default, the scanner excludes non-production code from analysis to focus on actual runtime compliance issues. The following patterns are automatically excluded:

Test Code

*/tests/* - Test directories
*/test_*.py - Test file prefix pattern
*/*_test.py - Test file suffix pattern
*/conftest.py - pytest configuration

Examples & Documentation

*/examples/*, */samples/* - Example code directories
*/demo/*, */demos/* - Demo applications
*/docs/examples/* - Documentation examples
*/tutorials/* - Tutorial code
*/playground/* - Experimental/playground code

Scripts & Utilities

*/benchmarks/* - Benchmark code
*/scripts/* - Utility scripts
*/tools/* - Development tools
*/utilities/* - Helper utilities

Build Artifacts

*/venv/*, */.venv/*, */env/* - Virtual environments
*/build/*, */dist/* - Build outputs
*/__pycache__/*, */.eggs/* - Python cache
*/node_modules/* - Node.js dependencies

Custom Exclusions

You can add additional exclusion patterns using the --exclude flag:

# Scan Python code with custom exclusions
cd scripts/python
./scan-python-fips.sh --exclude "*/vendor/*" --exclude "*/legacy/*"

Note: Custom exclusions are added to the default patterns (not replacing them).

fips-compliance-checker

Component Overview

Component Details

Commands (1)

Agents (1)

README

FIPS 140-3 Compliance Checker

Overview

Installation

Via Git URL (Direct Reference)

Via Marketplace

Prerequisites

Usage

Slash Command (Explicit)

Natural Language (Auto-selection)

What Gets Scanned

Dependencies

Source Code Analysis

Container Analysis

Build Configuration

Default Exclusions

Test Code

Examples & Documentation

Scripts & Utilities

Build Artifacts

Custom Exclusions

Suppressing Findings

Similar Plugins

security-pro-pack

Help us improve

Help us improve

fips-compliance-checker

Component Overview

Component Details

Commands (1)

Agents (1)

README

FIPS 140-3 Compliance Checker

Overview

Installation

Via Git URL (Direct Reference)

Via Marketplace

Prerequisites

Usage

Slash Command (Explicit)

Natural Language (Auto-selection)

What Gets Scanned

Dependencies

Source Code Analysis

Container Analysis

Build Configuration

Default Exclusions

Test Code

Examples & Documentation

Scripts & Utilities

Build Artifacts

Custom Exclusions

Suppressing Findings

Similar Plugins

security-pro-pack

Help us improve

insecure-defaults

cyber-neo

compliance

sentinel

vulnerability-scanning