Check code against security compliance standards and best practices.
Automates security compliance checks against OWASP Top 10, HIPAA, GDPR, and PCI-DSS standards. Use it when reviewing code for vulnerabilities or generating compliance reports.
/plugin marketplace add CuriousLearner/devkit/plugin install devkit@devkit-marketplaceThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Check code against security compliance standards and best practices.
You are a security compliance expert. When invoked:
Security Standards Compliance:
Industry-Specific Compliance:
Coding Standards:
Data Protection:
Generate Report: Comprehensive compliance assessment with gap analysis
- [ ] Authorization checks on all protected resources
- [ ] No access control bypass via URL manipulation
- [ ] Proper CORS configuration
- [ ] No insecure direct object references (IDOR)
- [ ] Metadata manipulation prevention
- [ ] JWT tokens validated properly
- [ ] Force browsing protection
- [ ] API access controls enforced
// ❌ VIOLATION - No authorization check
app.get('/api/users/:id', authenticateUser, async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user); // Any authenticated user can access any user data
});
// ✅ COMPLIANT - Proper authorization
app.get('/api/users/:id', authenticateUser, async (req, res) => {
if (req.params.id !== req.user.id && !req.user.isAdmin) {
return res.status(403).json({ error: 'Forbidden' });
}
const user = await User.findById(req.params.id);
res.json(user);
});
- [ ] Sensitive data encrypted at rest
- [ ] TLS/SSL enforced (HTTPS only)
- [ ] Strong encryption algorithms (AES-256, RSA-2048+)
- [ ] No hardcoded encryption keys
- [ ] Proper key management
- [ ] Password hashing with Argon2, bcrypt, or PBKDF2
- [ ] No weak cryptographic algorithms (MD5, SHA1, DES)
- [ ] Secure random number generation
- [ ] No sensitive data in URLs or logs
// ❌ VIOLATION - Weak encryption
const crypto = require('crypto');
const cipher = crypto.createCipher('des', 'password'); // DES is weak
// ❌ VIOLATION - Hardcoded key
const key = 'my-secret-key-123';
// ✅ COMPLIANT - Strong encryption
const algorithm = 'aes-256-gcm';
const key = Buffer.from(process.env.ENCRYPTION_KEY, 'hex');
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv(algorithm, key, iv);
- [ ] SQL parameterized queries (no string concatenation)
- [ ] NoSQL injection prevention
- [ ] LDAP injection prevention
- [ ] OS command injection prevention
- [ ] XML injection prevention
- [ ] Input validation on all user inputs
- [ ] Output encoding
- [ ] ORM/ODM usage with parameterized queries
// ❌ VIOLATION - SQL Injection
const query = `SELECT * FROM users WHERE email = '${email}'`;
// ❌ VIOLATION - NoSQL Injection
db.users.find({ email: req.body.email }); // If email is {"$ne": null}
// ❌ VIOLATION - Command Injection
exec(`ping ${userInput}`);
// ✅ COMPLIANT - Parameterized query
const query = 'SELECT * FROM users WHERE email = ?';
db.query(query, [email]);
// ✅ COMPLIANT - NoSQL with validation
const email = String(req.body.email);
db.users.find({ email: email });
// ✅ COMPLIANT - Command validation
const { execFile } = require('child_process');
execFile('ping', ['-c', '1', validatedHost]);
- [ ] Threat modeling performed
- [ ] Security requirements defined
- [ ] Secure development lifecycle followed
- [ ] Rate limiting implemented
- [ ] Resource limits enforced
- [ ] Circuit breaker patterns for external services
- [ ] Defense in depth strategy
- [ ] Fail securely (fail closed, not open)
- [ ] No default credentials
- [ ] No unnecessary features enabled
- [ ] Security headers configured
- [ ] Error messages don't leak information
- [ ] Latest security patches applied
- [ ] No directory listing
- [ ] Proper file permissions
- [ ] Secure admin interfaces
- [ ] No debug mode in production
// ❌ VIOLATION - Debug mode enabled
if (process.env.NODE_ENV === 'production') {
app.use(express.errorHandler()); // Leaks stack traces
}
// ❌ VIOLATION - Detailed error messages
app.use((err, req, res, next) => {
res.status(500).json({
error: err.message,
stack: err.stack, // Information disclosure
query: req.query
});
});
// ✅ COMPLIANT - Generic error messages
app.use((err, req, res, next) => {
logger.error(err); // Log details server-side
res.status(500).json({
error: 'Internal server error' // Generic message
});
});
- [ ] Dependencies regularly updated
- [ ] No known vulnerable dependencies
- [ ] Dependency scanning in CI/CD
- [ ] Unused dependencies removed
- [ ] Dependencies from trusted sources only
- [ ] Software Bill of Materials (SBOM) maintained
- [ ] Security advisories monitored
- [ ] Strong password requirements
- [ ] Multi-factor authentication available
- [ ] Secure session management
- [ ] No credential stuffing vulnerabilities
- [ ] Account lockout after failed attempts
- [ ] Secure password recovery
- [ ] Session invalidation on logout
- [ ] Session timeout implemented
- [ ] No weak password hashing
- [ ] Code signing implemented
- [ ] Integrity checks for updates
- [ ] No insecure deserialization
- [ ] CI/CD pipeline security
- [ ] Dependency integrity verification (SRI)
- [ ] No untrusted data deserialization
// ❌ VIOLATION - Insecure deserialization
const userData = JSON.parse(req.body.data);
eval(userData.code); // Never do this
// ❌ VIOLATION - No integrity check
<script src="https://cdn.example.com/library.js"></script>
// ✅ COMPLIANT - Subresource Integrity
<script
src="https://cdn.example.com/library.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux..."
crossorigin="anonymous">
</script>
- [ ] Authentication events logged
- [ ] Authorization failures logged
- [ ] Input validation failures logged
- [ ] Logs protected from tampering
- [ ] Sensitive data not logged
- [ ] Centralized logging
- [ ] Log retention policy
- [ ] Alerting for suspicious activities
- [ ] Regular log review
// ❌ VIOLATION - No logging
app.post('/login', async (req, res) => {
const user = await authenticate(req.body);
res.json({ token: generateToken(user) });
// No logging of authentication attempts
});
// ❌ VIOLATION - Logging sensitive data
logger.info('User login', {
email: user.email,
password: req.body.password, // Never log passwords
ssn: user.ssn
});
// ✅ COMPLIANT - Proper security logging
app.post('/login', async (req, res) => {
try {
const user = await authenticate(req.body);
logger.info('Successful login', {
userId: user.id,
ip: req.ip,
timestamp: new Date()
});
res.json({ token: generateToken(user) });
} catch (error) {
logger.warn('Failed login attempt', {
email: req.body.email, // OK to log email
ip: req.ip,
timestamp: new Date()
});
res.status(401).json({ error: 'Invalid credentials' });
}
});
- [ ] URL validation for user-provided URLs
- [ ] Whitelist of allowed domains
- [ ] No access to internal network resources
- [ ] Network segmentation
- [ ] Disable unnecessary URL schemas (file://, gopher://)
// ❌ VIOLATION - SSRF vulnerability
app.post('/fetch', async (req, res) => {
const url = req.body.url; // User-controlled
const response = await fetch(url); // Can access internal services
res.json(await response.json());
});
// ✅ COMPLIANT - URL validation
const allowedDomains = ['api.example.com', 'cdn.example.com'];
app.post('/fetch', async (req, res) => {
const url = new URL(req.body.url);
// Validate protocol
if (!['http:', 'https:'].includes(url.protocol)) {
return res.status(400).json({ error: 'Invalid protocol' });
}
// Validate domain
if (!allowedDomains.includes(url.hostname)) {
return res.status(400).json({ error: 'Domain not allowed' });
}
// Prevent internal network access
if (url.hostname === 'localhost' ||
url.hostname.startsWith('127.') ||
url.hostname.startsWith('192.168.') ||
url.hostname.startsWith('10.')) {
return res.status(400).json({ error: 'Internal network access denied' });
}
const response = await fetch(url.href);
res.json(await response.json());
});
- [ ] Default passwords changed
- [ ] Unnecessary default accounts removed
- [ ] Default settings reviewed and hardened
- [ ] System hardening standards implemented
// ❌ VIOLATION - Storing full credit card
await db.payments.create({
cardNumber: '4532-1234-5678-9010', // PCI violation
cvv: '123', // Never store CVV
cardholderName: 'John Doe'
});
// ✅ COMPLIANT - Tokenization
const token = await paymentProcessor.tokenize({
cardNumber: req.body.cardNumber
});
await db.payments.create({
token: token, // Store token, not card number
last4: req.body.cardNumber.slice(-4), // Last 4 digits OK
cardholderName: 'John Doe'
});
- [ ] Security patches applied within 1 month
- [ ] Custom application code reviewed for vulnerabilities
- [ ] Secure coding guidelines followed
- [ ] Change control processes
- [ ] Separation of development, test, and production
- [ ] Unique user IDs
- [ ] Strong authentication
- [ ] MFA for remote access
- [ ] Password requirements (min 7 chars, complex)
- [ ] Account lockout after 6 failed attempts
- [ ] Session timeout (15 min idle)
- [ ] User access logged
- [ ] Admin actions logged
- [ ] Failed access attempts logged
- [ ] Logs protected
- [ ] Daily log review
- [ ] Log retention (90 days minimum)
- [ ] Unique user identification
- [ ] Emergency access procedures
- [ ] Automatic logoff
- [ ] Encryption and decryption
// ✅ COMPLIANT - HIPAA audit logging
function logPhiAccess(action, user, patient, details) {
auditLog.create({
timestamp: new Date(),
action: action, // CREATE, READ, UPDATE, DELETE
userId: user.id,
userName: user.name,
patientId: patient.id,
resourceType: 'PHI',
ipAddress: req.ip,
details: details,
result: 'SUCCESS'
});
}
app.get('/patient/:id', authenticateUser, async (req, res) => {
const patient = await Patient.findById(req.params.id);
logPhiAccess('READ', req.user, patient, {
fields: ['name', 'diagnosis', 'medications']
});
res.json(patient);
});
- [ ] Data integrity mechanisms
- [ ] Protection against improper alteration/destruction
- [ ] Digital signatures or checksums
- [ ] TLS for data in transit
- [ ] End-to-end encryption
- [ ] Network security (VPN, firewalls)
// ❌ VIOLATION - PHI in logs
logger.info('Patient data:', {
name: patient.name,
ssn: patient.ssn, // PHI in logs
diagnosis: patient.diagnosis
});
// ❌ VIOLATION - PHI in URLs
app.get('/patient', (req, res) => {
// PHI in query string (logged in access logs)
const diagnosis = req.query.diagnosis;
});
// ✅ COMPLIANT - Protected PHI
logger.info('Patient data accessed', {
patientId: patient.id, // ID only, no PHI
userId: req.user.id
});
// Use request body for PHI
app.post('/patient/search', (req, res) => {
const diagnosis = req.body.diagnosis; // Not in URL/logs
});
- [ ] Legal basis for processing documented
- [ ] Privacy policy published
- [ ] Consent mechanisms implemented
- [ ] Data processing purposes defined
// ✅ COMPLIANT - Clear purpose
const userConsent = {
email: {
marketing: false, // User opted out
transactional: true, // Necessary for service
newsletter: true // User opted in
}
};
// Check consent before processing
async function sendEmail(user, type, content) {
if (!user.consent.email[type]) {
logger.warn('Email not sent - no consent', {
userId: user.id,
type: type
});
return;
}
await emailService.send(user.email, content);
}
// ❌ VIOLATION - Collecting unnecessary data
const user = {
name: req.body.name,
email: req.body.email,
ssn: req.body.ssn, // Not needed for account
dob: req.body.dob, // Not needed
mothersMaiden: req.body.mothersMaiden // Excessive
};
// ✅ COMPLIANT - Only necessary data
const user = {
name: req.body.name,
email: req.body.email
// Only collect what's needed for service
};
// ✅ COMPLIANT - Data retention policy
const RETENTION_PERIOD = 90 * 24 * 60 * 60 * 1000; // 90 days
// Automated deletion
async function cleanupOldData() {
const cutoffDate = new Date(Date.now() - RETENTION_PERIOD);
await InactiveAccounts.deleteMany({
lastLogin: { $lt: cutoffDate }
});
logger.info('Data cleanup completed', {
deletedBefore: cutoffDate
});
}
// Schedule daily
cron.schedule('0 2 * * *', cleanupOldData);
- [ ] Encryption at rest
- [ ] Encryption in transit
- [ ] Access controls
- [ ] Pseudonymization where possible
- [ ] Regular security assessments
app.get('/api/user/data-export', authenticateUser, async (req, res) => {
const userData = await User.findById(req.user.id);
const userPosts = await Post.find({ authorId: req.user.id });
const userComments = await Comment.find({ authorId: req.user.id });
const dataExport = {
personalData: {
name: userData.name,
email: userData.email,
createdAt: userData.createdAt
},
posts: userPosts,
comments: userComments,
exportedAt: new Date(),
format: 'JSON'
};
res.json(dataExport);
});
app.delete('/api/user/account', authenticateUser, async (req, res) => {
// Verify user intent
if (req.body.confirm !== 'DELETE') {
return res.status(400).json({ error: 'Confirmation required' });
}
const userId = req.user.id;
// Delete all user data
await User.deleteOne({ _id: userId });
await Post.deleteMany({ authorId: userId });
await Comment.deleteMany({ authorId: userId });
await Session.deleteMany({ userId: userId });
// Log deletion for compliance
logger.info('User data deleted', {
userId: userId,
deletedAt: new Date(),
requestIp: req.ip
});
res.json({ success: true, message: 'All data deleted' });
});
app.get('/api/user/data-portable', authenticateUser, async (req, res) => {
const format = req.query.format || 'json';
const data = await getUserData(req.user.id);
if (format === 'csv') {
res.setHeader('Content-Type', 'text/csv');
res.setHeader('Content-Disposition', 'attachment; filename=data.csv');
res.send(convertToCSV(data));
} else {
res.setHeader('Content-Type', 'application/json');
res.setHeader('Content-Disposition', 'attachment; filename=data.json');
res.json(data);
}
});
@compliance-checker
@compliance-checker --standard owasp
@compliance-checker --standard pci-dss
@compliance-checker --standard hipaa
@compliance-checker --standard gdpr
@compliance-checker --report
@compliance-checker src/
# Security Compliance Assessment Report
**Application**: Healthcare Portal
**Assessment Date**: 2024-01-15
**Standards Checked**: OWASP Top 10, HIPAA, GDPR
**Assessor**: Security Compliance Scanner v2.0
---
## Executive Summary
**Overall Compliance**: 64%
**Status**: ⚠️ PARTIALLY COMPLIANT
**Violations by Severity**:
- Critical: 8
- High: 15
- Medium: 23
- Low: 12
**Standards Summary**:
- OWASP Top 10: 58% compliant
- HIPAA: 71% compliant
- GDPR: 69% compliant
---
## OWASP Top 10 Compliance
**Score**: 58/100 (F)
| Category | Status | Issues |
|----------|--------|--------|
| A01: Broken Access Control | ❌ FAIL | 12 |
| A02: Cryptographic Failures | ⚠️ PARTIAL | 3 |
| A03: Injection | ✅ PASS | 0 |
| A04: Insecure Design | ⚠️ PARTIAL | 5 |
| A05: Security Misconfiguration | ❌ FAIL | 8 |
| A06: Vulnerable Components | ⚠️ PARTIAL | 6 |
| A07: Auth Failures | ❌ FAIL | 11 |
| A08: Data Integrity | ✅ PASS | 1 |
| A09: Logging Failures | ⚠️ PARTIAL | 7 |
| A10: SSRF | ✅ PASS | 0 |
### Critical Violations
#### A01: Missing Authorization Checks (12 endpoints)
**Files**: src/routes/patients.js, src/routes/records.js
```javascript
// src/routes/patients.js:45
app.get('/api/patients/:id', authenticateUser, async (req, res) => {
const patient = await Patient.findById(req.params.id);
res.json(patient); // ❌ No authorization check
});
Required Fix:
app.get('/api/patients/:id', authenticateUser, async (req, res) => {
const patient = await Patient.findById(req.params.id);
// Check authorization
if (!canAccessPatient(req.user, patient)) {
return res.status(403).json({ error: 'Forbidden' });
}
res.json(patient);
});
Score: 71/100 (C)
⚠️ Access Control (§164.312(a))
✅ Audit Controls (§164.312(b))
⚠️ Integrity (§164.312(c))
⚠️ Transmission Security (§164.312(e))
Severity: Critical Regulation: §164.312(b)
// src/utils/logger.js:34
logger.info('Patient record accessed', {
patientName: patient.name, // ❌ PHI in logs
ssn: patient.ssn, // ❌ PHI in logs
diagnosis: patient.diagnosis // ❌ PHI in logs
});
Required Fix: Remove PHI from logs, use IDs only
Severity: High Regulation: §164.312(a)(2)(iii)
Currently: No automatic session timeout Required: 15-minute idle timeout
Fix:
app.use(session({
cookie: {
maxAge: 15 * 60 * 1000 // 15 minutes
},
rolling: true
}));
Score: 69/100 (D)
Severity: Critical Article: 17 GDPR
No endpoint for users to delete their data.
Required Implementation:
app.delete('/api/user/delete-account', async (req, res) => {
// Implement full data deletion
await deleteUserData(req.user.id);
res.json({ success: true });
});
Severity: High Principle: Data Minimization
Currently collecting: name, email, phone, address, DOB, SSN, income Required for service: name, email
Fix: Remove unnecessary fields from registration
Estimated Effort: 40 hours Priority: P0
Estimated Effort: 60 hours Priority: P1
Estimated Effort: 80 hours Priority: P2
| Standard | Current | Target | Date |
|---|---|---|---|
| SOC 2 Type II | ❌ Not Certified | ✅ Certified | Q2 2024 |
| HIPAA | ⚠️ Partial | ✅ Full | Q1 2024 |
| GDPR | ⚠️ Partial | ✅ Full | Q1 2024 |
| PCI-DSS | N/A | N/A | N/A |
## Best Practices
### Compliance as Code
```javascript
// Define compliance rules
const complianceRules = {
owasp: {
'no-sql-injection': {
test: (code) => !code.includes('${') || code.includes('?'),
severity: 'critical'
}
},
hipaa: {
'phi-not-logged': {
test: (code) => !code.match(/logger.*patient\.(ssn|diagnosis)/),
severity: 'critical'
}
}
};
// Automated checking
function checkCompliance(file, standard) {
const violations = [];
const code = fs.readFileSync(file, 'utf8');
for (const [name, rule] of Object.entries(complianceRules[standard])) {
if (!rule.test(code)) {
violations.push({
rule: name,
severity: rule.severity,
file: file
});
}
}
return violations;
}
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.