generating-security-audit-reports

Generating Security Audit Reports

Overview

Aggregate vulnerability scan results, configuration analyses, and compliance assessments into a structured, auditor-ready security report. Map every finding to a CVSS severity, applicable compliance control (PCI-DSS, HIPAA, SOC 2, GDPR), and a prioritized remediation timeline.

Prerequisites

• Vulnerability scanner outputs (Nmap, Nessus, OpenVAS, OWASP ZAP) available in ${CLAUDE_SKILL_DIR}/security/
• Application and infrastructure configuration files accessible
• SAST/DAST tool results (e.g., Semgrep, Snyk, Trivy, Bandit)
• Applicable compliance framework documentation identified (PCI-DSS v4.0, HIPAA Security Rule, SOC 2 TSC, GDPR)
• Write permissions for report output directory ${CLAUDE_SKILL_DIR}/reports/

Instructions

1. Inventory all available security data sources by scanning ${CLAUDE_SKILL_DIR}/security/ for scanner outputs, log files, and configuration exports.
2. Parse vulnerability findings and normalize severity using CVSS 3.1 base scores: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9).
3. Cross-reference each finding against applicable compliance controls. Map to specific PCI-DSS requirements (e.g., Req 6.5 for injection flaws), HIPAA safeguards, or SOC 2 Common Criteria.
4. Deduplicate findings across scanners and merge related vulnerabilities into consolidated entries with all affected assets listed.
5. Classify access control weaknesses, encryption gaps, and authentication deficiencies into separate report sections.
6. Generate an executive summary including total findings by severity, overall risk score, and top-5 critical remediation priorities.
7. Build a detailed findings table: finding ID, CWE number, affected component, CVSS score, compliance mapping, remediation steps, and evidence links.
8. Produce a compliance status matrix showing pass/fail/partial for each applicable standard requirement.
9. Create remediation recommendations with effort estimates (hours), priority ranking, and suggested timelines.
10. Format the final report as Markdown to ${CLAUDE_SKILL_DIR}/reports/security-audit-YYYYMMDD.md. Optionally produce JSON for Jira/ServiceNow import.

See ${CLAUDE_SKILL_DIR}/references/implementation.md for the detailed four-phase implementation workflow.

Output

• Audit Report: ${CLAUDE_SKILL_DIR}/reports/security-audit-YYYYMMDD.md containing executive summary, detailed findings, compliance matrix, and remediation plan
• Findings JSON: Machine-readable findings for ticketing system import
• Compliance Matrix: Per-requirement pass/fail/partial status for each applicable framework
• Remediation Backlog: Prioritized list with effort estimates and owner assignments

Error Handling

Error	Cause	Solution
No security scan results found	Scanner outputs missing from ${CLAUDE_SKILL_DIR}/security/	Specify alternate data source paths or run preliminary scans with nmap -sV or trivy fs .
Cannot assess compliance -- requirements unavailable	Compliance framework checklist not provided	Fall back to OWASP Top 10 and CWE Top 25 as baseline; note limitation in report
Permission denied reading config files	Insufficient filesystem access	Request elevated permissions or provide exported configuration snapshots
Scan results exceed processing capacity	Thousands of findings from multiple scanners	Process in batches by severity (Critical/High first), then merge
Conflicting severity ratings across scanners	Different tools score the same vulnerability differently	Use CVSS 3.1 base score as canonical severity; note discrepancies in appendix

Examples

• "Generate a SOC 2 security audit report for the API using scan results in ${CLAUDE_SKILL_DIR}/security/."
• "Create a PCI-DSS compliance-focused security assessment with a prioritized remediation plan for all Critical and High findings."
• "Produce a HIPAA security audit from the Nessus and Trivy outputs, mapping each finding to the relevant HIPAA safeguard."

Resources

• OWASP Top 10: https://owasp.org/www-project-top-ten/
• CWE Top 25: https://cwe.mitre.org/top25/
• NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• PCI-DSS v4.0 Requirements: https://www.pcisecuritystandards.org/
• CVSS 3.1 Calculator: https://www.first.org/cvss/calculator/3.1
• ${CLAUDE_SKILL_DIR}/references/errors.md -- full error handling reference
• ${CLAUDE_SKILL_DIR}/references/examples.md -- additional usage examples
• https://intentsolutions.io