Initial commit

This commit is contained in:
Zhongwei Li
2025-11-30 08:19:06 +08:00
commit 0162a5a055
11 changed files with 484 additions and 0 deletions

View File

@@ -0,0 +1,7 @@
# Assets
Bundled resources for compliance-checker skill
- [ ] compliance_report_template.md: Markdown template for generating compliance reports.
- [ ] example_infrastructure_config.yaml: Example infrastructure configuration file for demonstration purposes.
- [ ] compliance_rules.json: JSON file containing compliance rules and checks.
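Review bot: the three asset entries are written as Markdown task-list items (`- [ ]`), so the README renders an index of bundled files as unchecked to-do boxes and reads as a list of unfinished work; use plain `- ` bullets for the file list. The description line also wants an article and a full stop: "Bundled resources for the compliance-checker skill."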

View File

@@ -0,0 +1,49 @@
# Compliance Report
**Date:** `[Insert Date]`
**Prepared for:** `[Insert Client Name/Organization]`
**Prepared by:** `[Your Name/Company Name]`
**Compliance Standard:** `[SOC2, HIPAA, PCI-DSS, or other - Specify Here]`
## Executive Summary
`[Provide a brief overview of the compliance status. Highlight key findings, overall compliance level (e.g., compliant, non-compliant, partially compliant), and any immediate actions required. Keep this concise and easy to understand for non-technical stakeholders. For example: "This report assesses the compliance of [Organization Name]'s infrastructure with the SOC2 Type II standard. Overall, the infrastructure demonstrates a high level of compliance. However, [Number] minor deficiencies were identified related to [Area of Deficiency]. Remediation steps are outlined in the Recommendations section."]`
## 1. Scope
`[Clearly define the scope of the compliance assessment. What systems, applications, networks, or processes were included in the assessment? What was the period covered by the assessment? Be specific. For example: "This assessment covers all infrastructure components related to the processing, storage, and transmission of customer data, including servers, databases, network devices, and associated applications. The period covered by this assessment is January 1, 2024 to March 31, 2024."]`
## 2. Methodology
`[Describe the methodology used to conduct the compliance assessment. What standards or frameworks were used? What types of evidence were reviewed (e.g., policies, procedures, logs, configurations)? What tools were used to automate the assessment process? For example: "The compliance assessment was conducted in accordance with the [Compliance Standard] framework. Evidence was gathered through a review of policies, procedures, system configurations, log files, and vulnerability scan results. Automated compliance checks were performed using the Compliance Checker plugin."]`
## 3. Findings
### 3.1. Compliant Controls
`[List the controls that were found to be compliant. For each control, provide a brief description and justification for why it is considered compliant. Include references to specific evidence where applicable. For example: "Control 1.1: Access to sensitive data is restricted to authorized personnel. This control is compliant based on a review of access control lists and employee onboarding procedures, which demonstrate that access is granted on a least-privilege basis."]`
### 3.2. Non-Compliant Controls
`[List the controls that were found to be non-compliant. For each control, provide a detailed description of the deficiency, the potential impact, and the required remediation steps. Include references to specific evidence where applicable. For example: "Control 2.3: Regular vulnerability scans are performed on all systems. This control is non-compliant as vulnerability scans are only performed quarterly instead of monthly as required by the [Compliance Standard] framework. This increases the risk of exploitation of known vulnerabilities. Remediation steps include scheduling monthly vulnerability scans and verifying the results."]`
### 3.3. Partially Compliant Controls
`[List the controls that were found to be partially compliant. For each control, provide details on the areas where compliance is met and the areas where it is lacking. Include the potential impact and the required remediation steps. Include references to specific evidence where applicable. For example: "Control 3.4: System logs are regularly reviewed for suspicious activity. This control is partially compliant. System logs are collected and stored centrally, but the review process is not consistently documented. This increases the risk of undetected security incidents. Remediation steps include documenting the log review process and ensuring that all reviews are properly logged."]`
## 4. Recommendations
`[Provide specific and actionable recommendations for remediating the identified deficiencies. Prioritize the recommendations based on the severity of the risk. Include estimated timelines for implementation. For example: "1. Implement monthly vulnerability scans and verify the results (Priority: High, Estimated Timeline: 2 weeks). 2. Document the log review process and ensure that all reviews are properly logged (Priority: Medium, Estimated Timeline: 4 weeks). 3. [Add other recommendations here]"]`
## 5. Conclusion
`[Summarize the overall compliance status and reiterate the key findings and recommendations. Emphasize the importance of ongoing compliance monitoring and maintenance. For example: "Overall, [Organization Name]'s infrastructure demonstrates a [Compliance Level] level of compliance with the [Compliance Standard] standard. The identified deficiencies should be addressed promptly to mitigate potential risks. Ongoing compliance monitoring and maintenance are essential to ensure continued compliance and protect sensitive data."]`
## 6. Appendix
`[Include any supporting documentation, such as detailed vulnerability scan reports, policy documents, or system configuration details. This section is optional. You can also include a glossary of terms used in the report.]`
**Disclaimer:** This report is based on the information provided and the assessments conducted at the time of the assessment. Compliance status may change over time. It is the responsibility of [Client Name/Organization] to maintain ongoing compliance with the [Compliance Standard] standard.
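Review bot: the Findings subsections (3.1 to 3.3) tell the author to "include references to specific evidence" but give no field that ties a finding back to a control identifier, so a report filled in from this template cannot be correlated with the `id` values the rules file in this commit uses (`SOC2-Security-1`, `PCI-DSS-Network-2` and so on); add a per-finding line or table with Control ID, Status (compliant / partially compliant / non-compliant), Evidence and Remediation, so the `success_message` / `failure_message` text a check emits has a place to land. Two formatting points: "Executive Summary" is the only section heading without a number while the next one is `## 1. Scope`, and the placeholders in the Disclaimer (`[Client Name/Organization]`, `[Compliance Standard]`) lack the backticks every other placeholder in the template uses.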

View File

@@ -0,0 +1,131 @@
{
"_comment": "Compliance rules and checks for various standards.",
"standards": [
{
"name": "SOC2",
"version": "Type II",
"description": "SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients.",
"categories": [
{
"name": "Security",
"controls": [
{
"id": "SOC2-Security-1",
"description": "Implement multi-factor authentication (MFA) for all user accounts.",
"type": "check",
"platform": ["AWS", "Azure", "GCP"],
"remediation": "Enable MFA on all user accounts. Review access logs for unauthorized access attempts.",
"check": {
"type": "script",
"language": "python",
"code": "def check_mfa(platform):\n if platform == 'AWS':\n # AWS specific MFA check\n pass\n elif platform == 'Azure':\n # Azure specific MFA check\n pass\n elif platform == 'GCP':\n # GCP specific MFA check\n pass\n return True # Placeholder for actual check\n\ncheck_mfa('AWS')",
"success_message": "MFA is enabled for all user accounts.",
"failure_message": "MFA is not enabled for all user accounts. Remediation steps provided."
},
"tags": ["authentication", "security"]
},
{
"id": "SOC2-Security-2",
"description": "Regularly audit and review user access permissions.",
"type": "check",
"platform": ["AWS", "Azure", "GCP"],
"remediation": "Conduct a user access review and revoke unnecessary permissions. Implement a least privilege access model.",
"check": {
"type": "api",
"endpoint": "/users/permissions",
"method": "GET",
"success_condition": "all(permission['status'] == 'active' for permission in response)",
"success_message": "User access permissions are regularly audited and reviewed.",
"failure_message": "User access permissions are not regularly audited or reviewed. Remediation steps provided."
},
"tags": ["authorization", "security"]
}
]
}
]
},
{
"name": "HIPAA",
"version": "Final Rule",
"description": "HIPAA sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance.",
"categories": [
{
"name": "Administrative Safeguards",
"controls": [
{
"id": "HIPAA-Admin-1",
"description": "Implement a security awareness and training program for all employees.",
"type": "check",
"platform": ["General"],
"remediation": "Conduct regular security awareness training sessions. Document the training program and employee participation.",
"check": {
"type": "manual",
"instructions": "Verify that a security awareness and training program is in place and that all employees have completed the training.",
"success_message": "A security awareness and training program is in place and employees have completed the training.",
"failure_message": "A security awareness and training program is not in place or employees have not completed the training. Remediation steps provided."
},
"tags": ["training", "security", "administrative"]
},
{
"id": "HIPAA-Admin-2",
"description": "Conduct a risk assessment to identify potential vulnerabilities and threats.",
"type": "check",
"platform": ["General"],
"remediation": "Conduct a comprehensive risk assessment and develop a risk management plan.",
"check": {
"type": "manual",
"instructions": "Review the risk assessment documentation and verify that it addresses potential vulnerabilities and threats.",
"success_message": "A risk assessment has been conducted and a risk management plan is in place.",
"failure_message": "A risk assessment has not been conducted or a risk management plan is not in place. Remediation steps provided."
},
"tags": ["risk assessment", "security", "administrative"]
}
]
}
]
},
{
"name": "PCI-DSS",
"version": "4.0",
"description": "The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.",
"categories": [
{
"name": "Build and Maintain a Secure Network and Systems",
"controls": [
{
"id": "PCI-DSS-Network-1",
"description": "Install and maintain a firewall configuration to protect cardholder data.",
"type": "check",
"platform": ["AWS", "Azure", "GCP"],
"remediation": "Review firewall rules and ensure that they are properly configured to protect cardholder data. Implement intrusion detection and prevention systems.",
"check": {
"type": "script",
"language": "python",
"code": "def check_firewall(platform):\n if platform == 'AWS':\n # AWS specific firewall check\n pass\n elif platform == 'Azure':\n # Azure specific firewall check\n pass\n elif platform == 'GCP':\n # GCP specific firewall check\n pass\n return True # Placeholder for actual check\n\ncheck_firewall('AWS')",
"success_message": "Firewall is properly configured to protect cardholder data.",
"failure_message": "Firewall is not properly configured to protect cardholder data. Remediation steps provided."
},
"tags": ["firewall", "network", "security"]
},
{
"id": "PCI-DSS-Network-2",
"description": "Change vendor-supplied defaults for system passwords and other security parameters.",
"type": "check",
"platform": ["AWS", "Azure", "GCP"],
"remediation": "Change all vendor-supplied defaults for system passwords and other security parameters. Implement strong password policies.",
"check": {
"type": "api",
"endpoint": "/systems/defaults",
"method": "GET",
"success_condition": "all(system['default_password_changed'] == True for system in response)",
"success_message": "Vendor-supplied defaults have been changed for system passwords and other security parameters.",
"failure_message": "Vendor-supplied defaults have not been changed for system passwords and other security parameters. Remediation steps provided."
},
"tags": ["password", "security", "defaults"]
}
]
}
]
}
]
}
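Review bot: both `script` checks (`SOC2-Security-1` and `PCI-DSS-Network-1`) end in `return True # Placeholder for actual check`, so an unimplemented MFA or firewall check reports the control as compliant and emits its `success_message`; until the per-platform branches are written these should be declared `"type": "manual"`, or the stub should `raise NotImplementedError` (or return `None`) so the runner records "not assessed" rather than a pass. Three further points in the same hunk: the `api` checks put an executable Python expression in `success_condition`, which implies the checker will `eval` text from the rules file against `response`, so anyone who can edit or supply a rules file can run arbitrary code in the checker; prefer a declarative form such as `{"field": "default_password_changed", "operator": "all_equal", "value": true}`. The `SOC2-Security-2` condition `all(permission['status'] == 'active' for permission in response)` does not measure what the control describes (that access is regularly audited and reviewed); it passes whenever every permission is still active, which is the opposite signal. Finally, the embedded code calls `check_mfa('AWS')` and `check_firewall('AWS')` with a hard-coded platform even though `platform` lists Azure and GCP; the runner should pass the platform in rather than the snippet choosing it.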

View File

@@ -0,0 +1,114 @@
# Infrastructure Configuration for Compliance Checker Plugin
# General Settings
general:
environment: production # Environment (development, staging, production)
region: us-west-2 # AWS Region (e.g., us-east-1, eu-west-1)
account_id: REPLACE_ME # AWS Account ID or equivalent for other platforms
organization_name: YOUR_VALUE_HERE # Your organization's name
contact_email: compliance@example.com # Contact email for compliance inquiries
# Compliance Standards to Check
compliance_standards:
soc2:
enabled: true # Enable SOC2 compliance check
type_i: false # Check for Type I compliance (point-in-time)
type_ii: true # Check for Type II compliance (period-of-time)
hipaa:
enabled: false # Enable HIPAA compliance check
business_associate_agreement: true # Indicates a BAA is in place
pci_dss:
enabled: false # Enable PCI DSS compliance check
cardholder_data_environment: false # Indicates a cardholder data environment exists
# Infrastructure Components to Evaluate
infrastructure:
compute:
ec2: # AWS EC2 Instances
enabled: true
instance_ids: # List of EC2 instance IDs to check. Leave empty to check all.
- REPLACE_ME #Example instance id
- YOUR_VALUE_HERE #Another example instance id
security_group_rules: # Security Group rules to enforce
ingress:
- port: 22
protocol: tcp
cidr_blocks:
- 10.0.0.0/16 # Allow SSH access from internal network. REPLACE WITH MORE SECURE RULES IN PRODUCTION.
egress:
- port: 80
protocol: tcp
cidr_blocks:
- 0.0.0.0/0 # Allow HTTP access to the internet. REPLACE WITH MORE RESTRICTIVE RULES IN PRODUCTION.
lambda: # AWS Lambda Functions
enabled: false
function_names: # List of Lambda function names to check. Leave empty to check all.
- REPLACE_ME
gcp_compute_engine: # Google Cloud Compute Engine Instances
enabled: false
instance_names: # List of Compute Engine instance names to check. Leave empty to check all.
- YOUR_VALUE_HERE
storage:
s3: # AWS S3 Buckets
enabled: true
bucket_names: # List of S3 bucket names to check. Leave empty to check all.
- REPLACE_ME
encryption_enabled: true # Require encryption at rest
public_access_blocked: true # Block public access to buckets
cloud_storage: # Google Cloud Storage Buckets
enabled: false
bucket_names: # List of Cloud Storage bucket names to check. Leave empty to check all.
- YOUR_VALUE_HERE
database:
rds: # AWS RDS Databases
enabled: true
instance_ids: # List of RDS instance IDs to check. Leave empty to check all.
- REPLACE_ME
encryption_enabled: true # Require encryption at rest
publicly_accessible: false # Ensure databases are not publicly accessible
cloud_sql: # Google Cloud SQL Instances
enabled: false
instance_names: # List of Cloud SQL instance names to check. Leave empty to check all.
- YOUR_VALUE_HERE
network:
vpc: # AWS VPCs
enabled: true
vpc_ids: # List of VPC IDs to check. Leave empty to check all.
- REPLACE_ME
flow_logs_enabled: true # Require VPC Flow Logs for auditing
virtual_network: # Google Cloud VPCs
enabled: false
network_names: # List of VPC network names to check. Leave empty to check all.
- YOUR_VALUE_HERE
# Logging and Monitoring Configuration
logging:
cloudwatch: # AWS CloudWatch
enabled: true
log_group_retention_days: 30 # Retention period for CloudWatch logs
stackdriver: # Google Cloud Stackdriver Logging
enabled: false
log_retention_days: 30 # Retention period for Stackdriver logs
# Identity and Access Management (IAM) Configuration
iam:
aws_iam: # AWS IAM
enabled: true
mfa_required: true # Require multi-factor authentication for privileged users
password_policy: # Password policy requirements
minimum_length: 14
require_symbols: true
require_numbers: true
require_uppercase: true
require_lowercase: true
password_reuse_prevention: 24 # Number of passwords to prevent reuse
google_cloud_iam: # Google Cloud IAM
enabled: false
mfa_required: true # Require multi-factor authentication for privileged users
# Reporting Configuration
reporting:
frequency: weekly # How often to generate compliance reports (daily, weekly, monthly)
report_recipients: # List of email addresses to receive compliance reports
- REPLACE_ME # Example compliance report email
output_format: pdf # Report output format (pdf, csv, json)
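Review bot: the `instance_ids`, `function_names`, `bucket_names`, `vpc_ids` and similar lists are each commented "Leave empty to check all" yet every one ships with `REPLACE_ME` / `YOUR_VALUE_HERE` entries, so a user who edits only the obvious settings gets a checker that looks up non-existent resource IDs instead of scanning everything; either leave the example lists empty (`instance_ids: []`) and show the placeholder in the comment, or have the loader reject any value still equal to a placeholder. Two related points: `environment: production` is set in `general` while the security-group rules (SSH from `10.0.0.0/16`, HTTP egress to `0.0.0.0/0`) carry comments saying they must be replaced in production, so the sample contradicts itself; set the sample to `development` or tighten the rules. And `log_group_retention_days: 30` / `log_retention_days: 30` are shorter than the assessment period the report template in this commit uses as its own example (January 1 to March 31), so log evidence for the first two months of such a period would have aged out before the report was written; the retention should at least cover the reporting window.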