AgentSkillsCN

tm-compliance

将威胁与控制措施映射至OWASP Top 10、SOC2、PCI-DSS、HIPAA、GDPR等合规框架,生成覆盖百分比与差距分析的合规报告。当您需要核查合规状态、映射安全框架,或生成审计文档时,可使用此技能。

SKILL.md
--- frontmatter
name: tm-compliance
description: Map threats and controls to compliance frameworks like OWASP Top 10, SOC2, PCI-DSS, HIPAA, GDPR. Generates compliance reports with coverage percentages and gaps. Use when checking compliance status, mapping to security frameworks, or generating audit documentation.
allowed-tools: Read, Write, Glob

Compliance Mapping

Purpose

Map your threat model to compliance frameworks to:

  • Calculate compliance coverage percentages
  • Identify compliance gaps
  • Generate audit-ready documentation
  • Track requirements across multiple frameworks

Usage

code
/tm-compliance [--framework <name>] [--policy <path>] [--gaps-only]

Arguments:

  • --framework: Framework(s) to map: owasp, soc2, pci-dss, hipaa, gdpr, custom
  • --policy: Path to custom policy document
  • --gaps-only: Only show gaps/non-compliance

Supported Frameworks

OWASP Top 10 2021

IDName
A01Broken Access Control
A02Cryptographic Failures
A03Injection
A04Insecure Design
A05Security Misconfiguration
A06Vulnerable and Outdated Components
A07Identification and Authentication Failures
A08Software and Data Integrity Failures
A09Security Logging and Monitoring Failures
A10Server-Side Request Forgery (SSRF)

SOC2 Trust Services Criteria

CategoryDescription
CC6.1Logical and Physical Access Controls
CC6.2System Access Authentication
CC6.3Access Restriction and Privileges
CC6.6System Boundaries
CC6.7Transmission Integrity
CC6.8Data Integrity
CC7.1Configuration Management
CC7.2Change Management

PCI-DSS v4.0

RequirementDescription
1Install and maintain network security controls
2Apply secure configurations
3Protect stored account data
4Protect cardholder data during transmission
5Protect from malicious software
6Develop and maintain secure systems
7Restrict access by business need
8Identify users and authenticate access
9Restrict physical access
10Log and monitor access
11Test security regularly
12Support information security with policies

Mapping Process

For Each Framework Requirement

  1. Identify related threats

    • Match requirement to STRIDE categories
    • Find threats in those categories
  2. Identify related controls

    • Find controls that mitigate related threats
    • Check control implementation status
  3. Assess compliance status

    • compliant: All related controls implemented
    • partial: Some controls implemented
    • non-compliant: No controls or all missing
  4. Document evidence

    • Link to verified controls
    • Note gaps

Output Files

compliance.json

json
{
  "version": "1.0",
  "generated": "ISO-8601",
  "frameworks": [
    {
      "name": "OWASP Top 10 2021",
      "version": "2021",
      "overall_compliance": 82,
      "mappings": [
        {
          "requirement_id": "A01:2021",
          "requirement_name": "Broken Access Control",
          "description": "Restrictions on authenticated users not properly enforced",
          "stride_categories": ["elevation-of-privilege", "information-disclosure"],
          "related_threats": ["threat-010", "threat-011"],
          "related_controls": ["control-020", "control-021"],
          "status": "partial",
          "coverage": 85,
          "gaps": ["gap-005"],
          "evidence": [
            "RBAC implemented in src/middleware/authorize.ts",
            "Missing: Object-level authorization"
          ]
        }
      ]
    }
  ]
}

compliance-report.md (Visual Report)

markdown
# Compliance Report

**Generated**: [Date]
**Frameworks**: OWASP Top 10 2021, SOC2

## Executive Summary

COMPLIANCE OVERVIEW ═══════════════════════════════════════════════════════════

OWASP Top 10 2021 ───────────────────────────────────────────────────────── A01 Broken Access Control: ████████░░ 85% (1 gap) A02 Cryptographic Failures: ██████████ 100% A03 Injection: ███████░░░ 70% (3 gaps) A04 Insecure Design: ██████░░░░ 55% (5 gaps) A05 Security Misconfiguration: █████████░ 95% (1 gap) A06 Vulnerable Components: █████████░ 90% (1 gap) A07 Auth Failures: ████████░░ 75% (4 gaps) A08 Data Integrity Failures: ████████░░ 85% (2 gaps) A09 Logging Failures: ████████░░ 80% (2 gaps) A10 SSRF: ██████████ 100% ───────────────────────────────────────────────────────── OVERALL: ████████░░ 82%

SOC2 Trust Services ───────────────────────────────────────────────────────── CC6.1 Logical Access: █████████░ 90% (1 gap) CC6.2 Authentication: ████████░░ 80% (2 gaps) CC6.3 Access Restriction: █████████░ 95% (1 gap) ───────────────────────────────────────────────────────── OVERALL: █████████░ 88%

code

## OWASP Top 10 2021

### A01:2021 - Broken Access Control

┌─────────────────────────────────────────────────────────┐ │ STATUS: ⚠ Partial (85%) │ ├─────────────────────────────────────────────────────────┤ │ RELATED THREATS: │ │ • THREAT-010: IDOR in user profile │ │ • THREAT-011: Missing function-level access control │ │ │ │ CONTROLS: │ │ ✓ RBAC implementation │ │ ⚠ Object-level authorization (partial) │ │ │ │ GAPS: │ │ • GAP-005: Missing object-level checks │ │ │ │ EVIDENCE: │ │ src/middleware/authorize.ts:15-89 │ └─────────────────────────────────────────────────────────┘

code

### A02:2021 - Cryptographic Failures

┌─────────────────────────────────────────────────────────┐ │ STATUS: ✓ Compliant (100%) │ ├─────────────────────────────────────────────────────────┤ │ CONTROLS: │ │ ✓ TLS 1.3 enforced │ │ ✓ AES-256 encryption at rest │ │ ✓ Bcrypt password hashing │ │ │ │ EVIDENCE: │ │ src/config/tls.ts:5 │ │ src/db/encryption.ts:12 │ └─────────────────────────────────────────────────────────┘

code

[Additional requirements...]

STRIDE to Framework Mapping

OWASP Top 10

STRIDE CategoryOWASP Requirements
SpoofingA07
TamperingA03, A08
RepudiationA09
Information DisclosureA01, A02
Denial of ServiceA05
Elevation of PrivilegeA01, A04

SOC2

STRIDE CategorySOC2 Criteria
SpoofingCC6.1, CC6.2
TamperingCC6.7, CC6.8
RepudiationCC7.2
Information DisclosureCC6.1, CC6.3
Denial of ServiceCC6.6
Elevation of PrivilegeCC6.3

Instructions for Claude

When executing this skill:

  1. Load threat model state:

    • Read .threatmodel/state/threats.json
    • Read .threatmodel/state/controls.json
    • Read .threatmodel/state/gaps.json
  2. Load framework definitions:

    • Reference built-in framework mappings
    • Load custom policies if specified
  3. For each framework:

    • Map requirements to STRIDE categories
    • Find related threats
    • Find related controls
    • Assess coverage
  4. Calculate compliance:

    • Per-requirement status
    • Per-framework percentage
    • Overall score
  5. Generate reports with visuals IN THE FILES:

    • JSON for programmatic use
    • Markdown with ASCII progress bars, status boxes, and visual indicators
    • The compliance-report.md MUST include:
      • Visual progress bars: ████████░░ 85%
      • Status indicators: , ,
      • Visual box frames for each requirement
    • These visuals go in the written file, not just console output
  6. Console summary (also display to user):

    code
    Compliance Mapping Complete
    ===========================
    
    Frameworks Analyzed: 2
    
    OWASP Top 10 2021:
      A01 Broken Access Control:     ████████░░ 85%  (1 gap)
      A02 Cryptographic Failures:    ██████████ 100%
      A03 Injection:                 ███████░░░ 70%  (3 gaps)
      ...
      Overall: 82%
    
    SOC2 Trust Services:
      CC6.1 Logical Access:          █████████░ 90%  (1 gap)
      CC6.2 Authentication:          ████████░░ 80%  (2 gaps)
      ...
      Overall: 88%
    
    Total Gaps: 11
      High Priority: 4
      Medium Priority: 5
      Low Priority: 2
    
    Files Created:
      .threatmodel/state/compliance.json
      .threatmodel/reports/compliance-report.md
    
    Next Steps:
      Run /tm-report to generate full risk report
    

Reference Files