vendor-security-questionnaire
Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring
Best use case
vendor-security-questionnaire is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring
Teams using vendor-security-questionnaire should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/vendor-security-questionnaire/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How vendor-security-questionnaire Compares
| Feature / Agent | vendor-security-questionnaire | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Vendor Security Questionnaire Skill
## Purpose
Automate vendor security assessment through standardized questionnaire generation, response parsing, security posture scoring, and risk report generation for third-party risk management programs.
## Capabilities
### Questionnaire Generation
- Generate industry-standard security questionnaires
- Create SIG (Standardized Information Gathering) questionnaires
- Build CAIQ (Consensus Assessment Initiative Questionnaire) forms
- Generate custom questionnaires based on risk tier
- Create vendor-type-specific assessments
- Support multiple response formats
### Response Parsing and Analysis
- Parse questionnaire responses from various formats
- Extract key security control information
- Identify missing or incomplete responses
- Flag concerning answers for review
- Compare responses against requirements
- Validate evidence attachments
### Security Posture Scoring
- Calculate vendor security scores
- Weight scores by control importance
- Compare against industry benchmarks
- Track score trends over time
- Generate risk-adjusted ratings
- Identify score improvement areas
### Assessment Status Tracking
- Track assessment workflow status
- Monitor response deadlines
- Send automated reminders
- Escalate overdue assessments
- Maintain assessment history
- Archive completed assessments
### Risk Report Generation
- Generate executive risk summaries
- Create detailed technical reports
- Produce comparison reports
- Build risk heat maps
- Generate board-level dashboards
- Export data for GRC systems
### Vendor Compliance Monitoring
- Track vendor compliance commitments
- Monitor remediation progress
- Verify evidence of compliance
- Alert on compliance drift
- Schedule periodic reassessments
- Maintain compliance documentation
## Questionnaire Standards
| Standard | Use Case | Questions |
|----------|----------|-----------|
| SIG Lite | Low-risk vendors | ~100 |
| SIG Core | Medium-risk vendors | ~300 |
| SIG Full | High-risk vendors | ~800+ |
| CAIQ | Cloud providers | ~300 |
| VSAQ | General vendors | Variable |
| Custom | Specific needs | Variable |
## Assessment Domains
- Information Security Management
- Access Control
- Data Protection
- Network Security
- Application Security
- Physical Security
- Business Continuity
- Incident Response
- Compliance and Legal
- Third-Party Management
## Integrations
- **OneTrust**: Third-party risk management
- **ProcessUnity**: Vendor risk management
- **SecurityScorecard**: Security ratings
- **BitSight**: Security ratings and benchmarks
- **Prevalent**: Third-party risk intelligence
- **Shared Assessments**: SIG questionnaire tools
## Target Processes
- Third-Party Vendor Security Assessment
- Vendor Onboarding Security Review
- Annual Vendor Reassessment
- Vendor Risk Management
## Input Schema
```json
{
"type": "object",
"properties": {
"operation": {
"type": "string",
"enum": ["generate", "parse", "score", "report", "track"],
"description": "Questionnaire operation type"
},
"vendorInfo": {
"type": "object",
"properties": {
"vendorName": { "type": "string" },
"vendorId": { "type": "string" },
"vendorType": { "type": "string" },
"riskTier": { "type": "string", "enum": ["critical", "high", "medium", "low"] },
"dataAccess": { "type": "array", "items": { "type": "string" } }
}
},
"questionnaireType": {
"type": "string",
"enum": ["SIG-Lite", "SIG-Core", "SIG-Full", "CAIQ", "VSAQ", "custom"],
"description": "Questionnaire standard to use"
},
"customDomains": {
"type": "array",
"items": { "type": "string" },
"description": "Specific domains to assess"
},
"responseFile": {
"type": "string",
"description": "Path to questionnaire response file"
},
"scoringCriteria": {
"type": "object",
"properties": {
"minimumScore": { "type": "number" },
"criticalControls": { "type": "array" },
"weightings": { "type": "object" }
}
},
"deadline": {
"type": "string",
"format": "date",
"description": "Assessment completion deadline"
}
},
"required": ["operation"]
}
```
## Output Schema
```json
{
"type": "object",
"properties": {
"assessmentId": {
"type": "string"
},
"operation": {
"type": "string"
},
"timestamp": {
"type": "string",
"format": "date-time"
},
"vendorInfo": {
"type": "object"
},
"questionnaire": {
"type": "object",
"properties": {
"type": { "type": "string" },
"totalQuestions": { "type": "integer" },
"domains": { "type": "array" },
"filePath": { "type": "string" }
}
},
"responseAnalysis": {
"type": "object",
"properties": {
"questionsAnswered": { "type": "integer" },
"questionsSkipped": { "type": "integer" },
"evidenceProvided": { "type": "integer" },
"concerningResponses": { "type": "array" },
"missingInformation": { "type": "array" }
}
},
"securityScore": {
"type": "object",
"properties": {
"overallScore": { "type": "number" },
"riskRating": { "type": "string", "enum": ["low", "medium", "high", "critical"] },
"domainScores": {
"type": "array",
"items": {
"type": "object",
"properties": {
"domain": { "type": "string" },
"score": { "type": "number" },
"findings": { "type": "array" }
}
}
},
"benchmarkComparison": { "type": "object" },
"scoreHistory": { "type": "array" }
}
},
"riskFindings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"findingId": { "type": "string" },
"domain": { "type": "string" },
"severity": { "type": "string" },
"description": { "type": "string" },
"recommendation": { "type": "string" }
}
}
},
"assessmentStatus": {
"type": "object",
"properties": {
"status": { "type": "string" },
"deadline": { "type": "string" },
"daysRemaining": { "type": "integer" },
"remindersent": { "type": "boolean" }
}
},
"recommendations": {
"type": "array",
"items": { "type": "string" }
},
"reportPath": {
"type": "string"
}
}
}
```
## Usage Example
```javascript
skill: {
name: 'vendor-security-questionnaire',
context: {
operation: 'generate',
vendorInfo: {
vendorName: 'Cloud SaaS Provider',
riskTier: 'high',
dataAccess: ['PII', 'financial']
},
questionnaireType: 'SIG-Core',
deadline: '2024-03-15'
}
}
```Related Skills
web-security
OWASP Top 10, security headers, CSP, XSS prevention, and vulnerability prevention.
security-scanner
Run security scans including SAST, dependency scanning, and secret detection
security-sandbox
Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.
Offensive Security Skill
Offensive security tools and techniques integration
hardware-security
Hardware and embedded security research capabilities. Interface with JTAG debuggers, analyze SPI/I2C communications, dump and analyze firmware, support fault injection, side-channel analysis, and hardware exploitation research.
cloud-security-testing
Multi-cloud security assessment and penetration testing capabilities. Execute Prowler/ScoutSuite assessments, analyze IAM policies, identify cloud misconfigurations, test permissions, and enumerate cloud resources across AWS/GCP/Azure.
Burp Suite/Web Security Skill
Web application security testing with Burp Suite integration
aiml-security
AI/ML model security testing and adversarial research capabilities. Generate adversarial examples, test model robustness, perform model extraction attacks, test for data poisoning, analyze model fairness, and support ART framework integration.
vendor-risk-monitor
Continuous vendor security monitoring for security ratings, breach notifications, and risk change detection
owasp-security-scanner
Automated OWASP Top 10 vulnerability detection and assessment. Run OWASP ZAP automated scans, detect injection vulnerabilities, identify broken authentication patterns, check for sensitive data exposure, analyze security misconfigurations, and generate OWASP-compliant reports.
multi-cloud-security-posture
Unified cloud security posture management across AWS, Azure, and GCP with normalized metrics and CIS benchmark comparison
iac-security-scanner
Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi