Compliance Mapping

This skill should be used when the user asks about "compliance mapping", "PCI-DSS", "HIPAA", "SOC 2", "NIST CSF", "regulatory requirements", "compliance report", or needs to map security findings to compliance framework requirements.

14 stars

Best use case

Compliance Mapping is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

This skill should be used when the user asks about "compliance mapping", "PCI-DSS", "HIPAA", "SOC 2", "NIST CSF", "regulatory requirements", "compliance report", or needs to map security findings to compliance framework requirements.

Teams using Compliance Mapping should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/compliance-mapping/SKILL.md --create-dirs "https://raw.githubusercontent.com/allsmog/vuln-scout/main/vuln-scout/skills/compliance-mapping/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/compliance-mapping/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Compliance Mapping Compares

Feature / AgentCompliance MappingStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

This skill should be used when the user asks about "compliance mapping", "PCI-DSS", "HIPAA", "SOC 2", "NIST CSF", "regulatory requirements", "compliance report", or needs to map security findings to compliance framework requirements.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Compliance Framework Mapping

## Purpose

Map VulnScout security findings to compliance framework requirements. This enables security teams to understand the regulatory impact of discovered vulnerabilities and prioritize remediation based on compliance obligations.

## Supported Frameworks

### PCI-DSS v4.0

Payment Card Industry Data Security Standard for organizations handling cardholder data.

| Requirement | Description | VulnScout Finding Types |
|-------------|-------------|------------------------|
| 6.2.1 | Secure development practices | All code-level findings |
| 6.2.2 | Software security training | Recurring pattern findings |
| 6.2.3 | Code review before release | Unverified findings in diff |
| 6.2.4 | Prevent common vulnerabilities | sql-injection, xss, command-injection, path-traversal |
| 6.3.1 | Identify vulnerabilities via scanning | All findings from /scan |
| 6.3.2 | Maintain inventory of custom software | Framework detection results |
| 6.4.1 | Public-facing web app protection | ssrf, xss, csrf, open-redirect |
| 6.4.2 | Automated technical solution for web attacks | WAF findings, missing CSP |
| 6.5.1-6.5.6 | Address common coding vulnerabilities | Injection, auth bypass, XSS, access control |

### HIPAA Security Rule (45 CFR 164.312)

Health Insurance Portability and Accountability Act technical safeguards.

| Section | Description | VulnScout Finding Types |
|---------|-------------|------------------------|
| 164.312(a)(1) | Access Control | access-control, idor, business-logic |
| 164.312(a)(2)(i) | Unique User Identification | auth-bypass, session fixation |
| 164.312(a)(2)(iii) | Automatic Logoff | session management findings |
| 164.312(a)(2)(iv) | Encryption at Rest | cryptographic-failures, hardcoded-secret |
| 164.312(b) | Audit Controls | logging-failures |
| 164.312(c)(1) | Integrity Controls | sql-injection, deserialization, ssti |
| 164.312(c)(2) | Authentication of ePHI | auth-bypass, hardcoded-secret |
| 164.312(d) | Person/Entity Authentication | auth-bypass, insecure-randomness |
| 164.312(e)(1) | Transmission Security | cryptographic-failures, ssrf |
| 164.312(e)(2)(i) | Integrity Controls (transmission) | ssti, xss, command-injection |
| 164.312(e)(2)(ii) | Encryption in Transit | cryptographic-failures |

### SOC 2 Trust Services Criteria

Service Organization Control 2 for SaaS and cloud service providers.

| Criteria | Description | VulnScout Finding Types |
|----------|-------------|------------------------|
| CC6.1 | Logical and Physical Access | access-control, idor, auth-bypass |
| CC6.2 | Credential Management | hardcoded-secret, insecure-randomness |
| CC6.3 | Access Roles and Responsibilities | access-control, business-logic |
| CC6.6 | System Boundary Protection | ssrf, open-redirect, cors-misconfig |
| CC6.7 | Data Flow Restrictions | path-traversal, xxe, deserialization |
| CC6.8 | Malicious Software Prevention | command-injection, code-injection, ssti |
| CC7.1 | System Monitoring | logging-failures, exception-handling |
| CC7.2 | Anomaly Detection | insecure-randomness, race-condition |
| CC7.3 | Security Event Evaluation | logging-failures |
| CC7.4 | Incident Response | All critical/high findings |
| CC8.1 | Change Management | Findings in diff (--since-commit) |

### NIST Cybersecurity Framework (CSF) 2.0

| Function | Category | VulnScout Finding Types |
|----------|----------|------------------------|
| **Identify** | ID.AM - Asset Management | Framework detection, scope results |
| **Identify** | ID.RA - Risk Assessment | Threat model, STRIDE analysis |
| **Protect** | PR.AC - Access Control | access-control, idor, auth-bypass |
| **Protect** | PR.DS - Data Security | sql-injection, path-traversal, cryptographic-failures |
| **Protect** | PR.IP - Protective Processes | All remediated findings |
| **Protect** | PR.MA - Maintenance | Diff-aware scan results |
| **Detect** | DE.AE - Anomalies and Events | logging-failures, exception-handling |
| **Detect** | DE.CM - Continuous Monitoring | /scan --since-commit results |
| **Respond** | RS.AN - Analysis | Verified findings with evidence |
| **Recover** | RC.IM - Improvements | Patch advisor recommendations |

## Finding Type to Compliance Mapping

| Finding Type | PCI-DSS | HIPAA | SOC 2 | NIST CSF |
|-------------|---------|-------|-------|----------|
| sql-injection | 6.2.4, 6.5.1 | 164.312(c)(1) | CC6.8 | PR.DS |
| xss | 6.2.4, 6.4.1 | 164.312(e)(2)(i) | CC6.8 | PR.DS |
| command-injection | 6.2.4 | 164.312(e)(2)(i) | CC6.8 | PR.DS |
| path-traversal | 6.2.4 | 164.312(a)(1) | CC6.7 | PR.DS |
| ssrf | 6.4.1 | 164.312(e)(1) | CC6.6 | PR.DS |
| deserialization | 6.2.4 | 164.312(c)(1) | CC6.7 | PR.DS |
| ssti | 6.2.4 | 164.312(c)(1) | CC6.8 | PR.DS |
| xxe | 6.2.4 | 164.312(c)(1) | CC6.7 | PR.DS |
| access-control | 6.5.4 | 164.312(a)(1) | CC6.1 | PR.AC |
| auth-bypass | 6.5.3 | 164.312(d) | CC6.1 | PR.AC |
| hardcoded-secret | 6.2.4 | 164.312(a)(2)(iv) | CC6.2 | PR.AC |
| cryptographic-failures | 6.2.4 | 164.312(e)(2)(ii) | CC6.2 | PR.DS |
| logging-failures | 6.2.4 | 164.312(b) | CC7.1 | DE.AE |
| insecure-randomness | 6.2.4 | 164.312(d) | CC7.2 | PR.DS |
| idor | 6.5.4 | 164.312(a)(1) | CC6.1 | PR.AC |
| ldap-injection | 6.2.4, 6.5.1 | 164.312(c)(1) | CC6.8 | PR.DS |

## Report Integration

When generating a compliance-aware report, use the `--compliance` flag:

```
/vuln-scout:report --compliance pci-dss,hipaa,soc2
```

This appends a Compliance Impact section to the report:

```markdown
## Compliance Impact

### PCI-DSS v4.0
| Requirement | Status | Findings |
|-------------|--------|----------|
| 6.2.4 | FAIL | 3 injection findings |
| 6.4.1 | PASS | No public-facing web app findings |

### HIPAA 164.312
| Section | Status | Findings |
|---------|--------|----------|
| 164.312(a)(1) | FAIL | 2 access control findings |
| 164.312(c)(1) | FAIL | 1 SQL injection finding |
```

## Methodology

### Step 1: Determine Applicable Frameworks
Ask the user which compliance frameworks apply to their organization.

### Step 2: Run Standard Audit
```
/vuln-scout:full-audit .
```

### Step 3: Map Findings to Requirements
Use the mapping table above to categorize each finding by its compliance impact.

### Step 4: Prioritize by Compliance Risk
Findings that affect multiple frameworks should be prioritized higher.

### Step 5: Generate Compliance Report
Include both the technical finding details and the compliance requirement references.

## Integration with Other Skills

- Use **business-logic** for access control requirement mapping (PCI-DSS 6.5.4, HIPAA 164.312(a))
- Use **cryptographic-failures** for encryption requirements (HIPAA 164.312(e), PCI-DSS 6.2.4)
- Use **logging-failures** for audit control requirements (HIPAA 164.312(b), SOC 2 CC7.1)
- Use **security-misconfiguration** for baseline hardening requirements

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.