Maps threats and controls to security and compliance frameworks such as OWASP Top 10, SOC2, PCI-DSS, HIPAA and GDPR, and generates compliance reports with coverage percentages and gaps. Use when checking compliance status, mapping to security frameworks, or generating audit documentation.
josemlopez/threat-modeling-toolkit (GitHub)
skills/tm-compliance/SKILL.md
January 22, 2026

Install for Claude Code:

```sh
npx add-skill https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-compliance/SKILL.md -a claude-code --skill tm-compliance
```

Installation paths:
.claude/skills/tm-compliance/

# Compliance Mapping

## Purpose

Map your threat model to compliance frameworks to:

- Calculate compliance coverage percentages
- Identify compliance gaps
- Generate audit-ready documentation
- Track requirements across multiple frameworks

## Usage

```
/tm-compliance [--framework <name>] [--policy <path>] [--gaps-only]
```

**Arguments**:

- `--framework`: Framework(s) to map: owasp, soc2, pci-dss, hipaa, gdpr, custom
- `--policy`: Path to a custom policy document (used with `--framework custom`)
- `--gaps-only`: Only show gaps/non-compliance

## Supported Frameworks

### OWASP Top 10 2021

| ID | Name |
|----|------|
| A01 | Broken Access Control |
| A02 | Cryptographic Failures |
| A03 | Injection |
| A04 | Insecure Design |
| A05 | Security Misconfiguration |
| A06 | Vulnerable and Outdated Components |
| A07 | Identification and Authentication Failures |
| A08 | Software and Data Integrity Failures |
| A09 | Security Logging and Monitoring Failures |
| A10 | Server-Side Request Forgery (SSRF) |

### SOC2 Trust Services Criteria

| Category | Description |
|----------|-------------|
| CC6.1 | Logical access security software, infrastructure and architectures over protected information assets |
| CC6.2 | Registration and authorization of internal and external users before credentials are issued |
| CC6.3 | Access granted, modified and removed by role, with least privilege and segregation of duties |
| CC6.6 | Logical access protections against threats from outside the system boundary |
| CC6.7 | Restriction and protection of information during transmission, movement and removal |
| CC6.8 | Prevention and detection of unauthorized or malicious software |
| CC7.1 | Detection of configuration changes and susceptibility to newly discovered vulnerabilities |
| CC7.2 | Monitoring of system components for anomalies indicative of security events |

### PCI-DSS v4.0

| Requirement | Description |
|-------------|-------------|
| 1 | Install and maintain network security controls |
| 2 | Apply secure configurations to all system components |
| 3 | Protect stored account data |
| 4 | Protect cardholder data with strong cryptography during transmission over open, public networks |
| 5 | Protect all systems and networks from malicious software |
| 6 | Develop and maintain secure systems and software |
| 7 | Restrict access to system components and cardholder data by business need to know |
| 8 | Identify users and authenticate access to system components |
| 9 | Restrict physical access to cardholder data |
| 10 | Log and monitor all access to system components and cardholder data |
| 11 | Test security of systems and networks regularly |
| 12 | Support information security with organizational policies and programs |

## Mapping Process

### For Each Framework Requirement
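To make the coverage-percentage and gap calculation from the Purpose section concrete, here is an added example written for this page; it is not the toolkit's own code, and its data shapes are assumptions: a threat model is a list of threats, each tagged with the (framework, requirement) pairs it relates to and a flag saying whether a control in the model mitigates it, and a requirement counts as covered only when at least one threat maps to it and every mapped threat is mitigated. The requirement IDs are a subset of the tables above; the threats and the soc2 descriptions are constructed for the example.

```python
"""Added example (not the toolkit's code): coverage and gap calculation.

Assumptions, chosen for illustration: a threat model is a list of threats,
each tagged with the (framework, requirement) pairs it relates to and a flag
saying whether a control in the model mitigates it. A requirement is
"covered" only when at least one threat maps to it and every mapped threat is
mitigated; anything else is a gap, with the reason recorded.
"""
from dataclasses import dataclass

# Constructed subset of the requirement IDs from the tables above.
FRAMEWORKS = {
    "owasp": {
        "A01": "Broken Access Control",
        "A02": "Cryptographic Failures",
        "A03": "Injection",
        "A09": "Security Logging and Monitoring Failures",
    },
    "soc2": {
        "CC6.1": "Logical access security",
        "CC6.3": "Role-based access, least privilege",
        "CC6.7": "Protection of data in transmission",
        "CC7.2": "Monitoring for anomalies",
    },
}


@dataclass(frozen=True)
class Threat:
    id: str
    title: str
    maps_to: frozenset  # {(framework, requirement_id), ...}
    mitigated: bool     # True if a control in the threat model addresses it


# Constructed sample threat model; the findings are invented for the example.
THREAT_MODEL = [
    Threat("T1", "IDOR on /orders/{id}",
           frozenset({("owasp", "A01"), ("soc2", "CC6.3")}), mitigated=True),
    Threat("T2", "TLS not enforced on internal API",
           frozenset({("owasp", "A02"), ("soc2", "CC6.7")}), mitigated=False),
    Threat("T3", "SQL injection in search",
           frozenset({("owasp", "A03")}), mitigated=True),
    Threat("T4", "No alerting on failed logins",
           frozenset({("owasp", "A09"), ("soc2", "CC7.2")}), mitigated=False),
]


def map_framework(framework, threats, gaps_only=False):
    """Return {requirement_id: {description, status, note}} for one framework."""
    rows = {}
    for req_id, description in FRAMEWORKS[framework].items():
        mapped = [t for t in threats if (framework, req_id) in t.maps_to]
        unmitigated = [t.id for t in mapped if not t.mitigated]
        if not mapped:
            # Modelling gap: nothing in the threat model speaks to this requirement.
            status, note = "gap", "no threat in the model maps to this requirement"
        elif unmitigated:
            # Control gap: the threat is known but not mitigated.
            status, note = "gap", "unmitigated threats: " + ", ".join(unmitigated)
        else:
            status, note = "covered", "mitigated threats: " + ", ".join(t.id for t in mapped)
        if gaps_only and status != "gap":
            continue
        rows[req_id] = {"description": description, "status": status, "note": note}
    return rows


def coverage_pct(framework, threats):
    """Percentage of the framework's requirements with status 'covered'."""
    rows = map_framework(framework, threats)
    covered = sum(1 for r in rows.values() if r["status"] == "covered")
    return round(100.0 * covered / len(rows), 1) if rows else 0.0


def render(framework, threats, gaps_only=False):
    """Markdown report in the style of the tables on this page."""
    lines = [
        f"## {framework}: {coverage_pct(framework, threats)}% coverage",
        "| Requirement | Description | Status | Note |",
        "|-------------|-------------|--------|------|",
    ]
    for req_id, r in map_framework(framework, threats, gaps_only).items():
        lines.append(f"| {req_id} | {r['description']} | {r['status']} | {r['note']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("owasp", THREAT_MODEL))                 # 50.0% coverage
    print(render("soc2", THREAT_MODEL, gaps_only=True))  # the --gaps-only view
```

Two points worth keeping in any real implementation: a requirement with no mapped threat is a modelling gap, not evidence of compliance, so it must count against coverage rather than be skipped; and "covered" here only means the threat model claims a mitigation, which is input for audit documentation, not a test that the control exists and works.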