Skill
security-compliance
"Security and compliance workflow for designing defense-in-depth controls, performing threat modeling and risk assessments, and mapping mitigations to frameworks (SOC2/ISO27001/GDPR/HIPAA). Use when reviewing security posture, shipping sensitive features, preparing compliance evidence, or running a lightweight secrets scan."
Install
One-line setup
Copy and run this in your terminal to install the skill. Re-run to reinstall and update an existing install.
npx codex-skills-registry@latest --skill=security/security-compliance --yes
Security & Compliance
Build real security, not checkbox security.
Quick Start
- Scope the system and data:
  - What data types exist (PII/PHI/payment/secrets)? Where is it stored and transmitted?
  - Trust boundaries (browser ↔ edge ↔ API ↔ DB ↔ 3rd parties)
- Threat model (lightweight): list top 5 abuse cases + mitigations.
- Controls: pick practical controls (authN/authZ, encryption, logging, rate limits, backups, key mgmt).
- Evidence: document decisions and “how we know it works” (configs, screenshots, logs, tests).
Output artifacts (default)
- 5-item threat model table (abuse case → impact → mitigation).
- Control checklist mapped to the system’s trust boundaries.
- Evidence list: concrete proofs (configs, logs, tests) with where to find them.
Optional tool: scan for likely secrets in a repo
python ~/.codex/skills/security-compliance/scripts/secret_scan.py . --json --output /tmp/secrets.json
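A minimal scanner in the spirit of the optional secrets scan above, added here as an example and not the skill's own secret_scan.py: it matches a few well-known credential formats, flags high-entropy values in password/key/token assignments, and returns JSON-ready findings with the matched value truncated. The patterns, threshold and sample input are constructed assumptions, not the skill's rules.

```python
import json
import math
import re
from collections import Counter

# Constructed patterns for a few well-known credential formats (assumptions, not
# the skill's own rule set; a real scanner carries a larger, maintained list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic assignment such as  password = "..."  or  api_key: '...'  (value >= 8 chars)
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, dictionary words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str, path: str = "<input>", entropy_threshold: float = 3.5) -> list:
    """Return findings for one file's contents. Matched values are truncated so the
    report itself does not become another place where credentials leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"file": path, "line": lineno, "rule": name,
                                 "match": m.group(0)[:8] + "..."})
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # A low-entropy value ("changeme") is a weak default, not a leaked secret.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"file": path, "line": lineno,
                                 "rule": "high_entropy_assignment",
                                 "key": m.group(1), "match": value[:8] + "..."})
    return findings

# Constructed sample: one key-shaped value, one random-looking API key, one placeholder.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
db_password = "changeme"
api_key = "k8Qz2pL9vX4mN7rT1wB6yH3sD5fG0jK"
"""

if __name__ == "__main__":
    print(json.dumps(scan_text(SAMPLE, "sample.env"), indent=2))
```

To scan a real checkout, read each file and pass its contents to scan_text with its path; the findings then feed the evidence list above.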
References
- Threat model template: references/threat-model.md
- Control checklist: references/control-checklist.md