iso27001-sdlc
ISO 27001:2022 Software Development Compliance Scanner
Scans a repository and produces a compliance gap report against the ISO 27001:2022 Annex A software development controls (8.4, 8.25–8.33).
Before you start
Read references/controls.md first: it contains the per-control scoring rules, example fix suggestions, and the mapping from evidence to status.

For the 8.28 (Secure Coding) checks, also read references/secure-coding-patterns.md, which contains the per-language/framework lookup tables for libraries, config locations, and unsafe code patterns.
Architecture: two-phase scan → score
The skill separates evidence collection (deterministic) from compliance scoring (judgment-based). Evidence about a file is gathered once and shared by every control, which avoids the inconsistency that arises when the same file is assessed differently for different controls.
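The following Python sketch is an added illustration of the two-phase split, not the skill's own scanner. It runs against a constructed in-memory repository (a path-to-content dict) so it works offline; the three controls it scores, the evidence keys, and the pass/partial/gap rules are assumptions chosen for the example, not the rules from references/controls.md. The point it shows is that phase 1 produces plain facts once, and phase 2 only ever reads those facts.

```python
"""Two-phase scan -> score skeleton (added example, not the skill's code).

Phase 1 derives deterministic facts from the repository tree.
Phase 2 maps those facts to a status per control, never re-reading files.
Control numbers are ISO 27001:2022 Annex A identifiers; the rule set below
is an assumption for illustration, not the skill's scoring rules.
"""
import re

# Constructed sample repository: path -> file content.
SAMPLE_REPO = {
    ".github/CODEOWNERS": "* @appsec-team\n",
    ".github/workflows/ci.yml": (
        "jobs:\n  test:\n    steps:\n"
        "      - run: pytest\n      - run: bandit -r src\n"
    ),
    "src/app.py": "import subprocess\nsubprocess.run(cmd, shell=True)\n",
}


def collect_evidence(repo):
    """Phase 1: every fact is a boolean or count computed mechanically
    from the tree, so each file is observed exactly once."""
    paths = set(repo)
    workflows = [c for p, c in repo.items() if p.startswith(".github/workflows/")]
    py_files = [c for p, c in repo.items() if p.endswith(".py")]
    return {
        "has_codeowners": ".github/CODEOWNERS" in paths,
        "has_ci": bool(workflows),
        # Assumed heuristic: a SAST tool name in a workflow counts as SAST in CI.
        "ci_runs_sast": any("bandit" in c or "semgrep" in c for c in workflows),
        # Count of shell=True subprocess calls (an unsafe-pattern example).
        "shell_true_calls": sum(
            len(re.findall(r"shell\s*=\s*True", c)) for c in py_files
        ),
    }


# Phase 2 rule table (assumed): control -> (name, list of evidence checks).
CONTROL_RULES = {
    "8.4": ("Access to source code", [
        lambda e: e["has_codeowners"],
    ]),
    "8.28": ("Secure coding", [
        lambda e: e["shell_true_calls"] == 0,
        lambda e: e["ci_runs_sast"],
    ]),
    "8.29": ("Security testing in development and acceptance", [
        lambda e: e["has_ci"],
        lambda e: e["ci_runs_sast"],
    ]),
}


def score(evidence):
    """Phase 2: status is a pure function of the evidence dict."""
    report = {}
    for control, (name, checks) in CONTROL_RULES.items():
        passed = sum(1 for check in checks if check(evidence))
        if passed == len(checks):
            status = "COMPLIANT"
        elif passed:
            status = "PARTIAL"
        else:
            status = "GAP"
        report[control] = {
            "name": name, "status": status,
            "passed": passed, "total": len(checks),
        }
    return report


def scan(repo):
    """Run both phases and return the per-control gap report."""
    return score(collect_evidence(repo))


if __name__ == "__main__":
    for control, row in scan(SAMPLE_REPO).items():
        print(f"{control:5} {row['status']:9} {row['passed']}/{row['total']}  {row['name']}")
```

Because `score()` takes only the evidence dict, the same observation (here, the single `shell=True` call) feeds both 8.28 and any other control that cares about it, and a reviewer can diff two scans by diffing their evidence dicts before looking at the judgments.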
Related skills