Generating Security Audit Reports

Overview

Aggregate vulnerability scan results, configuration analyses, and compliance assessments into a structured, auditor-ready security report. Map every finding to a CVSS severity, applicable compliance control (PCI-DSS, HIPAA, SOC 2, GDPR), and a prioritized remediation timeline.

Prerequisites

  • Vulnerability scanner outputs (Nmap, Nessus, OpenVAS, OWASP ZAP) available in ${CLAUDE_SKILL_DIR}/security/
  • Application and infrastructure configuration files accessible
  • SAST/DAST tool results (e.g., Semgrep, Snyk, Trivy, Bandit)
  • Applicable compliance framework documentation identified (PCI-DSS v4.0, HIPAA Security Rule, SOC 2 TSC, GDPR)
  • Write permissions for report output directory ${CLAUDE_SKILL_DIR}/reports/

Instructions

  1. Inventory all available security data sources by scanning ${CLAUDE_SKILL_DIR}/security/ for scanner outputs, log files, and configuration exports.
  2. Parse vulnerability findings and normalize severity using CVSS 3.1 base scores: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9).
  3. Cross-reference each finding against applicable compliance controls. Map to specific PCI-DSS requirements (e.g., Req 6.5 for injection flaws), HIPAA safeguards, or SOC 2 Common Criteria.
  4. Deduplicate findings across scanners and merge related vulnerabilities into consolidated entries with all affected assets listed.
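
Steps 2 to 4 above, as an added example that is not part of the skill itself: it buckets CVSS 3.1 base scores into the listed severities, attaches compliance controls by CWE, and merges duplicate findings reported by several scanners or on several assets into one entry. The sample findings and `CONTROL_MAP` are constructed for the demonstration; only the PCI-DSS Req 6.5 mapping for injection flaws comes from the text above, and in practice the map must be filled from the framework documentation named under Prerequisites.

```python
# Added example, not the skill's own code: steps 2-4 on parsed scanner findings.
def cvss_severity(score: float) -> str:
    """Step 2: CVSS 3.1 base-score buckets exactly as listed in the instructions."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"  # CVSS 3.1 rates a 0.0 base score as None

# Step 3: control mapping keyed by CWE. Only the PCI-DSS Req 6.5 entry for injection
# comes from the page; everything else is an ASSUMED placeholder to be filled from the
# framework documentation listed under Prerequisites.
CONTROL_MAP = {
    "CWE-89": ["PCI-DSS Req 6.5"],  # SQL injection
    "CWE-79": ["PCI-DSS Req 6.5"],  # cross-site scripting (assumed to fall under 6.5)
}

def dedupe(findings):
    """Step 4: merge findings that describe the same weakness, whether reported
    by several scanners or on several assets. Key is the CVE when present,
    otherwise CWE plus the normalized title."""
    merged = {}
    for f in findings:
        key = f.get("cve") or f"{f['cwe']}:{f['title'].strip().lower()}"
        e = merged.setdefault(key, {"id": key, "title": f["title"], "cwe": f["cwe"],
                                    "cvss": 0.0, "assets": set(), "sources": set()})
        e["cvss"] = max(e["cvss"], f["cvss"])  # keep the worst score any scanner gave
        e["assets"].add(f["asset"])
        e["sources"].add(f["scanner"])
    for e in merged.values():
        e["severity"] = cvss_severity(e["cvss"])
        e["controls"] = CONTROL_MAP.get(e["cwe"], ["UNMAPPED - review manually"])
        e["assets"], e["sources"] = sorted(e["assets"]), sorted(e["sources"])
    # Prioritize for the remediation timeline: worst score first, then most assets.
    return sorted(merged.values(), key=lambda e: (-e["cvss"], -len(e["assets"])))

# Constructed sample findings standing in for parsed Nessus/ZAP/Semgrep/Trivy output.
SAMPLE = [
    {"scanner": "nessus", "asset": "10.0.0.5", "title": "SQL Injection", "cwe": "CWE-89", "cve": None, "cvss": 9.8},
    {"scanner": "zap", "asset": "10.0.0.5", "title": "SQL injection ", "cwe": "CWE-89", "cve": None, "cvss": 8.6},
    {"scanner": "zap", "asset": "10.0.0.6", "title": "SQL Injection", "cwe": "CWE-89", "cve": None, "cvss": 8.6},
    {"scanner": "semgrep", "asset": "app/views.py", "title": "Reflected XSS", "cwe": "CWE-79", "cve": None, "cvss": 6.1},
    {"scanner": "trivy", "asset": "api:1.2", "title": "Outdated openssl", "cwe": "CWE-1104", "cve": "CVE-0000-00000", "cvss": 3.7},  # placeholder CVE id
]
```

Running `dedupe(SAMPLE)` collapses the three SQL injection reports into one Critical entry listing both hosts and both scanners, and flags the unmapped CWE-1104 finding for manual control review.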

Installs: 31
GitHub Stars: 2.2K
First Seen: Feb 1, 2026