Generate comprehensive security audit reports for applications and systems.
Use when you need to assess security posture, identify vulnerabilities, evaluate compliance status, or create formal security documentation.
Trigger with phrases like "create security audit report", "generate security assessment", "audit security posture", or "PCI-DSS compliance report".
Aggregate vulnerability scan results, configuration analyses, and compliance assessments into a structured, auditor-ready security report. Map every finding to a CVSS severity, applicable compliance control (PCI-DSS, HIPAA, SOC 2, GDPR), and a prioritized remediation timeline.
Prerequisites
Vulnerability scanner outputs (Nmap, Nessus, OpenVAS, OWASP ZAP) available in ${CLAUDE_SKILL_DIR}/security/
Application and infrastructure configuration files accessible
Write permissions for report output directory ${CLAUDE_SKILL_DIR}/reports/
Instructions
Inventory all available security data sources by scanning ${CLAUDE_SKILL_DIR}/security/ for scanner outputs, log files, and configuration exports.
Parse vulnerability findings and normalize severity using CVSS 3.1 base scores: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9).
Cross-reference each finding against applicable compliance controls. Map to specific PCI-DSS requirements (e.g., Req 6.5 for injection flaws), HIPAA safeguards, or SOC 2 Common Criteria.
Deduplicate findings across scanners and merge related vulnerabilities into consolidated entries with all affected assets listed.
Classify access control weaknesses, encryption gaps, and authentication deficiencies into separate report sections.
Generate an executive summary including total findings by severity, overall risk score, and top-5 critical remediation priorities.
Build a detailed findings table: finding ID, CWE number, affected component, CVSS score, compliance mapping, remediation steps, and evidence links.
Produce a compliance status matrix showing pass/fail/partial for each applicable standard requirement.
Create remediation recommendations with effort estimates (hours), priority ranking, and suggested timelines.
Format the final report as Markdown to ${CLAUDE_SKILL_DIR}/reports/security-audit-YYYYMMDD.md. Optionally produce JSON for Jira/ServiceNow import.
See ${CLAUDE_SKILL_DIR}/references/implementation.md for the detailed four-phase implementation workflow.
Output
Audit Report: ${CLAUDE_SKILL_DIR}/reports/security-audit-YYYYMMDD.md containing executive summary, detailed findings, compliance matrix, and remediation plan
Findings JSON: Machine-readable findings for ticketing system import
Compliance Matrix: Per-requirement pass/fail/partial status for each applicable framework
Remediation Backlog: Prioritized list with effort estimates and owner assignments
Error Handling
Error
Cause
Solution
No security scan results found
Scanner outputs missing from ${CLAUDE_SKILL_DIR}/security/
Specify alternate data source paths or run preliminary scans with nmap -sV or trivy fs .