proffesor-for-testing/compliance-testing
.claude/skills/compliance-testing/SKILL.md
Regulatory compliance testing for GDPR, CCPA, HIPAA, SOC2, PCI-DSS and industry-specific regulations. Use when ensuring legal compliance, preparing for audits, or handling sensitive data.
$ install --global
skillsauthnpx skillsauth add proffesor-for-testing/agentic-qe compliance-testingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 11, 2026, 8:18 PM324.5s5 files scanned
SKILL.md
- name:
- compliance-testing
- description:
- Regulatory compliance testing for GDPR, CCPA, HIPAA, SOC2, PCI-DSS and industry-specific regulations. Use when ensuring legal compliance, preparing for audits, or handling sensitive data.
- category:
- specialized-testing
- priority:
- high
- tokenEstimate:
- 900
- agents:
- [qe-security-scanner, qe-test-executor, qe-quality-gate]
- implementation_status:
- optimized
- optimization_version:
- 1.0
- last_optimized:
- 2025-12-02
- dependencies:
- []
- quick_reference_card:
- true
- tags:
- [compliance, gdpr, hipaa, pci-dss, ccpa, soc2, privacy, audit]
- trust_tier:
- 3
- schema_path:
- schemas/output.json
- validator_path:
- scripts/validate-config.json
- eval_path:
- evals/compliance-testing.yaml
Compliance Testing
<default_to_action> When validating regulatory compliance:
- IDENTIFY applicable regulations (GDPR, HIPAA, PCI-DSS, etc.)
- MAP requirements to testable controls
- TEST data rights (access, erasure, portability)
- VERIFY encryption and access logging
- GENERATE audit-ready reports with evidence
Quick Compliance Checklist:
- Data subject rights work (access, delete, export)
- PII is encrypted at rest and in transit
- Access to sensitive data is logged
- Consent is tracked with timestamps
- Payment card data not stored (only tokenized)
Critical Success Factors:
- Non-compliance = €20M or 4% revenue (GDPR)
- Audit trail everything
- Test continuously, not just before audits </default_to_action>
Quick Reference Card
When to Use
- Legal compliance requirements
- Before security audits
- Handling PII/PHI/PCI data
- Entering new markets (EU, CA, healthcare)
Major Regulations
| Regulation | Scope | Key Focus | |------------|-------|-----------| | GDPR | EU data | Privacy rights, consent | | CCPA | California | Consumer data rights | | HIPAA | Healthcare | PHI protection | | PCI-DSS | Payments | Card data security | | SOC2 | SaaS | Security controls |
Penalties
| Regulation | Maximum Fine | |------------|--------------| | GDPR | €20M or 4% revenue | | HIPAA | $1.5M per violation | | PCI-DSS | $100k/month | | CCPA | $7,500 per violation |
GDPR Compliance Testing
// Test data subject rights
test('user can request their data', async () => {
const response = await api.post('/data-export', { userId });
expect(response.status).toBe(200);
expect(response.data.downloadUrl).toBeDefined();
const data = await downloadFile(response.data.downloadUrl);
expect(data).toHaveProperty('profile');
expect(data).toHaveProperty('orders');
});
test('user can delete their account', async () => {
await api.delete(`/users/${userId}`);
// All personal data deleted
expect(await db.users.findOne({ id: userId })).toBeNull();
expect(await db.orders.find({ userId })).toHaveLength(0);
// Audit log retained (legal requirement)
expect(await db.auditLogs.find({ userId })).toBeDefined();
});
test('consent is tracked', async () => {
await api.post('/consent', {
userId, type: 'marketing', granted: true,
timestamp: new Date(), ipAddress: '192.168.1.1'
});
const consent = await db.consents.findOne({ userId, type: 'marketing' });
expect(consent.timestamp).toBeDefined();
expect(consent.ipAddress).toBeDefined();
});
HIPAA Compliance Testing
// Test PHI security
test('PHI is encrypted at rest', async () => {
const patient = await db.patients.create({
ssn: '123-45-6789',
medicalHistory: 'Diabetes'
});
const raw = await db.raw('SELECT * FROM patients WHERE id = ?', patient.id);
expect(raw.ssn).not.toBe('123-45-6789'); // Should be encrypted
});
test('access to PHI is logged', async () => {
await api.get('/patients/123', {
headers: { 'User-Id': 'doctor456' }
});
const auditLog = await db.auditLogs.findOne({
resourceType: 'patient',
resourceId: '123',
userId: 'doctor456'
});
expect(auditLog.action).toBe('read');
expect(auditLog.timestamp).toBeDefined();
});
PCI-DSS Compliance Testing
// Test payment card handling
test('credit card numbers not stored', async () => {
await api.post('/payment', {
cardNumber: '4242424242424242',
expiry: '12/25', cvv: '123'
});
const payment = await db.payments.findOne({ /* ... */ });
expect(payment.cardNumber).toBeUndefined();
expect(payment.last4).toBe('4242'); // Only last 4
expect(payment.tokenId).toBeDefined(); // Token from gateway
});
test('CVV never stored', async () => {
const payments = await db.raw('SELECT * FROM payments');
const hasCVV = payments.some(p =>
JSON.stringify(p).toLowerCase().includes('cvv')
);
expect(hasCVV).toBe(false);
});
Agent-Driven Compliance
// Comprehensive compliance validation
await Task("Compliance Validation", {
regulations: ['GDPR', 'PCI-DSS'],
scope: 'full-application',
generateAuditReport: true
}, "qe-security-scanner");
// Returns:
// {
// gdpr: { compliant: true, controls: 12, passed: 12 },
// pciDss: { compliant: false, controls: 8, passed: 7 },
// violations: [{ control: 'card-storage', severity: 'critical' }],
// auditReport: 'compliance-audit-2025-12-02.pdf'
// }
Agent Coordination Hints
Memory Namespace
aqe/compliance-testing/
├── regulations/* - Regulation requirements
├── controls/* - Control test results
├── audit-reports/* - Generated audit reports
└── violations/* - Compliance violations
Fleet Coordination
const complianceFleet = await FleetManager.coordinate({
strategy: 'compliance-validation',
agents: [
'qe-security-scanner', // Scan for vulnerabilities
'qe-test-executor', // Execute compliance tests
'qe-quality-gate' // Block non-compliant releases
],
topology: 'sequential'
});
Related Skills
- security-testing - Security vulnerabilities
- test-data-management - PII handling
- accessibility-testing - Legal requirements
Remember
Compliance is mandatory, not optional. Fines are severe: GDPR up to €20M or 4% of revenue, HIPAA up to $1.5M per violation. But beyond fines, non-compliance damages reputation and user trust.
Audit trail everything. Every access to sensitive data, every consent, every deletion must be logged with timestamps and user IDs.
With Agents: Agents validate compliance requirements continuously, detect violations early, and generate audit-ready reports. Catch compliance issues in development, not in audits.
Gotchas
- Agent checks GDPR consent flow but misses data retention — always verify deletion/anonymization actually works
- Compliance reports with "100% compliant" are suspicious — no real system is fully compliant, verify each claim
- Agent may test US regulations only — explicitly specify jurisdiction (EU, CA, etc.) for correct requirements
- PII in test data is itself a compliance violation — never use production PII, use synthetic generators
- Audit trail gaps are invisible until audit time — verify logging exists for EVERY data access, not just writes
Related Skills
proffesor-for-testing/qe-xp-practices
development
VerifiedTrustedCommunity
Apply XP practices including pair programming, ensemble programming, continuous integration, and sustainable pace. Use when implementing agile development practices, improving team collaboration, or adopting technical excellence practices.
304SKILL.mdUpdated Apr 11, 2026
proffesor-for-testing/qe-wms-testing-patterns
development
VerifiedTrustedCommunity
Warehouse Management System testing patterns for inventory operations, pick/pack/ship workflows, wave management, EDI X12/EDIFACT compliance, RF/barcode scanning, and WMS-ERP integration. Use when testing WMS platforms (Blue Yonder, Manhattan, SAP EWM).
304SKILL.mdUpdated Apr 11, 2026
proffesor-for-testing/qe-visual-testing-advanced
testing
VerifiedTrustedCommunity
Advanced visual regression testing with pixel-perfect comparison, AI-powered diff analysis, responsive design validation, and cross-browser visual consistency. Use when detecting UI regressions, validating designs, or ensuring visual consistency.
304SKILL.mdUpdated Apr 11, 2026
proffesor-for-testing/qe-verification-quality
development
VerifiedTrustedCommunity
Comprehensive truth scoring, code quality verification, and automatic rollback system with 0.95 accuracy threshold for ensuring high-quality agent outputs and codebase reliability.
304SKILL.mdUpdated Apr 11, 2026