compliance-pilot

March 2, 2026

A Claude Code plugin for AWS compliance scanning, remediation, and audit reporting. Covers SOC 2 and HIPAA using Prowler.

Installation

claude plugin install prajapatimehul/compliance-pilot

Or install from a local directory:

claude plugin install /path/to/compliance-pilot

Prerequisites

  • Claude Code (latest)
  • Prowler 5.x (pip install prowler)
  • AWS credentials configured (aws configure or environment variables)

Commands

After installation, four skills are available:

Command                          Description
/compliance-pilot:scan           Run Prowler scan, create structured findings
/compliance-pilot:remediate      Fix findings with evidence capture and human approval
/compliance-pilot:posture        Show compliance posture dashboard
/compliance-pilot:audit-report   Generate audit-ready report grouped by controls

Quick Start

# Scan your AWS account (smart scan: auto-detects active services)
/compliance-pilot:scan

# Scan a specific service
/compliance-pilot:scan s3

# Full scan across all regions and services
/compliance-pilot:scan --full

# View compliance posture
/compliance-pilot:posture

# Fix open findings (asks for approval before each change)
/compliance-pilot:remediate

# Generate audit report
/compliance-pilot:audit-report

How It Works

No application code. Claude Code IS the engine. The plugin provides agents, skills, rules, and hooks:

  1. Scanner agent runs Prowler against your AWS account, auto-discovers active services/regions, filters noise, and creates structured finding files
  2. Remediator agent proposes fixes with risk assessment, captures before/after evidence, requires explicit human approval, and verifies with Prowler re-scan
  3. Auditor agent reads findings and evidence to generate reports grouped by SOC 2 and HIPAA controls

All runtime data (scans, findings, evidence, reports) is stored in .compliance/ in your project directory.

Safety

  • Guardrail hook blocks all destructive AWS operations (delete, terminate, destroy)
  • Mutating operations (create, modify, put) require user confirmation
  • Read-only operations (describe, list, get) pass through automatically
  • Remediator always shows the exact command and waits for explicit approval
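To make the three-tier rule above concrete, here is an added example (hypothetical code, not the plugin's own hooks/ script): a Claude Code PreToolUse hook in Python that sorts `aws` CLI commands into block / confirm / allow using the verbs listed in this section. The hook payload fields (`tool_name`, `tool_input.command`) and the `hookSpecificOutput` decision schema are assumed from Claude Code's hook conventions; any verb the README does not list falls back to "confirm" rather than passing through.

```python
import json
import re
import shlex
import sys

# Verb prefixes from the README's Safety section; verdicts rank allow < confirm < block.
DESTRUCTIVE = ("delete", "terminate", "destroy")
READ_ONLY = ("describe", "list", "get")  # create/modify/put and any unknown verb -> confirm

def aws_operation(argv):
    """Operation name from `aws [global opts] <service> <operation> ...`, or None."""
    positional, skip = [], False
    for tok in argv[1:]:
        if skip:
            skip = False
        elif tok.startswith("--"):
            skip = "=" not in tok  # `--region us-east-1` eats its value; a valueless flag only yields 'confirm'
        else:
            positional.append(tok)
    return positional[1] if len(positional) > 1 else None

def classify(command):
    """Return 'allow', 'confirm' or 'block' for a whole shell line; the strictest segment wins.
    Split on `&&`, `||`, `;`, `|` so a chained aws call is still inspected. Anything not clearly
    read-only (unknown verbs, s3 `rm`/`rb`, bare `aws configure`) is 'confirm': fail closed."""
    verdict = "allow"
    for segment in re.split(r"\|\||&&|[;|]", command):
        try:
            argv = shlex.split(segment)
        except ValueError:  # unbalanced quotes: do not guess, ask a human
            return "confirm"
        if argv and argv[0] == "aws":
            verb = (aws_operation(argv) or "").split("-")[0]
            tier = ("block" if verb.startswith(DESTRUCTIVE)
                    else "allow" if verb.startswith(READ_ONLY) else "confirm")
            verdict = max(verdict, tier, key=("allow", "confirm", "block").index)
    return verdict

def main():
    """PreToolUse entry point: hook payload on stdin, decision JSON on stdout (field names assumed)."""
    payload = json.load(sys.stdin)
    cmd = payload.get("tool_input", {}).get("command", "") if payload.get("tool_name") == "Bash" else ""
    verdict = classify(cmd)
    if verdict != "allow":  # printing nothing lets the tool run
        print(json.dumps({"hookSpecificOutput": {"hookEventName": "PreToolUse",
                          "permissionDecision": "deny" if verdict == "block" else "ask",
                          "permissionDecisionReason": f"aws guardrail verdict: {verdict}"}}))

if __name__ == "__main__":
    main()
```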

Supported Frameworks

Framework   Prowler Flag   Controls Mapped
SOC 2       soc2_aws       CC4, CC5, CC6, CC7, CC8, CC9
HIPAA       hipaa_aws      164.308, 164.310, 164.312

Plugin Structure

compliance-pilot/
  .claude-plugin/plugin.json    # Plugin manifest
  agents/                       # Scanner, remediator, auditor agents
  skills/                       # /scan, /remediate, /posture, /audit-report
  rules/                        # SOC 2 and HIPAA control mappings
  hooks/                        # AWS safety guardrail
  knowledge/                    # Compliance data (controls, requirements, policies)
  .mcp.json                     # AWS API MCP server
  CLAUDE.md                     # Project brain (architecture, schemas, mappings)

Credits

License

MIT