SOC 2 audit prep costs 20K/year, so I wrote an Agent skill to automate most of it. It goes beyond policy generation from templates by leveraging its ability to access your codebase:
- asks contextual questions about your company and specifics about each policy
- scans your source code
- uses aws, azure-cli, gcp to check your cloud infra
- writes shell scripts to fetch configs from your SaaS: Okta, Datadog, PagerDuty, Jira etc.
As a result you get:
- A set of policy documentation tailored to your company
- All evidence is automatically versioned with your repo
- Automatic evidence collection through GitHub Workflow Actions
- Leverage Claude Code to add new integration scripts easily
- No secrets leave your environment
This is targeted at small companies and startups who'd rather spend an afternoon with an agent than $20K/year on a compliance platform. It doesn't replace the auditor and various aspects of compliance platforms, but handles a good chunk of the grunt work for free.
Some design choices I made:
- Each evidence collection script is a readable shell script you can run locally: make it easy to unit test each script rather than relying on runtime agents.
- Organize frameworks & integrations so it's easy to add new ones.
- Progressive disclosure: only load context when needed.
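One way to write an evidence-collection script along those lines, as an added illustration that is not code from the compliance-automation repo: it takes a cloud config export as plain text, evaluates the control with nothing but POSIX tools (no jq, no network), and writes a checksum-stamped evidence file that can be committed next to the code so git history becomes the evidence trail. A constructed sample of an IAM password-policy export is embedded so the script runs offline; in real use that string would come from the CLI (for example `aws iam get-account-password-policy`) and never leave the runner. The function names, the control id `iam-password-policy`, the field names and the thresholds are assumptions for the example.

```shell
#!/bin/sh
# Evidence-collection script pattern (added example, not the repo's own code).
# Every step is a plain function so each one can be unit tested locally.
set -eu

# Constructed sample export (assumed shape of an IAM password-policy document).
# In real use: SAMPLE_POLICY=$(aws iam get-account-password-policy) or similar.
SAMPLE_POLICY='{"MinimumPasswordLength": 14, "RequireSymbols": true, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}'

# json_field JSON KEY: extract one scalar from flat JSON using sed only,
# so the script has no dependency on jq being installed on the runner.
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\": *\([^,}]*\).*/\1/p" | tr -d ' "'
}

# evaluate_password_policy JSON: prints PASS or FAIL.
# Thresholds (14 chars, symbols required, rotation <= 90 days) are assumptions;
# set them to whatever your own policy document commits to.
evaluate_password_policy() {
  policy="$1"
  min_len=$(json_field "$policy" MinimumPasswordLength)
  symbols=$(json_field "$policy" RequireSymbols)
  max_age=$(json_field "$policy" MaxPasswordAge)
  if [ "${min_len:-0}" -ge 14 ] && [ "$symbols" = "true" ] && [ "${max_age:-999}" -le 90 ]; then
    echo PASS
  else
    echo FAIL
  fi
}

# write_evidence OUT_DIR CONTROL_ID JSON: stores the raw export, its checksum,
# a UTC timestamp and the verdict in a file meant to be committed to the repo.
# Prints the path of the file it wrote.
write_evidence() {
  out_dir="$1"; control="$2"; policy="$3"
  mkdir -p "$out_dir"
  verdict=$(evaluate_password_policy "$policy")
  # cksum is POSIX; it fingerprints the raw export so a reviewer can tell
  # whether the underlying config changed between two commits.
  checksum=$(printf '%s' "$policy" | cksum | cut -d' ' -f1)
  file="$out_dir/$control.txt"
  {
    echo "control: $control"
    echo "collected_at: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "source_checksum: $checksum"
    echo "verdict: $verdict"
    echo "raw: $policy"
  } > "$file"
  echo "$file"
}

# Usage: sh collect_password_policy.sh ./evidence
# With no argument the script only defines its functions, which is what a
# unit test wants when it sources the file.
if [ "$#" -gt 0 ]; then
  write_evidence "$1" iam-password-policy "$SAMPLE_POLICY"
fi
```

The same shape scales to other integrations: swap the sample export for the output of the relevant CLI or API call, keep the evaluate function pure (string in, verdict out) so it is testable without credentials, and let the GitHub Actions workflow commit the generated evidence files on a schedule.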
Repo: https://github.com/screenata/compliance-automation
Demo Video: https://www.youtube.com/shorts/EevpE6bKwhA
I'd love your feedback on:
- If you've been through SOC 2, what controls were hardest to evidence?
- PRs with new frameworks, evidence collection scripts with your SaaS tools
- What would you like to see next