qa-compliance
Compliance test patterns + readiness review: 8 skills (audit-trail-test-author, ccpa-test-patterns, compliance-evidence-generator, gdpr-test-patterns, hipaa-test-patterns, iso27001-test-patterns, pci-dss-scope-checker, soc2-evidence-collector) and 1 agent (compliance-readiness-reviewer). Covers regulated-industry test pattern catalogs.
Install this plugin
/plugin install qa-compliance@testland-qa
Part of role bundle: qa-role-security
qa-compliance
Compliance test patterns + readiness review for regulated industries. Five per-framework reference + workflow skills (GDPR, CCPA/CPRA, SOC 2 Type II, HIPAA, PCI DSS v4.0), an audit-trail-test-author build-an-X for the universal logging requirement, and an adversarial agent that scores test coverage against any framework's criteria.
Covers the regulated-industry gap (healthcare, finance, EU operations, federal contractors).
Components
| Type | Name | Description |
|---|---|---|
| Skill | gdpr-test-patterns | Test patterns by GDPR Article (Art. 7 consent / Art. 15 access / Art. 17 erasure / Art. 20 portability / Art. 33 breach / Art. 44 - 50 transfers / Art. 5 minimization) |
| Skill | ccpa-test-patterns | CCPA + CPRA patterns: GPC opt-out, right-to-know, deletion, sensitive PI limit, right to correct, notice; SPI category catalog |
| Skill | soc2-evidence-collector | Build-an-X for SOC 2 Type II evidence collection per Trust Services Criterion (CC1 - CC9 + A1/C1/PI1/P1 - P9); Vanta/Drata/Secureframe alignment |
| Skill | hipaa-test-patterns | HIPAA Security Rule patterns: §164.308 admin, §164.310 physical, §164.312 technical, §164.502 minimum-necessary; 18-identifier PHI catalog |
| Skill | pci-dss-scope-checker | Build-an-X for PCI DSS v4.0 scope verification: CDE boundary, segmentation, no-SAD-storage, encryption at rest + in transit, access control, scope-reduction strategies |
| Skill | audit-trail-test-author | Build-an-X for compliance-grade audit logs: required-events catalog, structured format, hash-chain or signed-batch tamper-evidence, immutability + retention, PII redaction, cross-system aggregation |
| Agent | compliance-readiness-reviewer | Adversarial readiness reviewer per framework; per-criterion coverage matrix (covered/partial/missing/N/A); refuses "ready" if any required criterion is missing; refuses N/A without justification + approver + re-review date |
| Skill | iso27001-test-patterns | Pure reference: ISO/IEC 27001:2022 Annex A control themes and testable technical controls. |
| Skill | compliance-evidence-generator | Build auditor-facing evidence packages: control-to-test mapping, evidence matrix, chain of custody. |
Install
/plugin marketplace add testland/qa
/plugin install qa-compliance@testland-qa
Skills
audit-trail-test-author
Build-an-X for audit-log tests across compliance frameworks - required-events catalog (auth events / privilege change / data access / admin action / config change / export / impersonation); structured-log-format assertions per OWASP A09:2021; tamper-evident chain (hash-chain + signed-batch patterns) for HIPAA §164.312(b) + PCI Req 10 + SOC 2 CC7.3; immutability + retention per framework; query-replay tests for forensic reconstruction. Use when authoring audit log tests for any compliance framework (HIPAA / PCI / SOC 2 / GDPR / etc.).
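Added example, not part of the plugin: a minimal hash-chained audit log with the tamper-evidence checks such a test would assert (edited field, deleted entry, re-ordered entries). Field names, event names and the genesis convention are assumed.

```python
# Hash-chain tamper-evidence for an audit log (added example; not the plugin's code).
import hashlib
import json
from copy import deepcopy

GENESIS = "0" * 64  # prev_hash of the first entry (assumed convention)


def canonical(entry: dict) -> str:
    """Deterministic serialization so the hash is stable across writers."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def append_event(log: list, event: dict) -> dict:
    """Link a new entry to its predecessor: the hash covers prev_hash and seq."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "prev_hash": prev_hash, **event}
    entry = {**body, "hash": hashlib.sha256(canonical(body).encode()).hexdigest()}
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return None if intact, else the position of the first broken link.
    Catches edited fields (hash mismatch), deletions and re-ordering
    (seq gap or prev_hash no longer matching the previous entry's hash)."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or body.get("prev_hash") != expected_prev:
            return i
        if hashlib.sha256(canonical(body).encode()).hexdigest() != entry["hash"]:
            return i
        expected_prev = entry["hash"]
    return None


def build_sample_log() -> list:
    """Constructed events from the required-events catalog (auth, privilege change, export)."""
    log = []
    append_event(log, {"event": "auth.login", "actor": "alice", "outcome": "success"})
    append_event(log, {"event": "privilege.change", "actor": "admin", "target": "alice", "role": "dba"})
    append_event(log, {"event": "data.export", "actor": "alice", "rows": 1200})
    return log


def tampered_copy(log: list, seq: int, field: str, value) -> list:
    """Simulate an after-the-fact edit of one field; returns a modified deep copy."""
    edited = deepcopy(log)
    edited[seq][field] = value
    return edited
```

A compliance test asserts that the untouched chain verifies and that each tampering scenario reports the exact entry where the chain breaks.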
ccpa-test-patterns
Reference catalog of CCPA + CPRA-aligned test patterns - do-not-sell-or-share opt-out via Global Privacy Control (GPC) signal; data-disclosure category tests per Cal. Civ. Code §1798.110; sensitive personal information (SPI) handling per CPRA §1798.121; deletion-request workflows per §1798.105; CPRA's right to correct (§1798.106) + limit-use (§1798.121). Use when authoring CCPA/CPRA-readiness tests for any product processing California consumer data.
compliance-evidence-generator
Build-an-X workflow that produces auditor-facing evidence packages from automated test results: maps control IDs to test outcomes across any compliance framework (SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, FedRAMP); generates the control-evidence matrix, timestamped evidence bundles (screenshots, log excerpts, CI exports), and chain-of-custody notes per NIST SP 800-72. Distinct from soc2-evidence-collector (SOC2-only raw log harvest) and compliance-readiness-reviewer (coverage gap analysis without artifact production). Use when an audit engagement requires auditor-ready evidence packages built from existing automated test output.
gdpr-test-patterns
Reference catalog of GDPR-aligned test patterns - data-subject-rights workflows (Art. 15 access, Art. 16 rectification, Art. 17 erasure / "right to be forgotten", Art. 18 restriction, Art. 20 portability, Art. 21 objection); consent recording + revocation per Art. 7; data-residency assertions per Art. 44 - 50 international transfers; breach-notification timing tests per Art. 33 (72 hours); data-minimization assertions in fixtures per Art. 5(1)(c). Use when authoring GDPR-readiness tests for any product processing EU personal data.
hipaa-test-patterns
Reference catalog of HIPAA Security Rule-aligned test patterns - administrative safeguards (45 CFR §164.308: workforce training, access management, contingency planning), physical safeguards (§164.310: facility access, workstation security, device disposal), technical safeguards (§164.312: access control, audit logs, integrity, transmission security); PHI handling assertions in fixtures; minimum-necessary tests per §164.502(b); BAA-scope boundary verification. Use when authoring HIPAA-readiness tests for any product handling Protected Health Information.
iso27001-test-patterns
Reference catalog of ISO/IEC 27001:2022 Annex A test patterns - per-control-theme coverage across 93 controls in four themes (organizational A.5, people A.6, physical A.7, technological A.8); testable technical controls with code-level assertions for access control (A.8.2-A.8.5), logging and monitoring (A.8.15-A.8.16), cryptography (A.8.24), and secure development (A.8.25-A.8.31); evidence patterns for Stage 1 and Stage 2 certification audits; Statement of Applicability scoping. Use when authoring ISMS test coverage for an ISO 27001:2022 certification engagement or gap assessment.
pci-dss-scope-checker
Build-an-X for PCI DSS v4.0 scope verification - cardholder data environment (CDE) boundary tests, segmentation tests (PCI Req 1), prohibited-data-storage assertions per Req 3 (no full track data, no CVV/CAV2/CVC2/CID, no PIN/PIN block post-authorization), key-management tests per Req 3.6, encryption-of-transmissions per Req 4. Use when authoring PCI DSS scope-reduction + control tests for any system handling payment-card data.
soc2-evidence-collector
Build-an-X for SOC 2 Type II evidence collection - per-Trust-Services-Criterion test artifacts (Common Criteria CC1.1 - CC9.2; plus Availability A1, Confidentiality C1, Processing Integrity PI1, Privacy P1 - P9 if in scope); auto-collection from CI logs + audit trails + access logs + change-management records; alignment with Vanta / Drata / Secureframe evidence shapes; observation-period sampling. Use when the team is preparing for SOC 2 Type II audit and needs continuous evidence collection automation.