Skill Being Reviewed
Skill name: soc2-gap
Skill path: skills/compliance/soc2-gap/
False Positive Analysis
Benign evidence that should not be flagged:
change_id: CHG-2026-0522
type: emergency
production_deployment: true
reason: "patch exploited dependency in public API image"
incident_link: SEC-INC-2026-2214
requester: appsec-oncall
approver: engineering-manager
deployer: platform-release-engineer
verifier: sre-oncall
approval:
  status: retroactive_approved
  retroactive_approval_due: "2026-05-23T10:00:00Z"
  retroactive_approval_completed: "2026-05-22T22:40:00Z"
ci_result: "passed"
smoke_test: "api-healthcheck-run-1942"
rollback_plan: "redeploy previous known-good image and disable the risky feature flag"
abort_criteria: "5xx rate above policy threshold or auth latency regression"
post_implementation_review:
  reviewer: security-engineering-manager
  completed_at: "2026-05-23T15:30:00Z"
Why this is benign: the emergency path is expedited but still traceable. The record has an incident-backed reason, four distinct identities for requester, approver, deployer and verifier, a retroactive approval completed before its policy due time, validation evidence (CI result and smoke test), change-specific rollback and abort criteria, and a completed post-implementation review.
Coverage Gaps
Missed variant 1: emergency change with no rollback or post-implementation review
change_id: CHG-2026-0418
type: emergency
production_deployment: true
reason: "hotfix login failures"
incident_link: INC-2026-8871
requester: api-team-lead
approver: api-team-lead
deployer: api-team-lead
verifier: api-team-lead
approval:
  status: missing
rollback_plan: null
abort_criteria: null
post_implementation_review: null
Why it should be caught: CC8.1 readiness depends on authorization, tested implementation, approval, and controlled deployment evidence. Emergency changes are often sampled by auditors because they are high-risk bypass paths; without rollback and post-review evidence, operating effectiveness is not testable.
Missed variant 2: no segregation of duties in emergency production changes
requester: api-team-lead
approver: api-team-lead
deployer: api-team-lead
verifier: api-team-lead
compensating_review: null
Why it should be caught: the current skill asks whether segregation of duties exists but does not require an emergency-change evidence table that identifies requester, approver, deployer, verifier, and compensating review when those roles collapse.
Edge Cases
- Retroactive emergency approvals may be acceptable only when completed inside the policy-defined SLA.
- Chat-only approvals should not be treated as complete evidence unless they are linked into the formal change record.
- Generic rollback runbooks are weaker than change-specific rollback and abort criteria.
Remediation Quality
Comparison to Other Tools
| Tool | Catches this? | Notes |
|---|---|---|
| Semgrep | No | This is audit-readiness evidence logic, not source-code pattern matching. |
| CodeQL | No | CodeQL cannot validate SOC 2 change records or emergency approvals. |
| Auditor sampling / GRC evidence review | Partial | Auditors usually test this manually; the skill should prompt for the evidence before readiness scoring. |
Overall Assessment
Strengths: soc2-gap already references CC8.1, change management policy, PR approvals, CAB minutes, emergency records, and segregation of duties.
Needs improvement: the skill does not make emergency-change evidence independently testable. A reviewer can mark CC8.1 as partially ready without collecting rollback, abort, approval-SLA, SoD, and post-implementation review evidence for emergency changes during the audit period.
Priority recommendations:
- Add a CC8.1 emergency-change evidence gate with required fields.
- Add finding IDs for missing ticket, reason, approval, SoD, rollback, and post-implementation review evidence.
- Add benign/vulnerable fixtures so reviewers can distinguish a controlled emergency change from a bypass.
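One way to make the recommended evidence gate independently testable, as an added example that is not the soc2-gap skill's own code: a Python checker that runs a CC8.1 emergency-change gate over the benign record and the two missed variants from this review and returns finding IDs instead of a readiness score. The finding IDs (CC8.1-EMG-00x), the approval fields channel and linked_record used for the chat-only edge case, the generic-rollback heuristic, and the filled-in variant 2 fixture are assumptions chosen for this example.

```python
# Added example (not the soc2-gap skill's code): a CC8.1 emergency-change evidence
# gate. Finding IDs, the approval 'channel'/'linked_record' fields and the
# generic-rollback heuristic are assumptions made for this example.
from datetime import datetime

# Required evidence fields and the finding raised when each is absent or null.
REQUIRED_FIELDS = {
    "change_id": "CC8.1-EMG-001",
    "reason": "CC8.1-EMG-002",
    "incident_link": "CC8.1-EMG-003",
    "rollback_plan": "CC8.1-EMG-005",
    "abort_criteria": "CC8.1-EMG-006",
    "post_implementation_review": "CC8.1-EMG-007",
}
ROLES = ("requester", "approver", "deployer", "verifier")
# Phrases that point at a generic runbook instead of change-specific steps.
GENERIC_ROLLBACK = ("see runbook", "standard rollback", "per runbook")


def _ts(value):
    """Parse an ISO-8601 timestamp such as 2026-05-23T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_emergency_change(change):
    """Return [(finding_id, message), ...]; an empty list means the record is
    complete enough for an auditor to sample without further collection."""
    findings = []
    if change.get("type") != "emergency" or not change.get("production_deployment"):
        return findings  # the gate applies only to emergency production changes
    for field, fid in REQUIRED_FIELDS.items():
        if not change.get(field):
            findings.append((fid, f"missing {field}"))
    # Approval: must exist; a retroactive approval must complete inside the
    # policy SLA; a chat-only approval must be linked into the change record.
    approval = change.get("approval") or {}
    status = approval.get("status")
    if status in (None, "missing"):
        findings.append(("CC8.1-EMG-004", "no approval recorded"))
    elif status == "retroactive_approved":
        due = approval.get("retroactive_approval_due")
        done = approval.get("retroactive_approval_completed")
        if not (due and done):
            findings.append(("CC8.1-EMG-004", "retroactive approval lacks due/completed timestamps"))
        elif _ts(done) > _ts(due):
            findings.append(("CC8.1-EMG-004", "retroactive approval completed after the policy SLA"))
    if approval.get("channel") == "chat" and not approval.get("linked_record"):
        findings.append(("CC8.1-EMG-004", "chat-only approval is not linked to the change record"))
    # Segregation of duties: four distinct identities, or a compensating review.
    identities = {change.get(role) for role in ROLES if change.get(role)}
    if len(identities) < len(ROLES) and not change.get("compensating_review"):
        findings.append(("CC8.1-EMG-008", "roles collapse without compensating review"))
    # Rollback quality: a generic runbook pointer is weaker than specific steps.
    plan = (change.get("rollback_plan") or "").lower()
    if plan and (any(g in plan for g in GENERIC_ROLLBACK) or len(plan.split()) < 4):
        findings.append(("CC8.1-EMG-005", "rollback plan is generic rather than change-specific"))
    # Validation evidence: a passing CI result and a named smoke test.
    if change.get("ci_result") != "passed" or not change.get("smoke_test"):
        findings.append(("CC8.1-EMG-009", "no passing CI result or smoke test recorded"))
    return findings


def finding_ids(change):
    return sorted({fid for fid, _ in assess_emergency_change(change)})


# Fixtures: the benign record and missed variant 1 as given in this review;
# variant 2 is constructed from the benign record with only the SoD collapse.
BENIGN = {
    "change_id": "CHG-2026-0522", "type": "emergency", "production_deployment": True,
    "reason": "patch exploited dependency in public API image",
    "incident_link": "SEC-INC-2026-2214",
    "requester": "appsec-oncall", "approver": "engineering-manager",
    "deployer": "platform-release-engineer", "verifier": "sre-oncall",
    "approval": {"status": "retroactive_approved",
                 "retroactive_approval_due": "2026-05-23T10:00:00Z",
                 "retroactive_approval_completed": "2026-05-22T22:40:00Z"},
    "ci_result": "passed", "smoke_test": "api-healthcheck-run-1942",
    "rollback_plan": "redeploy previous known-good image and disable the risky feature flag",
    "abort_criteria": "5xx rate above policy threshold or auth latency regression",
    "post_implementation_review": {"reviewer": "security-engineering-manager",
                                   "completed_at": "2026-05-23T15:30:00Z"},
}
VARIANT_1 = {
    "change_id": "CHG-2026-0418", "type": "emergency", "production_deployment": True,
    "reason": "hotfix login failures", "incident_link": "INC-2026-8871",
    "requester": "api-team-lead", "approver": "api-team-lead",
    "deployer": "api-team-lead", "verifier": "api-team-lead",
    "approval": {"status": "missing"},
    "rollback_plan": None, "abort_criteria": None, "post_implementation_review": None,
}
VARIANT_2 = dict(BENIGN, requester="api-team-lead", approver="api-team-lead",
                 deployer="api-team-lead", verifier="api-team-lead", compensating_review=None)

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("variant 1", VARIANT_1), ("variant 2", VARIANT_2)):
        print(name, finding_ids(rec) or "no findings")
```

The benign record produces no findings, variant 1 produces six (missing approval, rollback, abort criteria, post-implementation review, SoD, and validation evidence), and variant 2 produces only the SoD finding, which is what lets a reviewer tell a controlled emergency change from a bypass without a readiness score hiding the gap. The three edge cases above are covered by the same function: a retroactive approval completed after its due time, a chat approval with no linked record, and a "see runbook" rollback plan each raise their own finding.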
Bounty Info