
# Compliance Skills

Compliance skills are rich guidance documents that sit alongside each standards pack. Where rules tell sentrik what to flag, skills tell AI agents how to write compliant code in the first place — before any violation occurs.

## What skills provide

Each skill is a Markdown file with structured sections:

| Section | Content |
|---------|---------|
| Purpose | Why this standard exists and what problem it solves |
| When to Apply | Conditions that trigger the skill (ASIL level, jurisdiction, file type) |
| Requirements | Numbered, code-enforceable obligations from the standard |
| Patterns | Correct code examples with inline rationale |
| Anti-Patterns | Code to avoid, with explanation of why each is wrong |
| Verification Checklist | Pre-ship checklist aligned to the standard |
| References | Canonical standard citations |

## Where skills appear

Skills are injected automatically in four places:

### AI agent context (MCP + check-inline)

When an AI agent calls `get_compliance_context` or `sentrik check-inline --context <file>`, the response includes a `skills` array alongside the applicable rules. Each skill entry contains the requirements, patterns, and anti-patterns for the agent to reference while generating or reviewing code.

```json
{
  "file": "src/auth/login.py",
  "frameworks": ["HIPAA", "OWASP Top 10"],
  "rules": [...],
  "skills": [
    {
      "skill_id": "HIPAA-PHI-PROTECTION",
      "pack": "hipaa",
      "guidance": "### Skill: HIPAA-PHI-PROTECTION\n\n**Requirements:**\n1. ..."
    }
  ]
}
```

The AI sees the requirements and correct code patterns before writing code — not just after a violation is flagged.

### Threat modeling and design review

When you run `sentrik threat-model` or `sentrik review-design`, sentrik injects applicable skills into the LLM prompt as a "COMPLIANCE SKILLS" block. The model reasons about threats and design decisions in the context of the standards that apply to the files being analyzed.

```bash
sentrik threat-model --git-range HEAD~3..HEAD
# Skills for Python, HIPAA, and OWASP are injected automatically
# based on the file extensions and enabled packs in the diff
```

### Dashboard finding detail

When you expand a finding in the sentrik dashboard, the detail panel fetches and displays the skill for that rule — including the numbered requirements and the verification checklist. This gives you the standard's context alongside the specific violation.

### VS Code hover

Hovering over a finding underline in VS Code shows the skill guidance for that rule. The extension calls `sentrik check-inline --context <file>` once per rule (the result is cached) and displays the skill in the editor hover popup.

## Built-in skills

All 22 standards packs ship with hand-authored skills covering their full rule sets. Skills are loaded from each pack's `skills/` directory at runtime via `importlib.resources` and cached for the process lifetime.

| Pack | Skills |
|------|--------|
| OWASP Top 10 | 10 (one per category, A01–A10) |
| Python Security | 7 |
| Go Security | 6 |
| Supply Chain Security | 4 |
| SOC2 | 4 |
| FDA IEC 62304 | 4 |
| HIPAA | 3 |
| PCI DSS | 3 |
| ISO 27001 | 2 |
| GDPR | 2 |
| NIST 800-53 | 2 |
| CMMC 2.0 | 2 |
| NIST AI RMF | 2 |
| EU AI Act | 1 |
| PHP Security | 2 |
| Kotlin Security | 2 |
| IEC 81001-5-1 | 1 |
| 21 CFR Part 11 | 1 |
| ISO 14971 | 1 |
| MISRA C/C++ | 1 |
| DO-178C | 1 |
| ISO 26262 | 1 |

## Custom pack skills

Custom packs (`.sentrik/rules/`) are supported in two ways.

### Hand-authored skills

Place skill Markdown files in `.sentrik/rules/<pack-name>/skills/`:

```text
.sentrik/rules/
  my-api-rules/
    pack.yaml
    skills/
      api-security.md
      rate-limiting.md
```

Sentrik loads these exactly like built-in skills. They appear in AI context, the dashboard, and VS Code hover.

### Auto-synthesized skills (zero work)

If no `skills/` directory exists, sentrik generates a minimal skill at runtime from the pack YAML's rule definitions. The synthesized skill includes:

- `requirements` — assembled from each rule's `description` field
- `guidance` — assembled from each rule's `remediation_guidance` field
- `languages` — inferred from `file_glob` patterns
- `severity_floor` — the highest severity found across all rules

This means a custom pack with well-written rule descriptions and remediation guidance gets useful skill content in AI context automatically, with no additional authoring.
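As an added illustration, not sentrik's own code, the following Python re-creates the synthesis step on a constructed pack: `synthesize_skill` takes a pack already parsed from `pack.yaml` into a dict and derives the four fields listed above. The severity ranking, the extension-to-language table, the handling of `file_glob` as either a string or a list, and the `-SYNTHESIZED` skill ID suffix are assumptions; the page only states which rule fields feed which skill fields.

```python
"""Illustrative re-creation (not sentrik's code) of synthesizing a minimal
skill from a pack's rule definitions when the pack has no skills/ directory.
The pack is assumed to be already parsed from pack.yaml into a dict; the rule
field names (id, severity, file_glob, description, remediation_guidance)
follow the page, everything else here is an assumption."""
import os

# Assumed severity ranking; severity_floor is the highest severity present.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Assumed extension-to-language table used to infer languages from globs.
EXT_TO_LANG = {".py": "python", ".go": "go", ".php": "php", ".kt": "kotlin",
               ".c": "c", ".h": "c", ".cpp": "cpp", ".sql": "sql"}


def languages_from_globs(globs):
    """Infer languages from file_glob patterns such as 'src/**/*.py'.
    A glob with no (or an unknown) extension matches any file type, so the
    skill falls back to ['all'] rather than silently narrowing its scope."""
    langs = set()
    for pattern in globs:
        ext = os.path.splitext(pattern)[1].lower()
        if ext not in EXT_TO_LANG:
            return ["all"]
        langs.add(EXT_TO_LANG[ext])
    return sorted(langs) or ["all"]


def synthesize_skill(pack):
    """Build the minimal skill dict: requirements from descriptions, guidance
    from remediation_guidance, languages from globs, and severity_floor as
    the highest severity found across the rules."""
    rules = pack["rules"]
    requirements = "\n".join(
        f"{i}. {rule['description'].strip()}" for i, rule in enumerate(rules, 1))
    # Rules without remediation_guidance contribute nothing to the guidance.
    guidance = "\n".join(
        f"- {rule['id']}: {rule['remediation_guidance'].strip()}"
        for rule in rules if rule.get("remediation_guidance"))
    globs = []
    for rule in rules:
        glob = rule.get("file_glob") or []
        globs.extend([glob] if isinstance(glob, str) else glob)
    floor = max((rule["severity"] for rule in rules),
                key=lambda sev: SEVERITY_RANK[sev])
    return {
        "skill_id": f"{pack['id'].upper()}-SYNTHESIZED",  # assumed naming
        "pack": pack["id"],
        "rules": [rule["id"] for rule in rules],
        "requirements": requirements,
        "guidance": guidance,
        "languages": languages_from_globs(globs),
        "severity_floor": floor,
        "patterns": "",        # synthesized skills carry no code examples
        "anti_patterns": "",
    }


# Constructed sample pack, standing in for a parsed
# .sentrik/rules/my-api-rules/pack.yaml (not a real pack).
SAMPLE_PACK = {
    "id": "my-api-rules",
    "rules": [
        {"id": "MYAPI-001", "severity": "high", "file_glob": "src/**/*.py",
         "description": "Validate all request parameters at the API boundary.",
         "remediation_guidance": "Parse input into a schema model and reject out-of-range values."},
        {"id": "MYAPI-002", "severity": "critical",
         "file_glob": ["src/**/*.py", "migrations/**/*.sql"],
         "description": "Database queries must use parameterized statements.",
         "remediation_guidance": "Bind values as parameters; never build SQL with string formatting."},
        {"id": "MYAPI-003", "severity": "medium", "file_glob": "src/**/*.py",
         "description": "Error responses must not leak stack traces or SQL text."},
    ],
}

if __name__ == "__main__":
    skill = synthesize_skill(SAMPLE_PACK)
    print(skill["severity_floor"], skill["languages"])
    print(skill["requirements"])
```

Running it on the sample pack yields `critical` as the floor (the highest severity across the three rules), `['python', 'sql']` as the inferred languages, three numbered requirements, and guidance for only the two rules that carry `remediation_guidance`, which is why a pack whose rules lack that field gets a thinner skill.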

### Improving synthesized skills

Synthesized skills have no code examples or anti-patterns. Add a `skills/` directory with hand-authored `.md` files to get the full benefit — patterns, anti-patterns, and a verification checklist.

## Writing a skill file

Skill files use YAML frontmatter followed by Markdown sections.

### Frontmatter

```yaml
---
skill_id: MYPACK-API-SECURITY          # unique ID
version: 1.0.0
last_updated: 2026-05-11
pack: my-api-rules                     # pack ID it belongs to
rules:                                 # rule IDs this skill covers
  - MYAPI-001
  - MYAPI-002
  - MYAPI-003
languages: [python]                    # or [all] to match any file
applies_to: [all]                      # or specific safety classes
jurisdiction: [internal]               # or [FDA, EU MDR, ...] for regulated packs
severity_floor: high                   # minimum severity of covered rules
---
```

### Sections

````markdown
## Purpose
Why this skill exists and what it protects against.

## When to Apply
- Condition 1
- Condition 2

## Requirements
1. First requirement — enforceable in code.
2. Second requirement.

## Patterns

```python
# Correct: explicit input validation before use
def create_user(data: UserCreate) -> User:
    if not (1 <= len(data.username) <= 50):
        raise ValueError("username out of range")
    ...
```

## Anti-Patterns

```python
# WRONG: no validation — direct trust of user input
def create_user(username, email):
    db.execute(f"INSERT INTO users VALUES ('{username}', '{email}')")
```

## Verification Checklist
- [ ] All inputs validated at API boundary
- [ ] SQL queries use parameterized statements
- [ ] Errors do not leak internal details

## References
- OWASP Input Validation Cheat Sheet
- CWE-89: SQL Injection
````
### Section name mapping

The loader recognises these section headings (case-insensitive):

| Markdown heading | Skill field |
|-----------------|-------------|
| `## Purpose` | `purpose` |
| `## When to Apply` | `when_to_apply` |
| `## Requirements` | `requirements` |
| `## Patterns` | `patterns` |
| `## Anti-Patterns` | `anti_patterns` |
| `## Verification Checklist` | `verification_checklist` |
| `## Traceability` | `traceability` |
| `## References` | `references` |
    
## Skill filtering

Skills are filtered by two dimensions before being returned:

**Enabled packs** — only skills from packs listed in `standards_packs` in your config are loaded. A skill for the MISRA C pack will not appear unless `misra-c` is enabled.

**Language** — skills with `languages: [python]` only appear for `.py` files. Skills with `languages: [all]` appear for every file type.
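To make the frontmatter format, the section name mapping and the two filters concrete, here is an added Python example (illustrative, not sentrik's loader): it parses the small YAML subset the frontmatter uses without a YAML library, maps `## ` headings to skill fields case-insensitively, and applies the enabled-pack and language filters to a file path. The extension-to-language table and the sample skill file are constructed for the example; the page itself only shows that `.py` maps to `python`.

```python
"""Illustrative loader (not sentrik's own code) for the skill file format on
this page: YAML frontmatter, Markdown sections mapped to skill fields by
heading, then filtering by enabled pack and file language."""
import os
import re

# Heading -> field mapping from the page's table, matched case-insensitively.
SECTION_FIELDS = {
    "purpose": "purpose",
    "when to apply": "when_to_apply",
    "requirements": "requirements",
    "patterns": "patterns",
    "anti-patterns": "anti_patterns",
    "verification checklist": "verification_checklist",
    "traceability": "traceability",
    "references": "references",
}

# Assumed extension-to-language table; the page only shows .py -> python.
EXT_TO_LANG = {".py": "python", ".go": "go", ".php": "php", ".kt": "kotlin", ".c": "c"}


def parse_frontmatter(block):
    """Parse the frontmatter subset the page uses: 'key: scalar',
    'key: [a, b]' flow lists and 'key:' followed by '- item' block lists.
    Trailing '# comments' are dropped before parsing."""
    meta, current_list = {}, None
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.lstrip().startswith("- ") and current_list is not None:
            meta[current_list].append(line.strip()[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        current_list = None
        if value.startswith("[") and value.endswith("]"):
            meta[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        elif value == "":
            meta[key] = []          # a '- item' block list follows
            current_list = key
        else:
            meta[key] = value
    return meta


def parse_skill(text):
    """Split a skill .md into metadata plus one field per recognised section."""
    match = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not match:
        raise ValueError("skill file must start with YAML frontmatter")
    skill = parse_frontmatter(match.group(1))
    # Split the body on level-2 headings; fenced code stays inside its section.
    parts = re.split(r"^## +(.+?)[ \t]*$", match.group(2), flags=re.M)
    for heading, content in zip(parts[1::2], parts[2::2]):
        field = SECTION_FIELDS.get(heading.strip().lower())
        if field:                   # headings outside the mapping are ignored
            skill[field] = content.strip()
    return skill


def skill_applies(skill, path, enabled_packs):
    """The two filters the page describes: the skill's pack must be enabled,
    and its languages must include the file's language (or be ['all'])."""
    if skill.get("pack") not in enabled_packs:
        return False
    languages = skill.get("languages", ["all"])
    if "all" in languages:
        return True
    return EXT_TO_LANG.get(os.path.splitext(path)[1].lower()) in languages


# Constructed sample skill file (not from any real pack). Its code block uses
# a ~~~ fence, which is valid Markdown, so it nests inside this example.
SAMPLE_SKILL = """---
skill_id: MYPACK-API-SECURITY          # unique ID
version: 1.0.0
pack: my-api-rules                     # pack ID it belongs to
rules:                                 # rule IDs this skill covers
  - MYAPI-001
  - MYAPI-002
languages: [python]
severity_floor: high
---

## Purpose
Keep untrusted input out of SQL statements.

## Requirements
1. Validate all inputs at the API boundary.
2. Build queries only with parameterized statements.

## Anti-Patterns

~~~python
db.execute(f"INSERT INTO users VALUES ('{username}')")
~~~

## Verification Checklist
- [ ] SQL queries use parameterized statements
"""
```

`parse_skill(SAMPLE_SKILL)` returns the frontmatter keys (`rules` as a two-item list, `languages` as `['python']`) plus `purpose`, `requirements`, `anti_patterns` and `verification_checklist`; there is no `patterns` key because the sample has no `## Patterns` heading. `skill_applies` then admits `src/auth/login.py` only when `my-api-rules` is among the enabled packs, and rejects a `.go` file regardless, which mirrors the two filters above.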
    
## API access

You can query skills directly via the REST API when the dashboard server is running:

```bash
# Get skill guidance for a specific rule (quote the URL so the shell
# does not treat '?' as a glob character)
curl 'http://localhost:8000/api/skill?rule_id=HIPAA-164.312-a1'
```

Response:

```json
{
  "skill": {
    "skill_id": "HIPAA-PHI-PROTECTION",
    "pack": "hipaa",
    "purpose": "...",
    "requirements": "1. All ePHI must be encrypted at rest...",
    "verification_checklist": "- [ ] PHI fields use AES-256...",
    "references": "- 45 CFR §164.312(a)(2)(iv)..."
  }
}
```

Returns `{"skill": null}` if no skill covers the rule.