Afrexai Soc2 Evidence Collector.Skip
by @shark1973
Generate SOC2 evidence collection checklists, automate evidence gathering scripts, and produce audit-ready evidence packages. Covers all 5 Trust Service Crit...
clawhub install afrexai-soc2-evidence-collector-skipπ About This Skill
name: soc2-evidence-collector description: > Generate SOC2 evidence collection checklists, automate evidence gathering scripts, and produce audit-ready evidence packages. Covers all 5 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Use when preparing for SOC2 Type I/II audits, maintaining continuous compliance, or building evidence collection automation. Built by AfrexAI. metadata: version: 1.0.0 author: AfrexAI tags: [soc2, compliance, audit, security, evidence-collection, enterprise]
SOC2 Evidence Collector
Automate evidence gathering for SOC2 Type I and Type II audits across all 5 Trust Service Criteria.
When to Use
Input
Gather these from the user before generating:
Required
1. Audit type: Type I (point-in-time) or Type II (over a period, typically 3-12 months) 2. Trust Service Criteria in scope: Security (CC β always required), plus any of: Availability, Processing Integrity, Confidentiality, Privacy 3. Cloud provider(s): AWS, GCP, Azure, multi-cloud, on-prem, hybrid 4. Primary tech stack: languages, frameworks, CI/CD, IaC tools 5. Team size: engineering + ops headcountOptional
Evidence Categories
CC β Common Criteria (Security) β Always In Scope
#### CC1: Control Environment | Evidence | Source | Collection Method | |----------|--------|-------------------| | Org chart with security roles | HR system / Confluence | Manual export quarterly | | Security policy documents | Policy repo / wiki | Git log showing annual review | | Code of conduct acknowledgments | HR system | Export signed acknowledgments | | Board/management meeting minutes on security | Calendar + notes | Screenshot + agenda export | | Risk assessment documentation | GRC tool / spreadsheet | Export current risk register |
#### CC2: Communication and Information | Evidence | Source | Collection Method | |----------|--------|-------------------| | Security awareness training records | LMS / training platform | Completion report export | | Onboarding security checklist | HR system | Template + completion logs | | Incident communication procedures | Runbook / wiki | Version-controlled doc with review history | | External communication policies | Policy repo | Git log + approval records |
#### CC3: Risk Assessment | Evidence | Source | Collection Method | |----------|--------|-------------------| | Annual risk assessment report | GRC tool | PDF export with sign-off | | Vendor risk assessments | Vendor management tool | Export assessment records | | Penetration test reports | Security vendor | PDF reports with remediation tracking | | Vulnerability scan results | Scanner (Qualys, Nessus, etc.) | Automated export, monthly |
#### CC4: Monitoring Activities | Evidence | Source | Collection Method | |----------|--------|-------------------| | SIEM dashboards and alert configs | Datadog / Splunk / CloudWatch | Screenshot + config export | | Uptime monitoring evidence | Pingdom / Datadog / UptimeRobot | Monthly uptime reports | | Log retention configuration | Cloud provider console | Config export / IaC snippet | | Anomaly detection rules | SIEM / monitoring tool | Rule export with change log |
#### CC5: Control Activities
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Access control matrix | IdP / IAM console | Export user-role mappings |
| MFA enforcement evidence | IdP admin console | Policy config screenshot |
| Firewall / security group rules | Cloud console / IaC | terraform state or console export |
| Encryption at rest configuration | Cloud console / IaC | Config export showing encryption enabled |
| Encryption in transit (TLS) | Load balancer / CDN config | Certificate + config export |
#### CC6: Logical and Physical Access Controls | Evidence | Source | Collection Method | |----------|--------|-------------------| | User access reviews (quarterly) | IdP + spreadsheet | Review meeting notes + updated access list | | Terminated user deprovisioning | IdP audit log | Export showing timely deactivation | | SSH key / credential rotation logs | Secrets manager | Rotation event logs | | Physical access logs (if applicable) | Building management | Badge access reports |
#### CC7: System Operations | Evidence | Source | Collection Method | |----------|--------|-------------------| | Change management records | Jira / GitHub PRs | Export merged PRs with approvals | | CI/CD pipeline configuration | GitHub Actions / CircleCI | Config file export from repo | | Deployment approval process | PR review settings | Branch protection rule screenshots | | Incident response logs | PagerDuty / Opsgenie | Incident timeline exports | | Backup configuration and test results | Cloud console / IaC | Backup policy + restore test logs |
#### CC8: Change Management | Evidence | Source | Collection Method | |----------|--------|-------------------| | PR review requirements | GitHub / GitLab settings | Branch protection config | | Code review evidence | GitHub PR history | Export PRs with review comments | | Release notes / changelogs | Repo | CHANGELOG.md with version history | | Rollback procedures | Runbook | Documented procedure with test evidence |
#### CC9: Risk Mitigation | Evidence | Source | Collection Method | |----------|--------|-------------------| | Business continuity plan | Policy repo | Document with annual review evidence | | Disaster recovery test results | DR runbook | Test execution logs + results | | Insurance certificates | Finance / legal | Current certificate copies | | Sub-processor agreements | Legal / contract management | Signed DPAs + vendor list |
A β Availability (If In Scope)
| Evidence | Source | Collection Method | |----------|--------|-------------------| | SLA definitions and monitoring | Product docs + monitoring | SLA doc + uptime dashboard exports | | Capacity planning documentation | Architecture docs | Quarterly capacity review notes | | Auto-scaling configuration | Cloud console / IaC | Config export | | Incident response SLA adherence | PagerDuty / incident tracker | Response time reports | | Redundancy / failover configuration | Cloud architecture | Architecture diagram + failover test logs |PI β Processing Integrity (If In Scope)
| Evidence | Source | Collection Method | |----------|--------|-------------------| | Data validation rules | Application code / config | Code snippets + test results | | QA / testing procedures | CI/CD pipeline | Test suite config + pass/fail reports | | Error handling and correction procedures | Runbook / code | Error handling docs + incident examples | | Data reconciliation reports | Application logs / reports | Monthly reconciliation output |C β Confidentiality (If In Scope)
| Evidence | Source | Collection Method | |----------|--------|-------------------| | Data classification policy | Policy repo | Document with review history | | NDA / confidentiality agreements | Legal / HR | Signed agreement copies | | Data retention and disposal policy | Policy repo | Policy doc + disposal logs | | DLP tool configuration | DLP tool admin | Config export + alert samples |P β Privacy (If In Scope)
| Evidence | Source | Collection Method | |----------|--------|-------------------| | Privacy policy (public) | Website | URL + version history | | Data processing agreements | Legal | Signed DPAs | | Consent management records | CMP / application | Consent log exports | | Data subject request procedures | Policy repo / ticketing | Procedure doc + DSR ticket samples | | Privacy impact assessments | GRC tool / docs | PIA reports for high-risk processing |Automation Scripts
When the user's stack is identified, generate shell scripts for automated evidence collection:
AWS Evidence Collection (example)
#!/bin/bash
SOC2 Evidence Collector β AWS
Generated by AfrexAI SOC2 Evidence Collector skill
set -euo pipefailEVIDENCE_DIR="soc2-evidence/$(date +%Y-%m-%d)"
mkdir -p "$EVIDENCE_DIR"/{iam,network,encryption,logging,compute}
echo "=== CC5: Access Controls ==="
aws iam get-account-summary > "$EVIDENCE_DIR/iam/account-summary.json"
aws iam generate-credential-report && sleep 5
aws iam get-credential-report --output text --query Content | base64 -d > "$EVIDENCE_DIR/iam/credential-report.csv"
aws iam list-users --output json > "$EVIDENCE_DIR/iam/users.json"
aws iam list-policies --scope Local --output json > "$EVIDENCE_DIR/iam/custom-policies.json"
echo "=== CC5: Encryption at Rest ==="
aws rds describe-db-instances --query 'DBInstances[*].{ID:DBInstanceIdentifier,Encrypted:StorageEncrypted,KmsKey:KmsKeyId}' > "$EVIDENCE_DIR/encryption/rds-encryption.json"
aws s3api list-buckets --query 'Buckets[*].Name' --output text | tr '\t' '\n' | while read bucket; do
aws s3api get-bucket-encryption --bucket "$bucket" >> "$EVIDENCE_DIR/encryption/s3-encryption.json" 2>/dev/null || echo "{\"bucket\":\"$bucket\",\"encryption\":\"NONE\"}" >> "$EVIDENCE_DIR/encryption/s3-encryption.json"
done
echo "=== CC4: Logging ==="
aws cloudtrail describe-trails > "$EVIDENCE_DIR/logging/cloudtrail-config.json"
aws cloudwatch describe-alarms --state-value ALARM > "$EVIDENCE_DIR/logging/active-alarms.json"
echo "=== CC5: Network Security ==="
aws ec2 describe-security-groups > "$EVIDENCE_DIR/network/security-groups.json"
aws ec2 describe-vpcs > "$EVIDENCE_DIR/network/vpcs.json"
echo "=== CC6: MFA Status ==="
aws iam list-virtual-mfa-devices > "$EVIDENCE_DIR/iam/mfa-devices.json"
echo "Evidence collected in $EVIDENCE_DIR"
echo "Review and redact sensitive values before sharing with auditors."
GitHub Evidence Collection (example)
#!/bin/bash
SOC2 Evidence Collector β GitHub
set -euo pipefailORG="${1:?Usage: $0 }"
EVIDENCE_DIR="soc2-evidence/$(date +%Y-%m-%d)/github"
mkdir -p "$EVIDENCE_DIR"
echo "=== CC8: Branch Protection ==="
gh api "/orgs/$ORG/repos" --paginate --jq '.[].name' | while read repo; do
gh api "/repos/$ORG/$repo/branches/main/protection" 2>/dev/null > "$EVIDENCE_DIR/${repo}-branch-protection.json" || true
done
echo "=== CC7: Recent Deployments ==="
gh api "/orgs/$ORG/repos" --paginate --jq '.[].name' | head -10 | while read repo; do
gh api "/repos/$ORG/$repo/deployments?per_page=10" > "$EVIDENCE_DIR/${repo}-deployments.json" 2>/dev/null || true
done
echo "=== CC8: PR Review Evidence ==="
gh api "/orgs/$ORG/repos" --paginate --jq '.[].name' | head -10 | while read repo; do
gh pr list --repo "$ORG/$repo" --state merged --limit 20 --json number,title,mergedAt,reviewDecision > "$EVIDENCE_DIR/${repo}-merged-prs.json" 2>/dev/null || true
done
echo "=== CC5: Org Security Settings ==="
gh api "/orgs/$ORG" --jq '{two_factor_requirement: .two_factor_requirement_enabled, default_permissions: .default_repository_permission}' > "$EVIDENCE_DIR/org-security.json"
echo "Evidence collected in $EVIDENCE_DIR"
Output Format
Generate a structured evidence package:
soc2-evidence/
βββ README.md # Overview, scope, period, auditor info
βββ evidence-matrix.md # Full checklist with status (collected/pending/N-A)
βββ collection-scripts/
β βββ collect-aws.sh
β βββ collect-github.sh
β βββ collect-idp.sh
β βββ collect-monitoring.sh
βββ gap-analysis.md # Missing evidence + remediation steps
βββ schedule.md # Evidence collection calendar (what to refresh when)
evidence-matrix.md Format
| # | Control | Evidence | Status | Source | Last Collected | Notes |
|---|---------|----------|--------|--------|---------------|-------|
| CC1.1 | Org chart | org-chart-2026-Q1.pdf | β
Collected | HR export | 2026-01-15 | |
| CC5.3 | MFA enforcement | mfa-config.json | β
Automated | IdP API | 2026-03-17 | Script: collect-idp.sh |
| CC3.2 | Pen test report | β | β³ Pending | External vendor | β | Due 2026-04-01 |
Workflow
1. Gather inputs (audit type, scope, stack, team size) 2. Generate the full evidence matrix for in-scope criteria 3. Mark known evidence sources based on their stack 4. Generate collection scripts for automated gathering 5. Identify gaps and generate remediation recommendations 6. Create an evidence collection schedule (daily/weekly/monthly/quarterly) 7. Output the complete evidence package
Tips for Users
AfrexAI Note
This skill generates the framework and automation scaffolding. For hands-on SOC2 audit preparation with managed AI agents handling continuous evidence collection, monitoring, and auditor coordination β that's what AfrexAI's AI-as-a-Service delivers. Contact us at hello@afrexai.com.