Add compliance plugin with CVE analysis command

Signed-off-by: chiragkyal <[email protected]>

Author: chiragkyal

.claude-plugin/marketplace.json

@@ -68,6 +68,11 @@
       "name": "must-gather",
       "source": "./plugins/must-gather",
       "description": "A plugin to analyze and report on must-gather data"
+    },
+    {
+      "name": "compliance",
+      "source": "./plugins/compliance",
+      "description": "Security compliance and vulnerability analysis tools for Go projects"
     }
   ]
-}
+}

PLUGINS.md

@@ -4,6 +4,7 @@ This document lists all available Claude Code plugins and their commands in the
 
 - [Agendas](#agendas-plugin)
 - [Ci](#ci-plugin)
+- [Compliance](#compliance-plugin)
 - [Doc](#doc-plugin)
 - [Git](#git-plugin)
 - [Hello World](#hello-world-plugin)
@@ -38,6 +39,15 @@ Miscellaenous tools for working with OpenShift CI
 
 See [plugins/ci/README.md](plugins/ci/README.md) for detailed documentation.
 
+### Compliance Plugin
+
+Security compliance and vulnerability analysis tools for Go projects
+
+**Commands:**
+- **`/compliance:analyze-cve` `<CVE-ID>`** - Analyze Go codebase for CVE vulnerabilities and suggest fixes
+
+See [plugins/compliance/README.md](plugins/compliance/README.md) for detailed documentation.
+
 ### Doc Plugin
 
 A plugin for engineering documentation and notes

docs/data.json

@@ -391,6 +391,21 @@
         }
       ],
       "has_readme": true
+    },
+    {
+      "name": "compliance",
+      "description": "Security compliance and vulnerability analysis tools for Go projects",
+      "version": "0.0.1",
+      "commands": [
+        {
+          "name": "analyze-cve",
+          "description": "Analyze Go codebase for CVE vulnerabilities and suggest fixes",
+          "synopsis": "/compliance:analyze-cve <CVE-ID>",
+          "argument_hint": "<CVE-ID>"
+        }
+      ],
+      "skills": [],
+      "has_readme": true
     }
   ]
 }

plugins/compliance/.claude-plugin/plugin.json

@@ -0,0 +1,8 @@
+{
+    "name": "compliance",
+    "description": "Security compliance and vulnerability analysis tools for Go projects",
+    "version": "0.0.1",
+    "author": {
+        "name": "chiragkyal"
+    }
+}

plugins/compliance/README.md

@@ -0,0 +1,86 @@
+# Compliance Plugin
+
+Security compliance and vulnerability analysis tools for Go projects.
+
+## Command
+
+### `/compliance:analyze-cve <CVE-ID>`
+
+Analyzes Go codebases to determine CVE impact with multi-level confidence assessment.
+
+**Example:**
+```
+/compliance:analyze-cve CVE-2024-24783
+```
+
+**Features:**
+- Fetches CVE details from NVD, MITRE, and Go Vulnerability Database
+- Multi-level verification (dependency check → static analysis → govulncheck → **call graph reachability**)
+- Generates reports with confidence levels (HIGH/MEDIUM/LOW)
+- Provides exact remediation commands
+- Optionally applies fixes with approval
+
+**Output:**
+- `.work/compliance/analyze-cve/{CVE-ID}/report.md` - Full analysis with confidence assessment
+- `.work/compliance/analyze-cve/{CVE-ID}/callgraph.svg` - Visual execution path (if call graph analysis performed)
+- `.work/compliance/analyze-cve/{CVE-ID}/govulncheck-output.txt` - Scanner results
+
+## Verification Levels
+
+The command uses multiple methods with increasing confidence:
+
+1. **Dependency check** → Confirms package presence
+2. **Static analysis** → Finds function usage  
+3. **govulncheck** → Official Go vulnerability scanner
+4. **Call graph reachability** → Proves execution path (HIGHEST confidence)
+5. **Context analysis** → Checks security controls
+
+Reports include confidence level (HIGH/MEDIUM/LOW) based on verification methods used.
+
+## Prerequisites
+
+**Required:** Go toolchain
+
+**Recommended (for higher confidence):**
+```bash
+# Go vulnerability tools
+go install golang.org/x/vuln/cmd/govulncheck@latest
+go install golang.org/x/tools/cmd/callgraph@latest
+go install golang.org/x/tools/cmd/digraph@latest
+
+# Optional: For visual graphs
+brew install graphviz  # macOS
+```
+
+The command auto-detects available tools and uses the most comprehensive methods possible.
+
+## Fallback Mode
+
+If internet access fails, the command prompts for manual CVE information (description, affected packages, versions, fixes). Analysis proceeds with user-provided data, clearly marked in the report.
+
+## Report Includes
+
+- **Executive Summary**: Verdict (AFFECTED/NOT AFFECTED) with confidence level
+- **Analysis Methodology**: Which verification methods were used
+- **Impact Assessment**: Evidence from codebase, call chains (if found)
+- **Remediation Steps**: Exact commands and fixes
+- **Visual Artifacts**: Call graph SVG, scanner outputs
+
+## Examples
+
+### Basic usage
+```
+/compliance:analyze-cve CVE-2024-24783
+```
+Analyzes codebase for crypto/x509 vulnerability, provides upgrade command if affected.
+
+### High-confidence analysis
+```
+/compliance:analyze-cve CVE-2024-45338
+```
+**Result:**
+- Finds `golang.org/x/net/html v0.21.0` (vulnerable)
+- Proves execution path: `main → HTTPHandler → ParseHTML → html.Parse`
+- **Confidence**: HIGH | **Verdict**: AFFECTED
+- Generates `callgraph.svg` showing call chain
+- Recommends: `go get golang.org/x/[email protected]`