Category: Security & Compliance. Complexity: Medium.

Generate FedRAMP Compliance Documentation

Sample Prompt
Generate FedRAMP security control documentation for each service. Analyze the
codebase and create a SECURITY.md file that documents:

1. Data Classification: What types of data this service processes (PII, PHI,
   financial, public). Infer from models, schemas, database migrations, and
   API request/response types.

2. Encryption: Document encryption at rest (database encryption, file storage)
   and in transit (TLS configuration, certificate management). Reference
   actual configuration files.

3. Access Control: Document authentication mechanisms (OAuth, JWT, API keys),
   authorization patterns (RBAC, ABAC), and any service-to-service auth.

4. Audit Logging: Document what events are logged, log format, and log
   destinations. Reference actual logging configuration.

5. Input Validation: Document input validation and sanitization approaches
   used in the codebase.

Base all documentation on actual code analysis, not assumptions. If a security
control cannot be determined from the codebase, note it as "Requires manual
review" rather than guessing.

The Problem

FedRAMP certification requires documenting security controls for every component in your system. Each service needs to describe how it handles data classification, encryption at rest and in transit, access controls, audit logging, and incident response procedures, and that documentation has to describe what the code actually does rather than repeat boilerplate.

For an organization with 100+ services, producing this documentation manually takes hundreds of developer hours. Developers are pulled away from feature work to write security docs about code they may not have authored. The docs go stale the moment they're written, and the next audit cycle requires another round of updates.

What Tidra Does

  1. Analyzes each repository's codebase (models, schemas, configuration files, authentication middleware, logging setup) to understand what security controls are actually implemented
  2. Generates a structured SECURITY.md file documenting data classification, encryption, access control, audit logging, and input validation based on what the code reveals
  3. Marks any controls that couldn't be determined as "Requires manual review" rather than generating inaccurate documentation
  4. Creates PRs that include the generated documentation, ready for security team review and refinement
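A minimal, evidence-first generator of the kind of SECURITY.md the steps above describe, written here as an added example (it is not Tidra's code): a constructed toy repository is scanned with path and content patterns, every control cites the file that proves it, and any control without evidence is written as "Requires manual review" instead of being guessed. The repository contents, the check patterns and the PII/financial field markers are all constructed assumptions for the demo.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed toy checkout (assumption): path -> contents, standing in for a real repository.
REPO: Dict[str, str] = {
    "k8s/ingress.yaml": "tls:\n  minVersion: VersionTLS13\n",
    "src/middleware/auth.ts": "import { auth } from 'express-oauth2-jwt-bearer';\n",
    "src/models/payment.ts": "export interface Payment { cardToken: string; email: string; }\n",
    "src/schemas/payment.ts": "import { z } from 'zod';\nexport const PaymentSchema = z.object({});\n",
}

# Constructed checks: (section, control, regex the path must match, regex the contents must match).
CHECKS: List[Tuple[str, str, str, str]] = [
    ("Encryption", "In transit (TLS)", r"ingress", r"minVersion:\s*VersionTLS1[23]"),
    ("Encryption", "At rest (database)", r"\.tf$", r"storage_encrypted\s*=\s*true"),
    ("Access Control", "Authentication", r"middleware/auth", r"oauth2|jwt"),
    ("Audit Logging", "Structured logging", r"logg", r"pino|winston|json"),
    ("Input Validation", "Request schema validation", r"schemas/", r"from 'zod'"),
]

def find_evidence(files: Dict[str, str], path_re: str, content_re: str) -> Optional[str]:
    """Return the first file whose path and contents both show the control, else None."""
    for path, text in sorted(files.items()):
        if re.search(path_re, path) and re.search(content_re, text, re.I):
            return path
    return None

def classify_data(files: Dict[str, str]) -> List[str]:
    """Infer sensitive field names from model files via PII/financial name markers."""
    markers = re.compile(r"\b(email|phone\w*|ssn|card\w*|billing\w*)\b", re.I)
    return sorted({f for p, t in files.items() if "models/" in p for f in markers.findall(t)})

def build_security_md(files: Dict[str, str]) -> str:
    """Render SECURITY.md: each control cites its evidence file or is flagged for review."""
    out = ["# Security Controls", "", "## Data Classification"]
    fields = classify_data(files)
    out.append(("Sensitive fields identified: " + ", ".join(fields)) if fields
               else "Sensitive fields: *Requires manual review* (no model files found)")
    current = None
    for section, control, path_re, content_re in CHECKS:
        if section != current:  # CHECKS is grouped by section, so a new name opens a heading
            out += ["", f"## {section}"]
            current = section
        path = find_evidence(files, path_re, content_re)
        out.append(f"- {control}: " + (f"see {path}" if path
                   else "*Requires manual review* (no evidence found in codebase)"))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_security_md(REPO))
```

Running it against the toy checkout documents TLS, OAuth/JWT authentication and Zod validation with their file paths, while encryption at rest and audit logging, for which the toy repo holds no configuration, come out flagged for manual review.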

Before & After

diff
SECURITY.md
@@ New file @@
+ # Security Controls, payments-service
+
+ ## Data Classification
+ This service processes **financial data** including transaction
+ amounts, payment method tokens, and billing addresses.
+ PII fields identified: email, billing_address, phone_number.
+
+ ## Encryption
+ - **At rest:** Database encryption via AWS RDS (AES-256)
+ - **In transit:** TLS 1.3 enforced via ingress configuration
+ - **Sensitive fields:** Payment tokens encrypted with
+ application-level encryption (see src/crypto/tokenizer.ts)
+
+ ## Access Control
+ - Authentication: OAuth 2.0 via Auth0 (see middleware/auth.ts)
+ - Authorization: Role-based (admin, merchant, readonly)
+ - Service-to-service: mTLS via service mesh
+
+ ## Audit Logging
+ - All API requests logged with correlation ID
+ - Payment events sent to audit-log-service via Kafka
+ - Log format: structured JSON, shipped to Datadog
+
+ ## Input Validation
+ - Request validation via Zod schemas (see src/schemas/)
+ - SQL injection prevention via parameterized queries (Prisma)
+ - *Requires manual review:* File upload validation in
+ /api/receipts endpoint
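Review bot: several controls in this generated file are asserted without the source reference the prompt requires ("Reference actual configuration files"): the RDS encryption and "TLS 1.3 enforced via ingress configuration" lines under Encryption, the "mTLS via service mesh" line under Access Control, and the entire Audit Logging section name no file, unlike the `(see src/crypto/tokenizer.ts)` and `(see middleware/auth.ts)` entries. Either add the ingress, mesh and logging configuration paths the analysis found, or mark those entries "Requires manual review" as the prompt instructs, since an assessor cannot verify the TLS version or the mTLS claim from the document alone. The Data Classification section would also be stronger with the model or schema file the PII fields were inferred from.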

Customization Tips

  • Framework-specific: Add your compliance framework requirements to the prompt (SOC 2, HIPAA, PCI-DSS) to generate documentation targeting those specific control families.
  • Template structure: If your security team has a specific documentation template, include it in the prompt so the generated docs match the expected format.
  • Supplementary docs: Pair this with a docs/compliance/ directory for more detailed control documentation that references the SECURITY.md overview.

Ready to run this across your repos?

Connect your Git provider and Tidra opens pull requests in every repo that needs them.