GRC Engineering Plugin Suite - Tools for auditors, internal teams, TPRM, and framework-specific compliance
npx claudepluginhub vantainc/claude-grc-engineeringGRC Engineering Plugin - Maps IaC to compliance controls, generates policies, collects evidence, reviews PRs for compliance, and transforms risks to Jira tickets
GRC Auditor Plugin - Evidence review, control validation, and audit workpaper generation for external auditors and assessors
GRC Internal Plugin - Policy management, risk registers, and compliance tracking for internal GRC teams
GRC Third-Party Risk Management Plugin - Vendor assessments, questionnaire analysis, and risk scoring
GRC Reporter - translate findings, risks, and metrics into narratives leadership actually reads. Reference implementation of the Reporting category from RFC #38.
Ralph-loop mechanism specialized for GRC iteration patterns: gap-remediation burndown and quarterly evidence sweeps. Each loop drives /grc-engineer:* commands until a completion criterion fires.
Knowledge source for Google Developer Knowledge API: searches, cites, and answers from current Google developer documentation.
Teach-me - get up to speed on a framework, control, or GRC role. Socratic primer + drill plugin built for new-to-GRC practitioners and career transitioners. Closes #61.
Editable draw.io diagram skills for GRC system boundaries, evidence flows, control maps, risks, audits, crosswalks, TPRM, POA&M, data flows, RACI, and operating models.
SOC 2 Compliance Plugin - Trust Service Criteria expertise, Type I/II assessment support, and control mapping
NIST 800-53 Plugin - Control families, baseline selection (Low/Moderate/High), and FedRAMP alignment
ISO 27001 Plugin - Annex A controls, ISMS implementation guidance, and certification support
FedRAMP Rev 5 Plugin - Traditional authorization path with SSP/SAP/SAR/POA&M documentation and NIST 800-53 Rev 5 control mapping
FedRAMP 20X Plugin - Modern automated authorization with Key Security Indicators (KSIs), continuous monitoring, and machine-readable policies synced from official FedRAMP docs
PCI DSS v4.0.1 Plugin - Payment Card Industry compliance with ROC guidance, SAQ selection, and March 2025 mandatory requirements
CMMC v2.0 Plugin - Cybersecurity Maturity Model Certification for DoD contractors with 5 levels and C3PAO assessment prep
HITRUST CSF Plugin - Healthcare Information Trust Alliance Common Security Framework with i1/r2 assessments and 156 controls
CIS Controls v8 Plugin - Center for Internet Security baseline with IG1/IG2/IG3 implementation groups and 153 safeguards
GDPR Plugin - EU General Data Protection Regulation with DPIA, data subject rights, and 72-hour breach notification
CSA CCM Plugin - Cloud Security Alliance Cloud Controls Matrix with 197 controls and CAIQ support
NYDFS 23 NYCRR 500 Plugin - New York Department of Financial Services cybersecurity requirements with annual certification
DORA Plugin - EU Digital Operational Resilience Act for financial entities with ICT risk management (effective January 2025)
StateRAMP Plugin - State Risk and Authorization Management Program for state and local government cloud services
Essential 8 Plugin - Australian Cyber Security Centre mitigation strategies with 3 maturity levels
GLBA Plugin - Gramm-Leach-Bliley Act for financial institutions with Safeguards Rule and Privacy Rule compliance
US Export Controls Plugin - ITAR and EAR compliance for defense and dual-use technologies
HIPAA Security Rule compliance for ePHI protection with Administrative, Physical, and Technical Safeguards
Canadian PBMM (Protected B Medium Medium) with ITSG-33 controls
Japanese ISMAP government cloud security (ISO 27001/27017/27018)
Australian IRAP (ISM + Essential Eight) for government cloud
GRC connector for AWS: evaluates IAM, S3, CloudTrail, EBS, and RDS for compliance misconfigurations. Emits findings conforming to schemas/finding.schema.json v1.
GRC connector for GitHub: evaluates repo protections, branch policies, Actions, secret scanning, Dependabot, and deploy keys. Emits findings conforming to schemas/finding.schema.json v1.
GRC connector for Google Cloud: evaluates IAM, Cloud Storage, audit logs, KMS rotation, and Compute for compliance misconfigurations. Emits findings conforming to schemas/finding.schema.json v1.
GRC connector for Microsoft Azure: evaluates Entra ID, Storage, Key Vault, Monitor, and Defender for Cloud. Emits findings conforming to schemas/finding.schema.json v1.
GRC connector for Slack: evaluates workspace 2FA, SSO/session posture, retention, app approvals, and DLP visibility. Emits findings conforming to schemas/finding.schema.json v1.
GRC connector for Datadog: evaluates log retention, audit log coverage, monitor coverage, SSO visibility, and RBAC roles. Emits findings conforming to schemas/finding.schema.json v1.
GRC connector for CrowdStrike Falcon: evaluates sensor coverage, detection/prevention policy visibility, and host-group scoping. Emits findings conforming to schemas/finding.schema.json v1.
GRC connector for Drata: wraps drata-cli curated workflows and normalizes compliance posture into schemas/finding.schema.json v1.
GRC connector for Splunk: evaluates index retention, RBAC roles, audit-source coverage, saved-search ACLs, and user authentication signals. Emits findings conforming to schemas/finding.schema.json v1.
GRC connector for Tenable.io/Tenable.sc: evaluates scan coverage, credentialed scan signals, vulnerability age, and scan access visibility. Emits findings conforming to schemas/finding.schema.json v1.
GRC connector for Snowflake ACCOUNT_USAGE: evaluates MFA, network policies, masking/row access policies, session timeout, and data retention. Emits findings conforming to schemas/finding.schema.json v1.
GRC connector for Wiz CNAPP: normalizes configuration findings, issues, vulnerabilities, and cloud resource inventory into v1 Findings.
GRC connector wrapping testssl.sh. Scans HTTPS endpoints for protocol/cipher posture, certificate issues, and known TLS CVEs (Heartbleed, ROBOT, POODLE, FREAK, LOGJAM, SWEET32, ...). Emits findings conforming to schemas/finding.schema.json v1, anchored on SCF CRY-01/CRY-03/CRY-05/CRY-08/NET-09/VPM-01/VPM-06/WEB-03 and fanned out at scan time via SCF crosswalks to SOC 2 TSC 2017, NIST 800-53 r5, PCI DSS 4.0.1, and ISO 27002:2022.
GRC connector for Okta: evaluates authentication policies, MFA enrollment, password policy, session management, and admin/privileged accounts. Emits findings conforming to schemas/finding.schema.json v1.
OSCAL (Open Security Controls Assessment Language) toolkit for Claude Code. Wraps ethanolivertroy/oscal-cli for validation and conversion of catalogs, profiles, SSPs, SAPs, SARs, POA&Ms, component definitions, and assessment results.
Convert FedRAMP Rev 5 Moderate SSP DOCX templates to validated OSCAL 1.2.0 JSON. Wraps ethanolivertroy/frdocx-to-froscal-ssp — ready for oscal-cli, Compliance Trestle, eMASS, and FedRAMP 20X workflows.
Singapore - Personal Data Protection Ac (PDPA) (2012) — Reference plugin with evidence checklist, scope determination, and SCF-backed gap assessment. Level up to Full by adding framework-specific workflow commands.
FINRA Plugin - Broker-dealer cybersecurity guidance (builds on SEC Reg S-P, SEC 17a-4)
UK NCSC Cyber Essentials Plus (CE+) v3.3 Danzell — Reference plugin with evidence checklist, scope determination, and SCF-backed gap assessment. Five core controls: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Patch Management.
Swiss Federal Act on Data Protection (nFADP) plugin - data protection compliance with voluntary DSO, risk-based breach notification, and Swiss transfer mechanisms
India DPDPA 2023 + DPDP Rules 2025 — Reference-depth plugin: scope, evidence checklist, breach process, and sectoral overlap (RBI / SEBI / IRDAI / TRAI) for Data Fiduciaries operating in India.
FedRAMP POA&M lifecycle management and VDR generation. Converts Nessus, Tenable, Qualys, and Wiz scanner exports into a FedRAMP-compliant POA&M, manages the full finding lifecycle, generates FedRAMP 20x VDR reports with live CISA KEV and EPSS enrichment, and produces per-release Product Vulnerability Disclosure Reports.
EU NIS2 Directive (Directive (EU) 2022/2555) — Reference plugin: scope determination across essential vs important entities, Article 21 risk-management measure evidence checklist, and the 24h/72h/1mo incident-reporting runbook. SCF-backed gap assessment via the crosswalk.
NIST Cybersecurity Framework (v2.0) — Reference plugin with scope determination, evidence checklist, and SCF-backed gap assessment across the six Functions (GV/ID/PR/DE/RS/RC).
Sarbanes-Oxley Act of 2002 (SOX) — Reference-depth plugin for ICFR scoping, IT General Control (ITGC) testing, and §302/§404/§906 evidence preparation. Frames SOX as the governance layer over ICFR; security work flows in via ITGCs and SOC 1 reliance on vendor systems.
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) compliance for businesses subject to California Civil Code §1798.100 et seq., enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General.
Localhost compliance posture dashboard for monitor-continuous JSON output. Reference implementation of the Dashboards category from RFC #38.
Japan APPI - Reference plugin with evidence checklist, scope determination, and SCF-backed gap assessment. Level up to Full by adding framework-specific workflow commands.
Singapore MAS TRM - Reference plugin with scope determination, evidence checklist, and SCF-backed gap assessment for technology risk management.
APRA CPS 234 - Reference plugin with scope determination, evidence checklist, and SCF-backed gap assessment for information security.
NERC CIP - Reference plugin with scope determination, evidence checklist, and SCF-backed gap assessment for BES Cyber Systems.
Build and deploy a professional portfolio website for GRC engineers — certifications, frameworks, audit experience, and AWS hosting included.
Build and deploy a serverless trust center — public compliance posture, gated access to SOC 2/policy documents with optional NDA e-signature, and an admin dashboard. Deploys to AWS (S3, CloudFront, WAF, API Gateway, Lambda, DynamoDB, Cognito).
Claude Code marketplace entries for the plugin-safe Agentic Awesome Skills library and its compatible editorial bundles.
Production-ready workflow orchestration with 94 marketplace plugins, 203 local specialized agents, and 175 local skills - optimized for granular installation and minimal token usage
Directory of popular Claude Code extensions including development tools, productivity plugins, and MCP integrations