By dexcopeland
GRC Engineering Plugin - Maps IaC to compliance controls, generates policies, collects evidence, reviews PRs for compliance, and transforms risks to Jira tickets
Generate scripts to collect audit evidence
Identify conflicting requirements across frameworks
List every SCF-mapped framework (249) and show which have a dedicated plugin
Aggregate connector findings, map to requested frameworks via SCF crosswalk, and produce a prioritized gap report with remediation links.
Generate implementation code for a security control
Helps you triage a quarterly user access review from an Okta, Azure AD, AWS IAM, GitHub, or generic CSV/JSON export. For each row, recommends certify, revoke, manager confirm, or investigate using rules that catch the usual audit-fail patterns: terminated users still active, dormant admin accounts, separation-of-duty conflicts, service accounts in a human review. Drafts manager confirmation emails and writes an audit evidence packet mapped to SOC 2 CC6.1/CC6.2, PCI 7-8, ISO A.9, NIST AC-2. Built for small and mid-size orgs running UARs in spreadsheets without an IGA tool. Never auto-revokes. Output is a draft for human review before action.
Reviews pull requests for compliance regressions. Scans code diffs for security and compliance violations, flags issues, and suggests fixes aligned with frameworks like SOC 2, ISO 27001, NIST 800-53.
Maps infrastructure code (Terraform, Kubernetes, CloudFormation) to compliance controls (ISO 27001, SOC 2, NIST 800-53). Analyzes IaC files and generates compliance evidence mappings showing which controls are satisfied.
Generates CLI commands and API scripts to collect point-in-time evidence for audit controls. Automates evidence gathering from cloud providers (AWS, Azure, GCP) and outputs formatted reports.
Generates focused assessor interview questions from a technology stack and maps them to compliance frameworks with practical CLI/API evidence hints.
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
https://github.com/user-attachments/assets/a83aa297-9fba-4a7d-b56c-06f962d1ec6b
Open-source GRC Engineering resource for Claude.
claude-grc-engineering turns technical evidence from cloud, SaaS, code, and security tools into framework-aligned findings, gap reports, remediation guidance, evidence packages, and OSCAL workflows.
It is built for the Claude ecosystem: Claude Code plugin installs first, with Claude Desktop and Claude Cowork usage supported through the same Markdown skills, command runbooks, schemas, and repository files.
It is maintained by the GRC Engineering Club for people who want compliance work to behave more like engineering work: repeatable, testable, versioned, and easy to extend.
Not affiliated with Anthropic. Claude, Anthropic, and related marks are property of their respective owners.
The toolkit is a Claude Code plugin marketplace. The same plugin skills and command runbooks are also useful in Claude Desktop and Claude Cowork when you add this repository as project context or a shared workspace. Install the pieces you need:
grc-engineer: the core automation hub for gap assessment, IaC scanning, evidence collection, remediation generation, policy generation, PR review, continuous monitoring, and multi-framework optimization.The common path is:
connectors collect evidence
↓
findings match schemas/finding.schema.json
↓
grc-engineer maps findings through SCF
↓
reports, remediation, evidence packages, OSCAL outputs
The Secure Controls Framework (SCF) crosswalk is used as the control backbone: 1,468 controls mapped to 249 frameworks. The toolkit references control IDs and implementation guidance; it does not reproduce copyrighted standards text.
Inside Claude Code:
/plugin marketplace add GRCEngClub/claude-grc-engineering
/plugin install grc-engineer@grc-engineering-suite
For a first run without cloud credentials, use GitHub as the evidence source:
/plugin install github-inspector@grc-engineering-suite
/plugin install soc2@grc-engineering-suite
/github-inspector:setup
/github-inspector:collect --scope=@me
/grc-engineer:gap-assessment SOC2 --sources=github-inspector
Full walkthrough: docs/QUICKSTART.md.
Using Claude Desktop or Claude Cowork instead of Claude Code? Start with docs/CLAUDE-COWORK.md. Anthropic's security and compliance posture is documented at trust.anthropic.com, and the Claude Cowork third-party platform guide is here: Claude Desktop on third-party platforms.
GRC Internal Plugin - Policy management, risk registers, and compliance tracking for internal GRC teams
PCI DSS v4.0.1 Plugin - Payment Card Industry compliance with ROC guidance, SAQ selection, and March 2025 mandatory requirements
HITRUST CSF Plugin - Healthcare Information Trust Alliance Common Security Framework with i1/r2 assessments and 156 controls
NIST 800-53 Plugin - Control families, baseline selection (Low/Moderate/High), and FedRAMP alignment
Ralph-loop mechanism specialized for GRC iteration patterns: gap-remediation burndown and quarterly evidence sweeps. Each loop drives /grc-engineer:* commands until a completion criterion fires.
npx claudepluginhub dexcopeland/claude-grc-engineering --plugin grc-engineerComprehensive skill pack with 66 specialized skills for full-stack developers: 12 language experts (Python, TypeScript, Go, Rust, C++, Swift, Kotlin, C#, PHP, Java, SQL, JavaScript), 10 backend frameworks, 6 frontend/mobile, plus infrastructure, DevOps, security, and testing. Features progressive disclosure architecture for 50% faster loading.
Upstash Context7 MCP server for up-to-date documentation lookup. Pull version-specific documentation and code examples directly from source repositories into your LLM context.
Consult multiple AI coding agents (Gemini, OpenAI, Grok, Perplexity, plus codex, antigravity, and grok CLIs when installed) to get diverse perspectives on coding problems
Comprehensive startup business analysis with market sizing (TAM/SAM/SOM), financial modeling, team planning, and strategic research
v9.54.0 — Reliability wave: tangle contextual review correction loop with hard round ceiling, progress-supervised review rounds (per-agent stall watch, descendant-tree kills), council diversity and agy pin fixes, marketplace generator source-of-truth fix, provider troubleshooting runbook and cost-expectations docs. Run /octo:setup.
Complete creative writing suite with 10 specialized agents covering the full writing process: research gathering, character development, story architecture, world-building, dialogue coaching, editing/review, outlining, content strategy, believability auditing, and prose style/voice analysis. Includes genre-specific guides, templates, and quality checklists.