Search everything...

Stats

Actions

Available In

Help us improve

Share bugs, ideas, or general feedback.

grc-engineer - Claude Code Plugin | ClaudePluginHub

Plugin

grc-engineer

Name: grc-engineer
Author: grcengclub

By GRCEngClub

Automate GRC engineering workflows: map IaC (Terraform, Kubernetes, CloudFormation) to compliance controls (SOC2, NIST, ISO27001), generate policy-as-code (Rego, Sentinel, Checkov), collect audit evidence from AWS/Azure/GCP/K8s via scripts, scan IaC/PRs for violations with fixes, test control effectiveness, resolve framework conflicts, and transform risks into Jira tickets.

npx claudepluginhub grcengclub/claude-grc-engineering --plugin grc-engineer

Popularity

Stars

Top 5%

256

Med: 0·Avg: 273

Installs

Med: 0·Avg: 1

What's Inside

Slash Commands14

Collect Evidence

/collect-evidence

Generate scripts to collect audit evidence

Find Conflicts

/find-conflicts

Identify conflicting requirements across frameworks

Gap Assessment

/gap-assessment

Aggregate connector findings, map to requested frameworks via SCF crosswalk, and produce a prioritized gap report with remediation links.

Generate Implementation

/generate-implementation

Generate implementation code for a security control

Generate Policy

/generate-policy

Generate policy-as-code from natural language requirements

Skills5

audit-ready-pr-reviewer

/audit-ready-pr-reviewer

Reviews pull requests for compliance regressions. Scans code diffs for security and compliance violations, flags issues, and suggests fixes aligned with frameworks like SOC 2, ISO 27001, NIST 800-53.

code-to-control-mapper

/code-to-control-mapper

Maps infrastructure code (Terraform, Kubernetes, CloudFormation) to compliance controls (ISO 27001, SOC 2, NIST 800-53). Analyzes IaC files and generates compliance evidence mappings showing which controls are satisfied.

evidence-artifact-collector

/evidence-artifact-collector

Generates CLI commands and API scripts to collect point-in-time evidence for audit controls. Automates evidence gathering from cloud providers (AWS, Azure, GCP) and outputs formatted reports.

policy-as-code-generator

/policy-as-code-generator

Converts natural language compliance requirements into executable policies (OPA Rego, AWS Config Rules, Sentinel, Terraform). Standardizes governance by making it part of the build process.

risk-to-jira-transformer

/risk-to-jira-transformer

Converts unstructured risk assessments into structured Jira tickets. Extracts Likelihood, Impact, Mitigation from natural language and generates JSON formatted for Jira API with clear Definition of Done criteria.

The plugin manifest points to a different repository than the source indexed by ClaudePluginHub.

Stats

Version0.1.0

ReleasedApr 13, 2026

LanguageJavaScript

Stars256

Forks49

MaintenanceExcellent

LicenseMIT

Last CommitApr 13, 2026

AddedApr 17, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Own this plugin?

Verify ownership to unlock analytics, metadata editing, and a verified badge.

Available In

grc-engineering-suite276

Help us improve

Share bugs, ideas, or general feedback.

README

claude-grc-engineering

I've worked both sides of FedRAMP: years as a 3PAO assessor, and I build open-source GRC tooling for the teams stuck doing the work by hand. Every team I've assessed ends up re-inventing the same pipeline: pull evidence from AWS, GitHub, GCP, and Okta; map it to SOC 2 or NIST 800-53 or FedRAMP Moderate/High; generate a gap report; fight with OSCAL. I wanted one toolkit that did the whole pipeline end-to-end without bolting me into a vendor platform. This is it.

Install as a Claude Code plugin. Run:

/grc-engineer:gap-assessment SOC2,FedRAMP-Moderate --sources=aws,github

You get a prioritized, effort-estimated, remediation-linked gap report backed by 1,468 Secure Controls Framework controls crosswalked to 249 frameworks.

Not affiliated with Anthropic. Independent open-source project. Claude, Anthropic, and any related marks are property of their respective owners.

What I'm taking a position on

A few opinionated design choices worth naming up front, since they're most of what makes this different from a Vanta or Drata clone.

SCF is the right crosswalk source. Everyone rolls their own control-mapping tables. They're usually incomplete, and nobody maintains them past the quarter they were built in. SCF has 1,468 controls mapped bidirectionally to 249 frameworks, publishes quarterly, and ships as a static JSON API. Use it as the backbone. Stop hand-maintaining CSVs.

Connectors should be thin. Most GRC platforms bundle giant agents that do everything. That's a vendor lock-in pattern, not an engineering pattern. Every connector here is a few hundred lines that shells out to tools you already have (aws, gcloud, gh, direct Okta API). You can rip and replace any of them without touching the rest of the toolkit.

Framework plugins don't reproduce standard text. ISO 27001, PCI DSS, and HITRUST CSF text is copyrighted. Plenty of GRC tools publish that text inside their product and hope nobody notices. This toolkit references control IDs and ships implementation guidance in my own words. Your licensed copy of the standard is the source of truth.

Vanta, Drata, OneTrust, and Archer are good at what they do. They're also expensive, slow to extend, and assume you have a compliance team. This is for teams that want the engineering layer without the platform lock-in, and for 3PAOs and assessors who want to cross-check what a platform is reporting.

60-second install

# In Claude Code
/plugin marketplace add ethanolivertroy/claude-grc-engineering
/plugin install grc-engineer@ethanolivertroy-plugins

For a first run with no cloud credentials, use your GitHub account as the data source:

/plugin install github-inspector@ethanolivertroy-plugins
/plugin install soc2@ethanolivertroy-plugins
/github-inspector:setup
/github-inspector:collect --scope=@me
/grc-engineer:gap-assessment SOC2 --sources=github-inspector

Full walkthrough: docs/QUICKSTART.md.

What you can do with it

Workflow	Command
Gap-assess an environment against one or many frameworks at once	`/grc-engineer:gap-assessment`
Scan Terraform, CloudFormation, or Kubernetes for compliance violations, optionally auto-fix	`/grc-engineer:scan-iac`
Validate a control end-to-end: config, functionality, compliance	`/grc-engineer:test-control`
Generate remediation (Terraform modules, Python evidence scripts, Rego/Cedar policies)	`/grc-engineer:generate-implementation`, `generate-policy`
See one control across every framework it maps to	`/grc-engineer:map-controls-unified`
Find conflicting requirements across frameworks, with "most-restrictive wins" resolution	`/grc-engineer:find-conflicts`
Optimize multi-framework implementation (satisfy many with one)	`/grc-engineer:optimize-multi-framework`
Continuous monitoring with Slack, PagerDuty, or email alerts	`/grc-engineer:monitor-continuous`
Check pipeline health: which connectors are configured, last-run, cache freshness	`/grc-engineer:pipeline-status`
Review a PR for compliance regressions before merge	`/grc-engineer:review-pr`
Build audit workpapers and evidence packages	`/grc-auditor:generate-workpaper`, `/grc-engineer:collect-evidence`
Generate OSCAL SSP, SAP, SAR, or POA&M from findings and framework configs	`/oscal:*` (see OSCAL plugin)
Analyze a vendor security questionnaire (SIG, CAIQ, Yardstick)	`/grc-tprm:analyze-questionnaire`

Every command's reference page lives in its plugin's commands/ directory with full input and output documentation.

Plugin categories

Engineering hub

View full README on GitHub

Help us improve

Find plugins for your project

Help us improve

grc-engineer

Popularity

What's Inside

Help us improve

Health & Quality

Confidence

README

claude-grc-engineering

What I'm taking a position on

60-second install

What you can do with it

Plugin categories

Engineering hub

Similar Plugins

grc-internal

compliance-checker

grc

fullstack-dev-skills

context7-plugin

startup-business-analyst

More by GRCEngClub

trust-center

soc2

essential8

github-inspector

grc-tprm

claude-grc-engineering

What I'm taking a position on

60-second install

What you can do with it

Plugin categories

Engineering hub