GRC Knowledge Plugin
A plugin that turns your AI coding agent into a senior GRC (Governance, Risk, and Compliance) analyst. 72+ reference files covering 15 frameworks, 24 slash commands, and deep domain knowledge for federal and commercial compliance work.
Works with: Claude Code, OpenCode
What It Does
Load this plugin and Claude gains expertise in:
- 15 compliance frameworks — NIST 800-53, FedRAMP, FISMA, CMMC, SOC 2, ISO 27001, PCI DSS, HIPAA, CIS Controls, COBIT, CSA CCM, GDPR, SLSA, OSCAL, and NIST Rev 4→5 transition
- Cross-framework mapping — Map any control to any other framework through NIST 800-53 as the hub
- Document review — Feed it SSP narratives, POA&Ms, policies, CRMs and get structural quality feedback with 0-5 maturity scoring
- Operational workflows — Significant change analysis, inheritance modeling, SAR responses, compliance calendars, tabletop exercises
It cites specific control IDs, knows baseline assignments, understands assessment procedures, and speaks the language of auditors, ISSOs, and compliance engineers.
Install
From a Plugin Marketplace (Recommended)
Add the marketplace and install:
/plugin marketplace add mlunato47/claude-grc-plugin
/plugin install grc@mlunato47
Or from the CLI:
claude plugin install grc@mlunato47
You can install at different scopes:
claude plugin install grc@mlunato47 # User scope (all projects)
claude plugin install grc@mlunato47 --scope project # Project scope (shared via git)
claude plugin install grc@mlunato47 --scope local # Local only
From a Local Directory
Clone the repo and load directly:
git clone https://github.com/mlunato47/claude-grc-plugin.git
claude --plugin-dir ./grc-plugin/grc
Or load alongside other plugins:
claude --plugin-dir ./grc-plugin/grc --plugin-dir ./other-plugin
Once loaded, type /grc: to see all available commands.
OpenCode
You can ask OpenCode to self-install by telling it:
Fetch and follow the instructions at https://raw.githubusercontent.com/mlunato47/claude-grc-plugin/main/.opencode/INSTALL.md
Or install manually:
# Clone
git clone https://github.com/mlunato47/claude-grc-plugin.git ~/.config/opencode/grc
# Symlink plugin, skills, and commands
mkdir -p ~/.config/opencode/plugins ~/.config/opencode/skills ~/.config/opencode/commands
ln -s ~/.config/opencode/grc/.opencode/plugins/grc.js ~/.config/opencode/plugins/grc.js
ln -s ~/.config/opencode/grc/grc/skills/grc-knowledge ~/.config/opencode/skills/grc-knowledge
for cmd in ~/.config/opencode/grc/grc/commands/*.md; do
ln -s "$cmd" ~/.config/opencode/commands/$(basename "$cmd")
done
Restart OpenCode. Commands are available as /grc-control-lookup, /grc-map-controls, etc.
Commands
Note: In Claude Code, commands use /grc:command-name. In OpenCode, commands use /grc-command-name.
Framework & Controls
| Command | Purpose |
|---|
/grc:control-lookup | Look up controls by framework and ID or keyword |
/grc:map-controls | Map controls between any two frameworks |
/grc:conmon-guide | Continuous monitoring guidance by topic |
/grc:audit-prep | Audit preparation checklists by audit type |
/grc:poam-help | POA&M creation, templates, and metrics |
/grc:gap-analysis | Structured gap analysis worksheets |
/grc:ssp-section | Draft SSP narrative language by control family |
/grc:deviation-request | Draft deviation/risk acceptance documentation |
Document Review & Analysis
| Command | Purpose |
|---|
/grc:review-narrative | Review SSP control narratives — Five W's, ODPs, 0-5 maturity score |
/grc:review-ssp | Validate SSP structure against FedRAMP template |
/grc:review-poam | Check POA&M entries for field completeness and SLA compliance |
/grc:review-policy | Review policy structure, control coverage, and language quality |
/grc:review-crm | Review CRM coverage, responsibility clarity, and common gaps |
/grc:score-maturity | Score control implementation maturity 0-5 with next-level guidance |
/grc:evidence-checklist | Generate audit evidence prep checklists (no user content needed) |
Operational Workflows
