claude-grc-engineering
The official open-source GRC toolkit from the GRC Engineering Club — turning checkbox compliance into engineered systems. It ships as a Claude Code plugin marketplace: persona plugins for engineers, auditors, internal GRC teams, and TPRM; 20+ framework reference plugins from SOC 2 to FedRAMP to APRA; and thin cloud/SaaS connectors that emit a common Finding contract. Assessors, platform engineers, and GRC teams everywhere end up re-inventing the same pipeline — pull evidence, crosswalk to a framework, generate a gap report, wrestle OSCAL. The Club maintains one toolkit that does the whole pipeline end-to-end without locking anyone into a vendor platform.
/grc-engineer:gap-assessment SOC2,FedRAMP-High --sources=aws,github
A prioritized, effort-estimated, remediation-linked gap report backed by 1,468 Secure Controls Framework controls crosswalked to 249 frameworks.
Not affiliated with Anthropic. Community open-source project. Claude, Anthropic, and any related marks are property of their respective owners.
Design positions
A few opinionated choices worth naming up front, since they're most of what makes this different from a Vanta or Drata clone.
SCF is the right crosswalk source. Most GRC tools roll their own control-mapping tables. They're usually incomplete, and nobody maintains them past the quarter they were built in. SCF has 1,468 controls mapped bidirectionally to 249 frameworks, publishes quarterly, and ships as a static JSON API. The toolkit uses it as the backbone. No hand-maintained CSVs.
Connectors should be thin. Platform vendors bundle giant agents that do everything. That's a lock-in pattern, not an engineering pattern. Every connector here is a few hundred lines that shells out to tools teams already have (aws, gcloud, gh, direct Okta API). Any connector can be ripped out and replaced without touching the rest of the toolkit.
Framework plugins don't reproduce standard text. ISO 27001, PCI DSS, and HITRUST CSF text is copyrighted. Plenty of GRC tools publish that text inside their product and hope nobody notices. This toolkit references control IDs and ships implementation guidance in paraphrased form. Each team's licensed copy of the standard is the source of truth.
Vanta, Drata, OneTrust, and Archer are good at what they do. They're also expensive, slow to extend, and assume a dedicated compliance team. This toolkit is for teams that want the engineering layer without the platform lock-in, and for 3PAOs and assessors who want to cross-check what a platform is reporting.
60-second install
# In Claude Code
/plugin marketplace add GRCEngClub/claude-grc-engineering
/plugin install grc-engineer@grc-engineering-suite
For a first run with no cloud credentials, use a GitHub account as the data source:
/plugin install github-inspector@grc-engineering-suite
/plugin install soc2@grc-engineering-suite
/github-inspector:setup
/github-inspector:collect --scope=@me
/grc-engineer:gap-assessment SOC2 --sources=github-inspector
Full walkthrough: docs/QUICKSTART.md.
What you can do with it
| Workflow | Command |
|---|
| Gap-assess an environment against one or many frameworks at once | /grc-engineer:gap-assessment |
| Scan Terraform, CloudFormation, or Kubernetes for compliance violations, optionally auto-fix | /grc-engineer:scan-iac |
| Validate a control end-to-end: config, functionality, compliance | /grc-engineer:test-control |
| Generate remediation (Terraform modules, Python evidence scripts, Rego/Cedar policies) | /grc-engineer:generate-implementation, generate-policy |
| See one control across every framework it maps to | /grc-engineer:map-controls-unified |
| Find conflicting requirements across frameworks, with "most-restrictive wins" resolution | /grc-engineer:find-conflicts |
| Optimize multi-framework implementation (satisfy many with one) | /grc-engineer:optimize-multi-framework |
| Continuous monitoring with Slack, PagerDuty, or email alerts | /grc-engineer:monitor-continuous |
| Check pipeline health: which connectors are configured, last-run, cache freshness | /grc-engineer:pipeline-status |
| Review a PR for compliance regressions before merge | /grc-engineer:review-pr |
| Build audit workpapers and evidence packages | /grc-auditor:generate-workpaper, /grc-engineer:collect-evidence |
| Generate OSCAL SSP, SAP, SAR, or POA&M from findings and framework configs | /oscal:* (see OSCAL plugin) |
| Analyze a vendor security questionnaire (SIG, CAIQ, Yardstick) | /grc-tprm:analyze-questionnaire |
Every command's reference page lives in its plugin's commands/ directory with full input and output documentation.
Plugin categories
Engineering hub