From grc-engineer
Reviews pull requests for compliance regressions. Scans code diffs for security and compliance violations, flags issues, and suggests fixes aligned with frameworks like SOC 2, ISO 27001, NIST 800-53.
How this skill is triggered — by the user, by Claude, or both
Slash command
/grc-engineer:audit-ready-pr-reviewerThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Reviews GitHub/GitLab pull requests specifically for compliance regressions. Shifts compliance "left" into the developer's daily workflow.
Reviews GitHub/GitLab pull requests specifically for compliance regressions. Shifts compliance "left" into the developer's daily workflow.
Review a PR for SOC 2 compliance:
node plugins/grc-engineer/scripts/review-pr.js myorg/infrastructure 42 SOC2
Review a PR for ISO 27001:
node plugins/grc-engineer/scripts/review-pr.js myorg/infrastructure 42 ISO27001
Review a PR with custom framework:
node plugins/grc-engineer/scripts/review-pr.js myorg/infrastructure 42 NIST80053
Posts GitHub comments with:
⚠️ **Compliance Warning: SOC 2 CC6.1 - Least Privilege**
This PR introduces an IAM role with `AdministratorAccess`, which violates the Least Privilege principle.
**Issue:** Line 23 in `terraform/iam.tf` assigns full administrative access.
**Suggested Fix:**
```hcl
resource "aws_iam_role" "app_role" {
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Action = [
"s3:GetObject",
"s3:PutObject"
]
Resource = "arn:aws:s3:::my-bucket/*"
}]
})
}
Control Reference: SOC 2 CC6.1, NIST 800-53 AC-6
## Prerequisites
- GitHub repository (owner/repo format)
- PR number
- `GITHUB_TOKEN` environment variable (requires `repo` scope)
- Optional: Framework name (defaults to SOC2)
npx claudepluginhub vantainc/claude-grc-engineering --plugin grc-engineer4plugins reuse this skill
First indexed Jul 18, 2026
Guides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Dispatches multiple subagents concurrently for independent tasks without shared state. Use when facing 2+ unrelated failures or subsystems that can be investigated in parallel.