What is claude-grc-engineering?
claude-grc-engineering is a marketplace of Claude Code plugins you install in minutes and run from the command line. Claude Code is Anthropic's command-line agent, and the toolkit turns it into a GRC pipeline. One command captures the idea:
/grc-engineer:gap-assessment SOC2,FedRAMP-High --sources=aws,github
That returns a prioritized, effort-estimated, remediation-linked gap report backed by the Secure Controls Framework crosswalk. The project is community open source and is not affiliated with Anthropic. For the hands-on command walkthrough, see How to Use Claude Code for GRC.
The design positions
The toolkit makes a few opinionated choices on purpose. They are the engineering principles the community builds around, and they explain why it is structured the way it is.
The Secure Controls Framework is the crosswalk source
Most GRC tools roll their own control-mapping tables. They are usually incomplete and rarely maintained past the quarter they were built. The Secure Controls Framework maps its controls bidirectionally to 249 frameworks, publishes quarterly, and ships as a static data API. The toolkit uses it as the backbone so there are no hand-maintained mapping files.
Connectors should be thin
Every connector is a few hundred lines that shells out to a tool teams already have: the aws CLI, gcloud, the gh CLI, or the Okta API. Any connector can be ripped out and replaced without touching the rest of the toolkit. That makes it easy for commercial platforms, internal teams, and individual engineers to each ship one.
Framework plugins do not reproduce standard text
ISO 27001, PCI DSS, and HITRUST CSF text is copyrighted. The toolkit references control identifiers and ships implementation guidance in paraphrased form. Each team's licensed copy of the standard stays the source of truth. That is what lets the project scale toward a plugin for every framework without legal exposure.
It complements your platform, it does not replace it
This is GRC in Claude Code. It gives practitioners an open place to learn the engineering layer and ship it in public. Commercial platforms, internal GRC teams, third-party assessors, and individual engineers all land in Claude Code eventually, and the shared finding contract is designed to normalize output from any source. The goal is to invite the whole ecosystem in, not to compete with it.
Who each plugin is for
The toolkit is organized by role, so the commands match how you work.
- grc-engineer is the engineering hub where the pipeline lives: gap assessment, infrastructure-as-code scanning, control testing, remediation generation, and continuous monitoring.
- grc-auditor is for external and internal auditors: evidence review, workpaper generation, and control validation.
- grc-internal is for internal GRC teams: risk registers, policy lifecycle, and certification portfolio tracking.
- grc-reporter is for communicating up: exec summaries, board briefs, and automation return-on-investment.
- grc-tprm is for third-party risk: vendor assessments and questionnaire analysis.
- teach-me is for career transitioners: paraphrased framework primers, single-control deep dives, and Socratic drills.
That last plugin is worth calling out. The toolkit is a learning tool as much as a working one, which is why it pairs naturally with the GRC Engineer Certification.
The framework and connector layers
There are 20-plus dedicated framework plugins today, including SOC 2, NIST 800-53 Rev 5, ISO/IEC 27001:2022, FedRAMP Rev 5 and 20X, PCI DSS v4.0.1, CMMC 2.0, HITRUST CSF, CIS Controls v8, GDPR, and several government cloud regimes. Each ships control identifiers, families, implementation guidance, and evidence patterns.
On the data side, the Tier 1 connectors cover AWS, GCP, GitHub, and Okta, with a long roadmap of Tier 2 integrations open for contribution. A typical connector is around 200 lines, which is the point: contributing one is a weekend project, not a quarter.
How the pieces connect
Every connector emits findings matching one shared schema. One finding is one resource with one or more control evaluations, and the contract is versioned with tests running in continuous integration for every connector. When a connector reports a control failure, the gap assessment expands it into every requested framework through the crosswalk.
That single contract is the architectural decision that makes everything else composable. It is why a GitHub finding and an AWS finding can land in the same SOC 2 report, and it is why a vendor can normalize their own tool's output and contribute it back. The evidence and control mapping guide shows the contract in action.
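To make the thin-connector pattern and the shared finding contract concrete, here is an added example that is not code from the claude-grc-engineering project. It sketches a connector that shells out to the aws CLI (the page's "thin wrapper" idea), normalizes one bucket's public-access-block output into a versioned finding with one resource and one control evaluation, and then expands failed evaluations into every requested framework through a crosswalk. The schema fields, the `SCHEMA_VERSION` tag, the canonical control id `CANON-PUBLIC-STORAGE`, the crosswalk rows and the sample CLI output are all constructed for illustration; the project's real contract and the Secure Controls Framework data are not reproduced here.

```python
import json
import subprocess
from dataclasses import dataclass, field

# Constructed contract version tag. The real project versions its contract and
# tests it in CI for every connector; its actual shape is not reproduced here.
SCHEMA_VERSION = "example-1"


@dataclass
class ControlEvaluation:
    control_id: str   # canonical (crosswalk-side) control the connector checked
    status: str       # "pass" or "fail"
    evidence: dict    # raw facts the verdict was derived from, kept for auditors


@dataclass
class Finding:
    schema_version: str
    source: str                         # connector name, e.g. "aws"
    resource: str                       # exactly one resource per finding
    evaluations: list = field(default_factory=list)   # one or more evaluations


def run_cli(args):
    """Thin wrapper: the connector owns no cloud SDK, it just runs the CLI."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def s3_public_access_finding(bucket, cli_output):
    """Turn one bucket's public-access-block JSON into one Finding."""
    cfg = json.loads(cli_output).get("PublicAccessBlockConfiguration", {})
    flags = ["BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets"]
    all_blocked = all(cfg.get(flag) is True for flag in flags)
    return Finding(
        schema_version=SCHEMA_VERSION,
        source="aws",
        resource=f"s3://{bucket}",
        evaluations=[ControlEvaluation(
            control_id="CANON-PUBLIC-STORAGE",     # constructed canonical id
            status="pass" if all_blocked else "fail",
            evidence={flag: cfg.get(flag) for flag in flags},
        )],
    )


def collect_aws_bucket(bucket):
    """Live path: shell out to the aws CLI (not exercised offline)."""
    out = run_cli(["aws", "s3api", "get-public-access-block", "--bucket", bucket])
    return s3_public_access_finding(bucket, out)


# Constructed crosswalk rows: canonical control -> per-framework identifiers.
# This is an illustrative mapping, not Secure Controls Framework data.
CROSSWALK = {
    "CANON-PUBLIC-STORAGE": {"SOC2": ["CC6.1"], "FedRAMP-High": ["AC-3", "SC-7"]},
}


def gap_assessment(findings, frameworks):
    """Expand each failed evaluation into every requested framework."""
    gaps = []
    for finding in findings:
        # Reject findings from a connector that speaks a different contract
        # version instead of silently mis-mapping them.
        if finding.schema_version != SCHEMA_VERSION:
            raise ValueError(
                f"unsupported finding schema {finding.schema_version!r} "
                f"from connector {finding.source!r}")
        for ev in finding.evaluations:
            if ev.status != "fail":
                continue
            for fw in frameworks:
                for ctrl in CROSSWALK.get(ev.control_id, {}).get(fw, []):
                    gaps.append({"framework": fw, "control": ctrl,
                                 "resource": finding.resource,
                                 "source": finding.source})
    return sorted(gaps, key=lambda g: (g["framework"], g["control"], g["resource"]))


# Constructed sample CLI output for two buckets, shaped like the s3api JSON.
SAMPLE_OUTPUT = {
    "logs-archive": json.dumps({"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}),
    "marketing-site": json.dumps({"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": False,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}),
}


def demo():
    """Run the offline path end to end: normalize, then crosswalk-expand."""
    findings = [s3_public_access_finding(b, out) for b, out in SAMPLE_OUTPUT.items()]
    return gap_assessment(findings, ["SOC2", "FedRAMP-High"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to notice is where the framework knowledge lives: the connector only knows one canonical control id, and the crosswalk table is the single place that turns a failed check into SOC 2 and FedRAMP gap entries. A connector for a second source would emit the same `Finding` shape and land in the same report with no change to `gap_assessment`.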
How to contribute
The toolkit is built in public and the community maintains it. There are a few clear on-ramps:
- Ship a connector for a tool that is not covered yet. The wrapper pattern is small and well documented.
- Improve or add a framework plugin from the Secure Controls Framework crosswalk.
- Improve documentation, evidence patterns, or implementation guidance.
If you work at a compliance platform or security vendor, you are explicitly welcome here. The finding contract exists so your stack can plug in. Contributing a connector or a framework plugin is a way to meet practitioners where they already work.
Frequently Asked Questions
What is claude-grc-engineering?
It is the official open-source GRC toolkit from the GRC Engineering Club, shipped as Claude Code plugins for evidence collection, control crosswalking, gap assessment, remediation, and OSCAL workflows. It is community-maintained and not affiliated with Anthropic.
Is it free and open source?
Yes. It is a community open-source project you install through the Claude Code plugin marketplace.
Does it replace a commercial GRC platform?
No. It is an open place to learn and ship the engineering layer of GRC. Its shared finding contract is designed so commercial platforms, internal teams, and assessors can plug in and contribute.
Can vendors contribute?
Yes. Vendors and security platforms are welcome to contribute connectors or framework plugins. The finding contract normalizes output from any source by design.
Next Steps
You now know what claude-grc-engineering is, the design positions behind it, who each plugin serves, and how to contribute. It is the open, practical front door to GRC engineering.
Explore the toolkit and install it from the claude-grc-engineering project page, or join the GRC Engineering Club to learn it alongside other practitioners.