"The club membership sub has been the biggest ROI I've ever had. Like, this is absolutely insane, seeing everything that's happened since I got wind of the club last Fall." — Dex Copeland

Flagship open-source project

GRC Engineering in Claude Code

GRCEngClub/claude-grc-engineering

The official open-source GRC toolkit for Claude Code. Pull evidence from your cloud and SaaS tools, crosswalk findings across 1,468 SCF controls mapped to 249 frameworks, generate prioritized gap reports, and produce OSCAL artifacts.

Not affiliated with Anthropic. Community open-source project.

What is claude-grc-engineering?

claude-grc-engineering is what GRC looks like in Claude Code. It is the official open-source plugin toolkit from the GRC Engineering Club: persona plugins for engineers, auditors, internal GRC teams, and TPRM; 20 plus framework reference plugins from SOC 2 to FedRAMP to IRAP; and thin cloud and SaaS connectors that emit a common Finding contract.

Run the whole pipeline end-to-end. Collect evidence, crosswalk to a framework, generate a gap report, wrestle OSCAL, review PRs for compliance regressions. One open toolkit, maintained by the community.

60-second install

# In Claude Code
/plugin marketplace add GRCEngClub/claude-grc-engineering
/plugin install grc-engineer@grc-engineering-suite

# First run with no cloud credentials, using a GitHub account
/plugin install github-inspector@grc-engineering-suite
/plugin install soc2@grc-engineering-suite
/github-inspector:setup
/github-inspector:collect --scope=@me
/grc-engineer:gap-assessment SOC2 --sources=github-inspector

Full walkthrough: docs/QUICKSTART.md

What you can do with it

Every workflow ships as a Claude Code slash command. Each one is documented in its plugin’s commands directory.

Command | Outcome
/grc-engineer:gap-assessment | Gap-assess an environment against one or many frameworks at once.
/grc-engineer:scan-iac | Scan Terraform, CloudFormation, or Kubernetes for compliance violations and optionally auto-fix.
/grc-engineer:test-control | Validate a control end-to-end: configuration, functionality, and compliance.
/grc-engineer:generate-implementation | Generate Terraform modules, Python evidence scripts, and Rego or Cedar policies.
/grc-engineer:map-controls-unified | See one control across every framework it maps to.
/grc-engineer:find-conflicts | Find conflicting requirements across frameworks with most-restrictive-wins resolution.
/grc-engineer:optimize-multi-framework | Optimize multi-framework implementation so one control satisfies many.
/grc-engineer:monitor-continuous | Continuous monitoring with Slack, PagerDuty, or email alerts.
/grc-engineer:review-pr | Review a pull request for compliance regressions before merge.
/grc-engineer:collect-evidence | Build audit workpapers and evidence packages.
/report:exec-summary | Draft a weekly leadership update from findings, risks, and metrics.
/report:automation-coverage | Report week-over-week automation coverage and ROI.
/oscal:ssp-export | Generate OSCAL SSP, SAP, SAR, or POA&M from findings and framework configs.
/grc-tprm:analyze-questionnaire | Analyze a vendor security questionnaire (SIG, CAIQ, Yardstick).
/grc-engineer:scaffold-framework | Scaffold a new framework plugin from the SCF crosswalk in one command.

Frameworks supported

Twenty plus dedicated framework plugins today. Plus 229 more accessible via the SCF crosswalk.

SOC 2
NIST 800-53
ISO 27001
FedRAMP Rev 5
FedRAMP 20X
PCI DSS v4
CMMC 2.0
HITRUST CSF
CIS Controls v8
GDPR
CSA CCM
NYDFS 500
EU DORA
StateRAMP
Essential 8
GLBA
US Export (ITAR/EAR)
PBMM (Canada)
ISMAP (Japan)
IRAP (Australia)

Plus 229 more via the Secure Controls Framework crosswalk. Scaffold any of them with /grc-engineer:scaffold-framework.

Connectors for cloud and SaaS

Thin integration plugins that wrap external inspector tools and emit findings against a versioned schema.

Tier 1: ship-ready

AWS Inspector

IAM, S3, EBS, RDS, CloudTrail, VPC, Security Hub, Config

GCP Inspector

IAM, Cloud Storage, Compute, Audit Logs, Security Command Center

GitHub Inspector

Branch protections, Actions, secret scanning, deploy keys, Dependabot

Okta Inspector

Auth policies, MFA, session, password, admin factor enrollment

Tier 2: roadmap

Azure, Slack, Snowflake, Datadog, Splunk, Sumo Logic, New Relic, Elastic, Tenable, Qualys, Veracode, CrowdStrike, Palo Alto, Zscaler, Box, ServiceNow, PagerDuty, Zendesk, LaunchDarkly, MuleSoft, Salesforce, KnowBe4

Want a connector that is not here? A typical wrapper is around 200 lines. Contribute one.

How the pipeline works

Four stages, end-to-end, all inside Claude Code.

1. Collect

Thin connectors pull evidence from your cloud and SaaS tools and emit findings against a versioned data contract.

2. Crosswalk

1,468 SCF controls map bidirectionally to 249 frameworks. Findings expand into every framework you request.

3. Gap-assess

Get a prioritized, effort-estimated, remediation-linked gap report for one or many frameworks at once.

4. OSCAL out

Generate SSP, SAP, SAR, and POA&M from findings and framework configs. Validate and convert via the OSCAL plugin.
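As an added illustration of the crosswalk and gap-assess stages (example code, not the project's own, and not its Finding contract or the published SCF data), the expansion on constructed rows: findings keyed by SCF control ids fan out into each requested framework, the worst status wins per framework control, and the reverse map gives the single-control view across frameworks. The crosswalk rows, finding shape and control ids below are constructed for illustration.

```python
from collections import defaultdict

# Constructed stand-in for the SCF crosswalk (SCF id -> framework -> control ids).
# Illustrative rows only; the toolkit fetches the published SCF JSON instead.
CROSSWALK = {
    "IAC-06": {"SOC2": ["CC6.1"], "NIST-800-53": ["IA-2"], "PCI-DSS-v4": ["8.4.2"]},
    "IAC-10": {"SOC2": ["CC6.1"], "NIST-800-53": ["IA-5"], "PCI-DSS-v4": ["8.3.6"]},
    "MON-01": {"SOC2": ["CC7.2"], "NIST-800-53": ["AU-12"]},
}

# Worst status wins when several findings land on one framework control.
STATUS_RANK = {"pass": 0, "partial": 1, "fail": 2}

# Constructed findings in a hypothetical connector shape (not the project's schema).
FINDINGS = [
    {"source": "okta", "scf": "IAC-06", "status": "fail", "detail": "admin MFA not enforced"},
    {"source": "okta", "scf": "IAC-10", "status": "pass", "detail": "14-char minimum set"},
    {"source": "aws", "scf": "MON-01", "status": "partial", "detail": "CloudTrail off in 1 region"},
]

def reverse_crosswalk(crosswalk):
    """(framework, control) -> set of SCF ids; the bidirectional half of the map."""
    rev = defaultdict(set)
    for scf, fws in crosswalk.items():
        for fw, ctrls in fws.items():
            for c in ctrls:
                rev[(fw, c)].add(scf)
    return rev

def gap_report(findings, frameworks, crosswalk=CROSSWALK):
    """Expand SCF-keyed findings into each requested framework.
    Returns {framework: {control: {"status": worst, "findings": [...]}}}, gaps first."""
    report = {fw: {} for fw in frameworks}
    for f in findings:
        for fw in frameworks:
            for ctrl in crosswalk.get(f["scf"], {}).get(fw, []):
                entry = report[fw].setdefault(ctrl, {"status": "pass", "findings": []})
                entry["findings"].append(f)
                if STATUS_RANK[f["status"]] > STATUS_RANK[entry["status"]]:
                    entry["status"] = f["status"]
    # Sort so failures come first, then partials, then passes (stable within a rank).
    return {fw: dict(sorted(ctrls.items(), key=lambda kv: -STATUS_RANK[kv[1]["status"]]))
            for fw, ctrls in report.items()}

def unified_view(fw, ctrl, frameworks, crosswalk=CROSSWALK):
    """Every control the given framework control maps to elsewhere, via shared SCF ids."""
    rev = reverse_crosswalk(crosswalk)
    out = defaultdict(set)
    for scf in rev.get((fw, ctrl), ()):
        for other in frameworks:
            out[other].update(crosswalk[scf].get(other, []))
    return {k: sorted(v) for k, v in out.items()}
```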

Design principles

Opinionated choices that shape what good contributions look like.

SCF is the right crosswalk source

1,468 controls bidirectionally mapped to 249 frameworks, published quarterly, shipped as a static JSON API. The toolkit uses it as the backbone, so there are no hand-maintained CSVs that go stale every quarter.

Connectors should be thin

Every connector is a few hundred lines that shell out to tools teams already have (aws, gcloud, gh, or the Okta API directly). Any connector can be ripped out and replaced without touching the rest of the toolkit.

Framework plugins do not reproduce standard text

ISO 27001, PCI DSS, and HITRUST CSF text is copyrighted. The toolkit references control IDs and ships implementation guidance in paraphrased form. Each team’s licensed copy of the standard is the source of truth.

GRC in Claude Code, not a replacement for your platform

This toolkit gives practitioners an open place to learn the engineering layer and ship it in public. Commercial platforms, internal GRC teams, 3PAOs, and individual engineers all land in Claude Code eventually. The Finding contract normalizes output from any source, so anyone can plug their stack in and contribute.

Vendors, 3PAOs, and platform teams: this toolkit is invitational. The Finding contract is designed to normalize output from any source. Contribute a connector or a framework plugin.

Who built it

Ethan Troy founded claude-grc-engineering in 2025. He shaped the architecture, wrote the first 30 plus plugins, designed the SCF crosswalk as the backbone, and donated the whole project to the GRC Engineering Club in 2026.

The Club is steward, not creator. The toolkit is now an open-source community project with contributions from practitioners, vendors, and platform teams.

Frequently asked questions

Quick answers about the toolkit, licensing, and contributing.

What is claude-grc-engineering?

claude-grc-engineering is the official open-source GRC toolkit from the GRC Engineering Club. It is a set of Claude Code plugins that pull evidence from your cloud and SaaS tools, crosswalk findings across 1,468 SCF controls mapped to 249 frameworks, generate prioritized gap reports, and produce OSCAL artifacts. Everything runs locally inside Claude Code with no SaaS sign-up.

Is this affiliated with Anthropic?

No. claude-grc-engineering is a community open-source project maintained by the GRC Engineering Club. Claude, Anthropic, and any related marks are property of their respective owners.

Is it free? What is the license?

Yes, the toolkit is free and open-source. The repo lives at github.com/GRCEngClub/claude-grc-engineering. SCF data is fetched and redistributed verbatim under CC BY-ND 4.0; see docs/SCF-ATTRIBUTION.md.

Which frameworks does it support today?

Twenty plus dedicated framework plugins ship today, including SOC 2, NIST 800-53, ISO 27001, FedRAMP Rev 5, FedRAMP 20X, PCI DSS v4, CMMC 2.0, HITRUST, CIS, GDPR, CSA CCM, NYDFS 500, EU DORA, StateRAMP, Essential 8, GLBA, US Export, PBMM, ISMAP, and IRAP. The remaining 229 frameworks in the SCF crosswalk are accessible via /grc-engineer:gap-assessment, and any of them can be scaffolded with /grc-engineer:scaffold-framework.

Does it replace Vanta, Drata, or other GRC platforms?

No. This is a learning toolkit and reference implementation, not a GRC platform. Commercial platforms and this toolkit are complementary. The Finding contract is designed so any source can normalize its output and contribute, including commercial vendors.

What data leaves my machine?

Nothing leaves by default. Connectors run locally and emit findings to your local filesystem. SCF crosswalk data is fetched once and cached locally. You choose what to share if you ship results to Slack, PagerDuty, or another destination.

How do I contribute a framework or connector?

A typical connector is around 200 lines of code. Framework plugins ship at three depth tiers (Stub, Reference, Full). Read docs/CONTRIBUTING.md for the connector path and docs/FRAMEWORK-PLUGIN-GUIDE.md for the framework path. Good first issues are labeled in the repo.

Who maintains it?

Ethan Troy founded the project in 2025, built the architecture and the first 30 plus plugins, and donated it to the GRC Engineering Club in 2026. The Club stewards it now as an open-source community, with contributions from practitioners, vendors, and platform teams.

Build with us.

claude-grc-engineering is open-source, community-maintained, and invitational. The work is in public.