grc-engineer

claude-grc-engineering

I've worked both sides of FedRAMP: years as a 3PAO assessor, and I build open-source GRC tooling for the teams stuck doing the work by hand. Every team I've assessed ends up re-inventing the same pipeline: pull evidence from AWS, GitHub, GCP, and Okta; map it to SOC 2 or NIST 800-53 or FedRAMP Moderate/High; generate a gap report; fight with OSCAL. I wanted one toolkit that did the whole pipeline end-to-end without bolting me into a vendor platform. This is it.

Install as a Claude Code plugin. Run:

/grc-engineer:gap-assessment SOC2,FedRAMP-Moderate --sources=aws,github

You get a prioritized, effort-estimated, remediation-linked gap report backed by 1,468 Secure Controls Framework controls crosswalked to 249 frameworks.

Not affiliated with Anthropic. Independent open-source project. Claude, Anthropic, and any related marks are property of their respective owners.

What I'm taking a position on

A few opinionated design choices worth naming up front, since they're most of what makes this different from a Vanta or Drata clone.

SCF is the right crosswalk source. Everyone rolls their own control-mapping tables. They're usually incomplete, and nobody maintains them past the quarter they were built in. SCF has 1,468 controls mapped bidirectionally to 249 frameworks, publishes quarterly, and ships as a static JSON API. Use it as the backbone. Stop hand-maintaining CSVs.

Connectors should be thin. Most GRC platforms bundle giant agents that do everything. That's a vendor lock-in pattern, not an engineering pattern. Every connector here is a few hundred lines that shells out to tools you already have (aws, gcloud, gh, direct Okta API). You can rip and replace any of them without touching the rest of the toolkit.

Framework plugins don't reproduce standard text. ISO 27001, PCI DSS, and HITRUST CSF text is copyrighted. Plenty of GRC tools publish that text inside their product and hope nobody notices. This toolkit references control IDs and ships implementation guidance in my own words. Your licensed copy of the standard is the source of truth.

Vanta, Drata, OneTrust, and Archer are good at what they do. They're also expensive, slow to extend, and assume you have a compliance team. This is for teams that want the engineering layer without the platform lock-in, and for 3PAOs and assessors who want to cross-check what a platform is reporting.

60-second install

# In Claude Code
/plugin marketplace add ethanolivertroy/claude-grc-engineering
/plugin install grc-engineer@ethanolivertroy-plugins

For a first run with no cloud credentials, use your GitHub account as the data source:

/plugin install github-inspector@ethanolivertroy-plugins
/plugin install soc2@ethanolivertroy-plugins
/github-inspector:setup
/github-inspector:collect --scope=@me
/grc-engineer:gap-assessment SOC2 --sources=github-inspector

Full walkthrough: docs/QUICKSTART.md.

What you can do with it

Workflow	Command
Gap-assess an environment against one or many frameworks at once	/grc-engineer:gap-assessment
Scan Terraform, CloudFormation, or Kubernetes for compliance violations, optionally auto-fix	/grc-engineer:scan-iac
Validate a control end-to-end: config, functionality, compliance	/grc-engineer:test-control
Generate remediation (Terraform modules, Python evidence scripts, Rego/Cedar policies)	/grc-engineer:generate-implementation, generate-policy
See one control across every framework it maps to	/grc-engineer:map-controls-unified
Find conflicting requirements across frameworks, with "most-restrictive wins" resolution	/grc-engineer:find-conflicts
Optimize multi-framework implementation (satisfy many with one)	/grc-engineer:optimize-multi-framework
Continuous monitoring with Slack, PagerDuty, or email alerts	/grc-engineer:monitor-continuous
Check pipeline health: which connectors are configured, last-run, cache freshness	/grc-engineer:pipeline-status
Review a PR for compliance regressions before merge	/grc-engineer:review-pr
Build audit workpapers and evidence packages	/grc-auditor:generate-workpaper, /grc-engineer:collect-evidence
Generate OSCAL SSP, SAP, SAR, or POA&M from findings and framework configs	/oscal:* (see OSCAL plugin)
Analyze a vendor security questionnaire (SIG, CAIQ, Yardstick)	/grc-tprm:analyze-questionnaire

Every command's reference page lives in its plugin's commands/ directory with full input and output documentation.

Plugin categories

Engineering hub