trust-center

claude-grc-engineering

https://github.com/user-attachments/assets/a83aa297-9fba-4a7d-b56c-06f962d1ec6b

Open-source GRC Engineering resource for Claude.

claude-grc-engineering turns technical evidence from cloud, SaaS, code, and security tools into framework-aligned findings, gap reports, remediation guidance, evidence packages, and OSCAL workflows.

It is built for the Claude ecosystem: Claude Code plugin installs first, with Claude Desktop and Claude Cowork usage supported through the same Markdown skills, command runbooks, schemas, and repository files.

It is maintained by the GRC Engineering Club for people who want compliance work to behave more like engineering work: repeatable, testable, versioned, and easy to extend.

Not affiliated with Anthropic. Claude, Anthropic, and related marks are property of their respective owners.

What it does

The toolkit is a Claude Code plugin marketplace. The same plugin skills and command runbooks are also useful in Claude Desktop and Claude Cowork when you add this repository as project context or a shared workspace. Install the pieces you need:

• grc-engineer: the core automation hub for gap assessment, IaC scanning, evidence collection, remediation generation, policy generation, PR review, continuous monitoring, and multi-framework optimization.
• Persona plugins: workflows for auditors, internal GRC teams, third-party risk, reporting, learning, and iterative GRC automation.
• Framework plugins: reference guidance for SOC 2, NIST 800-53, ISO 27001, FedRAMP, PCI DSS, CMMC, HITRUST, CIS Controls, GDPR, DORA, HIPAA Security, regional privacy/security regimes, and more.
• Connector plugins: thin wrappers around tools such as AWS CLI, GitHub CLI, gcloud, Azure CLI, Okta, Slack, Datadog, CrowdStrike, Drata, Splunk, Tenable, Snowflake, and POA&M automation.
• Diagram plugins: editable draw.io system boundaries, evidence flows, control maps, risk treatment, audit workflows, framework crosswalks, TPRM, POA&M, data flows, RACI, and operating model visuals.
• OSCAL and bridge plugins: tooling for FedRAMP/OSCAL workflows and integrations with external GRC systems.

The common path is:

connectors collect evidence
        ↓
findings match schemas/finding.schema.json
        ↓
grc-engineer maps findings through SCF
        ↓
reports, remediation, evidence packages, OSCAL outputs

The Secure Controls Framework (SCF) crosswalk is used as the control backbone: 1,468 controls mapped to 249 frameworks. The toolkit references control IDs and implementation guidance; it does not reproduce copyrighted standards text.

Install in 60 seconds

Inside Claude Code:

/plugin marketplace add GRCEngClub/claude-grc-engineering
/plugin install grc-engineer@grc-engineering-suite

For a first run without cloud credentials, use GitHub as the evidence source:

/plugin install github-inspector@grc-engineering-suite
/plugin install soc2@grc-engineering-suite
/github-inspector:setup
/github-inspector:collect --scope=@me
/grc-engineer:gap-assessment SOC2 --sources=github-inspector

Full walkthrough: docs/QUICKSTART.md.

Using Claude Desktop or Claude Cowork instead of Claude Code? Start with docs/CLAUDE-COWORK.md. Anthropic's security and compliance posture is documented at trust.anthropic.com, and the Claude Cowork third-party platform guide is here: Use Claude Cowork with third-party platforms.

Common workflows