claude-grc-engineering  by GRCEngClub

GRC engineering toolkit for automated compliance

Created 5 months ago
273 stars

Top 94.4% on SourcePulse

Project Summary

This open-source toolkit transforms technical evidence from cloud, SaaS, code, and security tools into framework-aligned GRC findings, gap reports, and OSCAL workflows. Targeting GRC practitioners and engineers, it aims to make compliance work more repeatable, testable, and extensible by integrating GRC functions into the Claude AI ecosystem.

How It Works

The toolkit functions as a Claude Code plugin marketplace, enabling GRC tasks to be run from within an AI assistant. Its core is the grc-engineer automation hub, which processes technical evidence collected by various connector plugins. Each piece of evidence is normalized against finding.schema.json and then mapped to controls using the Secure Controls Framework (SCF) as the control backbone (1,468 controls across 249 frameworks). From the mapped findings the system generates framework-aligned findings, gap reports, remediation guidance, evidence packages, and OSCAL outputs, with the goal of making GRC processes as repeatable and testable as engineering workflows.

Quick Start & Requirements

Installation within Claude Code is initiated with /plugin marketplace add GRCEngClub/claude-grc-engineering, followed by /plugin install grc-engineer@grc-engineering-suite. Initial setup without cloud credentials can use plugins such as github-inspector and soc2. Detailed setup and usage guides are available in docs/QUICKSTART.md and docs/CLAUDE-COWORK.md.

Highlighted Details

  • Leverages the Secure Controls Framework (SCF) to map 1,468 controls across 249 compliance frameworks.
  • Offers extensive connector plugins for evidence collection from cloud, SaaS, code, and security tools (e.g., AWS CLI, GitHub CLI, Splunk, Tenable).
  • Automates generation of gap assessments, remediation code, policy documents, OSCAL artifacts (SSP, SAP, SAR, POA&M), and GRC diagrams.
  • Provides specialized commands for tasks like IaC scanning (scan-iac), control validation (test-control), and multi-framework optimization (optimize-multi-framework).

Maintenance & Community

The project is maintained by the GRC Engineering Club, and contributions are welcomed from GRC practitioners and security engineers. Contribution guidelines are detailed in docs/CONTRIBUTING.md. Security-sensitive reports should follow the private advisory process outlined in SECURITY.md.

Licensing & Compatibility

The core code is MIT licensed, permitting commercial use and closed-source integration. However, specific components carry different licenses: the CIS Controls plugin is CC BY-SA 4.0, and SCF data is CC BY-ND 4.0 (attribution, no derivatives). Users must comply with each of these terms separately.

Limitations & Caveats

The project is currently in a pre-1.0 development phase, so breaking changes to the Finding schema are possible; these are documented in CHANGELOG.md. The toolkit does not reproduce copyrighted standards text, and SCF data is distributed verbatim under a no-derivatives license.

Health Check

  • Last Commit: 1 day ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 64
  • Issues (30d): 38
  • Star History: 177 stars in the last 30 days
