Compliance, in your pull requests

Find compliance problems in code review, not in your audit.

heygrc reviews every pull request the moment it opens, catches the changes that put a control at risk, and says exactly what to fix, whether a person or an AI agent wrote the code.

Pull request #248 on github.com/acme/platform
config/logging.ts (+1, -1)
heygrc: Compliance issue. ISO 27001:2022 A.8.15; SOC 2 CC7.2

This cuts audit-log retention from 365 to 30 days. ISO 27001:2022 A.8.15 expects logs kept to your defined retention policy, and SOC 2 CC7.2 monitoring evidence typically needs at least 90 days. Confirm this matches your retention policy before merging.

heygrc: 1 compliance issue (Required check)
Reviews pull requests from Claude Code, Cursor, Copilot, Codex, and your team.

How it works

Live in two minutes. Reviewing on the next PR.

01. Install the GitHub App

Add heygrc to your repositories. No CI config, no YAML to maintain.

02. Set your frameworks

Pick the frameworks your company must meet and add your company context. Onboarding takes under two minutes.

03. Every PR gets reviewed

heygrc posts a review, inline comments, and a check status you can require before merge.

Framework breadth

Speaks every framework your auditors do.

76 frameworks, one reviewer. Choose the ones your company must comply with.

  • ISO 27001
  • SOC 2
  • SOC 1
  • GDPR
  • DORA
  • NIS 2
  • ISO 42001
  • EU AI Act
  • PCI DSS
  • HIPAA
  • ISO 27701
  • ISO 27017
  • ISO 27018
  • NIST CSF
  • NIST 800-53
  • NIST 800-171
  • CMMC
  • FedRAMP
  • CCPA / CPRA
  • Cyber Essentials
  • TISAX
  • ISO 22301
  • SOX
  • CIS Controls
  • + 52 more

Why heygrc

Built for the moment a change ships, not the audit after.

Built for AI-written code

Agents ship faster than any human can compliance-check. heygrc reviews every pull request they open, so speed never outruns your controls.

Cites the actual control

Every finding is grounded in a specific clause, such as ISO 27001:2022 A.8.15 or SOC 2 CC6.1. No vague hand-waving.

Knows your company

Reviews against your sector, data types, and hosting region, not a generic checklist.

Gate your merges

A GitHub check status you can require in branch protection. Compliance becomes part of CI.

Built by ISMS Copilot

The compliance depth behind ISMS Copilot, now reviewing your code.

heygrc is the pull-request compliance product from ISMS Copilot, the compliance platform covering 76 frameworks. The same framework knowledge that powers compliance work, now reading your diffs and citing the exact control before a change ships.

FAQ

Questions, answered.

Which frameworks does heygrc cover?

76 and counting, from ISO 27001 and SOC 2 to GDPR, DORA, NIS 2, and the EU AI Act. You choose which apply to your company.

Is there a free tier?

Yes. You get a set number of pull-request reviews for free, then pricing is usage-based. The same applies to public and private repositories. Final numbers will be announced at launch.

Does it block my pull requests?

Only if you want it to. heygrc posts a GitHub check status you can optionally require in branch protection.

How is this different from a bug bot?

Bug bots catch defects. heygrc catches compliance-relevant changes, measured against the frameworks you must comply with.

When can I use it?

heygrc is in early access. Join the waitlist and we will reach out as we onboard teams.

Catch the issue at the PR.

Join the early-access list. We are onboarding teams now.