Is there a GitHub app that reviews pull requests for ISO 27001?
the heygrc team
Yes. heygrc is a GitHub App that reviews every pull request against ISO 27001:2022 and cites the specific Annex A control a change touches, for example A.8.15 for a silenced audit log or A.8.24 for weakened cryptography. You install it on your repositories, select ISO 27001 and any other frameworks that apply, and it posts findings as review comments plus a check status that does not block a merge unless you require it. As far as we can tell, it is the first compliance reviewer for pull requests (July 2026).
Install and select your frameworks
Install the GitHub App on the repositories you want reviewed, pick ISO 27001, and add your company context (sector, data types, hosting). There is no CI configuration to maintain; the review runs when a pull request opens or updates.
What an ISO 27001 review of a diff reads
The Annex A controls that live in code: A.8.15 logging, A.8.24 cryptography, A.8.3 information access restriction, A.8.32 change management, among others. Each finding names the clause, so an engineer can argue with it and fix it in the same review, and an auditor can later sample the trail.
Where it fits in your audit
heygrc does not certify you and does not replace the audit. What it changes is when problems are found: a per-change compliance reading moves discovery from the audit's sampling months later into code review, while the author still has the context and the change is still cheap to fix.
export const auditLogger = createLogger({- level: "error",+ level: "info", sink: durableStore,})The right version: the audit logger records routine security events again, not only errors. The reverse change (a quiet severity bump that thins the log an auditor samples) ships as a harmless-looking cleanup, which is exactly the ISO 27001 reading a PR review exists to catch.
Related