Static analysis (SAST)
heyGRC and Semgrep
Semgrep is built to find patterns in code: security anti-patterns, correctness issues, and whatever custom rules you write, reported fast and at the line level. heyGRC works at a different layer: it maps a change to the compliance control it touches and cites the clause. Both meet you in the pull request, Semgrep on code patterns and heyGRC on your framework obligations.
What Semgrep focuses on
- Pattern-based scanning for security and correctness issues.
- Custom rules you can write for your own codebase.
- Fast, line-level findings in the pull request.
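As an illustration of the custom, pattern-based rules described above, here is a small Semgrep rule written for this page (it is not Semgrep's or heyGRC's own rule). It flags Python `subprocess` calls that pass `shell=True` with a command that is not a string literal, the classic spot where unvalidated input reaches a shell. The rule id, message text and `metadata` values are assumptions chosen for the example; the `control` annotation is a hypothetical tag, not something either tool reads automatically.

```yaml
# Added example rule: flag shell=True with a non-literal command string.
# Run with: semgrep --config subprocess-shell-true.yml path/to/code
rules:
  - id: subprocess-shell-true-dynamic-command   # assumed id
    languages: [python]
    severity: WARNING
    message: >-
      subprocess call uses shell=True with a command that is not a string
      literal. Validate the input or pass an argument list without a shell.
    patterns:
      # Any subprocess.<func>(...) call that sets shell=True anywhere in its arguments.
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # Exclude calls whose first argument is a plain string literal ("..." matches any literal).
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)
    metadata:
      category: security
      control: "NIST 800-53 SI-10 (example annotation)"   # hypothetical tag
```

On a file containing `subprocess.run(cmd, shell=True)` the rule reports that line; `subprocess.run("ls -l", shell=True)` is not reported because the literal command matches the `pattern-not` clause. Test a rule against sample files before enabling it in CI so the exclusion behaves as intended.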
What heygrc adds alongside it
- A finding expressed as a framework control with its exact clause, checkable against your audit. (See: NIST 800-53 SI-10 in code.)
- The compliance reading of a change, mapped across the frameworks you report on.
- A compliance-control view of process and data-handling changes. (See: GDPR data minimisation in code.)
Use them together
Let Semgrep catch the code patterns; let heyGRC tell you when a change touches a compliance control.