Extend your reach to every pull request, every framework.
For security engineers who cannot personally review every change against every obligation. A framework-grounded second set of eyes on the diff.
Security engineers are outnumbered by the pull requests they are responsible for. You cannot read every diff against every framework your company must meet, and the changes that matter most are often the quiet ones: a dropped check, a widened scope, a weakened default. The goal is leverage, not another queue.
A framework-aware reviewer that does not tire
Linters and scanners already cover vulnerability classes. What they cannot do is reason about the specific obligations your company carries: which controls apply, what the clause expects, whether this change erodes it. heygrc is built to read each pull request against your selected frameworks and cite the control, so the framework-aware review you would do if you had time can happen on every PR, and you spend your attention on the findings that need a human.
It is built to surface and cite, not to decide. You stay the judge of what blocks and what ships.
Changes that read as ordinary code.
A few of the control-relevant changes heygrc is built to flag, each cited to the clause it touches:
An MFA check is skipped on a sensitive path: NIS 2 Art. 21(2)(j)
Input validation is removed, opening an injection path: NIST 800-53 SI-10
Certificate verification is disabled: NIST 800-53 SC-8
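To make the three changes above concrete, here is a small added example of a diff scanner that walks a unified diff, keeps track of old- and new-file line numbers, and reports a removed MFA call, a removed validation call or a newly added TLS-verification bypass together with the control the page cites for it. This is illustrative code written for this page, not heygrc's implementation: the regex rules, the function names they key on (require_mfa, validate_amount and so on), the file path and the sample diff are all constructed assumptions.

```python
"""Toy framework-aware diff scanner (added example, not heygrc code).

Reads a `git diff`-style unified diff and flags the three kinds of change the
page lists, citing the control the page cites for each. The regex rules, the
hypothetical helper names (require_mfa, validate_amount, ...) and the sample
diff are constructed for illustration; a real reviewer would key on the
project's own MFA and validation helpers.
"""
import re
from dataclasses import dataclass

# Each rule: which side of the diff is suspicious ("-" = removed line,
# "+" = added line), the pattern to look for, a short description, and the
# control to cite. The controls are the ones the page pairs with these changes.
RULES = [
    ("-", re.compile(r"\b(require_mfa|mfa_required|check_mfa|verify_otp)\b"),
     "MFA check removed from a code path", "NIS 2 Art. 21(2)(j)"),
    ("-", re.compile(r"\b(validate|sanitize|escape)\w*\("),
     "Input validation removed", "NIST 800-53 SI-10"),
    ("+", re.compile(r"verify\s*=\s*False|CERT_NONE|check_hostname\s*=\s*False"
                     r"|InsecureSkipVerify\s*:\s*true"),
     "Certificate verification disabled", "NIST 800-53 SC-8"),
]

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int      # old-file line for removed code, new-file line for added code
    change: str
    control: str
    text: str


def scan_diff(diff_text: str) -> list[Finding]:
    """Walk the diff, tracking line numbers, and apply RULES to +/- lines."""
    findings: list[Finding] = []
    path = None
    in_hunk = False
    old_ln = new_ln = 0
    for raw in diff_text.splitlines():
        hm = HUNK_RE.match(raw)
        if hm:                                  # hunk header resets both counters
            old_ln, new_ln = int(hm.group(1)), int(hm.group(2))
            in_hunk = True
            continue
        if raw.startswith("diff --git"):        # next file: back to header parsing
            in_hunk = False
            continue
        if not in_hunk:
            if raw.startswith("+++ "):          # new-file header carries the path
                path = raw[4:].strip()
                path = path[2:] if path.startswith("b/") else path
            continue
        if not raw or path is None:
            continue
        tag, body = raw[0], raw[1:]
        if tag == "+":
            ln, new_ln = new_ln, new_ln + 1
        elif tag == "-":
            ln, old_ln = old_ln, old_ln + 1
        elif tag == " ":
            old_ln, new_ln = old_ln + 1, new_ln + 1
            continue
        else:                                   # e.g. "\ No newline at end of file"
            continue
        for side, pattern, change, control in RULES:
            if side == tag and pattern.search(body):
                findings.append(Finding(path, ln, change, control, body.strip()))
    return findings


# Constructed sample PR diff: one file, two hunks, three quiet changes.
SAMPLE_DIFF = """\
diff --git a/app/payments.py b/app/payments.py
--- a/app/payments.py
+++ b/app/payments.py
@@ -10,5 +10,3 @@ def refund(request):
 def refund(request):
-    require_mfa(request.user)
     amount = request.form["amount"]
-    amount = validate_amount(amount)
     return process_refund(request.user, amount)
@@ -40,2 +38,2 @@ def call_bank(payload):
     resp = None
-    return requests.post(BANK_URL, json=payload, timeout=5)
+    return requests.post(BANK_URL, json=payload, timeout=5, verify=False)
"""


def report(diff_text: str) -> list[str]:
    """One human-readable line per finding, as it might appear in a PR comment."""
    return [f"{f.path}:{f.line}: {f.change} [{f.control}]  {f.text}"
            for f in scan_diff(diff_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_DIFF):
        print(line)
```

Two caveats that match the page's "surface, not decide" stance. First, pattern rules only know what was removed or added, not why: a refactor that moves require_mfa into shared middleware produces the same removed line as a genuine bypass, so every finding still needs a human to judge. Second, the scanner assumes `git diff` output, where each file begins with a `diff --git` line; plain `diff -u` output without that line would be parsed less reliably.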
The frameworks that matter most here.
Guide: What SOC 2 actually checks in your repo
heygrc flags control-relevant changes and cites the clause so the issue can be handled in the pull request. It does not certify you, run your audit, or replace your own judgment. heygrc is in early access.