What compliance looks like inside a pull request.
Most controls in a framework never touch code. A few do, and those are the ones a review can catch. These pages take a framework apart and show the controls that surface in a diff, the change that trips each one, and the exact clause heygrc cites.
One framework at a time, at the grain of a code change.
We are writing these in order. ISO 27001 is up first; the rest are in progress.
- ISO 27001
The Annex A controls that surface in a diff: logging, cryptography, access restriction, change management, and the clauses heygrc cites for each.
- SOC 2 (writing)
How the Trust Services Criteria, especially the CC6 logical-access family, map to auth, IAM, and secrets changes in a pull request.
- GDPR (writing)
Where data-protection duties land in code: retention bounds, lawful-basis gates, and personal-data flows a review can catch before they ship.
- DORA (writing)
ICT risk and resilience obligations for EU financial entities, and the operational-resilience changes that show up at the PR.
- NIS 2 (writing)
Baseline security and incident-handling duties for in-scope EU operators, mapped to the configuration and monitoring code that carries them.
76 frameworks, one reviewer.
Deep dives exist for a few of these today; more land over time. heygrc is in early access; once you are onboarded, it reviews against whichever frameworks your company must meet.