Introduction
Automated pull request compliance review ensures that code changes meet regulatory requirements before merging. heygrc is a GitHub App that reviews every pull request the moment it opens and flags changes that put a control at risk, regardless of whether a human or an AI agent wrote the code. By integrating compliance checks directly into the development workflow, it helps teams catch issues early and avoid costly audit findings later.
What is heygrc?
heygrc is a compliance review tool designed for development teams that need to meet frameworks such as ISO 27001, SOC 2, GDPR, and many more. It works as a GitHub App that automatically reviews each pull request (PR) at open time. The product scans code changes for modifications that could violate a compliance control, then posts inline comments and a check status that can be required before merging. This shift‑left approach moves compliance verification from the audit room into the daily code review process.
The product is built by ISMS Copilot and currently supports 76 frameworks. It is especially useful for teams that use AI coding assistants like Claude Code, Cursor, Copilot, or Codex, because AI agents can produce large volumes of code quickly. heygrc ensures that speed does not outrun security and compliance controls. Organizations with compliance obligations to SOC 2, ISO 27001, PCI DSS, HIPAA, or other standards will find it valuable for maintaining continuous adherence.
Key Features of heygrc
Real‑time PR compliance checks
heygrc reviews every pull request immediately upon creation. It scans the diff for changes that could weaken a control, such as reducing audit log retention or modifying encryption settings.
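To illustrate the kind of diff check described above, here is an added Python example (not heygrc's code) that walks a constructed unified diff, pairs each removed line with its replacement, and flags a shortened audit log retention and a lowered TLS floor, citing the control ids quoted on this page. The rules, the mapping of each setting to a clause, and the sample diff are assumptions made for the example.

```python
import re

# Constructed sample unified diff (illustrative, not heygrc output): one hunk
# shortens audit log retention, the other lowers the minimum TLS version.
SAMPLE_DIFF = """\
--- a/config/logging.yaml
+++ b/config/logging.yaml
@@ -1,3 +1,3 @@
 audit:
-  retention_days: 365
+  retention_days: 30
   destination: siem
--- a/config/tls.py
+++ b/config/tls.py
@@ -1,2 +1,2 @@
-MIN_TLS_VERSION = "TLSv1.2"
+MIN_TLS_VERSION = "TLSv1.0"
"""

# Hypothetical rules: (finding, value regex, "weakened?" predicate, control).
# The control ids are the ones the page quotes; which setting maps to which
# clause is an assumption made for this example.
RULES = [
    ("audit log retention reduced", re.compile(r"retention_days:\s*(\d+)"),
     lambda old, new: int(new) < int(old), "ISO 27001:2022 A.8.15"),
    ("minimum TLS version lowered", re.compile(r'MIN_TLS_VERSION\s*=\s*"TLSv(\d\.\d)"'),
     lambda old, new: float(new) < float(old), "SOC 2 CC6.1"),
]

def scan_diff(diff: str) -> list[dict]:
    """Pair removed/added lines per file and flag value changes a rule calls weaker."""
    findings, path, pending = [], None, []
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path, pending = line[6:], []          # drop the "+++ b/" prefix
        elif line.startswith("-") and not line.startswith("---"):
            pending.append(line[1:])              # removed line, awaiting its replacement
        elif line.startswith("+") and pending:
            old_line, new_line = pending.pop(0), line[1:]
            for name, rx, weakened, control in RULES:
                old, new = rx.search(old_line), rx.search(new_line)
                if old and new and weakened(old.group(1), new.group(1)):
                    findings.append({"file": path, "finding": name, "control": control,
                                     "old": old.group(1), "new": new.group(1)})
    return findings

def check_conclusion(findings: list[dict]) -> str:
    """GitHub check-run conclusion; 'failure' gates the merge only when branch protection requires the check."""
    return "failure" if findings else "success"
```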
Broad framework coverage
The product supports 76 compliance frameworks, including ISO 27001, SOC 2, SOC 1, GDPR, DORA, NIS 2, EU AI Act, PCI DSS, HIPAA, NIST CSF, and many more. Users pick the frameworks that apply to their company.
Control‑specific citations
Each finding cites the exact control clause (e.g., ISO 27001:2022 A.8.15, SOC 2 CC6.1). This eliminates vague warnings and gives developers a clear reason to adjust their code.
Company context awareness
heygrc reviews against the user’s sector, data types, and hosting region rather than a generic checklist. This reduces false positives and makes each review relevant.
Built for AI‑generated code
The tool treats AI‑written code the same as human‑written code. It flags compliance risks introduced by any agent, so teams can safely adopt AI assistants without exposing themselves to control failures.
Gate merges via GitHub check status
heygrc posts a check status on each PR. Branch protection rules can require this check to pass before merging, making compliance a hard gate in the CI pipeline.
Use Cases for heygrc
Shifting compliance left in engineering workflows
Teams that traditionally review compliance only during audit preparation use heygrc to catch issues at the pull request stage. This reduces the cost and effort of remediation later in the release cycle.
Supporting SOC 2 and ISO 27001 compliance
Companies pursuing or maintaining SOC 2 Type II or ISO 27001 certification need to demonstrate that code changes do not violate controls. heygrc automatically validates against those frameworks and provides evidence of checks.
Enabling safe adoption of AI coding tools
When developers use Claude Code, Cursor, Copilot, or Codex, they produce code faster than manual compliance reviews can keep up. heygrc fills the gap by checking every AI‑generated change for compliance risks before it ships.
How to Use heygrc
- Install the GitHub App – Add heygrc to your GitHub repositories. No CI configuration or YAML files are needed.
- Set your frameworks and context – Choose the compliance frameworks your company must meet (e.g., SOC 2, ISO 27001) and provide relevant company context, such as industry and data types. Onboarding typically takes under two minutes.
- Every PR gets reviewed – On the next pull request, heygrc posts a review with inline comments and a check status. You can optionally require that check to pass in your branch protection rules.
The entire setup is live in about two minutes, and the first PR review begins automatically.
Target Audience for heygrc
- Engineering teams that use GitHub and need to embed compliance checks into their daily code review process
- Compliance officers and security managers who want to reduce audit risk by catching issues before code is merged
- DevOps and platform engineers who manage CI/CD pipelines and need to add compliance gates
- Startups and scale‑ups working toward SOC 2 or ISO 27001 certification
- Enterprises that must comply with multiple frameworks (e.g., DORA, PCI DSS, HIPAA) and have diverse codebases
- Teams using AI coding assistants who want to maintain compliance velocity without slowing down development
Is heygrc Free?
| Plan | Price | Features |
|---|---|---|
| Free | $0 | A set number of pull‑request reviews per billing period, for both public and private repositories. Usage‑based pricing applies after the free allotment. |
Exact numbers and usage thresholds are still being finalized at launch. The official pricing page will provide full details. heygrc is currently in early access, and interested teams can join a waitlist.
heygrc's Pros and Cons
| Aspect | Pros | Cons |
|---|---|---|
| Setup | Installs in minutes with no YAML or CI configuration. | Currently only works with GitHub (other platforms not announced). |
| Framework coverage | Covers 76+ frameworks, including SOC 2, ISO 27001, and many more. | Rule depth may not be uniform across all frameworks. |
| AI‑code readiness | Reviews AI‑generated code identically to human code. | Early access – may still be maturing rules for newer AI patterns. |
| Control citations | Every finding references a specific clause, making remediation clear. | Requires some familiarity with compliance frameworks to interpret clauses. |
| Pricing | Free tier available; no upfront commitment. | Usage‑based pricing beyond free tier; exact costs not yet published. |
| Integration | Natively integrates as GitHub check status for gating merges. | Does not yet offer direct integrations with GitLab, Bitbucket, or other Git hosts. |
Frequently Asked Questions about heygrc
Which frameworks does heygrc cover?
heygrc currently supports 76 frameworks, including ISO 27001, SOC 2, SOC 1, GDPR, DORA, NIS 2, EU AI Act, PCI DSS, HIPAA, NIST CSF, and many more. Users select only the frameworks that apply to their company.
Is there a free tier?
Yes. heygrc gives you a set number of pull‑request reviews for free. After that, it converts to usage‑based pricing. The same terms apply to public and private repositories. Exact numbers are still being finalized at launch.
Does heygrc block pull requests from being merged?
Only if you configure it to do so. heygrc posts a GitHub check status. You can optionally require that check to pass in your branch protection rules; otherwise, it simply provides feedback without blocking.
How is heygrc different from a typical bug bot or linter?
Bug bots and linters catch software defects like syntax errors or security vulnerabilities. heygrc catches compliance‑relevant changes measured against specific regulatory frameworks. It answers the question “Does this code change still meet our compliance requirements?” rather than “Is this code correct?”
When can I start using heygrc?
heygrc is in early access. You can join the waitlist on the product website, and the team will reach out as they onboard new teams.
Can heygrc review code written by AI agents like Claude Code or Copilot?
Yes. heygrc reviews every pull request, regardless of whether the code was written by a human or an AI agent. This ensures that fast AI‑generated changes never outrun compliance controls.
heygrc Tags
heygrc, pull request compliance review, SOC 2 compliance, ISO 27001 compliance, automated compliance check, GitHub compliance check, AI code review compliance, shift left compliance, compliance as code, DORA compliance, NIST CSF, PCI DSS compliance, HIPAA compliance, compliance in CI/CD