heyGRC docs
Source for docs.heygrc.com. Customer-facing.
heyGRC is compliance review for your pull requests — like a code reviewer, but for your ISMS and the frameworks you must comply with (ISO 27001, ISO 42001, SOC 2, GDPR, the EU AI Act, and ~75 more). It runs as a GitHub App and is configured as code through a small REST API, so you can set it up entirely from your coding agent (Claude Code, Cursor, Copilot, …).
Start here
- Set up heyGRC with your agent — the ~3-minute onboarding.
- API reference — the
/v1/configcontract + the framework catalog.
How it works
- Install the heyGRC GitHub App on the repos you want reviewed.
- Configure your company context + the frameworks you care about (one API call — your agent can do it for you).
- heyGRC reviews each pull request, grounded in that context, and posts a review with inline comments plus a Checks status. It never blocks merges — findings are surfaced as a neutral check, not a gate.
That grounding is the whole point: heyGRC measures your diff against your obligations, not generic advice. A change to auth, data handling, logging, or a new dependency gets read against the specific controls of the frameworks you selected.