gigachad-grc

Open-source GRC platform for modern security teams. Manage compliance (SOC 2, ISO 27001, HIPAA), risk registers, vendor assessments, and audits—all in one place. AI-powered, containerized, enterprise-ready.

Stars: 75

Visit

A comprehensive, modular, containerized Governance, Risk, and Compliance (GRC) platform built with modern technologies. Manage your entire security program from compliance tracking to risk management, third-party assessments, and external audits. The platform includes specialized modules for Compliance, Data Management, Risk Management, Third-Party Risk Management, Trust, Audit, Tools, AI & Automation, and Administration. It offers features like controls management, frameworks assessment, policies lifecycle management, vendor risk management, security questionnaires, knowledge base, audit management, awareness training, phishing simulations, AI-powered risk scoring, and MCP server integration. The tech stack includes Node.js, TypeScript, React, PostgreSQL, Keycloak, Traefik, Redis, and RustFS for storage.

README:

GigaChad GRC

🚀 Quick Start (Just Docker Required!)

Prerequisites

You only need one thing: Docker Desktop

Platform	Install Docker
macOS	Download for Mac (Apple Silicon or Intel)
Windows	Download for Windows (requires WSL 2)
Linux	`curl -fsSL https://get.docker.com \| sh`

No Node.js, npm, or other development tools required!

Start in 3 Commands

git clone https://github.com/grcengineering/gigachad-grc.git
cd gigachad-grc
./start.sh

Windows Users:

start.bat

That's it! Your browser opens to http://localhost:3000 — click "Dev Login" to access.

First time? Initial build takes 3-5 minutes. Subsequent starts are ~30 seconds.

Available Commands

Command	Description
`./start.sh`	Start the platform
`./start.sh stop`	Stop all services
`./start.sh logs`	View live logs
`./start.sh status`	Check service health

Need Help Getting Started?

📖 Complete Getting Started Guide — Step-by-step instructions with screenshots, troubleshooting, and system requirements.

Alternative Setup Options

For developers who prefer more control:

./init.sh demo    # Interactive demo setup with sample data
./init.sh dev     # Local development mode (requires Node.js 20+)
make help         # See all Makefile commands

Try in your browser (no installation):

➡️ See the Demo & Sandbox Guide for detailed walkthrough with sample data.

📚 Documentation

Getting Started

Document	Description
Getting Started Guide	Start here! Complete setup guide for all skill levels
Quick Start Guide	Fast-track setup for experienced users
Demo & Sandbox	Try with sample data, one-click demo setup
Troubleshooting	Common issues and solutions

Core Documentation

Document	Description
Architecture Guide	System architecture, API gateway, microservices, network topology
API Reference	Complete API documentation with endpoints, authentication, examples
Configuration Reference	Environment variables, service configuration, Traefik, database
Development Guide	Local setup, project structure, coding standards, testing
Deployment Guide	Production deployment, CI/CD, monitoring, backups
Upgrade Guide	Upgrading between versions, migration steps

Security & Compliance

Document	Description
Security Policy	Security vulnerability reporting and policies
Security Audit	Dependency audit findings, vulnerability status, remediation
Security Model	Comprehensive security architecture, authentication, authorization, and hardening
Permissions Matrix	Role-based access control and permission definitions
MCP Credential Security	Secure handling of MCP server credentials

Configuration & Operations

Document	Description
Environment Configuration	Detailed environment variable reference
Module Configuration	Enable/disable platform modules
Production Deployment	Production-ready deployment checklist

Platform Guides

Document	Description
Platform Review	Comprehensive platform capabilities overview
Help Center	User guides and how-to documentation
MCP Quick Start	Getting started with MCP server integration

Audit & Stability Reports

Document	Description
Stability Audit Phase 1	Phase 1 stability audit findings and fixes
Stability Audit Phase 2	Phase 2 stability audit findings and fixes

Quick Links

API Gateway: Traefik v3.0 - Configuration Details
Authentication: Keycloak OAuth 2.0 - Setup Guide
Database: PostgreSQL 16 - Schema Details
Monitoring: Prometheus + Grafana - Setup Guide
AI Integration: OpenAI/Anthropic - AI Configuration

Platform Overview

GigaChad GRC is a complete enterprise GRC solution organized into specialized modules, each handling a critical aspect of your compliance and risk management program:

Compliance: Controls, frameworks, policies, and evidence management
Data Management: Evidence library, policies, assets, and integrations
Risk Management: Risk register, scenarios, heatmaps, and treatment tracking
Third-Party Risk (TPRM): Vendor management, assessments, and contracts
Trust: Security questionnaires, knowledge base, and public trust center
Audit: Internal and external compliance audits with auditor portal
Tools: Awareness training, security education programs
AI & Automation: AI-powered risk scoring, categorization, smart search, and MCP server integration
Administration: User management, permissions, audit logs, and settings

Modules & Capabilities

1. Compliance Module

Controls Management (Port 3001)

Complete lifecycle management for security controls across all frameworks.

Features:

Control library with pre-loaded SOC 2 and ISO 27001 controls
Implementation status tracking (Not Started, In Progress, Implemented, Validated)
Testing history with evidence collection
Control owners and assignment
Evidence linking and attachment
Test scheduling and reminders
Control effectiveness scoring
Cross-framework mapping

API Endpoints:

GET/POST /api/controls - List and create controls
GET/PATCH/DELETE /api/controls/:id - Manage individual controls
GET /api/controls/:id/evidence - View linked evidence
POST /api/controls/:id/test - Record testing activities

Frameworks (Port 3002)

Framework readiness assessment and gap analysis for major compliance standards.

Pre-loaded Frameworks:

SOC 2 Type II (Trust Services Criteria)
ISO 27001:2022 (with Annex A controls)
NIST CSF 2.0 (ready)
PCI DSS (ready)
HIPAA (ready)
Custom frameworks

Features:

Real-time readiness scoring
Gap analysis with prioritized recommendations
Control mapping across frameworks
Implementation roadmaps
Evidence collection per requirement
Compliance status dashboards
Framework comparison and overlap analysis

API Endpoints:

GET /api/frameworks - List all frameworks
GET /api/frameworks/:id - Framework details with requirements
GET /api/frameworks/:id/readiness - Calculate readiness score
POST /api/frameworks/:id/assess - Submit control assessments

2. Data Management Module

Evidence Library

Centralized repository for all compliance evidence with intelligent organization.

Features:

Multi-backend storage (Local, RustFS/S3, Azure Blob)
Document versioning and history
Evidence types (Policy, Procedure, Screenshot, Report, Log, Certificate)
Control linking with many-to-many relationships
Automated retention policies
Full-text search and filtering
Collection dates and validity periods
Evidence review workflows

API Endpoints:

GET/POST /api/evidence - List and upload evidence
GET/DELETE /api/evidence/:id - Manage evidence items
GET /api/evidence/:id/download - Download evidence files

Policies (Port 3004)

Policy lifecycle management with versioning and approval workflows.

Features:

Policy document management with versions
Approval workflows (Draft → Review → Approved → Published)
Review scheduling and reminders
Control linking
Policy effectiveness tracking
Document history and audit trail
Policy categories and tagging

API Endpoints:

GET/POST /api/policies - List and create policies
GET /api/policies/:id - Policy details
POST /api/policies/:id/approve - Approve policy version
GET /api/policies/:id/versions - Version history

Assets

IT asset inventory with security metadata and classification.

Features:

Asset inventory management (Hardware, Software, Data, People, Services)
Criticality classification (Critical, High, Medium, Low)
Data sensitivity classification (Public, Internal, Confidential, Restricted)
Asset owner assignment
Risk and control linking
Business process association
Asset lifecycle tracking (Active, Retired, Decommissioned)
Custom metadata and tagging

API Endpoints:

GET/POST /api/assets - List and create assets
GET/PATCH/DELETE /api/assets/:id - Manage individual assets
POST /api/assets/:id/link - Link assets to risks/controls

Integrations

External tool integrations for automated evidence collection.

Supported Integrations:

AWS: S3 bucket configs, IAM policies, EC2 security groups, VPC flow logs, Config rules
Azure: Resource inventory, security center findings, compliance policies
GitHub: Branch protection rules, Dependabot alerts, secrets scanning, code scanning
Okta: MFA enrollment, password policies, inactive users, admin access logs
Google Workspace: User MFA status, admin roles, Drive sharing settings
Jamf: Device encryption status, OS versions, security patch compliance

Features:

Scheduled evidence collection (hourly, daily, weekly)
Credential management with encryption
Collection history and status tracking
Automatic evidence upload to library
Integration health monitoring

API Endpoints:

GET/POST /api/integrations - Integration management
POST /api/integrations/:id/test - Test connection
POST /api/integrations/:id/collect - Trigger manual collection

3. Risk Management Module (Ports 3001-3002)

Complete enterprise risk management with quantitative and qualitative approaches.

Risk Dashboard

Executive overview of organizational risk posture.

Metrics:

Total risks by severity
Risk trend analysis
Treatment status
High-priority risks
Risk appetite vs. actual
Top risk categories

Risk Register

Central repository for all identified risks with comprehensive tracking.

Features:

Risk identification and documentation
Likelihood and impact scoring (1-5 scale)
Inherent vs. residual risk calculation
Risk owners and accountability
Treatment plans (Accept, Mitigate, Transfer, Avoid)
Status tracking (Identified → Assessed → Treated → Monitored)
Control linking and effectiveness
Risk categories and tagging

Risk Scoring:

Quantitative: Likelihood × Impact (1-25 scale)
Qualitative: Low, Medium, High, Critical
Customizable risk matrices
Automated risk level calculations

Risk Heatmap

Visual risk matrix showing risk distribution by likelihood and impact.

Features:

Interactive heat map visualization
Risk clustering by category
Drill-down to risk details
Filter by status, owner, category
Export to PDF/PNG

Risk Scenarios

Scenario-based risk modeling and planning.

Features:

Threat scenario modeling
Impact analysis
Mitigation strategy planning
Scenario libraries (Cyber attacks, Data breaches, Disasters)

My Risk Queue

Personal task list for assigned risks and actions.

Features:

Assigned risks requiring action
Overdue treatment plans
Upcoming risk reviews
Evidence collection tasks

Risk Reports

Comprehensive risk reporting and analytics.

Report Types:

Executive risk summary
Risk register report
Treatment effectiveness
Risk trend analysis
Control effectiveness
Custom reports with filters

API Endpoints:

GET/POST /api/risks - List and create risks
GET/PATCH /api/risks/:id - Manage risks
POST /api/risks/:id/assess - Update risk assessment
GET /api/risk-dashboard - Dashboard statistics
GET /api/risk-heatmap - Heatmap data

4. Third-Party Risk Management (TPRM) (Port 3005)

Complete vendor risk management lifecycle.

Vendor Management

Centralized vendor database with risk profiles.

Features:

Vendor contact information
Risk tier classification (Critical, High, Medium, Low)
Vendor categories (Cloud, SaaS, Consultant, etc.)
Vendor status (Active, Under Review, Offboarded)
Due diligence documentation
Vendor lifecycle tracking
Relationship owners

Assessments

Security assessments and questionnaires for vendors.

Assessment Types:

Initial due diligence
Annual reviews
Incident-triggered assessments
Ad-hoc assessments

Features:

Customizable questionnaire templates
Assessment scoring and risk rating
Finding tracking and remediation
Evidence collection from vendors
Assessment history and trends
Approval workflows

Contracts

Contract lifecycle management for vendor relationships.

Features:

Contract metadata (dates, value, terms)
SLA tracking
Renewal reminders
Contract document storage
Amendment history
Contract status (Draft, Active, Expiring, Expired)
Vendor linking

API Endpoints:

GET/POST /api/vendors - Vendor management
GET/POST /api/assessments - Assessment workflows
GET/POST /api/contracts - Contract management

5. Trust Module (Port 3006)

Build and maintain customer trust through transparency and responsiveness.

Questionnaires

Security questionnaire response management system.

Features:

Questionnaire templates (SOC 2, ISO 27001, Custom)
Question bank with reusable answers
Response history and versioning
Customer portal for submission
Approval workflows
Evidence attachment
Auto-population from knowledge base

Knowledge Base

Centralized security knowledge repository for consistent responses.

Features:

Question and answer library
Categories and tagging
Search and filtering
Version control
Approval workflows
Control/policy linking
Confidence scoring

Use Cases:

Pre-populate questionnaire responses
Sales engineering reference
Customer FAQ
Internal training

Trust Center

Public-facing security and compliance transparency portal.

Features:

Customizable branding (logo, colors, description)
Section-based content management:
- Overview: Company security commitment
- Certifications & Compliance: Frameworks and certifications
- Security Controls: Technical and operational controls
- Policies & Documentation: Security policies
- Security Updates: News and incident communications
- Contact: Security team contact information
Publish/draft workflow
Preview mode before publishing
SEO-friendly public URLs
Responsive design

API Endpoints:

GET/POST /api/questionnaires - Questionnaire management
GET/POST /api/knowledge-base - Knowledge base entries
GET/PATCH /api/trust-center/config - Trust center configuration
GET/POST /api/trust-center/content - Content management
GET /api/trust-center/public - Public trust center view

6. Audit Module (Port 3007) [NEW]

Comprehensive audit management for internal and external compliance audits.

Audits

Central audit management with support for multiple audit types.

Audit Types:

Internal audits
External audits (SOC 2, ISO 27001)
Surveillance audits
Certification audits

Features:

Audit planning and scoping
Framework selection (SOC 2, ISO 27001, HIPAA, PCI DSS)
Audit team management
External auditor information tracking
Timeline tracking (planned vs. actual)
Audit status workflow (Planning → Fieldwork → Testing → Reporting → Completed)
Finding aggregation and statistics
Portal access for external auditors
FieldGuide integration ready

Auditor Portal:

Secure access code generation
Temporary access with expiration
Document request submission
Evidence review interface
Comment threads on requests

Audit Requests

Evidence and documentation request tracking.

Request Categories:

Control documentation
Policy review
Evidence collection
Interviews
System access
Walkthroughs

Features:

Request assignment to internal team
Priority levels (Low, Medium, High, Critical)
Due date tracking with overdue alerts
Status workflow (Open → In Progress → Submitted → Under Review → Approved)
Evidence attachment
Comment threads
Clarification requests
Control/requirement linking

Findings

Audit finding and observation management.

Finding Types:

Control deficiencies
Documentation gaps
Process issues
Compliance gaps

Features:

Severity classification (Critical, High, Medium, Low, Observation)
Root cause analysis
Impact assessment
Remediation planning
Remediation owner assignment
Target and actual completion dates
Management response tracking
Status tracking (Open → Remediation Planned → In Progress → Resolved)
Control/requirement linking

Additional Capabilities:

Test Results: Control testing with sampling methodologies
Meetings: Audit kickoffs, status updates, interviews, closing meetings
Activity Log: Complete audit trail of all actions
Dashboard: Real-time audit statistics and progress

API Endpoints:

GET/POST /api/audits - Audit management
GET /api/audits/dashboard - Audit statistics
POST /api/audits/:id/portal/enable - Enable auditor portal
GET/POST /api/audit-requests - Request management
POST /api/audit-requests/:id/comments - Discussion threads
GET/POST /api/audit-findings - Finding management

FieldGuide Integration:

OAuth 2.0 authentication with FieldGuide
Bi-directional sync with FieldGuide platform
Audit data synchronization
Request mapping with automatic updates
Evidence sharing between platforms
Webhook support for real-time updates
Conflict resolution for simultaneous edits
Sync history and audit logging

FieldGuide API Endpoints:

GET /api/fieldguide/connect - Initiate OAuth connection
GET /api/fieldguide/callback - OAuth callback handler
POST /api/fieldguide/sync - Trigger bi-directional sync
POST /api/fieldguide/webhooks - Webhook receiver

7. Tools Module

Awareness & Training

Comprehensive security awareness training program management.

Features:

Training course management (Security Basics, Phishing Awareness, Data Protection, etc.)
Training assignment to users and groups
Progress tracking and completion status
Quiz engine with multiple question types
Certificate generation upon completion
Compliance tracking for required training
Training content management

Quiz Engine:

Multiple choice, true/false, and multi-select questions
Configurable passing scores
Question randomization
Answer explanations
Retake policies

Certificate Features:

Automatic generation on course completion
PDF download
Unique certificate IDs for verification
Expiration dates for recurring training

API Endpoints:

GET/POST /api/training/courses - Course management
GET/POST /api/training/assignments - Assign training
POST /api/training/:courseId/quiz - Take quiz
GET /api/training/:courseId/certificate - Download certificate

Phishing Simulations

Security awareness through realistic phishing simulations.

Campaign Features:

Campaign creation with templates
Target group selection
Scheduling (immediate, scheduled, recurring)
Email template customization
Landing page configuration
Real-time tracking and analytics

Analytics & Reporting:

Click rates by department
Report rates
Training completion correlation
Historical trend analysis
User risk scoring
Department benchmarking

Template Library:

Pre-built phishing templates (Credential harvesting, Malware, Gift card scams, etc.)
Custom template creation
Template difficulty ratings
Industry-specific templates

API Endpoints:

GET/POST /api/phishing/campaigns - Campaign management
GET /api/phishing/campaigns/:id/analytics - Campaign analytics
GET/POST /api/phishing/templates - Template management
POST /api/phishing/report - User phishing report submission

8. AI & Automation Module

Enterprise AI capabilities and MCP (Model Context Protocol) server integration for intelligent GRC operations.

AI Configuration

AI-powered features using GPT-5 (OpenAI) or Claude Opus 4.5 (Anthropic).

Supported AI Providers:

OpenAI: GPT-5 (Most Capable), GPT-5 Mini, o3 (Advanced Reasoning), o3-mini
Anthropic: Claude Opus 4.5 (Most Capable), Claude Sonnet 4, Claude 3.5 Sonnet, Claude 3.5 Haiku

AI Features:

Risk Scoring: AI-suggested risk likelihood and impact with rationale
Auto-Categorization: Automatic categorization and tagging of controls, risks, policies
Smart Search: Natural language search across all GRC modules
Policy Drafting: Generate policy drafts based on requirements and context
Control Suggestions: AI-recommended controls for risks and compliance requirements

MCP Server Integration

Model Context Protocol servers for automated GRC workflows.

Available MCP Servers:

grc-evidence: Automated evidence collection from cloud providers and security tools
- AWS (S3, IAM, EC2, VPC, Config)
- Azure resources
- GitHub (branch protection, secrets scanning, Dependabot)
- Okta (MFA status, password policies, inactive users)
- Google Workspace (user MFA, admin roles, sharing settings)
- Jamf (device encryption, OS versions, security patches)
- Vulnerability scanning integration
- Screenshot capture for visual evidence
grc-compliance: Automated compliance checking and reporting
- Control testing automation
- Policy validation against requirements
- Compliance report generation
- Framework-specific checks (SOC 2, ISO 27001, HIPAA, GDPR)
grc-ai-assistant: AI-powered GRC operations
- Deep risk analysis with contextual understanding
- Control recommendations based on risks and requirements
- Policy document drafting
- Automatic requirement mapping
- Finding explanation in plain language
- Remediation prioritization
- Compliance gap analysis
- Vendor risk assessment

API Endpoints:

GET /api/ai/config - Get AI configuration
POST /api/ai/risk-scoring - AI risk scoring suggestions
POST /api/ai/categorize - Auto-categorization
POST /api/ai/search - Smart natural language search
GET /api/mcp/servers - List active MCP servers
POST /api/mcp/tools/call - Execute MCP tool
POST /api/mcp/workflows - Manage MCP workflows

9. Settings & Administration

User Management

User account and access control management via Keycloak.

Features:

User provisioning and deactivation
Role assignment (Admin, Compliance Manager, Auditor, Viewer)
SSO integration via Keycloak
Multi-factor authentication
Session management

Permissions

Role-based access control and permission groups.

Default Roles:

Admin: Full system access
Compliance Manager: Manage controls, evidence, frameworks
Risk Manager: Manage risks and treatments
Auditor: Read-only access to controls and evidence
Viewer: Limited read access

Audit Log

Complete system audit trail for compliance and forensics.

Tracked Events:

User actions (login, logout, changes)
Entity changes (create, update, delete)
Access attempts
Configuration changes
Evidence uploads/downloads
Approval actions

Features:

Search and filtering
Export to CSV
Date range queries
User activity reports
Change history with before/after values

Risk Configuration

Risk management system configuration.

Settings:

Risk scoring methodology
Likelihood definitions (1-5)
Impact definitions (1-5)
Risk appetite thresholds
Risk categories
Treatment options
Review frequencies

Dashboard

The main dashboard provides an executive overview of your entire GRC program:

Compliance Metrics:

Overall compliance score
Control implementation status
Framework readiness percentages
Evidence collection status
Upcoming control tests

Risk Metrics:

Risk distribution by severity
High-priority risks requiring attention
Risk treatment progress
Top risk categories

Audit Metrics:

Active audits
Open audit requests
Pending findings
Upcoming audit activities

Recent Activity:

Control updates
Evidence uploads
Risk assessments
Audit progress
Policy approvals

Architecture

┌───────────────────────────────────────────────────────────────────────┐
│                           Traefik Gateway                              │
│                           (API Routing)                                │
├──────────┬──────────┬──────────┬──────────┬──────────┬──────────┬────┤
│ Controls │Frameworks│ Policies │   TPRM   │  Trust   │  Audit   │ UI │
│  :3001   │  :3002   │  :3004   │  :3005   │  :3006   │  :3007   │:5173
├──────────┴──────────┴──────────┴──────────┴──────────┴──────────┴────┤
│                          Shared Library                                │
│          (Prisma Schema, Types, Auth, Storage, Events)                 │
├──────────┬──────────┬──────────┬──────────────────────────────────────┤
│PostgreSQL│  Redis   │ Keycloak │              RustFS                  │
│  :5433   │  :6380   │  :8080   │         :9000 / :9001                │
│(Database)│ (Cache)  │  (Auth)  │    (S3-Compatible Storage)           │
└──────────┴──────────┴──────────┴──────────────────────────────────────┘

Frontend (React + Vite)
    ↓
Traefik (API Gateway)
    ↓
Microservices Layer:
  - Controls Service (NestJS) → Controls + Evidence + Audit Logging
  - Frameworks Service (NestJS) → Frameworks + Risk Management
  - Policies Service (NestJS) → Policy Lifecycle
  - TPRM Service (NestJS) → Vendors + Assessments + Contracts
  - Trust Service (NestJS) → Questionnaires + Knowledge Base + Trust Center
  - Audit Service (NestJS) → Audit Management + Auditor Portal
    ↓
Infrastructure Layer:
  - PostgreSQL (Single database, multi-tenant schema)
  - Redis (Caching + Session Management)
  - Keycloak (SSO + RBAC)
  - RustFS (S3-compatible object storage - https://github.com/rustfs/rustfs)

Tech Stack

Backend: Node.js + TypeScript with NestJS
Frontend: React + TypeScript with Vite, TailwindCSS
Database: PostgreSQL with Prisma ORM
Authentication: Keycloak (SSO, RBAC)
API Gateway: Traefik
Cache/Events: Redis
Storage: RustFS (S3-compatible, Apache 2.0 - https://github.com/rustfs/rustfs)
Containers: Docker with Docker Compose

Quick Start

Prerequisites

Docker and Docker Compose
Node.js 20+ (for local development)

The Easy Way (Recommended)

git clone https://github.com/grcengineering/gigachad-grc.git
cd gigachad-grc
./init.sh demo

This single command:

Generates secure secrets and creates .env
Starts all infrastructure (PostgreSQL, Redis, Keycloak, RustFS)
Builds and starts all backend services
Starts the frontend and opens your browser

Login: Click "Dev Login" - no password needed!

Using Make

make demo      # One-click demo
make dev       # Development setup  
make up        # Start containers
make down      # Stop containers
make logs      # View logs
make help      # See all commands

Manual Setup

If you prefer manual control:

# 1. Create environment
cp env.example .env

# 2. Start infrastructure
docker compose up -d postgres redis keycloak rustfs

# 3. Start services
docker compose up -d

# 4. Access the app
open http://localhost:3000

Access Points

Frontend: http://localhost:3000 (or :5173 in dev)
Keycloak Admin: http://localhost:8080 (admin/admin)
API Docs: http://localhost:3001/api/docs
RustFS Console: http://localhost:9001 (rustfsadmin/rustfsadmin)

Production Readiness & Resilience

GigaChad GRC includes comprehensive built-in tools for ensuring production readiness:

Production Validation CLI

Before deploying to production, run the validation script to check all configuration:

# Basic validation
npm run validate:production

# Strict mode (exit non-zero on warnings)
npm run validate:production:strict

The script validates:

Security configuration (encryption keys, passwords, auth mode)
Database connections and SSL
Backup configuration
Authentication setup (Keycloak)
Network/CORS settings

System Health Dashboard

Administrators can view real-time system health in Settings > Organization Settings > System Health:

System Health Banner: Displays critical warnings for security issues, backup problems, and misconfigurations
Production Readiness Score: 0-100 score indicating deployment readiness
Setup Wizard: Guided configuration for new installations

Automatic Features

When running with Docker, the entrypoint script provides:

Feature	Environment Variable	Description
Auto-backup scheduling	`AUTO_BACKUP_ENABLED=true`	Schedules daily backups via cron
Database migrations	`AUTO_MIGRATE=true`	Runs migrations on startup
Dependency wait	`WAIT_FOR_DB=true`	Waits for PostgreSQL before starting
Config warnings	Always enabled	Logs warnings for production misconfigurations

Data Persistence

All critical data is stored in Docker named volumes that survive container restarts:

Data Type	Volume	Survives Crash
Database	`postgres_data`	✅ Yes
Evidence Files	`rustfs_data`	✅ Yes
Cache/Sessions	`redis_data`	✅ Yes
Metrics	`prometheus_data`	✅ Yes

Important: Running docker-compose down -v will delete volumes. Always run backups before maintenance.

Backup & Restore

# Create backup (stored in /backups/gigachad-grc/)
npm run backup

# Restore from backup
npm run restore /path/to/backup.tar.gz

For detailed resilience documentation, see System Health Guide.

Project Structure

gigachad-grc/
├── services/
│   ├── shared/               # Shared TypeScript library
│   │   ├── src/
│   │   │   ├── types/        # Type definitions
│   │   │   ├── auth/         # Auth middleware
│   │   │   ├── storage/      # Storage abstraction
│   │   │   ├── events/       # Event bus
│   │   │   ├── utils/        # Utilities
│   │   │   └── logger/       # Logging
│   │   └── prisma/           # Unified database schema (all modules)
│   │       └── schema.prisma # Single source of truth
│   │
│   ├── controls/             # Controls + Evidence + Audit Logging
│   │   ├── src/
│   │   │   ├── controls/     # Control management
│   │   │   ├── evidence/     # Evidence library
│   │   │   ├── audit/        # Activity audit logging
│   │   │   └── testing/      # Control testing
│   │   ├── Dockerfile
│   │   └── package.json
│   │
│   ├── frameworks/           # Frameworks + Risk Management
│   │   ├── src/
│   │   │   ├── frameworks/   # Framework assessments
│   │   │   ├── risks/        # Risk register
│   │   │   ├── scenarios/    # Risk scenarios
│   │   │   └── treatments/   # Risk treatments
│   │   ├── Dockerfile
│   │   └── package.json
│   │
│   ├── policies/             # Policy Lifecycle Management
│   │   ├── src/
│   │   │   ├── policies/     # Policy CRUD
│   │   │   ├── versions/     # Version control
│   │   │   └── approvals/    # Approval workflows
│   │   ├── Dockerfile
│   │   └── package.json
│   │
│   ├── tprm/                 # Third-Party Risk Management
│   │   ├── src/
│   │   │   ├── vendors/      # Vendor management
│   │   │   ├── assessments/  # Security assessments
│   │   │   └── contracts/    # Contract lifecycle
│   │   ├── Dockerfile
│   │   └── package.json
│   │
│   ├── trust/                # Trust & Transparency
│   │   ├── src/
│   │   │   ├── questionnaires/  # Security questionnaires
│   │   │   ├── knowledge-base/  # Q&A repository
│   │   │   └── trust-center/    # Public trust portal
│   │   ├── Dockerfile
│   │   └── package.json
│   │
│   └── audit/                # Audit Management (NEW)
│       ├── src/
│       │   ├── audits/       # Audit orchestration
│       │   ├── requests/     # Evidence requests
│       │   ├── findings/     # Audit findings
│       │   ├── evidence/     # Audit evidence
│       │   ├── portal/       # External auditor portal
│       │   └── fieldguide/   # FieldGuide integration
│       ├── Dockerfile
│       └── package.json
│
├── frontend/                 # React SPA
│   ├── src/
│   │   ├── pages/            # Page components
│   │   │   ├── Controls.tsx
│   │   │   ├── Frameworks.tsx
│   │   │   ├── Risks.tsx
│   │   │   ├── Vendors.tsx
│   │   │   ├── Questionnaires.tsx
│   │   │   ├── Audits.tsx    # NEW
│   │   │   └── ...
│   │   ├── components/       # Reusable components
│   │   ├── contexts/         # React contexts (Auth)
│   │   └── lib/              # Utilities and API clients
│   └── package.json
│
├── auth/                     # Keycloak configuration
│   └── realm-export.json     # Pre-configured realm
│
├── gateway/                  # Traefik configuration
│   └── traefik.yml
│
├── database/
│   ├── init/                 # Database initialization
│   └── seeds/                # Seed data (frameworks, controls)
│
├── docker-compose.yml        # Production compose
├── docker-compose.dev.yml    # Development overrides
├── .env.example              # Environment template
└── README.md                 # This file

Service Ports & Documentation

Each microservice runs on its own port with Swagger API documentation:

Service	Port	Swagger Docs	Description
Frontend	5173	N/A	React SPA (Vite dev server)
Controls	3001	http://localhost:3001/api/docs	Controls, Evidence, Testing
Frameworks	3002	http://localhost:3002/api/docs	Frameworks, Risk Management
Policies	3004	http://localhost:3004/api/docs	Policy Lifecycle Management
TPRM	3005	http://localhost:3005/api/docs	Vendor Risk Management
Trust	3006	http://localhost:3006/api/docs	Questionnaires, KB, Trust Center
Audit	3007	http://localhost:3007/api/docs	Audit Management
PostgreSQL	5433	N/A	Primary database
Redis	6380	N/A	Cache & sessions
Keycloak	8080	http://localhost:8080	Auth & SSO (admin/admin)
Traefik	80/443	http://localhost:8090	API Gateway dashboard
RustFS API	9000	N/A	S3-compatible object storage API
RustFS Console	9001	http://localhost:9001	Storage admin UI (rustfsadmin/rustfsadmin)

Configuration

Environment Variables

Variable	Description	Default
`POSTGRES_USER`	Database user	grc
`POSTGRES_PASSWORD`	Database password	grc_secret
`POSTGRES_DB`	Database name	gigachad_grc
`REDIS_PASSWORD`	Redis password	redis_secret
`KEYCLOAK_ADMIN`	Keycloak admin user	admin
`KEYCLOAK_ADMIN_PASSWORD`	Keycloak admin password	admin
`MINIO_ROOT_USER`	RustFS/S3 root user	rustfsadmin
`MINIO_ROOT_PASSWORD`	RustFS/S3 root password	(secure password)
`STORAGE_TYPE`	Storage backend (local/s3/minio)	s3

Storage Configuration

The platform supports multiple storage backends:

Local Storage:

STORAGE_TYPE=local
LOCAL_STORAGE_PATH=./storage

RustFS/S3 (Recommended):

# RustFS is a high-performance, Apache 2.0 licensed S3-compatible storage
# https://github.com/rustfs/rustfs
STORAGE_TYPE=s3
S3_ENDPOINT=rustfs
S3_PORT=9000
S3_ACCESS_KEY=rustfsadmin
S3_SECRET_KEY=your_secure_password
S3_BUCKET=grc-evidence

Module Extraction

Each service is designed to run independently. To extract a module:

Copy the service directory
Update the DATABASE_URL in the service's environment
Run migrations: npm run prisma:migrate
Build and run: docker build -t my-service . && docker run my-service

Security Considerations

All passwords should be changed in production
Enable TLS/SSL for all services
Configure Keycloak for production use
Use proper secrets management
Review and harden Docker images
Images should be pulled from Docker Hub's Hardened Images

License

This project is licensed under the Elastic License 2.0 (ELv2).

What You CAN Do:

Use internally at your company for commercial purposes
Modify the software for your own use
Self-host on your own infrastructure
Contribute improvements back to the project

What You CANNOT Do:

Offer this software as a hosted/managed service to third parties
Sell the software or derivatives to others
Create a competing commercial GRC product based on this code
Remove or obscure license/copyright notices

See the LICENSE file for the complete license terms.

For commercial licensing inquiries (e.g., to offer as a managed service), please contact the project maintainers.

Contributing

We welcome contributions! Please read our Contributing Guide to get started.

By contributing, you agree that your contributions will be licensed under the same Elastic License 2.0. Please also review our Code of Conduct.

Quick Start:

Fork the repository
Create a feature branch (git checkout -b feature/amazing-feature)
Make your changes following our coding standards
Run tests (npm test)
Submit a pull request

Support

Documentation: Check the docs folder for guides and references
Issues: Use the GitHub issue tracker for bugs and feature requests
Security: Report vulnerabilities privately via GitHub Security Advisories
Discussions: Use GitHub Discussions for questions and ideas

For Tasks:

Click tags to check more tools for each tasks

manage compliance controls assess risk scenarios conduct security audits train on security awareness integrate ai for risk scoring

For Jobs:

security analyst compliance manager risk manager auditor security awareness trainer

Alternative AI tools for gigachad-grc

Similar Open Source Tools

gigachad-grc

github

: 75

hia

HIA (Health Insights Agent) is an AI agent designed to analyze blood reports and provide personalized health insights. It features an intelligent agent-based architecture with multi-model cascade system, in-context learning, PDF upload and text extraction, secure user authentication, session history tracking, and a modern UI. The tech stack includes Streamlit for frontend, Groq for AI integration, Supabase for database, PDFPlumber for PDF processing, and Supabase Auth for authentication. The project structure includes components for authentication, UI, configuration, services, agents, and utilities. Contributions are welcome, and the project is licensed under MIT.

github

: 54

template-repo

The template-repo is a comprehensive development ecosystem with 6 AI agents, 14 MCP servers, and complete CI/CD automation running on self-hosted, zero-cost infrastructure. It follows a container-first approach, with all tools and operations running in Docker containers, zero external dependencies, self-hosted infrastructure, single maintainer design, and modular MCP architecture. The repo provides AI agents for development and automation, features 14 MCP servers for various tasks, and includes security measures, safety training, and sleeper detection system. It offers features like video editing, terrain generation, 3D content creation, AI consultation, image generation, and more, with a focus on maximum portability and consistency.

github

: 74

Archon

Archon is an AI meta-agent designed to autonomously build, refine, and optimize other AI agents. It serves as a practical tool for developers and an educational framework showcasing the evolution of agentic systems. Through iterative development, Archon demonstrates the power of planning, feedback loops, and domain-specific knowledge in creating robust AI agents.

github

: 12.2k

VT.ai

VT.ai is a multimodal AI platform that offers dynamic conversation routing with SemanticRouter, multi-modal interactions (text/image/audio), an assistant framework with code interpretation, real-time response streaming, cross-provider model switching, and local model support with Ollama integration. It supports various AI providers such as OpenAI, Anthropic, Google Gemini, Groq, Cohere, and OpenRouter, providing a wide range of core capabilities for AI orchestration.

github

: 66

DeepTutor

DeepTutor is an AI-powered personalized learning assistant that offers a suite of modules for massive document knowledge Q&A, interactive learning visualization, knowledge reinforcement with practice exercise generation, deep research, and idea generation. The tool supports multi-agent collaboration, dynamic topic queues, and structured outputs for various tasks. It provides a unified system entry for activity tracking, knowledge base management, and system status monitoring. DeepTutor is designed to streamline learning and research processes by leveraging AI technologies and interactive features.

github

: 10.2k

multi-agent-shogun

multi-agent-shogun is a system that runs multiple AI coding CLI instances simultaneously, orchestrating them like a feudal Japanese army. It supports Claude Code, OpenAI Codex, GitHub Copilot, and Kimi Code. The system allows you to command your AI army with zero coordination cost, enabling parallel execution, non-blocking workflow, cross-session memory, event-driven communication, and full transparency. It also features skills discovery, phone notifications, pane border task display, shout mode, and multi-CLI support.

github

: 806

bifrost

Bifrost is a high-performance AI gateway that unifies access to multiple providers through a single OpenAI-compatible API. It offers features like automatic failover, load balancing, semantic caching, and enterprise-grade functionalities. Users can deploy Bifrost in seconds with zero configuration, benefiting from its core infrastructure, advanced features, enterprise and security capabilities, and developer experience. The repository structure is modular, allowing for maximum flexibility. Bifrost is designed for quick setup, easy configuration, and seamless integration with various AI models and tools.

github

: 2.2k

gemini-flow

github

: 104

aiconfigurator

The `aiconfigurator` tool assists in finding a strong starting configuration for disaggregated serving in AI deployments. It helps optimize throughput at a given latency by evaluating thousands of configurations based on model, GPU count, and GPU type. The tool models LLM inference using collected data for a target machine and framework, running via CLI and web app. It generates configuration files for deployment with Dynamo, offering features like customized configuration, all-in-one automation, and tuning with advanced features. The tool estimates performance by breaking down LLM inference into operations, collecting operation execution times, and searching for strong configurations. Supported features include models like GPT and operations like attention, KV cache, GEMM, AllReduce, embedding, P2P, element-wise, MoE, MLA BMM, TRTLLM versions, and parallel modes like tensor-parallel and pipeline-parallel.

github

: 188

claude-code-settings

A repository collecting best practices for Claude Code settings and customization. It provides configuration files for customizing Claude Code's behavior and building an efficient development environment. The repository includes custom agents and skills for specific domains, interactive development workflow features, efficient development rules, and team workflow with Codex MCP. Users can leverage the provided configuration files and tools to enhance their development process and improve code quality.

github

: 84

astrsk

astrsk is a tool that pushes the boundaries of AI storytelling by offering advanced AI agents, customizable response formatting, and flexible prompt editing for immersive roleplaying experiences. It provides complete AI agent control, a visual flow editor for conversation flows, and ensures 100% local-first data storage. The tool is true cross-platform with support for various AI providers and modern technologies like React, TypeScript, and Tailwind CSS. Coming soon features include cross-device sync, enhanced session customization, and community features.

github

: 106

nono

nono is a secure, kernel-enforced capability shell for running AI agents and any POSIX style process. It leverages OS security primitives to create an environment where unauthorized operations are structurally impossible. It provides protections against destructive commands and securely stores API keys, tokens, and secrets. The tool is agent-agnostic, works with any AI agent or process, and blocks dangerous commands by default. It follows a capability-based security model with defense-in-depth, ensuring secure execution of commands and protecting sensitive data.

github

: 312

vibe-remote

Vibe Remote is a tool that allows developers to code using AI agents through Slack or Discord, eliminating the need for a laptop or IDE. It provides a seamless experience for coding tasks, enabling users to interact with AI agents in real-time, delegate tasks, and monitor progress. The tool supports multiple coding agents, offers a setup wizard for easy installation, and ensures security by running locally on the user's machine. Vibe Remote enhances productivity by reducing context-switching and enabling parallel task execution within isolated workspaces.

github

: 164

aegra

Aegra is a self-hosted AI agent backend platform that provides LangGraph power without vendor lock-in. Built with FastAPI + PostgreSQL, it offers complete control over agent orchestration for teams looking to escape vendor lock-in, meet data sovereignty requirements, enable custom deployments, and optimize costs. Aegra is Agent Protocol compliant and perfect for teams seeking a free, self-hosted alternative to LangGraph Platform with zero lock-in, full control, and compatibility with existing LangGraph Client SDK.

github

: 137

pluely

Pluely is a versatile and user-friendly tool for managing tasks and projects. It provides a simple interface for creating, organizing, and tracking tasks, making it easy to stay on top of your work. With features like task prioritization, due date reminders, and collaboration options, Pluely helps individuals and teams streamline their workflow and boost productivity. Whether you're a student juggling assignments, a professional managing multiple projects, or a team coordinating tasks, Pluely is the perfect solution to keep you organized and efficient.

github

: 687

For similar tasks

gigachad-grc

github

: 75

AutoAudit

AutoAudit is an open-source large language model specifically designed for the field of network security. It aims to provide powerful natural language processing capabilities for security auditing and network defense, including analyzing malicious code, detecting network attacks, and predicting security vulnerabilities. By coupling AutoAudit with ClamAV, a security scanning platform has been created for practical security audit applications. The tool is intended to assist security professionals with accurate and fast analysis and predictions to combat evolving network threats.

github

: 201

hound

Hound is a security audit automation pipeline for AI-assisted code review that mirrors how expert auditors think, learn, and collaborate. It features graph-driven analysis, sessionized audits, provider-agnostic models, belief system and hypotheses, precise code grounding, and adaptive planning. The system employs a senior/junior auditor pattern where the Scout actively navigates the codebase and annotates knowledge graphs while the Strategist handles high-level planning and vulnerability analysis. Hound is optimized for small-to-medium sized projects like smart contract applications and is language-agnostic.

github

: 325

explain-openclaw

Explain OpenClaw is a comprehensive documentation repository for the OpenClaw framework, a self-hosted AI assistant platform. It covers various aspects such as plain English explanations, technical architecture, deployment scenarios, privacy and safety measures, security audits, worst-case security scenarios, optimizations, and AI model comparisons. The repository serves as a living knowledge base with beginner-friendly explanations and detailed technical insights for contributors.

github

: 69

For similar jobs

ciso-assistant-community

CISO Assistant is a tool that helps organizations manage their cybersecurity posture and compliance. It provides a centralized platform for managing security controls, threats, and risks. CISO Assistant also includes a library of pre-built frameworks and tools to help organizations quickly and easily implement best practices.

github

: 3.2k

gigachad-grc

github

: 75

PyRIT

PyRIT is an open access automation framework designed to empower security professionals and ML engineers to red team foundation models and their applications. It automates AI Red Teaming tasks to allow operators to focus on more complicated and time-consuming tasks and can also identify security harms such as misuse (e.g., malware generation, jailbreaking), and privacy harms (e.g., identity theft). The goal is to allow researchers to have a baseline of how well their model and entire inference pipeline is doing against different harm categories and to be able to compare that baseline to future iterations of their model. This allows them to have empirical data on how well their model is doing today, and detect any degradation of performance based on future improvements.

github

: 2.9k

zillionare

This repository contains a collection of articles and tutorials on quantitative finance, including topics such as machine learning, statistical arbitrage, and risk management. The articles are written in a clear and concise style, and they are suitable for both beginners and experienced practitioners. The repository also includes a number of Jupyter notebooks that demonstrate how to use Python for quantitative finance.

github

: 223

emerging-trajectories

Emerging Trajectories is an open source library for tracking and saving forecasts of political, economic, and social events. It provides a way to organize and store forecasts, as well as track their accuracy over time. This can be useful for researchers, analysts, and anyone else who wants to keep track of their predictions.

github

: 70

www-project-ai-security-and-privacy-guide

The OWASP AI Exchange and OWASP AI security and privacy guide are initiatives to collect and present the state of the art on AI threats, controls, security, and privacy through community collaboration. The AI Exchange is a living set of documents that collect AI threats and controls from collaboration between experts worldwide. The AI Security and Privacy Guide project has a security part that links directly to the AI Exchange, and a privacy part.

github

: 350

finagg

finagg is a Python package that provides implementations of popular and free financial APIs, tools for aggregating historical data from those APIs into SQL databases, and tools for transforming aggregated data into features useful for analysis and AI/ML. It offers documentation, installation instructions, and basic usage examples for exploring various financial APIs and features. Users can install recommended datasets from 3rd party APIs into a local SQL database, access Bureau of Economic Analysis (BEA) data, Federal Reserve Economic Data (FRED), Securities and Exchange Commission (SEC) filings, and more. The package also allows users to explore raw data features, install refined data features, and perform refined aggregations of raw data. Configuration options for API keys, user agents, and data locations are provided, along with information on dependencies and related projects.

github

: 410

jupyter-quant

Jupyter Quant is a dockerized environment tailored for quantitative research, equipped with essential tools like statsmodels, pymc, arch, py_vollib, zipline-reloaded, PyPortfolioOpt, numpy, pandas, sci-py, scikit-learn, yellowbricks, shap, optuna, ib_insync, Cython, Numba, bottleneck, numexpr, jedi language server, jupyterlab-lsp, black, isort, and more. It does not include conda/mamba and relies on pip for package installation. The image is optimized for size, includes common command line utilities, supports apt cache, and allows for the installation of additional packages. It is designed for ephemeral containers, ensuring data persistence, and offers volumes for data, configuration, and notebooks. Common tasks include setting up the server, managing configurations, setting passwords, listing installed packages, passing parameters to jupyter-lab, running commands in the container, building wheels outside the container, installing dotfiles and SSH keys, and creating SSH tunnels.

github

: 58