OpenRisk is a modern, enterprise-grade Risk Management Platform that transforms how organizations identify, assess, mitigate, and monitor risks. Built with a scalable microservices architecture, OpenRisk enables teams to move beyond spreadsheets and legacy systems into a seamless, automated risk management experience.
OpenRisk allows every organization to:
- Identify IT & security risks
- Score & prioritize risks based on impact and probability
- Track mitigation plans and action items
- Monitor trends in real time with interactive dashboards
- CTO & CISO - Strategic risk oversight and compliance
- DevSecOps - Integrated security in CI/CD pipelines
- Security Analysts - Risk assessment and investigation
- Compliance Teams - Audit trails and governance
- Automated Risk Assessment - Reduce manual evaluation time
- Interactive Dashboards - Real-time risk visualization
- Native Integrations - Elastic, Splunk, TheHive, OpenCTI, AWS
- Easy Deployment - Docker & Kubernetes ready
- Enterprise Security - RBAC, SSO, audit logging
- Scalable Architecture - Microservices-ready
- Risk Assessment - Comprehensive risk identification and scoring
- Mitigation Tracking - Monitor and track risk mitigations in real time
- Advanced Analytics - Real-time dashboards and trend analysis
- Enterprise Security - RBAC, audit logging, OAuth2/SAML2 SSO
- Integration Ready - TheHive, OpenCTI, Splunk, Elastic connectors
- Custom Fields - Flexible schema for organizational needs
- Gamification - Engagement and incentive system
- Docker & Docker Compose
- Git
- 4GB RAM, 2GB disk space
```bash
# Clone the repository
git clone https://github.com/opendefender/OpenRisk.git
cd OpenRisk

# Start all services (PostgreSQL, Redis, Backend, Frontend)
docker compose up -d

# Access the application
# Frontend: http://localhost:5173
# Backend API: http://localhost:8080
# API Docs: http://localhost:8080/swagger
```

Default credentials (change them before the instance is reachable by anyone other than you):

Email: admin@openrisk.local
Password: admin123
| Component | Technology | Version |
|---|---|---|
| Language | Go | 1.25.4 |
| Framework | Fiber | v2.52 |
| Database | PostgreSQL | 16 |
| ORM | GORM | v1.31 |
| Testing | Testify | v1.11 |
| Architecture | CLEAN | Domain-Driven |
| Component | Technology | Version |
|---|---|---|
| Framework | React | 19.2.0 |
| State | Zustand | 5.0.8 |
| Styling | Tailwind CSS | 3.4.0 |
| Forms | React Hook Form | 7.66 |
| Routing | React Router | 7.9.6 |
| Charts | Recharts | 3.5.0 |
| Component | Technology | Purpose |
|---|---|---|
| Containerization | Docker | Application packaging |
| Orchestration | Kubernetes | Production deployment |
| Charts | Helm | K8s configuration |
| CI/CD | GitHub Actions | Automated testing & deployment |
| Caching | Redis | Session & cache layer |
- Risk CRUD operations (Create, Read, Update, Delete, List)
- Risk scoring engine with weighted calculations
- Mitigation tracking with checklist sub-actions
- Asset management and relationships
- Soft-delete support with audit trails
- JWT-based authentication
- API token management (create, revoke, rotate)
- Role-Based Access Control (RBAC) - Backend (37+ endpoints, 11 domain models)
- Permission matrices (resource-level granularity)
- Comprehensive audit logging
- OAuth2/SAML2 SSO (Google, GitHub, Azure AD)
- Docker Compose local development
- GitHub Actions CI/CD pipeline
- Integration test suite
- Kubernetes Helm charts
- Staging & production runbooks
- Permission gate components (7 reusable wrappers)
- Route-level permission guards (4 types)
- Role & tenant management pages (admin interfaces)
- Advanced RBAC utilities (35+ functions)
- Audit logging system (compliance tracking)
- Permission caching (performance optimization)
- Custom React hooks (usePermissions, useAuditLog)
- Comprehensive documentation (2,000+ lines)
- Custom fields framework (5 types)
- Bulk operations with validation
- Risk timeline (audit trail)
- Advanced reporting & export
- Analytics dashboard with real-time data
- Risk heatmaps and trend analysis
- Incident management system
- Threat tracking and mapping
- Gamification & engagement system
- Permission checking utilities (wildcard support, pattern matching)
- Audit trail for compliance (event logging, filtering, export)
- Performance optimization (permission caching with TTL)
- Feature flag system (role-based feature enablement)
- Comprehensive component library (10+ components)
| Document | Purpose |
|---|---|
| LOCAL_DEVELOPMENT.md | Setup guide for development environment |
| API_REFERENCE.md | Complete API endpoint documentation |
| KUBERNETES_DEPLOYMENT.md | K8s deployment instructions |
| PRODUCTION_RUNBOOK.md | Production operations guide |
| INTEGRATION_TESTS.md | Testing procedures |
| SAML_OAUTH2_INTEGRATION.md | SSO integration guide |
| SYNC_ENGINE.md | Integration sync documentation |
| RBAC_FRONTEND_COMPONENTS_GUIDE.md | Frontend RBAC components & hooks |
| RBAC_PHASE3_COMPREHENSIVE_SUMMARY.md | Phase 3 implementation details |
| ADVANCED_PERMISSIONS.md | RBAC & permissions documentation |
For more documentation, see the docs directory.
```bash
docker compose up -d
```

See docs/STAGING_DEPLOYMENT.md:

```bash
./scripts/deploy-kubernetes.sh --environment staging
```

See docs/PRODUCTION_RUNBOOK.md:

```bash
helm install openrisk ./helm/openrisk \
  -f helm/values-prod.yaml \
  --namespace openrisk
```

```bash
# Run all tests
make test-all

# Backend unit tests (subshell, so the working directory stays at the repo root)
(cd backend && go test ./...)

# Frontend tests
(cd frontend && npm test)

# Integration tests
./scripts/run-integration-tests.sh
```

Test statistics: 142+ tests passing
OpenRisk provides a comprehensive REST API with 37+ endpoints:
POST /api/risks - Create risk
GET /api/risks - List risks
GET /api/risks/:id - Get risk details
PATCH /api/risks/:id - Update risk
DELETE /api/risks/:id - Delete risk
POST /api/mitigations - Create mitigation
GET /api/mitigations - List mitigations
PATCH /api/mitigations/:id - Update mitigation
POST /api/mitigations/:id/sub-actions - Add checklist item
PATCH /api/mitigations/:id/sub-actions/:aid - Toggle completion
POST /auth/login - JWT authentication
POST /auth/register - User registration
POST /auth/oauth2/:provider - OAuth2 login
POST /auth/saml/acs - SAML assertion endpoint
GET /api/tokens - List API tokens
POST /api/tokens - Create new token
DELETE /api/tokens/:id - Revoke token
GET /rbac/roles - List roles
POST /rbac/roles - Create role
PUT /rbac/roles/:id - Update role
DELETE /rbac/roles/:id - Delete role
GET /rbac/permissions - List permissions
GET /rbac/tenants - List tenants
POST /rbac/tenants - Create tenant
GET /rbac/tenants/:id/stats - Tenant statistics
DELETE /rbac/tenants/:id - Delete tenant
GET /api/analytics/dashboard - Dashboard metrics
GET /api/analytics/trends - Risk trends
GET /api/reports - List reports
POST /api/reports/export - Export risks/mitigations
See API_REFERENCE.md for complete endpoint documentation with examples.
OpenRisk implements enterprise-grade security:
- Authentication: JWT tokens with expiration
- Authorization: RBAC with permission matrices
- Encryption: SHA256 hashing for sensitive data
- Audit: Complete audit trail for all operations
- SSO: OAuth2 and SAML2 support
- Rate Limiting: API rate limiting middleware
- Input Validation: Request validation with Zod/validator
See ADVANCED_PERMISSIONS.md for detailed security documentation.
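The RBAC utilities above mention permission checks with wildcard support and a deny-by-default permission matrix. The following is an added illustration of that kind of check, not OpenRisk's own implementation: it assumes permissions are `resource:action` strings such as `risks:read`, that `*` in a grant matches exactly one segment, and the function names and sample grants are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Grants are permission patterns of the assumed form "resource:action"
// (e.g. "risks:read"); "*" in a grant matches any single segment.
// Matches reports whether one granted pattern covers one requested permission.
// Segment counts must agree, so "risks:*" never covers "risks:sub:read".
func Matches(pattern, requested string) bool {
	p, r := strings.Split(pattern, ":"), strings.Split(requested, ":")
	if len(p) != len(r) {
		return false
	}
	for i := range p {
		if p[i] != "*" && !strings.EqualFold(p[i], r[i]) {
			return false
		}
	}
	return true
}

// Allowed is deny-by-default: an empty grant list or no matching grant yields false.
// Wildcards belong in grants only, so a request containing "*" is refused.
func Allowed(grants []string, requested string) bool {
	if requested == "" || strings.Contains(requested, "*") {
		return false
	}
	for _, grant := range grants {
		if Matches(grant, requested) {
			return true
		}
	}
	return false
}

// AnalystGrants is constructed sample data, not a role shipped with OpenRisk.
func AnalystGrants() []string {
	return []string{"risks:read", "risks:create", "mitigations:*"}
}

func main() {
	for _, req := range []string{"risks:read", "risks:delete", "mitigations:update", "risks:*"} {
		fmt.Printf("analyst %-18s -> %v\n", req, Allowed(AnalystGrants(), req))
	}
}
```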
OpenRisk includes keyboard shortcuts to help you work faster. Below is a complete list of available shortcuts:
| Shortcut | Action | Context |
|---|---|---|
| ⌘K or Ctrl+K | Open global search | Anywhere in the app |
| ⌘N or Ctrl+N | Create new risk | Dashboard and Risks page |
| Esc | Close modal/dialog | Any open modal or dialog |
| Shortcut | Action | Context |
|---|---|---|
| ↑ | Previous search result | In search suggestions |
| ↓ | Next search result | In search suggestions |
| Enter | Select search result | Search suggestions open |
| Esc | Close search dropdown | Search suggestions open |
| Shortcut | Action | Context |
|---|---|---|
| Esc | Close risk details | Risk details panel open |
| Esc | Close edit modal | Risk editing modal open |
- Search Tip: Use ⌘K / Ctrl+K from anywhere to quickly search for risks, assets, or mitigations
- Quick Create: Press ⌘N / Ctrl+N on the dashboard to rapidly create new risks
- Navigation: Use arrow keys in search results to navigate without your mouse
- Mobile: These shortcuts work best on desktop/laptop keyboards
- Edit Last Risk - ⌘E / Ctrl+E
- Filter Results - ⌘F / Ctrl+F
- Delete Selected - ⌘D / Ctrl+D
- Focus Search - / key
- Settings - ⌘, / Ctrl+,
We welcome contributions from the community! Please see CONTRIBUTING.md for guidelines.
- Fork the repository
- Create a feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
OpenRisk is licensed under the MIT License - see the LICENSE file for details.
- GitHub Issues: Report bugs or request features
- Discussions: Join community discussions
- Security: See SECURITY.md for security vulnerability reporting
- Permission gate components & hooks
- Route-level permission guards
- Role & tenant management pages
- Audit logging system
- Permission caching optimization
- Code review & testing phase
- Multi-tenant advanced features
- Permission analytics dashboard
- Role templates & bulk operations
- Mobile application (React Native)
- Advanced RBAC enhancements
- Additional connector integrations
- Machine learning risk predictions
- API webhook support
- Enterprise audit compliance
- Advanced analytics engine
- Custom dashboard builder
- Workflow automation
OpenRisk is developed and maintained by the OpenDefender community.
- Check the documentation
- Search existing issues
- Ask in discussions
