OpenRisk is a modern, enterprise-grade Risk Management Platform that transforms how organizations identify, assess, mitigate, and monitor risks. Built with a scalable microservices architecture, OpenRisk enables teams to move beyond spreadsheets and legacy systems into a seamless, automated risk management experience.
OpenRisk allows every organization to:
- ✅ Identify IT & security risks
- ✅ Score & Prioritize risks based on impact and probability
- ✅ Track mitigation plans and action items
- ✅ Monitor trends in real-time with interactive dashboards
Built for:
- CTO & CISO - Strategic risk oversight and compliance
- DevSecOps - Integrated security in CI/CD pipelines
- Security Analysts - Risk assessment and investigation
- Compliance Teams - Audit trails and governance
- ⚡ Automated Risk Assessment - Reduce manual evaluation time
- 📊 Interactive Dashboards - Real-time risk visualization
- 🔌 Native Integrations - Elastic, Splunk, TheHive, OpenCTI, AWS
- 🐳 Easy Deployment - Docker & Kubernetes ready
- 🔐 Enterprise Security - RBAC, SSO, audit logging
- 📈 Scalable Architecture - Microservices-ready
- 🎲 Risk Assessment - Comprehensive risk identification and scoring
- 🛡️ Mitigation Tracking - Monitor and track risk mitigations in real-time
- 📊 Advanced Analytics - Real-time dashboards and trend analysis
- 🔐 Enterprise Security - RBAC, audit logging, OAuth2/SAML2 SSO
- 🔌 Integration Ready - TheHive, OpenCTI, Splunk, Elastic connectors
- ⚙️ Custom Fields - Flexible schema for organizational needs
- 📈 Gamification - Engagement and incentive system
- Docker & Docker Compose
- Git
- 4GB RAM, 2GB disk space
```bash
# Clone the repository
git clone https://github.com/alex-dembele/OpenRisk.git
cd OpenRisk

# Start all services (PostgreSQL, Redis, Backend, Frontend)
docker compose up -d

# Access the application
# Frontend: http://localhost:5173
# Backend API: http://localhost:8080
# API Docs: http://localhost:8080/swagger
```

Default credentials:

- Email: admin@openrisk.local
- Password: admin123

These seeded credentials are for local evaluation only. Change the admin password (or remove the seeded account) before the instance is reachable from anything other than localhost; a default admin login on an exposed risk register is itself a finding.
| Component | Technology | Version |
|---|---|---|
| Language | Go | 1.25.4 |
| Framework | Fiber | v2.52 |
| Database | PostgreSQL | 16 |
| ORM | GORM | v1.31 |
| Testing | Testify | v1.11 |
| Architecture | CLEAN | Domain-Driven |
| Component | Technology | Version |
|---|---|---|
| Framework | React | 19.2.0 |
| State | Zustand | 5.0.8 |
| Styling | Tailwind CSS | 3.4.0 |
| Forms | React Hook Form | 7.66 |
| Routing | React Router | 7.9.6 |
| Charts | Recharts | 3.5.0 |
| Component | Technology | Purpose |
|---|---|---|
| Containerization | Docker | Application packaging |
| Orchestration | Kubernetes | Production deployment |
| Charts | Helm | K8s configuration |
| CI/CD | GitHub Actions | Automated testing & deployment |
| Caching | Redis | Session & cache layer |
- ✅ Risk CRUD operations (Create, Read, Update, Delete, List)
- ✅ Risk scoring engine with weighted calculations
- ✅ Mitigation tracking with checklist sub-actions
- ✅ Asset management and relationships
- ✅ Soft-delete support with audit trails
- ✅ JWT-based authentication
- ✅ API Token management (create, revoke, rotate)
- ✅ Role-Based Access Control (RBAC)
- ✅ Permission matrices (resource-level granularity)
- ✅ Comprehensive audit logging
- ✅ OAuth2/SAML2 SSO (Google, GitHub, Azure AD)
- ✅ Docker Compose local development
- ✅ GitHub Actions CI/CD pipeline
- ✅ Integration test suite
- ✅ Kubernetes Helm charts
- ✅ Staging & production runbooks
- ✅ Custom fields framework (5 types)
- ✅ Bulk operations with validation
- ✅ Risk timeline (audit trail)
- ✅ Advanced reporting & export
- ✅ Analytics dashboard with real-time data
- ✅ Risk heatmaps and trend analysis
- ✅ Incident management system
- ✅ Threat tracking and mapping
- ✅ Gamification & engagement system
| Document | Purpose |
|---|---|
| LOCAL_DEVELOPMENT.md | Setup guide for development environment |
| API_REFERENCE.md | Complete API endpoint documentation |
| KUBERNETES_DEPLOYMENT.md | K8s deployment instructions |
| PRODUCTION_RUNBOOK.md | Production operations guide |
| INTEGRATION_TESTS.md | Testing procedures |
| SAML_OAUTH2_INTEGRATION.md | SSO integration guide |
| SYNC_ENGINE.md | Integration sync documentation |
For more documentation, see the docs directory.
```bash
# Local development
docker compose up -d
```

```bash
# Staging (see docs/STAGING_DEPLOYMENT.md)
./scripts/deploy-kubernetes.sh --environment staging
```

```bash
# Production (see docs/PRODUCTION_RUNBOOK.md)
helm install openrisk ./helm/openrisk \
  -f helm/values-prod.yaml \
  --namespace openrisk
```

```bash
# Run all tests
make test-all

# Backend unit tests
cd backend && go test ./...

# Frontend tests
cd frontend && npm test

# Integration tests
./scripts/run-integration-tests.sh
```

Test Statistics: 142+ tests passing ✅
OpenRisk provides a comprehensive REST API with 29+ endpoints:
```text
# Risks
POST   /api/risks                            - Create risk
GET    /api/risks                            - List risks
GET    /api/risks/:id                        - Get risk details
PATCH  /api/risks/:id                        - Update risk
DELETE /api/risks/:id                        - Delete risk

# Mitigations
POST   /api/mitigations                      - Create mitigation
GET    /api/mitigations                      - List mitigations
PATCH  /api/mitigations/:id                  - Update mitigation
POST   /api/mitigations/:id/sub-actions      - Add checklist item
PATCH  /api/mitigations/:id/sub-actions/:aid - Toggle completion

# Authentication
POST   /auth/login                           - JWT authentication
POST   /auth/register                        - User registration
POST   /auth/oauth2/:provider                - OAuth2 login
POST   /auth/saml/acs                        - SAML assertion endpoint

# API tokens
GET    /api/tokens                           - List API tokens
POST   /api/tokens                           - Create new token
DELETE /api/tokens/:id                       - Revoke token

# Analytics and reports
GET    /api/analytics/dashboard              - Dashboard metrics
GET    /api/analytics/trends                 - Risk trends
GET    /api/reports                          - List reports
POST   /api/reports/export                   - Export risks/mitigations
```
See API_REFERENCE.md for complete endpoint documentation with examples.
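As an added example (not OpenRisk's own SDK or code), the Go client below shows the authentication flow the listing implies: obtain a JWT from `POST /auth/login`, then send it as a bearer token on `GET /api/risks` and `POST /api/risks`. Only the paths come from the listing; the JSON field names `email`, `password` and `token`, and the shape of the risk payloads, are assumptions to be checked against API_REFERENCE.md.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"time"
)

// Example client written for this README, not OpenRisk's own SDK. Only the paths
// come from the API listing; the JSON field names email/password/token and the
// shape of the risk payloads are assumptions.

// Client calls the REST API with the JWT obtained from POST /auth/login.
type Client struct {
	BaseURL string
	HTTP    *http.Client
	token   string
}

func NewClient(baseURL string) *Client {
	return &Client{BaseURL: baseURL, HTTP: &http.Client{Timeout: 10 * time.Second}}
}

// do sends one JSON request with the bearer token attached when present and
// decodes the JSON response into out. Non-2xx responses become errors that
// carry the status and a truncated body, which is what belongs in a log line.
func (c *Client) do(method, path string, in, out any) error {
	var body io.Reader
	if in != nil {
		b, err := json.Marshal(in)
		if err != nil {
			return err
		}
		body = bytes.NewReader(b)
	}
	req, err := http.NewRequest(method, c.BaseURL+path, body)
	if err != nil {
		return err
	}
	req.Header.Set("Accept", "application/json")
	if in != nil {
		req.Header.Set("Content-Type", "application/json")
	}
	if c.token != "" {
		req.Header.Set("Authorization", "Bearer "+c.token)
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		snippet, _ := io.ReadAll(io.LimitReader(resp.Body, 512))
		return fmt.Errorf("%s %s: HTTP %d: %s", method, path, resp.StatusCode, snippet)
	}
	if out == nil {
		return nil
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Login exchanges credentials for a JWT and keeps it for later calls.
func (c *Client) Login(email, password string) error {
	var res struct {
		Token string `json:"token"`
	}
	creds := map[string]string{"email": email, "password": password}
	if err := c.do(http.MethodPost, "/auth/login", creds, &res); err != nil {
		return err
	}
	if res.Token == "" {
		return fmt.Errorf("login response carried no token")
	}
	c.token = res.Token
	return nil
}

// ListRisks calls GET /api/risks; records are generic maps because the risk
// schema is not shown on this page.
func (c *Client) ListRisks() ([]map[string]any, error) {
	var risks []map[string]any
	err := c.do(http.MethodGet, "/api/risks", nil, &risks)
	return risks, err
}

// CreateRisk calls POST /api/risks with whatever fields the server's schema expects.
func (c *Client) CreateRisk(fields map[string]any) (map[string]any, error) {
	var created map[string]any
	err := c.do(http.MethodPost, "/api/risks", fields, &created)
	return created, err
}

func main() {
	c := NewClient("http://localhost:8080") // the Quick Start backend address
	err := c.Login("admin@openrisk.local", "admin123")
	fmt.Println("login:", err)
}
```

Unauthenticated calls simply omit the `Authorization` header, so a `401` from the server on `ListRisks` before `Login` is the expected behaviour and a cheap check that the backend's JWT middleware is actually in front of the route.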
OpenRisk implements enterprise-grade security:
- Authentication: JWT tokens with expiration
- Authorization: RBAC with permission matrices
- Hashing: SHA256 hashing for sensitive data (a one-way digest, not encryption: appropriate for storing high-entropy secrets such as API tokens, whereas user passwords need a deliberately slow, salted password hash such as bcrypt or Argon2)
- Audit: Complete audit trail for all operations
- SSO: OAuth2 and SAML2 support
- Rate Limiting: API rate limiting middleware
- Input Validation: Request validation with Zod (frontend) and validator (backend)
See ADVANCED_PERMISSIONS.md for detailed security documentation.
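The API token lifecycle listed above (create, revoke, rotate) is the place where "SHA256 hashing for sensitive data" is the right tool, and the example below, written for this README rather than taken from OpenRisk's code, shows why: the token secret is 32 random bytes, so an unsalted SHA-256 digest can be stored and compared in constant time without giving an attacker who reads the table anything to brute-force. The `<id>.<secret>` format, the `TokenStore` type and the in-memory map are assumptions; OpenRisk's real schema is documented in API_REFERENCE.md.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Illustrative code for this README, not OpenRisk's own; the token format and store are assumptions.

var (
	ErrMalformed = errors.New("malformed token")
	ErrUnknown   = errors.New("unknown token")
	ErrRevoked   = errors.New("token revoked")
)

// tokenRecord keeps only the SHA-256 digest of the random secret; the secret
// itself is handed to the caller once at creation and never stored.
type tokenRecord struct {
	digest  [sha256.Size]byte
	revoked bool
}

// TokenStore stands in for the tokens table (a real one needs a DB and locking).
type TokenStore struct{ records map[string]*tokenRecord }

func NewTokenStore() *TokenStore { return &TokenStore{records: map[string]*tokenRecord{}} }

func randomURLSafe(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Create issues "<id>.<secret>": a public lookup id plus 32 random bytes. With
// 256 bits of entropy an unsalted SHA-256 digest is an adequate at-rest form;
// that does NOT hold for low-entropy user passwords, which need bcrypt/Argon2.
func (s *TokenStore) Create() (string, error) {
	id, err := randomURLSafe(8)
	if err != nil {
		return "", err
	}
	secret, err := randomURLSafe(32)
	if err != nil {
		return "", err
	}
	s.records[id] = &tokenRecord{digest: sha256.Sum256([]byte(secret))}
	return id + "." + secret, nil
}

// Revoke disables a token but keeps its record so audit entries stay attributable.
func (s *TokenStore) Revoke(id string) error {
	rec, found := s.records[id]
	if !found {
		return ErrUnknown
	}
	rec.revoked = true
	return nil
}

// Rotate revokes the old token and issues its replacement.
func (s *TokenStore) Rotate(id string) (string, error) {
	if err := s.Revoke(id); err != nil {
		return "", err
	}
	return s.Create()
}

// Verify parses the presented token, finds the record by public id and compares
// digests in constant time. Revocation is checked only after the digest matches.
func (s *TokenStore) Verify(presented string) (string, error) {
	id, secret, ok := strings.Cut(presented, ".")
	if !ok || id == "" || secret == "" {
		return "", ErrMalformed
	}
	rec, found := s.records[id]
	if !found {
		return "", ErrUnknown
	}
	got := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(got[:], rec.digest[:]) != 1 {
		return "", ErrUnknown // wrong secret: do not confirm that the id exists
	}
	if rec.revoked {
		return "", ErrRevoked
	}
	return id, nil
}

func main() {
	s := NewTokenStore()
	tok, _ := s.Create()
	id, err := s.Verify(tok)
	fmt.Println(id, err)
}
```

Two design points carry over to any implementation: the public id lets the server find the row without a linear scan while the digest comparison stays constant-time, and a wrong secret for a known id is reported exactly like an unknown id so the API does not confirm which ids exist. Revoked rows are kept rather than deleted so the audit trail can still attribute past calls to the token.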
We welcome contributions from the community! Please see CONTRIBUTING.md for guidelines.
- Fork the repository
- Create a feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
OpenRisk is licensed under the MIT License - see the LICENSE file for details.
- GitHub Issues: Report bugs or request features
- Discussions: Join community discussions
- Security: See SECURITY.md for security vulnerability reporting
- Multi-tenant support
- Advanced RBAC enhancements
- Additional connector integrations
- Mobile application (React Native)
- Marketplace for plugins
- Advanced reporting (BI dashboards)
- Machine learning risk predictions
- API webhook support
- Enterprise audit compliance
- Advanced analytics engine
- Custom dashboard builder
- Workflow automation
OpenRisk is developed and maintained by the OpenDefender community.
- 📖 Check the documentation
- 🐛 Search existing issues
- 💬 Ask in discussions
