{"id":45942931,"url":"https://github.com/hanalyx/openwatch","last_synced_at":"2026-06-17T07:01:18.761Z","repository":{"id":312310926,"uuid":"1029885938","full_name":"Hanalyx/OpenWatch","owner":"Hanalyx","description":"OpenWatch is an open-source web security compliance scanning engine that helps organizations detect and track configuration and policy violations across their infrastructure.","archived":false,"fork":false,"pushed_at":"2026-06-16T03:58:07.000Z","size":23755,"stargazers_count":1,"open_issues_count":26,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-16T04:15:12.554Z","etag":null,"topics":["cis","cis-benchmark","compliance","it","security","security-tools","stig","stig-compliance"],"latest_commit_sha":null,"homepage":"https://hanalyx.com/openwatch","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Hanalyx.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":"audit/events.yaml","citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-31T18:22:46.000Z","updated_at":"2026-06-16T00:59:22.000Z","dependencies_parsed_at":"2025-09-17T17:21:04.351Z","dependency_job_id":"55010b2e-0ef2-4034-8d9d-aabae75ccaab","html_url":"https://github.com/Hanalyx/OpenWatch","commit_stats":null,"previous_names":["hanalyx/openwatch"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/Hanalyx/OpenWatch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hanalyx%2FOpenWatch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hanalyx%2FOpenWatch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hanalyx%2FOpenWatch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hanalyx%2FOpenWatch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Hanalyx","download_url":"https://codeload.github.com/Hanalyx/OpenWatch/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hanalyx%2FOpenWatch/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34437451,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-17T02:00:05.408Z","response_time":127,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cis","cis-benchmark","compliance","it","security","security-tools","stig","stig-compliance"],"created_at":"2026-02-28T10:52:34.009Z","updated_at":"2026-06-17T07:01:18.754Z","avatar_url":"https://github.com/Hanalyx.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenWatch\n\n**The Compliance Operating System — See Everything, Continuously.**\n\n[![License: AGPLv3 + MSE](https://img.shields.io/badge/License-AGPLv3%20%2B%20MSE-blue.svg)](LICENSE)\n[![Go CI](https://github.com/Hanalyx/OpenWatch/actions/workflows/go-ci.yml/badge.svg)](https://github.com/Hanalyx/OpenWatch/actions/workflows/go-ci.yml)\n[![Documentation](https://img.shields.io/badge/docs-latest-brightgreen)](https://hanalyx.github.io/OpenWatch/)\n[![GitHub Discussions](https://img.shields.io/github/discussions/Hanalyx/OpenWatch)](https://github.com/Hanalyx/OpenWatch/discussions)\n\n---\n\nAn auditor asks: *\"Were these 200 servers compliant with STIG on January 15th?\"*\n\nWith manual processes, that question takes a week to answer. With point-in-time scanning tools, you can only answer if you happened to scan that day. With OpenWatch, it is a query — executed in seconds, backed by machine-verifiable evidence, exportable as CSV, JSON, or PDF.\n\nOpenWatch is the compliance operating system for teams managing Linux infrastructure under STIG, CIS, NIST 800-53, PCI-DSS, and FedRAMP. It connects to your servers over SSH, runs 508 compliance checks via the [Kensa](https://github.com/Hanalyx/kensa) engine, and provides continuous visibility into compliance posture — not just what's passing now, but what was passing last Tuesday, what drifted since your last assessment, and what needs attention before your next one.\n\n\u003e **Project status — Go rebuild, pre-release.** OpenWatch is a single Go binary\n\u003e that serves both the REST API and the embedded React UI (the original\n\u003e Python/FastAPI implementation was archived out of the repo on 2026-06-05). The\n\u003e Go tree lives at the **repo root**: Go 1.26 backend (`cmd/`, `internal/`),\n\u003e React 19 + TanStack frontend (`frontend/`), PostgreSQL-only. The current\n\u003e version is `0.2.0-rc.8`, a pre-release — not a GA build.\n\n![OpenWatch Compliance Dashboard](docs/images/dashboard-preview.png)\n\n## The Problem with Point-in-Time Compliance\n\nMost compliance tools scan your systems and tell you what's passing today. That's useful, but it is not enough:\n\n- **The posture decays immediately.** A server that passed STIG on Monday can drift by Wednesday. Without continuous monitoring, you won't know until the next audit.\n- **Historical questions are unanswerable.** \"Were we compliant during the assessment window?\" requires re-scanning, which only tells you about *now*, not *then*.\n- **Exceptions live in spreadsheets.** Approved deviations from policy are tracked in email threads and shared drives, disconnected from the scanning tool.\n- **Drift is invisible.** When a rule that was passing starts failing, no one notices until an assessor finds it.\n- **Evidence is assembled, not generated.** Teams spend days before an audit compiling screenshots and command outputs into binders.\n\nOpenWatch solves all five problems.\n\n## What OpenWatch Does\n\n### Continuous Compliance Posture\n\nScan your fleet on a schedule — or let OpenWatch adapt the schedule based on host health. Healthy servers scan every 15 minutes. Degraded servers every 5. Critical servers every 2. The posture dashboard updates in real time.\n\n### Temporal Compliance Queries\n\nAsk \"What was our STIG compliance on February 1st?\" and get an answer backed by historical scan data. OpenWatch captures daily posture snapshots and stores the full history. Compliance posture is not a snapshot; it is a timeline.\n\n### Compliance Drift Detection\n\nWhen a rule that was passing starts failing, OpenWatch raises an alert automatically. Track drift events through acknowledgment to resolution. Know the moment your posture degrades — not weeks later when an assessor tells you.\n\n### Governance and Exception Management\n\nSome controls require approved exceptions. OpenWatch provides structured exception workflows: request, approve, reject, time-limit, revoke — all with an audit trail. No more tracking waivers in spreadsheets.\n\n### Audit-Ready Evidence and Exports\n\nEvery check captures the exact command executed, the system's raw output, the expected value, and the actual value. Export compliance data as CSV, JSON, or PDF. Build saved queries for recurring audit requests. The evidence is generated by the scan, not assembled after the fact.\n\n### Multi-Framework, Single Scan\n\nOne scan maps findings to STIG, CIS, NIST 800-53, PCI-DSS, and FedRAMP simultaneously. The same evidence satisfies multiple assessors. No duplicate scans, no duplicate reports.\n\n## How It Compares\n\nOpenWatch is a compliance *platform* — it manages the lifecycle of compliance across a fleet, not just the scan itself. This table compares approaches to managing ongoing compliance posture:\n\n| | OpenWatch | Manual Processes | Point-in-Time Scanners | Enterprise Platforms (Tenable, etc.) |\n|---|---|---|---|---|\n| Multi-host scanning | One click, 100+ hosts | SSH into each server | Script it yourself | Agent or credentialed scan |\n| Dashboard and history | Built-in | Spreadsheets | None | Commercial dashboard |\n| Temporal compliance | Query any date | Impossible | Not available | Limited |\n| Drift detection | Automatic alerts | Manual discovery | Not available | Partial |\n| Exception workflows | Structured with audit trail | Spreadsheets and email | Not available | Not available |\n| Framework coverage | STIG + CIS + NIST + PCI + FedRAMP | Whatever you check | Per-benchmark profiles | CIS/STIG/PCI |\n| Remediation | 23 typed mechanisms with rollback | Run commands by hand | Basic scripts | Not available |\n| Evidence model | Structured JSON per check | Screenshots | Varies by tool | PDF reports |\n| Setup time | 10 minutes | N/A | Varies | Days + licensing |\n| Cost | Free (Community) / Paid (Pro) | Labor | Free - varies | $50K+/year |\n\n**Note:** OpenWatch's scanning engine is [Kensa](https://github.com/Hanalyx/kensa), which takes a different architectural approach than SCAP-based tools. Kensa separates rules from implementations, treats frameworks as metadata, and detects host capabilities at runtime. Organizations with SCAP mandate requirements can use SCAP tools for assessment alongside OpenWatch for remediation, governance, and continuous monitoring.\n\n## Deploy in 10 minutes\n\n**Requirements:** a Linux host (RHEL/Rocky/Fedora/Oracle or Ubuntu/Debian),\nPostgreSQL, and 4 GB RAM. No Docker, Podman, or containers are required.\n\n```bash\nsudo dnf install ./openwatch-*.rpm     # RHEL / Rocky / Fedora / Oracle\nsudo apt install ./openwatch_*.deb     # Ubuntu / Debian\n\nsudo openwatch migrate                 # apply database migrations\nsudo openwatch create-admin \\          # create the first admin user\n  --username admin --email you@example.com --password '...'\nsudo systemctl enable --now openwatch  # start at boot\n```\n\nOpen **https://localhost:8443** and sign in with the admin user you created.\n\n### Run your first scan\n\n1. **Add credentials** — Settings \u003e System Credentials \u003e add your SSH user/key\n2. **Add a host** — Hosts \u003e Add Host \u003e enter IP, select credentials\n3. **Scan** — Click the play button on the host card\n\nResults appear in under a minute. OpenWatch ships with 508 built-in [Kensa](https://github.com/Hanalyx/kensa) rules — human-readable YAML, not XML — ready to go.\n\n## Architecture\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│                       You / Your Team                       │\n└──────────────────────────┬──────────────────────────────────┘\n                           │\n┌──────────────────────────▼──────────────────────────────────┐\n│  OpenWatch UI (React 19 · TanStack Router/Query · MUI)      │\n│  Dashboard · Posture · Alerts · Exceptions · Reports        │\n├─────────────────────────────────────────────────────────────┤\n│  OpenWatch API (Go 1.26 · REST)                             │\n│  Auth · RBAC · Scheduling · Audit · Exports                 │\n├────────────────────────┬────────────────────────────────────┤\n│  Kensa Engine          │  Worker (Go)                       │\n│  508 YAML rules        │  Async scanning                   │\n│  23 remediation types  │  Adaptive scheduling              │\n│  Evidence capture      │  Drift detection                  │\n├────────────────────────┴────────────────────────────────────┤\n│  PostgreSQL                                                 │\n│  All persistent data + native job queue (SKIP LOCKED)      │\n└─────────────────────────────────────────────────────────────┘\n                           │\n                      SSH (port 22)\n                           │\n┌──────────────────────────▼──────────────────────────────────┐\n│            Your Linux Servers (RHEL 8/9, Rocky, Alma)       │\n└─────────────────────────────────────────────────────────────┘\n```\n\n## Security\n\nOpenWatch is built for environments where security is the requirement, not an afterthought:\n\n| Control | Implementation |\n|---|---|\n| Encryption at rest | AES-256-GCM for stored credentials and sensitive data |\n| Authentication | RS256 JWT with Argon2id password hashing |\n| Multi-factor auth | TOTP (Google Authenticator, Authy) with backup codes |\n| FIPS 140-2 | Compliant cryptography (enable via `OPENWATCH_FIPS_MODE=true`) |\n| Authorization | RBAC with 6 roles — Superadmin, Security Admin, Analyst, Compliance Officer, Auditor, Guest |\n| Audit logging | All authentication, authorization, and compliance events logged |\n| Rate limiting | 100 req/min per user, 1,000 req/min per IP |\n| Transport | TLS 1.2+ with FIPS cipher suites in production |\n| Target security | No agents — scans over SSH, nothing installed on targets |\n\nReport vulnerabilities to security@hanalyx.com.\n\n## API-First Design\n\nOpenWatch exposes a versioned REST API under `/api/v1/`. The contract lives in\n`api/openapi.yaml` (the source of truth). Everything you can do in the UI, you\ncan automate:\n\n```bash\n# Authenticate\nTOKEN=$(curl -sk -X POST https://localhost:8443/api/v1/auth/login \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"admin\",\"password\":\"...\"}' | jq -r '.access_token')\n\n# Add a host\nHOST_ID=$(curl -sk -X POST https://localhost:8443/api/v1/hosts \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"hostname\":\"web-01\",\"ip_address\":\"192.168.1.10\",\"ssh_port\":22}' | jq -r '.id')\n\n# List hosts\ncurl -sk https://localhost:8443/api/v1/hosts \\\n  -H \"Authorization: Bearer $TOKEN\" | jq '.'\n```\n\nIntegrate compliance scanning into CI/CD pipelines, SIEM platforms, or custom dashboards.\n\n## Administration\n\nOpenWatch is a single binary. Service lifecycle is managed by **systemd**; admin\noperations are subcommands of the `openwatch` binary itself:\n\n```bash\n# Service lifecycle (systemd unit installed by the RPM/DEB)\nsystemctl start openwatch        # start the service\nsystemctl status openwatch       # service status\njournalctl -u openwatch -f       # follow logs\n\n# Admin operations (openwatch subcommands)\nopenwatch migrate                # apply pending database migrations\nopenwatch create-admin \\         # create the first admin user\n  --username admin --email admin@example.com --password '...'\nopenwatch check-config           # validate and print the resolved config\nopenwatch --version              # build metadata\n\n# Health\ncurl -k https://localhost:8443/api/v1/health\n```\n\n## Production Deployment\n\nInstall the native package (see [docs/guides/INSTALLATION.md](docs/guides/INSTALLATION.md)):\n\n```bash\nsudo dnf install ./openwatch-*.rpm     # RHEL / Rocky / Fedora / Oracle\nsudo apt install ./openwatch_*.deb     # Ubuntu / Debian\n\nsudo openwatch migrate                 # apply migrations\nsudo openwatch create-admin --username admin --email you@example.com --password '...'\nsudo systemctl enable --now openwatch  # start at boot\n```\n\nThe package installs the `openwatch` binary (API + embedded UI), a hardened\nsystemd unit, default config under `/etc/openwatch/`, and a system user.\nReplace the demo TLS cert under `/etc/openwatch/tls/` with your own before\nproduction use. FIPS-mode builds are available via `make build-fips`.\n\n## Monitoring\n\nOpenWatch exposes Prometheus metrics and a liveness probe for external\nmonitoring:\n\n```bash\ncurl -k https://localhost:8443/api/v1/health\n```\n\nSee [docs/guides/MONITORING_SETUP.md](docs/guides/MONITORING_SETUP.md) for\nwiring Prometheus, Grafana dashboards, and alerting against the metrics\nendpoint.\n\n## Documentation\n\n| Topic | Link |\n|---|---|\n| API contract | [api/openapi.yaml](api/openapi.yaml) (source of truth) |\n| API guide | [docs/guides/API_GUIDE.md](docs/guides/API_GUIDE.md) |\n| Full documentation | [hanalyx.github.io/OpenWatch](https://hanalyx.github.io/OpenWatch/) |\n| Quickstart | [docs/guides/QUICKSTART.md](docs/guides/QUICKSTART.md) |\n| Production deployment | [docs/guides/PRODUCTION_DEPLOYMENT.md](docs/guides/PRODUCTION_DEPLOYMENT.md) |\n| Security hardening | [docs/guides/SECURITY_HARDENING.md](docs/guides/SECURITY_HARDENING.md) |\n| Engineering docs | [docs/engineering/](docs/engineering/) |\n\n## Part of the Hanalyx Compliance Platform\n\nOpenWatch is the compliance operating system — the dashboard, the scheduler, the governance layer.  **[Kensa](https://github.com/Hanalyx/kensa)** is the compliance engine underneath — 508 rules, 23 remediation mechanisms, automatic rollback, all over SSH.\n\nIf you want a CLI that integrates into scripts and pipelines, start with Kensa. If you want a platform for your team with a dashboard, scheduling, and audit workflows, start here.\n\n## Community\n\nHave a question, idea, or want to share how you're using OpenWatch?\n\n**[Join the Discussion](https://github.com/Hanalyx/OpenWatch/discussions)**\n\n- **Q\u0026A** — Get help with setup, scanning, and configuration\n- **Ideas** — Propose features and integrations\n- **Show and Tell** — Share your compliance workflows\n\nFound a bug? [Open an issue](https://github.com/Hanalyx/OpenWatch/issues/new).\n\n## Contributing\n\nThe Go tree lives at the repo root:\n\n```bash\n# Backend (Go 1.26)\ngo build ./...\ngo test ./internal/... -count=1\nspecter check          # spec schema validation\n\n# Frontend (React 19 + TanStack + Vite)\ncd frontend\nnpm install\nnpm run dev            # http://localhost:5173\nnpx vitest run\n```\n\nThe legacy Python implementation is archived outside the repo and is no longer\nbuilt or tested here. See [CONTRIBUTING.md](CONTRIBUTING.md) before submitting a PR.\n\n## License\n\n**OpenWatch Community License (AGPLv3 + Managed Service Exception)**\n\n- Free to use, modify, and self-host\n- Cannot offer as a managed/hosted service without a commercial license\n\nSee [LICENSE](LICENSE) for details. Commercial licensing: [legal@hanalyx.com](mailto:legal@hanalyx.com)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhanalyx%2Fopenwatch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhanalyx%2Fopenwatch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhanalyx%2Fopenwatch/lists"}