https://github.com/opendefender/openrisk
Unified Risk & Threat Intelligence Management Platform
https://github.com/opendefender/openrisk
analysis cyber-threat-intelligenece cybersecurity digital-forensics digital-forensics-analysis freesoftware grc incidence-response-plan observable obsevability opendefender openrisk python risk-analysis risk-assessment risk-management risks risks-score security-tools
Last synced: about 2 months ago
JSON representation
Unified Risk & Threat Intelligence Management Platform
- Host: GitHub
- URL: https://github.com/opendefender/openrisk
- Owner: opendefender
- License: other
- Created: 2025-10-29T16:56:45.000Z (6 months ago)
- Default Branch: master
- Last Pushed: 2026-03-10T14:03:50.000Z (about 2 months ago)
- Last Synced: 2026-03-10T20:09:58.797Z (about 2 months ago)
- Topics: analysis, cyber-threat-intelligenece, cybersecurity, digital-forensics, digital-forensics-analysis, freesoftware, grc, incidence-response-plan, observable, obsevability, opendefender, openrisk, python, risk-analysis, risk-assessment, risk-management, risks, risks-score, security-tools
- Language: Go
- Homepage:
- Size: 158 MB
- Stars: 13
- Watchers: 3
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: changelog.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Audit: AUDIT_MANIFEST.md
- Security: SECURITY.md
- Authors: AUTHORS.md
- Copyright: COPYRIGHT.md
Awesome Lists containing this project
README
# OpenRisk
**Enterprise-Grade Risk Management Platform**
Part of the [OpenDefender](https://github.com/opendefender) Ecosystem
[](LICENSE)
[](https://github.com/opendefender/OpenRisk/releases)
[](https://golang.org)
[](https://react.dev)
---
## ๐ฏ Overview
**OpenRisk** is a modern, enterprise-grade **Risk Management Platform** that transforms how organizations identify, assess, mitigate, and monitor risks. Built with a scalable microservices architecture, OpenRisk enables teams to move beyond spreadsheets and legacy systems into a seamless, automated risk management experience.
### ๐ฏ What OpenRisk Enables
OpenRisk allows every organization to:
- โ
**Identify** IT & security risks
- โ
**Score & Prioritize** risks based on impact and probability
- โ
**Track** mitigation plans and action items
- โ
**Monitor** trends in real-time with interactive dashboards
### ๐ก Designed For
- **CTO & CISO** - Strategic risk oversight and compliance
- **DevSecOps** - Integrated security in CI/CD pipelines
- **Security Analysts** - Risk assessment and investigation
- **Compliance Teams** - Audit trails and governance
### ๐ Key Advantages
- โก **Automated Risk Assessment** - Reduce manual evaluation time
- ๐ **Interactive Dashboards** - Real-time risk visualization
- ๐ **Native Integrations** - Elastic, Splunk, TheHive, OpenCTI, AWS
- ๐ณ **Easy Deployment** - Docker & Kubernetes ready
- ๐ **Enterprise Security** - RBAC, SSO, audit logging
- ๐ **Scalable Architecture** - Microservices-ready
### Key Capabilities
- ๐ฒ **Risk Assessment** - Comprehensive risk identification and scoring
- ๐ก๏ธ **Mitigation Tracking** - Monitor and track risk mitigations in real-time
- ๐ **Advanced Analytics** - Real-time dashboards and trend analysis
- ๐ **Enterprise Security** - RBAC, audit logging, OAuth2/SAML2 SSO
- ๐ **Integration Ready** - TheHive, OpenCTI, Splunk, Elastic connectors
- โ๏ธ **Custom Fields** - Flexible schema for organizational needs
- ๐ **Gamification** - Engagement and incentive system
---
## ๐ Quick Start (5 Minutes)
### Prerequisites
- Docker & Docker Compose
- Git
- 4GB RAM, 2GB disk space
### Local Development
```bash
# Clone the repository
git clone https://github.com/opendefender/OpenRisk.git
cd OpenRisk
# Start all services (PostgreSQL, Redis, Backend, Frontend)
docker compose up -d
# Access the application
# Frontend: http://localhost:5173
# Backend API: http://localhost:8080
# API Docs: http://localhost:8080/swagger
```
### Default Credentials
```
Email: admin@openrisk.local
Password: admin123
```
---
## ๐ Technical Stack
### Backend
| Component | Technology | Version |
|-----------|-----------|---------|
| **Language** | Go | 1.25.4 |
| **Framework** | Fiber | v2.52 |
| **Database** | PostgreSQL | 16 |
| **ORM** | GORM | v1.31 |
| **Testing** | Testify | v1.11 |
| **Architecture** | CLEAN | Domain-Driven |
### Frontend
| Component | Technology | Version |
|-----------|-----------|---------|
| **Framework** | React | 19.2.0 |
| **State** | Zustand | 5.0.8 |
| **Styling** | Tailwind CSS | 3.4.0 |
| **Forms** | React Hook Form | 7.66 |
| **Routing** | React Router | 7.9.6 |
| **Charts** | Recharts | 3.5.0 |
### Infrastructure
| Component | Technology | Purpose |
|-----------|-----------|---------|
| **Containerization** | Docker | Application packaging |
| **Orchestration** | Kubernetes | Production deployment |
| **Charts** | Helm | K8s configuration |
| **CI/CD** | GitHub Actions | Automated testing & deployment |
| **Caching** | Redis | Session & cache layer |
---
## ๐ Features
### Phase 1: Core Risk Management โ
- โ
Risk CRUD operations (Create, Read, Update, Delete, List)
- โ
Risk scoring engine with weighted calculations
- โ
Mitigation tracking with checklist sub-actions
- โ
Asset management and relationships
- โ
Soft-delete support with audit trails
### Phase 2: Security & Authentication โ
- โ
JWT-based authentication
- โ
API Token management (create, revoke, rotate)
- โ
Role-Based Access Control (RBAC) - Backend (37+ endpoints, 11 domain models)
- โ
Permission matrices (resource-level granularity)
- โ
Comprehensive audit logging
- โ
OAuth2/SAML2 SSO (Google, GitHub, Azure AD)
### Phase 3: Infrastructure & Deployment โ
- โ
Docker Compose local development
- โ
GitHub Actions CI/CD pipeline
- โ
Integration test suite
- โ
Kubernetes Helm charts
- โ
Staging & production runbooks
### Phase 3.5: RBAC Frontend Implementation โ
- โ
Permission gate components (7 reusable wrappers)
- โ
Route-level permission guards (4 types)
- โ
Role & Tenant management pages (admin interfaces)
- โ
Advanced RBAC utilities (35+ functions)
- โ
Audit logging system (compliance tracking)
- โ
Permission caching (performance optimization)
- โ
Custom React hooks (usePermissions, useAuditLog)
- โ
Comprehensive documentation (2,000+ lines)
### Phase 4: Enterprise Features โ
- โ
Custom fields framework (5 types)
- โ
Bulk operations with validation
- โ
Risk timeline (audit trail)
- โ
Advanced reporting & export
- โ
SSO integration (OAuth2/SAML2)
### Phase 5: Performance Optimization & Comprehensive Testing โ
**Performance Optimization:**
- โ
Redis caching layer (generic CacheService, TTL management)
- โ
Query optimization (7 GORM patterns, N+1 elimination)
- โ
Database indexing (70+ strategic indexes, 100x+ faster)
- โ
Load testing framework (k6 baseline, 50+ concurrent users)
**Testing & Validation:**
- โ
Integration tests (8 test cases, 312 lines, CRUD + concurrency)
- โ
E2E tests with Playwright (12+ scenarios, 5 browsers/viewports)
- โ
Security testing (11 categories, SQL injection/XSS/CSRF/auth)
- โ
Performance benchmarks (9 benchmarks, all targets met)
- โ
Docker Compose testing infrastructure (9 services, isolated env)
- โ
Comprehensive testing guide (529 lines, CI/CD examples)
**Performance Targets Met:**
- Risk creation > 100 ops/sec โ
- Risk retrieval > 500 ops/sec โ
- Cache operations > 1000 ops/sec โ
- Dashboard load < 3 seconds โ
- Risk list (100 items) < 5 seconds โ
### Phase 6: Advanced Analytics & Monitoring ๐
- ๐ Analytics dashboard with real-time data
- ๐ Risk heatmaps and trend analysis
- ๐ Incident management system
- ๐ Threat tracking and mapping
- ๐ Gamification & engagement system
- ๐ Performance monitoring & alerting
---
## ๐ Documentation
| Document | Purpose |
|----------|---------|
| [TESTING_GUIDE.md](docs/TESTING_GUIDE.md) | Complete testing procedures & execution guide |
| [TESTING_COMPLETION_SUMMARY.md](docs/TESTING_COMPLETION_SUMMARY.md) | Phase 5 testing overview & metrics |
| [OPTIMIZATION_REPORT.md](docs/OPTIMIZATION_REPORT.md) | Performance optimization strategies & analysis |
| [PERFORMANCE_TESTING.md](docs/PERFORMANCE_TESTING.md) | k6 load testing configuration & guide |
| [LOCAL_DEVELOPMENT.md](docs/LOCAL_DEVELOPMENT.md) | Setup guide for development environment |
| [API_REFERENCE.md](docs/API_REFERENCE.md) | Complete API endpoint documentation |
| [KUBERNETES_DEPLOYMENT.md](docs/KUBERNETES_DEPLOYMENT.md) | K8s deployment instructions |
| [PRODUCTION_RUNBOOK.md](docs/PRODUCTION_RUNBOOK.md) | Production operations guide |
| [SAML_OAUTH2_INTEGRATION.md](docs/SAML_OAUTH2_INTEGRATION.md) | SSO integration guide |
| [ADVANCED_PERMISSIONS.md](docs/ADVANCED_PERMISSIONS.md) | RBAC & permissions documentation |
For more documentation, see the [docs](docs/) directory.
---
## ๐ Deployment
### Local Development
```bash
docker compose up -d
```
### Staging Environment
```bash
# See docs/STAGING_DEPLOYMENT.md
./scripts/deploy-kubernetes.sh --environment staging
```
### Production Deployment
```bash
# See docs/PRODUCTION_RUNBOOK.md
helm install openrisk ./helm/openrisk \
-f helm/values-prod.yaml \
--namespace openrisk
```
---
## ๐งช Testing & Quality Assurance
### Test Suites Available
**Integration Tests** - Database-level testing with PostgreSQL & Redis
```bash
go test -v ./tests/integration_test.go -timeout 30m
```
- 8 test cases covering CRUD, relationships, concurrency
- Query performance validation
- Audit logging verification
**E2E Tests** - User workflows in real browsers with Playwright
```bash
npx playwright test [--headed] [--project=chromium|firefox|webkit]
npx playwright show-report
```
- 12+ test scenarios across 5 browsers/viewports
- Authentication, risk management, custom fields
- Mobile responsiveness (iPhone 12, Pixel 5)
- Performance metrics validation
**Security Tests** - Vulnerability scanning and protection verification
```bash
go test -v ./tests/security_test.go -timeout 30m
```
- CSRF protection, SQL injection prevention
- XSS protection, rate limiting, auth bypass detection
- Security headers validation, CORS verification
**Performance Benchmarks** - Throughput and latency measurements
```bash
go test -v -bench=. ./tests/performance_benchmark_test.go -timeout 30m
```
- 9 benchmarks covering all critical operations
- Cache vs database performance comparison
- Concurrent operation handling
**Docker Compose Testing** - Isolated test environment
```bash
docker-compose -f docker-compose.test.yaml up -d
docker-compose -f docker-compose.test.yaml run integration_tests
docker-compose -f docker-compose.test.yaml run security_tests
docker-compose -f docker-compose.test.yaml run performance_tests
docker-compose -f docker-compose.test.yaml run e2e_tests
docker-compose -f docker-compose.test.yaml down -v
```
### Test Statistics
- **30+ test cases** across all test suites
- **2,707 lines** of test code
- **11 security categories** (OWASP coverage)
- **9 performance benchmarks** (all targets met)
- **5 browser/viewport combinations**
See [TESTING_GUIDE.md](docs/TESTING_GUIDE.md) and [TESTING_COMPLETION_SUMMARY.md](docs/TESTING_COMPLETION_SUMMARY.md) for detailed testing documentation.
---
## ๐ API Overview
OpenRisk provides a comprehensive REST API with 37+ endpoints:
### Core Endpoints
```
POST /api/risks - Create risk
GET /api/risks - List risks
GET /api/risks/:id - Get risk details
PATCH /api/risks/:id - Update risk
DELETE /api/risks/:id - Delete risk
POST /api/mitigations - Create mitigation
GET /api/mitigations - List mitigations
PATCH /api/mitigations/:id - Update mitigation
POST /api/mitigations/:id/sub-actions - Add checklist item
PATCH /api/mitigations/:id/sub-actions/:aid - Toggle completion
```
### RBAC & Security
```
POST /auth/login - JWT authentication
POST /auth/register - User registration
POST /auth/oauth2/:provider - OAuth2 login
POST /auth/saml/acs - SAML assertion endpoint
GET /api/tokens - List API tokens
POST /api/tokens - Create new token
DELETE /api/tokens/:id - Revoke token
GET /rbac/roles - List roles
POST /rbac/roles - Create role
PUT /rbac/roles/:id - Update role
DELETE /rbac/roles/:id - Delete role
GET /rbac/permissions - List permissions
GET /rbac/tenants - List tenants
POST /rbac/tenants - Create tenant
GET /rbac/tenants/:id/stats - Tenant statistics
DELETE /rbac/tenants/:id - Delete tenant
```
### Analytics & Reporting
```
GET /api/analytics/dashboard - Dashboard metrics
GET /api/analytics/trends - Risk trends
GET /api/reports - List reports
POST /api/reports/export - Export risks/mitigations
```
See [API_REFERENCE.md](docs/API_REFERENCE.md) for complete endpoint documentation with examples.
---
## ๐ Security
OpenRisk implements enterprise-grade security:
- **Authentication**: JWT tokens with expiration
- **Authorization**: RBAC with permission matrices
- **Encryption**: SHA256 hashing for sensitive data
- **Audit**: Complete audit trail for all operations
- **SSO**: OAuth2 and SAML2 support
- **Rate Limiting**: API rate limiting middleware
- **Input Validation**: Request validation with Zod/validator
See [ADVANCED_PERMISSIONS.md](docs/ADVANCED_PERMISSIONS.md) for detailed security documentation.
---
## โจ๏ธ Keyboard Shortcuts
OpenRisk includes keyboard shortcuts to help you work faster. Below is a complete list of available shortcuts:
### Global Shortcuts
| Shortcut | Action | Context |
|----------|--------|---------|
| โK or Ctrl+K | Open global search | Anywhere in the app |
| โN or Ctrl+N | Create new risk | Dashboard and Risks page |
| Esc | Close modal/dialog | Any open modal or dialog |
### Search & Navigation
| Shortcut | Action | Context |
|----------|--------|---------|
| โ | Previous search result | In search suggestions |
| โ | Next search result | In search suggestions |
| Enter | Select search result | Search suggestions open |
| Esc | Close search dropdown | Search suggestions open |
### Risk Management
| Shortcut | Action | Context |
|----------|--------|---------|
| Esc | Close risk details | Risk details panel open |
| Esc | Close edit modal | Risk editing modal open |
### Tips for Power Users
- **Search Tip**: Use โK / Ctrl+K from anywhere to quickly search for risks, assets, or mitigations
- **Quick Create**: Press โN / Ctrl+N on the dashboard to rapidly create new risks
- **Navigation**: Use arrow keys in search results to navigate without your mouse
- **Mobile**: These shortcuts work best on desktop/laptop keyboards
### Planned Shortcuts (Coming Soon)
- **Edit Last Risk** - โE / Ctrl+E
- **Filter Results** - โF / Ctrl+F
- **Delete Selected** - โD / Ctrl+D
- **Focus Search** - / key
- **Settings** - โ, / Ctrl+,
---
## ๐ค Contributing
We welcome contributions from the community! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
### Development Workflow
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request
---
## ๐ License
OpenRisk is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
---
## ๐ Support & Contact
- **GitHub Issues**: [Report bugs or request features](https://github.com/opendefender/OpenRisk/issues)
- **Discussions**: [Join community discussions](https://github.com/opendefender/OpenRisk/discussions)
- **Security**: See [SECURITY.md](SECURITY.md) for security vulnerability reporting
---
## ๐ Audit & Verification Reports
**Phase 6C Pre-Launch Audit** (March 10, 2026) - Complete project assessment before SaaS deployment:
### Comprehensive Analysis Available
- ๐ **[COMPREHENSIVE_AUDIT_REPORT.md](COMPREHENSIVE_AUDIT_REPORT.md)** - Executive summary with 8 analysis dimensions:
- Performance Analysis (Score: 8/10)
- Architecture & Design Patterns (Score: 9/10)
- Security Audit (Score: 9/10)
- Code Quality Assessment (Score: 8/10)
- Documentation Review (50+ files)
- Testing Coverage (28 test files, ~40%)
- Dependency Analysis (50+ total dependencies)
- Zero AI/ML patterns detected โ
- ๐ฏ **[RISK_REGISTER_FEATURES_ANALYSIS.md](RISK_REGISTER_FEATURES_ANALYSIS.md)** - Core feature verification:
- โ
13/13 Risk Register features confirmed present
- โ
All 4 visualization types implemented
- โ
Custom fields & templates working
- โ
Bulk operations (UPDATE, DELETE, ASSIGN, EXPORT)
- โ
Audit trail & timeline tracking
- โ
Search, filtering & sorting
- **Status: 95% COMPLETE & PRODUCTION READY**
- ๐ **[ANALYSIS_INDEX.md](ANALYSIS_INDEX.md)** - Navigation hub for all audit documents with quick metrics
- โ
**[COMPLETION_SUMMARY.md](COMPLETION_SUMMARY.md)** - Final verdict & next steps
### New Feature: Advanced Typeahead Search ๐
- **Implementation**: Complete typeahead hook with fuzzy matching algorithm
- **Features**:
- Keyboard shortcuts (Cmd+K, Cmd+/, โโ, Enter, Esc)
- Fuzzy match scoring (0-1 relevance ranking)
- Recent searches (localStorage-backed)
- Command palette with global actions
- **Status**: โ
Production-ready
- **Documentation**: [ADVANCED_TYPEAHEAD_IMPLEMENTATION.md](docs/ADVANCED_TYPEAHEAD_IMPLEMENTATION.md)
---
## ๐ Roadmap
### Q1 2026 - Phase 5: Performance Optimization & Testing โ
COMPLETE
- โ
Redis caching layer implementation
- โ
Query optimization (N+1 elimination)
- โ
Database indexing (70+ indexes)
- โ
Integration test suite (8 tests)
- โ
E2E tests with Playwright (12+ scenarios)
- โ
Security testing suite (11 categories)
- โ
Performance benchmarking (9 benchmarks)
- โ
Docker Compose testing infrastructure
- โ
Comprehensive testing documentation
- โ
All performance targets met (100-1000 ops/sec)
### Q2 2026 - Phase 6: Advanced Analytics & Monitoring
- ๐ Real-time analytics dashboard
- ๐ Risk trend analysis
- ๐ Incident management
- ๐ Performance monitoring & alerting
- ๐ Gamification system
### Q3 2026
- [ ] Advanced RBAC enhancements
- [ ] Additional connector integrations
- [ ] Machine learning risk predictions
- [ ] API webhook support
### Q4 2026
- [ ] Enterprise audit compliance
- [ ] Custom dashboard builder
- [ ] Workflow automation
- [ ] Multi-tenant advanced features
---
## ๐ฅ Credits
**OpenRisk** is developed and maintained by the [OpenDefender](https://github.com/opendefender) community.
---
## ๐ Questions?
- ๐ Check the [documentation](docs/)
- ๐ Search existing [issues](https://github.com/opendefender/OpenRisk/issues)
- ๐ฌ Ask in [discussions](https://github.com/opendefender/OpenRisk/discussions)
---
Made with โค๏ธ by OpenDefender Community
[โญ Star us on GitHub](https://github.com/opendefender/OpenRisk)