OpenRisk is a modern, enterprise-grade Risk Management Platform that transforms how organizations identify, assess, mitigate, and monitor risks. Built with a scalable microservices architecture, OpenRisk enables teams to move beyond spreadsheets and legacy systems into a seamless, automated risk management experience.
OpenRisk allows every organization to:
- Identify IT & security risks
- Score & prioritize risks based on impact and probability
- Track mitigation plans and action items
- Monitor trends in real time with interactive dashboards

Built for:
- CTO & CISO - Strategic risk oversight and compliance
- DevSecOps - Integrated security in CI/CD pipelines
- Security Analysts - Risk assessment and investigation
- Compliance Teams - Audit trails and governance

Why OpenRisk:
- Automated Risk Assessment - Reduce manual evaluation time
- Interactive Dashboards - Real-time risk visualization
- Native Integrations - Elastic, Splunk, TheHive, OpenCTI, AWS
- Easy Deployment - Docker & Kubernetes ready
- Enterprise Security - RBAC, SSO, audit logging
- Scalable Architecture - Microservices-ready

Key Features:
- Risk Assessment - Comprehensive risk identification and scoring
- Mitigation Tracking - Monitor and track risk mitigations in real time
- Advanced Analytics - Real-time dashboards and trend analysis
- Enterprise Security - RBAC, audit logging, OAuth2/SAML2 SSO
- Integration Ready - TheHive, OpenCTI, Splunk, Elastic connectors
- Custom Fields - Flexible schema for organizational needs
- Gamification - Engagement and incentive system
Prerequisites:
- Docker & Docker Compose
- Git
- 4GB RAM, 2GB disk space

Quick Start:
```bash
# Clone the repository
git clone https://github.com/opendefender/OpenRisk.git
cd OpenRisk

# Start all services (PostgreSQL, Redis, Backend, Frontend)
docker compose up -d

# Access the application
# Frontend: http://localhost:5173
# Backend API: http://localhost:8080
# API Docs: http://localhost:8080/swagger
```

Default credentials (seeded for local development):
- Email: admin@openrisk.local
- Password: admin123

These defaults are the same on every fresh install, so rotate the password (or replace the account) before the instance is reachable by anyone other than you.
Backend:

| Component | Technology | Version |
|---|---|---|
| Language | Go | 1.25.4 |
| Framework | Fiber | v2.52 |
| Database | PostgreSQL | 16 |
| ORM | GORM | v1.31 |
| Testing | Testify | v1.11 |
| Architecture | CLEAN | Domain-Driven |

Frontend:

| Component | Technology | Version |
|---|---|---|
| Framework | React | 19.2.0 |
| State | Zustand | 5.0.8 |
| Styling | Tailwind CSS | 3.4.0 |
| Forms | React Hook Form | 7.66 |
| Routing | React Router | 7.9.6 |
| Charts | Recharts | 3.5.0 |

Infrastructure:

| Component | Technology | Purpose |
|---|---|---|
| Containerization | Docker | Application packaging |
| Orchestration | Kubernetes | Production deployment |
| Charts | Helm | K8s configuration |
| CI/CD | GitHub Actions | Automated testing & deployment |
| Caching | Redis | Session & cache layer |
Core Risk Management (completed):
- Risk CRUD operations (Create, Read, Update, Delete, List)
- Risk scoring engine with weighted calculations
- Mitigation tracking with checklist sub-actions
- Asset management and relationships
- Soft-delete support with audit trails

Authentication & Authorization (completed):
- JWT-based authentication
- API token management (create, revoke, rotate)
- Role-Based Access Control (RBAC) - Backend (37+ endpoints, 11 domain models)
- Permission matrices (resource-level granularity)
- Comprehensive audit logging
- OAuth2/SAML2 SSO (Google, GitHub, Azure AD)

Infrastructure & DevOps (completed):
- Docker Compose local development
- GitHub Actions CI/CD pipeline
- Integration test suite
- Kubernetes Helm charts
- Staging & production runbooks

Frontend RBAC (completed):
- Permission gate components (7 reusable wrappers)
- Route-level permission guards (4 types)
- Role & tenant management pages (admin interfaces)
- Advanced RBAC utilities (35+ functions)
- Audit logging system (compliance tracking)
- Permission caching (performance optimization)
- Custom React hooks (usePermissions, useAuditLog)
- Comprehensive documentation (2,000+ lines)

Advanced Features (completed):
- Custom fields framework (5 types)
- Bulk operations with validation
- Risk timeline (audit trail)
- Advanced reporting & export
- SSO integration (OAuth2/SAML2)
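The feature list above names a scoring engine that ranks risks by impact and probability with weighted calculations. The following Go program is an added example written for this README, not OpenRisk's own scoring code: the 1..5 scale, the weight factors, the priority thresholds and the sample register are all assumptions chosen to show how such an engine validates its inputs, scores each risk, assigns a priority band and sorts the register so the items to mitigate next are at the top.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk carries the two inputs the README names for scoring: impact and probability.
// The 1..5 scale, the weights and the priority thresholds in this file are assumptions
// made for the example; they are not OpenRisk's own scoring parameters.
type Risk struct {
	Title       string
	Impact      int // 1 (negligible) .. 5 (critical)
	Probability int // 1 (rare) .. 5 (almost certain)
}

// Weights let an organisation bias one factor over the other; {1, 1} is plain impact x probability.
type Weights struct {
	Impact      float64
	Probability float64
}

// Scored is a risk together with the score and priority band computed for it.
type Scored struct {
	Risk     Risk
	Score    float64
	Priority string
}

// Score returns the weighted product. Out-of-range inputs are an error rather than a silently
// clamped value, so a bad import cannot quietly park a risk at the bottom of the register.
func Score(r Risk, w Weights) (float64, error) {
	if r.Impact < 1 || r.Impact > 5 || r.Probability < 1 || r.Probability > 5 {
		return 0, fmt.Errorf("risk %q: impact and probability must be within 1..5", r.Title)
	}
	return float64(r.Impact) * w.Impact * float64(r.Probability) * w.Probability, nil
}

// Priority maps a score onto the four bands a 5x5 heatmap usually colours (thresholds assumed).
func Priority(score float64) string {
	switch {
	case score >= 15:
		return "critical"
	case score >= 8:
		return "high"
	case score >= 4:
		return "medium"
	default:
		return "low"
	}
}

// Rank scores every risk and returns the register ordered highest score first.
// Ties keep their input order (stable sort), so re-ranking never shuffles equal risks.
func Rank(risks []Risk, w Weights) ([]Scored, error) {
	out := make([]Scored, 0, len(risks))
	for _, r := range risks {
		s, err := Score(r, w)
		if err != nil {
			return nil, err
		}
		out = append(out, Scored{Risk: r, Score: s, Priority: Priority(s)})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out, nil
}

func main() {
	// Constructed sample register for the demonstration.
	register := []Risk{
		{"Unpatched VPN appliance", 5, 4},
		{"Stale contractor accounts", 3, 3},
		{"Untested backup restore", 4, 2},
	}
	ranked, err := Rank(register, Weights{Impact: 1, Probability: 1})
	if err != nil {
		panic(err)
	}
	for _, s := range ranked {
		fmt.Printf("%-28s score=%4.1f priority=%s\n", s.Risk.Title, s.Score, s.Priority)
	}
}
```

Rejecting out-of-range inputs instead of clamping them is the deliberate choice here: a risk imported with a probability of 0 would otherwise score 0 and vanish from the top of every dashboard.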
Performance Optimization (completed):
- Redis caching layer (generic CacheService, TTL management)
- Query optimization (7 GORM patterns, N+1 elimination)
- Database indexing (70+ strategic indexes, 100x+ faster)
- Load testing framework (k6 baseline, 50+ concurrent users)

Testing & Validation (completed):
- Integration tests (8 test cases, 312 lines, CRUD + concurrency)
- E2E tests with Playwright (12+ scenarios, 5 browsers/viewports)
- Security testing (11 categories, SQL injection/XSS/CSRF/auth)
- Performance benchmarks (9 benchmarks, all targets met)
- Docker Compose testing infrastructure (9 services, isolated env)
- Comprehensive testing guide (529 lines, CI/CD examples)

Performance Targets Met:
- Risk creation > 100 ops/sec
- Risk retrieval > 500 ops/sec
- Cache operations > 1000 ops/sec
- Dashboard load < 3 seconds
- Risk list (100 items) < 5 seconds

In Progress:
- Analytics dashboard with real-time data
- Risk heatmaps and trend analysis
- Incident management system
- Threat tracking and mapping
- Gamification & engagement system
- Performance monitoring & alerting
| Document | Purpose |
|---|---|
| TESTING_GUIDE.md | Complete testing procedures & execution guide |
| TESTING_COMPLETION_SUMMARY.md | Phase 5 testing overview & metrics |
| OPTIMIZATION_REPORT.md | Performance optimization strategies & analysis |
| PERFORMANCE_TESTING.md | k6 load testing configuration & guide |
| LOCAL_DEVELOPMENT.md | Setup guide for development environment |
| API_REFERENCE.md | Complete API endpoint documentation |
| KUBERNETES_DEPLOYMENT.md | K8s deployment instructions |
| PRODUCTION_RUNBOOK.md | Production operations guide |
| SAML_OAUTH2_INTEGRATION.md | SSO integration guide |
| ADVANCED_PERMISSIONS.md | RBAC & permissions documentation |
For more documentation, see the docs directory.
Deployment:

Local development:
```bash
docker compose up -d
```

Staging (see docs/STAGING_DEPLOYMENT.md):
```bash
./scripts/deploy-kubernetes.sh --environment staging
```

Production (see docs/PRODUCTION_RUNBOOK.md):
```bash
helm install openrisk ./helm/openrisk \
  -f helm/values-prod.yaml \
  --namespace openrisk
```

Testing:

Integration Tests - Database-level testing with PostgreSQL & Redis
```bash
go test -v ./tests/integration_test.go -timeout 30m
```
- 8 test cases covering CRUD, relationships, concurrency
- Query performance validation
- Audit logging verification

E2E Tests - User workflows in real browsers with Playwright
```bash
npx playwright test [--headed] [--project=chromium|firefox|webkit]
npx playwright show-report
```
- 12+ test scenarios across 5 browsers/viewports
- Authentication, risk management, custom fields
- Mobile responsiveness (iPhone 12, Pixel 5)
- Performance metrics validation

Security Tests - Vulnerability scanning and protection verification
```bash
go test -v ./tests/security_test.go -timeout 30m
```
- CSRF protection, SQL injection prevention
- XSS protection, rate limiting, auth bypass detection
- Security headers validation, CORS verification

Performance Benchmarks - Throughput and latency measurements
```bash
go test -v -bench=. ./tests/performance_benchmark_test.go -timeout 30m
```
- 9 benchmarks covering all critical operations
- Cache vs database performance comparison
- Concurrent operation handling

Docker Compose Testing - Isolated test environment
```bash
docker-compose -f docker-compose.test.yaml up -d
docker-compose -f docker-compose.test.yaml run integration_tests
docker-compose -f docker-compose.test.yaml run security_tests
docker-compose -f docker-compose.test.yaml run performance_tests
docker-compose -f docker-compose.test.yaml run e2e_tests
docker-compose -f docker-compose.test.yaml down -v
```

Test coverage summary:
- 30+ test cases across all test suites
- 2,707 lines of test code
- 11 security categories (OWASP coverage)
- 9 performance benchmarks (all targets met)
- 5 browser/viewport combinations

See TESTING_GUIDE.md and TESTING_COMPLETION_SUMMARY.md for detailed testing documentation.
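The security test suite above lists "security headers validation, CORS verification" among its checks. The Go program below is an added example written for this README, not OpenRisk's security_test.go: it probes an HTTP handler with an untrusted Origin, reports which baseline response headers are missing or wrong, and flags the two CORS answers an authenticated API should never give (a wildcard origin, or the probe's own origin reflected back together with Allow-Credentials). The header baseline and the two sample handlers are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// requiredHeaders is the baseline this check enforces (an assumption for the example, not the
// set OpenRisk's own security tests use). A non-empty value must match exactly; an empty value
// only requires the header to be present.
var requiredHeaders = map[string]string{
	"X-Content-Type-Options":    "nosniff",
	"X-Frame-Options":           "DENY",
	"Strict-Transport-Security": "",
	"Content-Security-Policy":   "",
	"Referrer-Policy":           "",
}

// MissingSecurityHeaders returns one finding per header that is absent or carries the wrong
// value, sorted so the result is stable enough to assert on in a test.
func MissingSecurityHeaders(h http.Header) []string {
	var findings []string
	for name, want := range requiredHeaders {
		got := h.Get(name)
		switch {
		case got == "":
			findings = append(findings, name+": missing")
		case want != "" && !strings.EqualFold(got, want):
			findings = append(findings, fmt.Sprintf("%s: got %q, want %q", name, got, want))
		}
	}
	sort.Strings(findings)
	return findings
}

// CORSTooPermissive flags a wildcard origin, or the probe's own untrusted origin reflected
// back while credentials are allowed; either lets another site read authenticated responses.
func CORSTooPermissive(probeOrigin string, h http.Header) bool {
	acao := h.Get("Access-Control-Allow-Origin")
	creds := strings.EqualFold(h.Get("Access-Control-Allow-Credentials"), "true")
	return acao == "*" || (acao == probeOrigin && creds)
}

// hardened is what a correctly configured API response looks like; bare is the contrast case.
func hardened(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("X-Frame-Options", "DENY")
	w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	w.Header().Set("Content-Security-Policy", "default-src 'self'")
	w.Header().Set("Referrer-Policy", "no-referrer")
	w.Header().Set("Access-Control-Allow-Origin", "https://app.example.test") // fixed allow-list entry (constructed)
	w.WriteHeader(http.StatusOK)
}

func bare(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin")) // reflects whatever origin asked
	w.Header().Set("Access-Control-Allow-Credentials", "true")
	w.WriteHeader(http.StatusOK)
}

// Probe issues one request carrying an untrusted Origin and evaluates the response headers.
func Probe(handler http.HandlerFunc) (missing []string, corsBad bool) {
	srv := httptest.NewServer(handler)
	defer srv.Close()
	const origin = "https://untrusted.example.test" // constructed probe origin
	req, _ := http.NewRequest(http.MethodGet, srv.URL+"/api/risks", nil)
	req.Header.Set("Origin", origin)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	return MissingSecurityHeaders(resp.Header), CORSTooPermissive(origin, resp.Header)
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"hardened": hardened, "bare": bare} {
		missing, corsBad := Probe(h)
		fmt.Printf("%s: missing=%v cors_too_permissive=%v\n", name, missing, corsBad)
	}
}
```

The findings are returned as values rather than printed so the same check can gate a CI job: a non-empty slice or a true CORS flag is a failing test.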
OpenRisk provides a comprehensive REST API with 37+ endpoints:

```text
# Risks
POST   /api/risks                          - Create risk
GET    /api/risks                          - List risks
GET    /api/risks/:id                      - Get risk details
PATCH  /api/risks/:id                      - Update risk
DELETE /api/risks/:id                      - Delete risk

# Mitigations
POST   /api/mitigations                    - Create mitigation
GET    /api/mitigations                    - List mitigations
PATCH  /api/mitigations/:id                - Update mitigation
POST   /api/mitigations/:id/sub-actions    - Add checklist item
PATCH  /api/mitigations/:id/sub-actions/:aid - Toggle completion

# Authentication
POST   /auth/login                         - JWT authentication
POST   /auth/register                      - User registration
POST   /auth/oauth2/:provider              - OAuth2 login
POST   /auth/saml/acs                      - SAML assertion endpoint

# API tokens
GET    /api/tokens                         - List API tokens
POST   /api/tokens                         - Create new token
DELETE /api/tokens/:id                     - Revoke token

# RBAC
GET    /rbac/roles                         - List roles
POST   /rbac/roles                         - Create role
PUT    /rbac/roles/:id                     - Update role
DELETE /rbac/roles/:id                     - Delete role
GET    /rbac/permissions                   - List permissions
GET    /rbac/tenants                       - List tenants
POST   /rbac/tenants                       - Create tenant
GET    /rbac/tenants/:id/stats             - Tenant statistics
DELETE /rbac/tenants/:id                   - Delete tenant

# Analytics & reports
GET    /api/analytics/dashboard            - Dashboard metrics
GET    /api/analytics/trends               - Risk trends
GET    /api/reports                        - List reports
POST   /api/reports/export                 - Export risks/mitigations
```

See API_REFERENCE.md for complete endpoint documentation with examples.
OpenRisk implements enterprise-grade security:
- Authentication: JWT tokens with expiration
- Authorization: RBAC with permission matrices
- Encryption: SHA256 hashing for sensitive data
- Audit: Complete audit trail for all operations
- SSO: OAuth2 and SAML2 support
- Rate Limiting: API rate limiting middleware
- Input Validation: Request validation with Zod/validator
See ADVANCED_PERMISSIONS.md for detailed security documentation.
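The security summary above combines JWT tokens with expiration, RBAC permission matrices and a complete audit trail. The Go program below is an added example written for this README, not OpenRisk's own middleware: it verifies an HS256 JWT with the algorithm pinned and the signature checked before the payload is trusted, rejects expired tokens, looks the caller's role up in a resource-level permission matrix, and emits an audit entry for every decision, denials included. The claim names, the roles, resources and actions in the matrix, and the demo key are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal payload this example expects. The claim names, and the roles,
// resources and actions further down, are assumptions for the example, not OpenRisk's format.
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// SignHS256 mints a compact JWT; it exists here only to construct sample tokens.
func SignHS256(c Claims, key []byte) string {
	payload, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 pins the algorithm (any header other than HS256 is rejected before anything else),
// checks the MAC in constant time before the payload is parsed, and then enforces exp.
func VerifyHS256(token string, key []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := enc.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return Claims{}, errors.New("malformed payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// matrix is a resource-level permission matrix: role -> resource -> allowed actions (assumed).
var matrix = map[string]map[string][]string{
	"admin":   {"risks": {"create", "read", "update", "delete"}, "rbac": {"read", "update"}},
	"analyst": {"risks": {"create", "read", "update"}, "mitigations": {"create", "read", "update"}},
	"auditor": {"risks": {"read"}, "mitigations": {"read"}, "audit": {"read"}},
}

// Allowed is deny-by-default: an unknown role, resource or action all fall through to false.
func Allowed(role, resource, action string) bool {
	for _, a := range matrix[role][resource] {
		if a == action {
			return true
		}
	}
	return false
}

// AuditEntry records every decision, denials included; that is what an audit trail is for.
type AuditEntry struct {
	At                              time.Time
	Subject, Role, Resource, Action string
	Allowed                         bool
	Reason                          string
}

// Authorize runs the two checks in order and always returns an audit entry. When the token
// fails verification nothing in it is trusted, so the subject is recorded as unknown.
func Authorize(token string, key []byte, resource, action string, now time.Time) AuditEntry {
	e := AuditEntry{At: now, Subject: "unknown", Resource: resource, Action: action}
	c, err := VerifyHS256(token, key, now)
	if err != nil {
		e.Reason = err.Error()
		return e
	}
	e.Subject, e.Role = c.Sub, c.Role
	if e.Allowed = Allowed(c.Role, resource, action); !e.Allowed {
		e.Reason = "denied by permission matrix"
	}
	return e
}

func main() {
	key := []byte("constructed-demo-key-not-for-production")
	now := time.Now()
	tok := SignHS256(Claims{Sub: "u-42", Role: "auditor", Exp: now.Add(time.Hour).Unix()}, key)
	for _, rq := range [][2]string{{"risks", "read"}, {"risks", "delete"}} {
		e := Authorize(tok, key, rq[0], rq[1], now)
		fmt.Printf("%s %s/%s allowed=%v %s\n", e.Subject, e.Resource, e.Action, e.Allowed, e.Reason)
	}
}
```

The order inside VerifyHS256 is the point: algorithm first, signature second, payload last, so no claim is read from a token that has not already been proven to come from the server.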
OpenRisk includes keyboard shortcuts to help you work faster. Below is a complete list of available shortcuts:

Global:

| Shortcut | Action | Context |
|---|---|---|
| ⌘K or Ctrl+K | Open global search | Anywhere in the app |
| ⌘N or Ctrl+N | Create new risk | Dashboard and Risks page |
| Esc | Close modal/dialog | Any open modal or dialog |

Search navigation:

| Shortcut | Action | Context |
|---|---|---|
| ↑ | Previous search result | In search suggestions |
| ↓ | Next search result | In search suggestions |
| Enter | Select search result | Search suggestions open |
| Esc | Close search dropdown | Search suggestions open |

Risk details:

| Shortcut | Action | Context |
|---|---|---|
| Esc | Close risk details | Risk details panel open |
| Esc | Close edit modal | Risk editing modal open |

Tips:
- Search Tip: Use ⌘K / Ctrl+K from anywhere to quickly search for risks, assets, or mitigations
- Quick Create: Press ⌘N / Ctrl+N on the dashboard to rapidly create new risks
- Navigation: Use arrow keys in search results to navigate without your mouse
- Mobile: These shortcuts work best on desktop/laptop keyboards

Planned shortcuts (not yet available):
- Edit Last Risk - ⌘E / Ctrl+E
- Filter Results - ⌘F / Ctrl+F
- Delete Selected - ⌘D / Ctrl+D
- Focus Search - / key
- Settings - ⌘, / Ctrl+,
We welcome contributions from the community! Please see CONTRIBUTING.md for guidelines.

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request
OpenRisk is licensed under the MIT License - see the LICENSE file for details.
- GitHub Issues: Report bugs or request features
- Discussions: Join community discussions
- Security: See SECURITY.md for security vulnerability reporting
Completed:
- Redis caching layer implementation
- Query optimization (N+1 elimination)
- Database indexing (70+ indexes)
- Integration test suite (8 tests)
- E2E tests with Playwright (12+ scenarios)
- Security testing suite (11 categories)
- Performance benchmarking (9 benchmarks)
- Docker Compose testing infrastructure
- Comprehensive testing documentation
- All performance targets met (100-1000 ops/sec)

In progress:
- Real-time analytics dashboard
- Risk trend analysis
- Incident management
- Performance monitoring & alerting
- Gamification system

Planned:
- Advanced RBAC enhancements
- Additional connector integrations
- Machine learning risk predictions
- API webhook support
- Enterprise audit compliance
- Custom dashboard builder
- Workflow automation
- Multi-tenant advanced features
OpenRisk is developed and maintained by the OpenDefender community.
- Check the documentation
- Search existing issues
- Ask in discussions
