Open Source · MIT License

Built in the open.
For everyone who protects.

ComplianceOS is a fully open-source GRC platform. Self-host it for free, inspect every line of code, and contribute to the security community that keeps organizations safe.

$ git clone https://github.com/Sectutor/ComplianceOS-Core
$ cd ComplianceOS-Core
$ cp .env.example .env
# edit .env before starting: DATABASE_URL, SUPABASE_URL and your LLM key
$ docker compose up -d
# ✓ Running at http://localhost:5173

30+ Frameworks Supported
MIT License — 100% Free
1000+ Pre-built Controls
Open Issues & Discussions
Philosophy

Why open source GRC matters

Security programs built on black boxes are compliance theater. Real trust requires transparency — in your controls, your tools, and your code.

Radical Transparency

Every algorithm, every control mapping, every audit log — fully inspectable. No hidden logic, no vendor lock-in. Your auditors can see exactly how decisions are made.

Data Sovereignty

Self-host on your own infrastructure. Your compliance data — risk registers, evidence, policies — never leaves your environment unless you choose it. True data sovereignty.

Community Intelligence

Control frameworks, threat libraries, and policy templates built and validated by hundreds of security practitioners — not just one vendor's opinion.

The Platform

Everything is open. Everything.

Not just the frontend. The risk engine, the policy generator, the mapping logic — all of it.

⚙️ Risk Engine
Quantitative & qualitative risk assessment, heatmaps, treatment workflows

📝 Policy Generator
AI-assisted policy drafting with version control, approvals, and distribution

🗺️ Framework Library
ISO 27001, SOC 2, NIST CSF, CMMC, HIPAA, GDPR, and 25+ more built in

🏢 Multi-Tenant
Role-based access and workspace isolation, built for MSPs and consultants

📊 Evidence Collection
Structured evidence tasks, intake forms, and an audit trail for every artifact

🤖 AI Copilot
Bring your own LLM key: gap analysis, policy refinement, control suggestions. Prompts go to whichever provider you configure, so point it at a local Ollama model when policy text must stay inside your environment

🔗 Vendor Management
TPRM workflows, vendor risk scoring, contract repository, DPA templates

🔌 Plugin SDK
Extend with your own modules. Public plugin registry coming Q2 2026

Get Involved

Three ways to contribute

Whether you write code or write policies — there's a place for you here.

Star the Repo

The simplest way to support the project. Stars help us reach more security professionals who need a free, open alternative.

Star on GitHub
🐛 Report & Discuss

Found a bug? Have an idea for a new framework or feature? Open an issue or join a discussion — every report makes the platform better for everyone.

Open an Issue

🔧 Submit a PR

Add a new compliance framework, improve the UI, or fix a bug. Pull requests are reviewed promptly and contributors get credit in the changelog.

Submit a Pull Request
Self-Hosting

Your infra. Your data.
Your compliance.

Run ComplianceOS on any server — on-premise, your own cloud, or a VPS. Full Docker support with a single compose file. No phone-home, no telemetry, no license fees.

  • PostgreSQL + Supabase Auth (or your own auth)
  • Docker Compose — up and running in minutes
  • Bring your own LLM (OpenAI, Anthropic, local Ollama)
  • Full database schema in the repo, defined with Drizzle ORM
Read the Docs →
docker-compose.yml (excerpt)
version: '3.9'
services:
  app:
    image: complianceos/app:latest
    ports: ["5173:5173"]
    environment:
      DATABASE_URL: ${DATABASE_URL}
      SUPABASE_URL: ${SUPABASE_URL}
      OPENAI_API_KEY: ${OPENAI_API_KEY}
  server:
    image: complianceos/server:latest
    ports: ["3002:3002"]
    depends_on: [app]
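A hardened layout of the same stack, added here as an example and not the project's published compose file. It keeps the service and image names and the three variable names from the excerpt above; the `db` service, the `COMPLIANCEOS_VERSION` and `POSTGRES_PASSWORD` variables and the reverse-proxy assumption are mine. Two things differ from the excerpt: the secrets (DATABASE_URL and the LLM key) sit on the API `server` rather than the browser-facing `app`, and `app` depends on `server` instead of the reverse. Both are assumptions about which container talks to the database (the page says the schema lives in Drizzle ORM, a server-side library), so check them against the project's docs. Ports bind to loopback so nothing is reachable on every interface by accident, images are pinned instead of `latest`, and the obsolete `version:` key is dropped because Compose v2, which `docker compose` invokes, ignores it.

```yaml
# Added example (not the project's compose file). Service and image names and
# the DATABASE_URL / SUPABASE_URL / OPENAI_API_KEY variables come from the
# page's excerpt; the db service, ${COMPLIANCEOS_VERSION}, ${POSTGRES_PASSWORD}
# and the reverse-proxy assumption are assumptions. Every ${...} is read from
# .env, which stays at mode 0600 and out of version control.
services:
  db:
    image: postgres:16                      # assumed version; the page only says PostgreSQL
    environment:
      POSTGRES_DB: complianceos
      POSTGRES_USER: complianceos
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}   # generate with: openssl rand -base64 32
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U complianceos -d complianceos"]
      interval: 10s
      timeout: 5s
      retries: 5
    # No `ports:` entry: the database is reachable only on the compose network.

  server:
    image: complianceos/server:${COMPLIANCEOS_VERSION}   # pinned tag; `latest` is not reproducible
    environment:
      # e.g. postgresql://complianceos:<password>@db:5432/complianceos, set in .env
      DATABASE_URL: ${DATABASE_URL}
      SUPABASE_URL: ${SUPABASE_URL}
      OPENAI_API_KEY: ${OPENAI_API_KEY}     # stays on the API side, never in a browser bundle
    ports:
      - "127.0.0.1:3002:3002"               # loopback only; a TLS reverse proxy fronts it on 443
    depends_on:
      db:
        condition: service_healthy          # wait for pg_isready, not just container start
    read_only: true
    tmpfs: [/tmp]
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]

  app:
    image: complianceos/app:${COMPLIANCEOS_VERSION}
    ports:
      - "127.0.0.1:5173:5173"
    depends_on: [server]                    # the UI needs the API, not the other way round
    read_only: true
    tmpfs: [/tmp]
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]

volumes:
  pgdata:
```

`read_only`, `cap_drop: [ALL]` and the `/tmp` tmpfs assume the images write nowhere else at runtime; bring the stack up once with `docker compose logs -f` open and relax them only where a service actually fails. With ports bound to 127.0.0.1 the quickstart URL still works from the host, while anything else on the network has to come through the proxy.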
Compare

Community vs. Cloud

Self-host for full control, or let us manage it for you.

🔓 Community
Free Forever · MIT License
  • Full source code access
  • Self-host on any infrastructure
  • All core GRC modules
  • 30+ compliance frameworks
  • Bring your own LLM key
  • Unlimited workspaces & users
  Not included: managed hosting & backups, SLA & enterprise support, automatic updates
Clone & Self-Host
☁️ GRCompliance Cloud (Managed)
Hosted · Fully Managed
  • Everything in Community
  • Managed hosting & backups
  • 99.9% uptime SLA
  • Automatic updates & patches
  • Priority support & onboarding
  • Pre-configured AI & integrations
  • SOC 2 compliant infrastructure
  • MSP white-labeling available
  • Enterprise SSO (SAML / OIDC)
Request Cloud Access →

The GRC platform the
security community deserves.

Free, open, and built by practitioners. Star the repo, fork it, contribute — or just use it. No strings attached.

MIT Licensed · No account required · Fork it today