bmarsh9/gapps

★ 675 · HTML · NOASSERTION · updated May 2026

Security compliance platform - SOC2, CMMC, ASVS, ISO27001, HIPAA, NIST CSF, NIST 800-53, CSC CIS 18, PCI DSS, SSF tracking

Gapps is a self-hosted GRC platform for tracking compliance against frameworks like SOC2, NIST 800-53, ISO 27001, PCI DSS, and seven others. It's built on Flask + PostgreSQL and targets small security teams or startups going through their first audit who can't justify paying for Drata or Vanta. You run it yourself via Docker.

The 10 frameworks are bundled as JSON files you can inspect and modify directly: no black box, and the data model is yours. Multi-tenancy with OIDC/SSO support is genuinely useful for consultants managing multiple clients. The custom framework loader (drop in a JSON file, reload the tenant) makes it practical to add internal control sets without touching code. Risk register and auditor collaboration features are present, not just promised.

The upgrade story is painful: manual docker-compose edits plus manual migration commands, with warnings that running them in the wrong order deletes all your data; that will bite someone eventually. No integrations yet ('Next big features: Integrations!') means you're manually checking boxes rather than pulling evidence automatically, which is most of the actual audit work. Generating an API token by hitting a URL in the browser is an odd design, and tokens that never expire are a footgun. The repo's primary language shows as HTML, which signals that the Jinja templates dominate the codebase; server-side rendering with jQuery is fine, but the frontend will get painful to maintain at any serious scale.
