OpenFactstore
Supply Chain Compliance Fact Store for Financial Services DevSecOps
What is OpenFactstore?
OpenFactstore is a self-hosted compliance evidence store that tracks attestations, security scans, and policy decisions for every software release in your organisation. It gives engineering and compliance teams a single source of truth for answering the question: "Is this artifact safe to deploy?"
Built for financial services teams operating under strict regulatory obligations, OpenFactstore provides first-class support for SOX, PCI-DSS, and GDPR audit trails. Every compliance decision is recorded as an immutable fact (who approved it, what evidence existed, and whether policy gates were satisfied), making audit preparation a reporting exercise rather than a forensic investigation.
The system models compliance as Flows (templates of required checks), Trails (per-release evidence collections), and Attestations (individual evidence records). Deployment gates evaluate trails against OPA policies before any release proceeds, while approval workflows enforce multi-party sign-off where regulations demand it.
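The following Python sketch is an added illustration of how a deployment gate evaluates a Trail against a Flow template, including the conditional if: rules listed under Key Features below. It is not OpenFactstore's own code (the real gates are evaluated by OPA policies); the template shape, the if: expression grammar and the PASSED/FAILED status names are assumptions made for this example.

```python
"""Deployment-gate evaluation of a Trail against a Flow template.

Added example, not OpenFactstore's own code. The template shape, the `if:`
expression grammar and the status vocabulary (PASSED / FAILED) are assumptions.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Attestation:
    name: str                      # e.g. "sast-scan"
    status: str                    # "PASSED" or "FAILED" (assumed vocabulary)
    approvers: list = field(default_factory=list)


@dataclass
class Trail:
    flow: str
    artifact: str
    tags: set
    attestations: list


# Constructed flow template in a YAML-like shape. Requirements may carry an
# `if:` expression over the trail's flow name, artifact name, or tags.
FLOW_TEMPLATE = {
    "name": "payments-release",
    "requirements": [
        {"attestation": "unit-tests"},
        {"attestation": "sast-scan"},
        {"attestation": "pci-dss-review", "if": "tags contains 'cardholder-data'"},
        {"attestation": "prod-approval", "min_approvers": 2,
         "if": "artifact matches '^payments-.*'"},
    ],
}

_COND = re.compile(r"^(flow|artifact|tags)\s+(==|contains|matches)\s+'([^']*)'$")


def condition_holds(expr, trail):
    """Evaluate one `if:` expression against the trail's metadata.

    An expression the grammar does not recognise fails closed: the requirement
    is treated as applicable rather than silently skipped.
    """
    m = _COND.match(expr.strip())
    if not m:
        return True
    field_name, op, value = m.groups()
    subject = {"flow": trail.flow, "artifact": trail.artifact, "tags": trail.tags}[field_name]
    if op == "==":
        return subject == value
    if op == "contains":
        return value in subject
    if op == "matches":
        return isinstance(subject, str) and re.search(value, subject) is not None
    return True


def evaluate_gate(template, trail):
    """Return (allowed, reasons).

    Every applicable requirement needs a PASSED attestation; a requirement with
    `min_approvers` additionally needs that many distinct approvers (four-eyes).
    """
    by_name = {a.name: a for a in trail.attestations}
    reasons = []
    for req in template["requirements"]:
        cond = req.get("if")
        if cond and not condition_holds(cond, trail):
            continue  # requirement does not apply to this trail
        att = by_name.get(req["attestation"])
        if att is None:
            reasons.append(f"missing attestation: {req['attestation']}")
        elif att.status != "PASSED":
            reasons.append(f"{att.name} is {att.status}")
        elif len(set(att.approvers)) < req.get("min_approvers", 0):
            reasons.append(f"{att.name} needs {req['min_approvers']} distinct approvers")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed trail: same person approved twice, so the four-eyes rule blocks it.
    trail = Trail("payments-release", "payments-api", {"cardholder-data"}, [
        Attestation("unit-tests", "PASSED"),
        Attestation("sast-scan", "PASSED"),
        Attestation("pci-dss-review", "PASSED"),
        Attestation("prod-approval", "PASSED", ["alice", "alice"]),
    ])
    print(evaluate_gate(FLOW_TEMPLATE, trail))
```

Note that the approver check counts distinct identities, so the same approver signing twice does not satisfy a two-person requirement, and that an unrecognised if: expression makes the requirement apply rather than disappear.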
Key Features
Compliance Tracking
Flows, Trails, and Attestations model your entire release compliance lifecycle end-to-end.
Multi-tenancy
Organisation isolation ensures each team's compliance data stays separated and auditable.
Flow Templates
YAML-defined compliance requirements make it easy to standardise checks across teams.
Approval Workflows
Multi-party release approvals with timestamped audit records satisfy four-eyes requirements.
Deployment Gates
Policy-based deployment control blocks releases that haven't met all required evidence criteria.
Security Scans
Auto-parse JUnit XML, Snyk/SARIF, SonarQube quality gates, and Jira references; the attestation status is set to PASSED or FAILED automatically.
Regulatory Frameworks
SOX, PCI-DSS, and GDPR frameworks are built in, mapping controls to compliance requirements.
Monitoring
Prometheus metrics and pre-built Grafana dashboards give real-time compliance visibility.
CI/CD Integration
GitHub Actions, GitLab CI, and Jenkins helpers make it easy to record facts from any pipeline.
Dry-run Mode
Test compliance flows and policy evaluations safely without writing permanent data.
OIDC Provenance
Record GitHub Actions and GitLab OIDC identity tokens as tamper-evident provenance attestations, proving exactly which pipeline produced each artifact.
Conditional Policy Rules
Use if: expressions in flow templates and policies to enforce attestations only when conditions match the flow name, artifact name, or tags.
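As an added example for the Security Scans feature above, the Python below shows how JUnit XML and SARIF results can be classified into a PASSED or FAILED attestation status. It is not OpenFactstore's own parser; the sample reports are constructed, the status names are assumed, and the choice of which SARIF levels fail the scan is a parameter rather than anything the project prescribes.

```python
"""Classify test and scan reports as PASSED / FAILED attestations.

Added example, not OpenFactstore's own code. Sample inputs are constructed;
the PASSED / FAILED vocabulary and the failing SARIF levels are assumptions.
"""
import json
import xml.etree.ElementTree as ET  # for reports from untrusted pipelines, prefer defusedxml


def junit_status(xml_text):
    """Return (status, summary) for a JUnit report.

    A run fails if any <testcase> carries a <failure> or <error> child, or if
    the report contains no test cases at all (an empty suite is not evidence).
    """
    root = ET.fromstring(xml_text)
    suites = [root] if root.tag == "testsuite" else root.findall("testsuite")
    tests = failures = errors = 0
    for suite in suites:
        for tc in suite.iter("testcase"):
            tests += 1
            if tc.find("failure") is not None:
                failures += 1
            if tc.find("error") is not None:
                errors += 1
    status = "FAILED" if (failures or errors or tests == 0) else "PASSED"
    return status, {"tests": tests, "failures": failures, "errors": errors}


def sarif_status(sarif_text, fail_levels=frozenset({"error"})):
    """Return (status, level_counts) for a SARIF 2.1.0 log.

    A result's level is taken from the result itself, otherwise from its
    rule's defaultConfiguration, otherwise SARIF's default of "warning".
    """
    doc = json.loads(sarif_text)
    counts = {}
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            level = res.get("level")
            if level is None:
                rule = rules.get(res.get("ruleId"), {})
                level = rule.get("defaultConfiguration", {}).get("level", "warning")
            counts[level] = counts.get(level, 0) + 1
    status = "FAILED" if any(counts.get(lvl, 0) for lvl in fail_levels) else "PASSED"
    return status, counts


# Constructed sample reports.
JUNIT_FAILING = (
    '<testsuites><testsuite name="unit" tests="3">'
    '<testcase name="a"/>'
    '<testcase name="b"><failure message="expected 200, got 500"/></testcase>'
    '<testcase name="c"/>'
    '</testsuite></testsuites>'
)
JUNIT_PASSING = '<testsuite name="unit" tests="2"><testcase name="a"/><testcase name="b"/></testsuite>'

SARIF_WITH_ERROR = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "R1", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "R1"},                      # inherits "warning" from the rule
            {"ruleId": "R2", "level": "error"},    # explicit level on the result
        ],
    }],
})
SARIF_CLEAN = json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "x"}}, "results": []}]})

if __name__ == "__main__":
    print(junit_status(JUNIT_FAILING))   # FAILED: one failure out of three tests
    print(sarif_status(SARIF_WITH_ERROR))  # FAILED: one error-level finding
```

Whether warning-level findings should also block a release is a policy decision; passing fail_levels={"error", "warning"} makes the same parser enforce the stricter rule.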
See it in action
A snapshot of the OpenFactstore web UI across key compliance workflows.
Screenshots are auto-generated by the Playwright E2E test suite; run npm run test:e2e from frontend/ to refresh them.
See the full User Guide for annotated walkthroughs of every screen.
Tech Stack
Backend
- Kotlin 2 / JVM 21
- Spring Boot 3.4
- Spring Data JPA
- H2 in-memory DB
- Springdoc OpenAPI
Frontend
- Vue 3 (Composition API)
- TypeScript 5.4
- Tailwind CSS 3.4
- Vite 5
- Pinia + Axios
Infrastructure
- Docker Compose
- Prometheus
- Grafana
- Nginx (reverse proxy)
Policy & Security
- OPA (Open Policy Agent)
- OWASP ZAP
- Snyk
- Trivy