Get Started
Up and running in under five minutes with Docker Compose.
Prerequisites
Make sure you have the following installed before proceeding.
Quick Start (Docker Compose)
The fastest way to run OpenFactstore is with Docker Compose, which starts all services with a single command.
# 1. Clone the repository
git clone https://github.com/MaximumTrainer/OpenFactstore.git
cd OpenFactstore
# 2. Start all services
docker-compose up -d
# 3. Check services are running
docker-compose psOnce running, the following services are available:
| Service | URL | Description |
|---|---|---|
| Backend API | http://localhost:8080 |
Spring Boot REST API |
| Frontend UI | http://localhost:5173 |
Vue 3 web application |
| Swagger UI | http://localhost:8080/swagger-ui.html |
Interactive API documentation |
| Grafana | http://localhost:3000 |
Compliance dashboards (admin/admin) |
| Prometheus | http://localhost:9090 |
Metrics collection |
Manual Setup (Development)
To run the backend and frontend separately for development:
Backend
cd backend
./gradlew bootRun # Starts on http://localhost:8080Frontend
cd frontend
npm ci
npm run dev # Starts on http://localhost:5173Your First Compliance Trail
Walk through a complete compliance lifecycle using the REST API.
Create a Flow
A Flow is a template that defines the required compliance checks for a type of release.
curl -s -X POST http://localhost:8080/api/v1/flows \
-H "Content-Type: application/json" \
-d '{
"name": "standard-release",
"description": "Standard production release checks",
"requiredAttestations": ["security-scan", "code-review", "qa-signoff"]
}' | jq .Start a Trail
A Trail is a per-release evidence collection linked to a specific artifact (e.g., a container image).
curl -s -X POST http://localhost:8080/api/v1/trails \
-H "Content-Type: application/json" \
-d '{
"flowId": "<flow-id-from-step-1>",
"artifactName": "my-service",
"artifactVersion": "1.4.2",
"artifactDigest": "sha256:abc123..."
}' | jq .Record an Attestation
Attestations are individual evidence records. Record your security scan result:
curl -s -X POST http://localhost:8080/api/v1/trails/<trail-id>/attestations \
-H "Content-Type: application/json" \
-d '{
"type": "security-scan",
"passed": true,
"details": "Trivy scan: 0 critical, 2 medium (accepted)",
"attestedBy": "pipeline-bot"
}' | jq .Check Compliance
Evaluate whether the trail satisfies all flow requirements and is cleared for deployment:
curl -s http://localhost:8080/api/v1/trails/<trail-id>/compliance | jq .When all required attestations are recorded and policies pass, the response will show "compliant": true and the artifact is cleared for deployment.
Evaluate the Deployment Gate
Use the deployment gate to get a binary deploy/block decision:
curl -s -X POST http://localhost:8080/api/v1/gate/evaluate \
-H "Content-Type: application/json" \
-d '{
"trailId": "<trail-id>",
"targetEnvironment": "production"
}' | jq .http://localhost:8080/swagger-ui.html when the server is running.
Dry-run Mode
Any write operation can be tested without persisting data by adding the
X-Dry-Run: true header. The API will validate the request and simulate the
result without making any changes:
curl -s -X POST http://localhost:8080/api/v1/trails \
-H "Content-Type: application/json" \
-H "X-Dry-Run: true" \
-d '{ ... }' | jq .Further Reading
For the complete user guide including CI/CD integration examples, environment configuration, OPA policy authoring, and production hardening, see the USER_GUIDE.md on GitHub â .