Open Source · DevSecOps

OpenFactstore

Supply Chain Compliance Fact Store for Financial Services DevSecOps

What is OpenFactstore?

OpenFactstore is a self-hosted compliance evidence store that tracks attestations, security scans, and policy decisions for every software release in your organisation. It gives engineering and compliance teams a single source of truth for answering the question: "Is this artifact safe to deploy?"

Built for financial services teams operating under strict regulatory obligations, OpenFactstore provides first-class support for SOX, PCI-DSS, and GDPR audit trails. Every compliance decision is recorded as an immutable fact: who approved it, what evidence existed, and whether policy gates were satisfied. This makes audit preparation a reporting exercise rather than a forensic investigation.

The system models compliance as Flows (templates of required checks), Trails (per-release evidence collections), and Attestations (individual evidence records). Deployment gates evaluate trails against OPA policies before any release proceeds, while approval workflows enforce multi-party sign-off where regulations demand it.
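As an added illustration (not code from the OpenFactstore project), the following Rego policy shows the kind of decision a deployment gate as described above would make: it takes a trail together with the flow template it was created from as `input`, checks that every required check has a passing attestation, and applies the four-eyes approval rule mentioned under Key Features for production releases. The package name, the `input` shape (`input.flow.required_checks`, `input.trail.attestations`, `input.trail.approvals`, `input.trail.environment`) and the status values are assumptions made for this example; OpenFactstore's real policy interface may differ.

```rego
# Added example policy; not part of OpenFactstore. The input shape used here
# is an assumption for illustration only.
package openfactstore.gate

import rego.v1

# Constructed sample input (save as input.json and pass with `opa eval -i`):
# {
#   "flow":  {"required_checks": ["sast", "dependency-scan", "container-scan"]},
#   "trail": {
#     "environment": "production",
#     "attestations": [
#       {"check": "sast",            "status": "pass"},
#       {"check": "dependency-scan", "status": "fail"}
#     ],
#     "approvals": [{"user": "alice"}, {"user": "alice"}]
#   }
# }
# For this input `allow` is false and `deny` lists the failed dependency scan,
# the missing container scan, and the lack of a second distinct approver.

default allow := false

# The release may proceed only when no denial reason fires.
allow if {
    count(deny) == 0
}

# Names of every check that has at least one attestation in the trail.
attested contains name if {
    some a in input.trail.attestations
    name := a.check
}

# Required checks (from the flow template) with no attestation at all.
missing_checks contains name if {
    some name in input.flow.required_checks
    not attested[name]
}

# Checks that were attested but did not pass.
failed_checks contains name if {
    some a in input.trail.attestations
    a.status != "pass"
    name := a.check
}

# Four-eyes rule: production needs two distinct approvers; other
# environments are not subject to it in this example.
approvals_ok if {
    input.trail.environment != "production"
}

approvals_ok if {
    input.trail.environment == "production"
    approvers := {ap.user | some ap in input.trail.approvals}
    count(approvers) >= 2
}

# Human-readable reasons, suitable for recording on the trail's audit record.
deny contains msg if {
    some name in missing_checks
    msg := sprintf("required check %q has no attestation", [name])
}

deny contains msg if {
    some name in failed_checks
    msg := sprintf("check %q did not pass", [name])
}

deny contains "production release requires two distinct approvers" if {
    not approvals_ok
}
```

Evaluate it locally with `opa eval -i input.json -d gate.rego 'data.openfactstore.gate'`; the `deny` set is the useful part for an audit record, since it explains why a release was blocked rather than only that it was. Note that duplicate approvals by the same user are collapsed into one approver, so a single person approving twice does not satisfy the four-eyes rule.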

Key Features

Compliance Tracking

Flows, Trails, and Attestations model your entire release compliance lifecycle end-to-end.

๐Ÿข

Multi-tenancy

Organisation isolation ensures each team's compliance data stays separated and auditable.

Flow Templates

YAML-defined compliance requirements make it easy to standardise checks across teams.

Approval Workflows

Multi-party release approvals with timestamped audit records satisfy four-eyes requirements.

Deployment Gates

Policy-based deployment control blocks releases that haven't met all required evidence criteria.

Security Scans

Native integration with OWASP ZAP, Snyk, and Trivy records scan results as compliance facts.

Regulatory Frameworks

SOX, PCI-DSS, and GDPR frameworks are built in, mapping controls to compliance requirements.

Monitoring

Prometheus metrics and pre-built Grafana dashboards give real-time compliance visibility.

CI/CD Integration

GitHub Actions, GitLab CI, and Jenkins helpers make it easy to record facts from any pipeline.

Dry-run Mode

Test compliance flows and policy evaluations safely without writing permanent data.

Tech Stack

Backend

  • Kotlin 2 / JVM 21
  • Spring Boot 3.4
  • Spring Data JPA
  • H2 in-memory DB
  • Springdoc OpenAPI

Frontend

  • Vue 3 (Composition API)
  • TypeScript 5.4
  • Tailwind CSS 3.4
  • Vite 5
  • Pinia + Axios

Infrastructure

  • Docker Compose
  • Prometheus
  • Grafana
  • Nginx (reverse proxy)

Policy & Security

  • OPA (Open Policy Agent)
  • OWASP ZAP
  • Snyk
  • Trivy