The following default credentials are included for development purposes ONLY. These MUST be changed before deploying to production:

1. PostgreSQL Database

   • Username: grc
   • Password: grc_secret ← CHANGE THIS

2. Redis Cache

   • Password: redis_secret ← CHANGE THIS

3. Keycloak Admin

   • Username: admin
   • Password: admin ← CHANGE THIS

4. RustFS Object Storage (S3-compatible)

   • Access Key: rustfsadmin
   • Secret Key: rustfsadminpassword ← CHANGE THIS

Before deploying to production:

• Change all default passwords in .env file
• Enable TLS/SSL for all services
• Configure Keycloak for production mode
• Use proper secrets management (e.g., HashiCorp Vault, AWS Secrets Manager)
• Review and harden Docker images
• Enable multi-factor authentication in Keycloak
• Configure proper backup strategies for PostgreSQL and RustFS
• Set up monitoring and alerting
• Review and configure CORS policies
• Enable audit logging for all services
• Configure proper firewall rules
• Use environment-specific .env files (never commit to git)

To completely wipe all data and reset the platform:

# Stop all services and remove all data
bash scripts/data-scrub.sh

# Or manually:
docker-compose down
docker volume rm gigachad-grc_postgres_data
docker volume rm gigachad-grc_redis_data
docker volume rm gigachad-grc_rustfs_data

# Start fresh
docker-compose up -d

If using FieldGuide integration, store API keys as environment variables:

FIELDGUIDE_API_KEY=your-api-key-here
FIELDGUIDE_WEBHOOK_SECRET=your-webhook-secret-here

Store all third-party API credentials in environment variables or secrets manager, never in code.

1. Connection Security

   • Use SSL/TLS for database connections in production
   • Restrict database access to internal network only
   • Use strong, unique passwords (minimum 32 characters)

2. Access Control

   • Each service connects with minimal required permissions
   • Separate admin account for migrations
   • Regular password rotation

3. Backup & Recovery

   • Automated daily backups
   • Encrypted backup storage
   • Tested recovery procedures
   • Point-in-time recovery capability

1. Production Setup

   # Disable dev mode
   KC_HOSTNAME_STRICT=true
   KC_HTTP_ENABLED=false
   KC_HTTPS_ENABLED=true

2. Password Policies

   • Minimum 12 characters
   • Require uppercase, lowercase, numbers, symbols
   • Password expiration: 90 days
   • Password history: 5 previous passwords

3. Session Management

   • Session timeout: 30 minutes idle
   • Absolute session timeout: 8 hours
   • Require re-authentication for sensitive operations

Default roles and their permissions:

1. Admin

   • Full system access
   • User management
   • Configuration changes

2. Compliance Manager

   • Manage controls, evidence, frameworks
   • Create and approve policies
   • View audit logs

3. Risk Manager

   • Manage risks and treatments
   • View controls and evidence
   • Generate risk reports

4. Auditor (Internal)

   • Read-only access to controls and evidence
   • View audit logs
   • Access audit findings

5. Auditor (External - Portal Access)

   • Limited time-based access
   • View assigned audit requests
   • Upload evidence to specific requests
   • Comment on requests

6. Viewer

   • Read-only access to dashboards
   • View controls (no edit)
   • No access to audit logs or sensitive data

All services communicate over internal Docker network. External access only through Traefik gateway.

• Rate limiting enabled
• Request size limits
• Timeout configuration
• CORS policies
• Security headers

# Only allow necessary ports
22   - SSH (admin only)
80   - HTTP (redirect to HTTPS)
443  - HTTPS (application)
8080 - Keycloak (internal network only)

• User information stored in Keycloak
• No passwords stored in application database
• Audit logs contain user activities (GDPR/privacy compliance)

• Files encrypted at rest (RustFS/S3 encryption)
• Access control per document
• Audit trail for all file access
• Retention policies enforced

• Audit logs: 7 years
• Evidence: Per policy requirements
• User data: 30 days after account deletion
• Risk assessments: 3 years

1. Immediately disable affected accounts
2. Rotate all credentials
3. Review audit logs for impact assessment
4. Notify affected parties if required
5. Document incident in system

For security concerns, use GitHub Security Advisories.

This platform helps maintain compliance with:

• SOC 2 Type II
• ISO 27001:2022
• GDPR (data protection)
• HIPAA (healthcare data)
• PCI DSS (payment data)

• Monitor error logs
• Check failed login attempts

• Review new user accounts
• Check access permissions
• Review audit logs

• Update dependencies
• Review and rotate API keys
• Security scan of containers
• Penetration testing (external)
• Check for updates to known vulnerability exceptions (see below)

The following vulnerabilities have been identified but cannot be resolved without upstream fixes. These should be monitored for updates:

• Package: @okta/okta-auth-js → broadcast-channel → @babel/runtime
• Description: Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
• Status: Transitive dependency. Waiting for @okta/okta-auth-js to update broadcast-channel
• Mitigation: Low risk - affects RegExp performance, not security directly
• Monitor: Check @okta/okta-auth-js releases for updates

• Package: @modelcontextprotocol/sdk (MCP servers)
• Description: ReDoS vulnerability in MCP TypeScript SDK
• Status: Currently on latest version (1.25.1). Advisory may be stale or fix not yet released
• Mitigation: MCP servers are internal-only, not exposed to untrusted input
• Monitor: Check @modelcontextprotocol/sdk releases and GitHub advisory for updates

• Package: eslint → @eslint/eslintrc → js-yaml
• Description: Prototype pollution in merge (<<) operator
• Status: Transitive dependency. Waiting for eslint to update
• Mitigation: Only affects YAML parsing in linting tools, not runtime code
• Monitor: Check eslint releases for updates

Last reviewed: January 2026

• Full security audit
• Password policy review
• Access control review
• Disaster recovery test

To report a security vulnerability:

1. Do NOT create a public GitHub issue
2. Use GitHub Security Advisories
3. Include detailed description and reproduction steps
4. We will respond within 48 hours

• OWASP Top 10
• Docker Security Best Practices
• NestJS Security
• PostgreSQL Security