Manage governance, risk, and compliance programs with free and open source tools. Browse GRC platforms, audit management, policy management, and compliance automation tools.

Unleash/unleash
Open-source feature management platform
trimstray/the-practical-linux-hardening-guide
This guide details creating a secure Linux production system. OpenSCAP (C2S/CIS, STIG).
veeral-patel/how-to-secure-anything
How to systematically secure anything: a repository about security engineering
knownsec/404StarLink
404StarLink - Recommending high-quality, meaningful, interesting, and continuously maintained open source security projects
turbot/steampipe
Zero-ETL, infinite possibilities. Live query APIs, code & more with SQL. No DB required.
sottlmarek/DevSecOps
Ultimate DevSecOps library
microsoft/Security-101
8 Lessons, Kick-start Your Cybersecurity Learning.

glpi-project/glpi
GLPI is a free asset and IT management software package covering data center management, ITIL service desk, license tracking, and software auditing.
forter/security-101-for-saas-startups
security tips for startups
intuitem/ciso-assistant-community
CISO Assistant is a one-stop-shop GRC platform for Risk Management, AppSec, Compliance & Audit, TPRM, Privacy, and Reporting. It supports 100+ global frameworks with automatic control mapping, including ISO 27001, NIST CSF, SOC 2, CIS, PCI DSS, NIS2, DORA, GDPR, HIPAA, CMMC, and more.
inspec/inspec
InSpec: Auditing and Testing Framework
ComplianceAsCode/content
Security automation content in SCAP, Bash, Ansible, and other formats
Checkmarx/kics
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
cisagov/ScubaGear
Automation to assess the state of your M365 tenant against CISA's baselines
crev-dev/cargo-crev
A cryptographically verifiable code review system for the cargo (Rust) package manager.

slok/sloth
🦥 Easy and simple Prometheus SLO (service level objectives) generator
cncf/tag-security
🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
gabrie30/ghorg
Quickly clone or back up an entire organization's or user's repositories into one directory - supports GitHub, GitLab, Bitbucket, and more 🐇🥚
slsa-framework/slsa
Supply-chain Levels for Software Artifacts
cisagov/cset
Cybersecurity Evaluation Tool
guacsec/guac
GUAC aggregates software security metadata into a high fidelity graph database.
aws-cloudformation/cloudformation-guard
Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
tmobile/pacbot
PacBot (Policy as Code Bot)
Netflix/hubcommander
A Slack bot for GitHub organization management -- and other things too
GRC (Governance, Risk, and Compliance) is a structured approach to aligning IT with business objectives while managing risk and meeting regulatory requirements. It encompasses policy management, risk assessments, audit management, and compliance tracking across frameworks like ISO 27001, NIST CSF, SOC 2, and PCI DSS.
Open source GRC platforms include Eramba (community edition), SimpleRisk, and OpenGRC. For compliance automation, OpenSCAP provides automated configuration compliance scanning against CIS Benchmarks and STIG profiles. CISO Assistant is a newer open source GRC platform gaining traction.
ISO 27001 is the international standard for information security management systems (ISMS). Achieving certification requires implementing 93 controls across 4 themes (organizational, people, physical, technological), conducting risk assessments, and passing an external audit. GRC tools help manage the documentation and evidence collection process.
The NIST CSF is a voluntary framework for managing cybersecurity risk, organized around five functions: Identify, Protect, Detect, Respond, and Recover. It's widely adopted as a baseline for security programs and maps to other frameworks like ISO 27001, CIS Controls, and MITRE ATT&CK.