Skip to content

ewilhelm1979-netizen/ISCY

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

173 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

ISCY

CI License: AGPL-3.0-only

Deutsch

Self-hosted open-source cybersecurity governance for ISMS, product security, AI governance, and regulatory evidence.

ISCY connects security risks, controls, assets, incidents, evidence, suppliers, product-security data, and AI systems in one auditable platform. It is designed for organizations working with ISO 27001, NIS2, DORA, the Cyber Resilience Act, the EU AI Act, GDPR, and KRITIS.

The application follows a local-first, privacy-conscious approach. Its production runtime is implemented in Rust with Axum and supports NixOS and Docker-based deployments.

Project status: ISCY is actively developed and is in an early community-adoption phase. Interfaces and operational procedures may still evolve.

What ISCY covers

Area Examples
ISMS and governance risks, controls, requirements, assets, processes, evidence, management reviews
Incident response case files, timelines, runbooks, regulatory reporting packages
Product security SBOM, CSAF, SPDX, CycloneDX, VEX, CVE correlation, PSIRT evidence packages
Third-party risk supplier criticality, dependencies, reviews, contracts, evidence
AI governance AI-system inventory, classification, oversight, risks, monitoring plans
Zero Trust endpoint posture, enrollment, policy evaluation, device-bound credentials
Operations audit-ready exports, health endpoints, Prometheus, Grafana, backup and restore checks

Quick start

NixOS / Nix

./start.sh

Open http://127.0.0.1:9000/login/ and use the development-only demo account:

admin / Admin123!

Docker Compose

cp .env.development.example .env
make dev-up

For stage and production deployment, use the dedicated environment examples and complete the documented readiness checks:

cp .env.production.example .env
chmod 600 .env
make prod-readiness
make prod-up

Do not use demo credentials or demo seeding in production.

Security by design

ISCY is a multi-tenant, security-sensitive application. Core security boundaries include:

  • server-side authentication and tenant-scoped authorization
  • authenticated Evidence downloads with protection-class checks
  • no public static delivery of uploaded Evidence
  • fail-closed production preflight and explicit proxy trust
  • locked Rust builds, advisory scanning, and dependency license/source policy checks
  • non-root containers and verified backup/restore procedures

Start with the threat model, authorization model, production hardening guide, and security policy.

ISCY has not undergone an independent penetration test or certification. Regulatory support does not constitute legal advice, certification, conformity assessment, or an audit opinion.

Validation

The protected CI workflow checks Rust formatting, Clippy, locked tests, dependency advisories, dependency licenses and sources, HTTP/database smoke tests, Nix execution, Compose configurations, and the hardened Docker image.

Local validation:

cargo test --locked --manifest-path rust/iscy-backend/Cargo.toml
make rust-smoke
make rust-restore-smoke

Documentation

Contributing

Focused, tested, and documented contributions are welcome. Security-sensitive changes require explicit trust-boundary analysis and negative authorization tests.

Please read CONTRIBUTING.md, AGENTS.md, CODE_OF_CONDUCT.md, and SECURITY.md.

OpenAI Codex has assisted implementation, migration, testing, and review. Human contributors remain responsible for correctness, security, licensing, provenance, and validation.

License and copyright

Copyright (C) 2026 Enrico Wilhelm.

ISCY is licensed under the GNU Affero General Public License v3.0 only (AGPL-3.0-only). See LICENSE for the license text and NOTICE.md for copyright, attribution, third-party, and AI-assistance information.

About

Self-hosted open-source cybersecurity governance platform for ISO 27001, NIS2, DORA, CRA, product security and AI governance.

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

3 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages