zGovern Documentation
Everything you need to achieve and maintain compliance — from initial setup through continuous monitoring and audit-ready reporting.
What is zGovern?
zGovern is an enterprise compliance automation platform that helps engineering and security teams achieve and maintain regulatory compliance across multiple frameworks simultaneously. It replaces spreadsheet-based compliance programs with a unified workspace that continuously monitors your infrastructure, automatically collects evidence, and generates audit-ready reports.
Continuous Monitoring
Automated checks run every 6 hours across all connected integrations. Failures instantly surface as risks and alert your team.
Multi-Framework
Map controls once and satisfy SOC 2, ISO 27001, GDPR, HIPAA, and India DPDP simultaneously — 292 controls pre-built.
Audit-Ready
Export a complete audit bundle (ZIP) with controls, risks, evidence checklists, and policies in seconds.
Quick Links
Getting Started
Deploy with Docker, create your first framework, and invite your team in under 15 minutes.
Get started →
Frameworks & Controls
Explore the 292 built-in controls across SOC 2, ISO 27001, GDPR, HIPAA, and India DPDP.
Browse frameworks →
Integrations
Connect AWS, GitHub, Azure, GCP, Okta, GitLab, Google Workspace, and Slack for automatic evidence collection.
View integrations →
API Reference
Full REST API documentation with request/response examples for every endpoint.
Explore the API →
Platform Overview
The table below summarizes every major capability in zGovern and where to find the corresponding documentation.
| Feature | Description | Docs |
|---|---|---|
| Frameworks & Controls | 5 frameworks, 292 pre-built controls with plain-English descriptions and evidence requirements | Frameworks |
| Risk Register | 5×5 risk matrix, lifecycle management, auto-risks from monitoring, severity scoring | Risk Register |
| Policy Management | Versioned policies (DRAFT → ACTIVE → ARCHIVED), 3 built-in templates | Policies |
| Integrations | 8 cloud/IdP/VCS adapters, AES-256-GCM credential encryption, automated sync | Integrations |
| Continuous Monitoring | 6-hour scans, trend analysis, alert dedup, weekly email digest | Monitoring |
| Vendor Risk | Third-party vendor tracking, auto risk scoring, contract renewal alerts | Vendor Risk |
| Questionnaires | AI-assisted auto-answer engine (SIG, CAIQ, custom), keyword matching, .txt export | Questionnaires |
| Audit Workspace | Evidence upload/approval, comment threads, control readiness dashboard | Audit |
| Trust Center | Public-facing page showing frameworks, policies, and control readiness to prospects | Trust Center |
| Audit Bundle Export | One-click ZIP: summary.txt, controls.csv, risks.csv, evidence-checklist.csv, policies.txt | Audit |
| API | Full REST API with JWT auth for all resources | API Reference |
Requirements
zGovern is distributed as a Docker Compose application. The following software must be installed on your host machine:
| Requirement | Minimum Version | Notes |
|---|---|---|
| Docker | 24.0+ | Docker Desktop on macOS/Windows; Docker Engine on Linux |
| Docker Compose | 2.20+ | Included with Docker Desktop; docker compose (v2 syntax) |
| PostgreSQL | 16 | Provided via the official postgres:16-alpine Docker image |
| Node.js | 18 LTS+ | Only needed for local development outside Docker |
| RAM | 2 GB | 4 GB recommended for production |
| Disk | 5 GB | For Docker images, database data, and uploaded evidence files |
Architecture
zGovern is a three-tier application running entirely inside Docker:
- Frontend — React 18 + Vite + TypeScript + Tailwind CSS + shadcn/ui, served on port 3000
- Backend — NestJS + Prisma ORM, serves a REST API on port 4000
- Database — PostgreSQL 16, internal port 5432
prisma db push (not prisma migrate) for schema synchronisation. The database is seeded automatically on first startup with all framework controls, default policies, and the admin user.
Default Ports
| Service | Port | Description |
|---|---|---|
| Frontend | 3000 | React application (Vite) |
| Backend API | 4000 | NestJS REST API (/api/*) |
| PostgreSQL | 5432 | Internal only — not exposed to host by default |