v4

Getting Started

Deploy zGovern with Docker Compose, create your first compliance framework, and have your team logging in within 15 minutes.

Prerequisites

Before installing zGovern, ensure the following tools are available on your system:

Tool              Minimum Version          Check Command
Docker            24.0                     docker --version
Docker Compose    2.20 (v2 syntax)         docker compose version
Git               Any recent version       git --version

Docker Compose v2 required: use docker compose (with a space, v2) rather than docker-compose (v1, with a hyphen). The two CLIs behave differently and the v1 plugin is no longer maintained.

Installation

  1. Clone the repository
    git clone https://github.com/your-org/zgovern.git
    cd zgovern
  2. Review environment variables (optional)

    The docker-compose.yml ships with sensible defaults for local development. For production, you should override these values — especially the JWT secret and encryption key.

    docker-compose.yml (backend environment excerpt)
    DATABASE_URL: postgresql://postgres:postgres@db:5432/zgovern
    JWT_SECRET: change-me-in-production
    ENCRYPTION_KEY: 64-char-hex-key-for-aes-256-gcm
    SMTP_HOST: # optional — leave blank to log emails to console
    APP_URL: http://localhost:3000
  3. Build and start all services
    docker compose up --build

    On first run this will:

    • Build the backend (Express) and frontend (React/Vite) Docker images
    • Start PostgreSQL and run prisma db push to create the schema
    • Seed the database with 482 compliance controls across 18 frameworks, default policies, and the admin user
  4. Verify services are running
    docker compose ps

    You should see the following containers in the Up state, with every published port bound to 127.0.0.1 (loopback):

    expected output
    NAME                STATUS          PORTS
    zgovern-frontend    Up              127.0.0.1:3000->80/tcp
    zgovern-backend     Up              127.0.0.1:4000->4000/tcp
    zgovern-docs        Up              127.0.0.1:4001->80/tcp
    zgovern-postgres    Up              5432/tcp
  5. Open the application

    Navigate to http://localhost:3000 in your browser. You should see the zGovern login page.
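The expected output of docker compose ps above shows every published port bound to 127.0.0.1, which keeps the dashboard, API and docs off the host's external interfaces. The following added example (not part of the zGovern project) parses that output and flags any port mapping published on a non-loopback address such as 0.0.0.0 or ::. The sample output is constructed from the expected output shown above; the script assumes a POSIX shell with awk, that the container name is the first column, and that the first line is the header, as in that output.

```shell
#!/bin/sh
# Added example, not part of zGovern: verify that every port published by the
# compose stack is bound to a loopback address only.
# Sample input constructed from the "expected output" block in the Getting Started page.

SAMPLE_PS='NAME                STATUS          PORTS
zgovern-frontend    Up              127.0.0.1:3000->80/tcp
zgovern-backend     Up              127.0.0.1:4000->4000/tcp
zgovern-docs        Up              127.0.0.1:4001->80/tcp
zgovern-postgres    Up              5432/tcp'

# exposed_ports INPUT: print "NAME MAPPING" for every published mapping whose
# host address is not 127.0.0.1 or [::1]. Tokens without "->" (e.g. 5432/tcp)
# are container-internal and skipped. Scans every whitespace-separated token
# after the name, so extra columns in real docker compose ps output do not matter.
exposed_ports() {
  printf '%s\n' "$1" | awk 'NR > 1 {
    for (i = 2; i <= NF; i++) {
      t = $i
      sub(/,$/, "", t)                      # "0.0.0.0:3000->80/tcp," -> strip comma
      if (t ~ /->/ && t !~ /^127\.0\.0\.1:/ && t !~ /^\[::1\]:/) print $1, t
    }
  }'
}

# check_loopback_only INPUT: status 0 if nothing is published beyond loopback,
# 1 otherwise (offending mappings are printed to stderr).
check_loopback_only() {
  bad=$(exposed_ports "$1")
  if [ -n "$bad" ]; then
    printf 'published on a non-loopback address:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Against a live stack:  check_loopback_only "$(docker compose ps)"
# Against the constructed sample (runs when the file is executed directly):
if [ "${1:-}" = "sample" ]; then
  check_loopback_only "$SAMPLE_PS" && echo "all published ports are loopback-only"
fi
```

Run it as `sh check_ports.sh sample` to test against the constructed sample, or feed it the live `docker compose ps` output as shown in the comment. A non-zero exit is a signal to revisit the port bindings in docker-compose.yml before putting the stack on a shared network.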

First Login

A default administrator account is created automatically during database seeding. The admin email is admin@zgovern.com. The password is set by the SEED_ADMIN_PASSWORD environment variable in your .env file (see docker-compose.yml).

Field       Value
Email       admin@zgovern.com
Password    Set via SEED_ADMIN_PASSWORD in .env
Role        ADMIN

Use a strong seed password: set SEED_ADMIN_PASSWORD to a random, high-entropy password before first run. Never use a weak or default password in a shared or production environment.
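The three values that must not keep their shipped defaults (JWT_SECRET and ENCRYPTION_KEY from the compose excerpt in step 2, and SEED_ADMIN_PASSWORD above) can be generated and checked before the first docker compose up. The script below is an added example and not part of the zGovern project; it assumes a POSIX shell with coreutils (head, od, tr, sed, grep) and /dev/urandom, and it assumes the backend reads all three variables from a .env file next to docker-compose.yml under the names shown on this page. The `init` argument, the 16-character password minimum and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example, not part of zGovern: generate high-entropy secrets for the
# variables named in docker-compose.yml and refuse to proceed if placeholders remain.
# Assumption: the backend reads JWT_SECRET, ENCRYPTION_KEY and SEED_ADMIN_PASSWORD from .env.

# rand_hex N: print N random bytes as 2N lowercase hex characters.
rand_hex() {
  head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_env FILE: write FILE with freshly generated secrets, readable by the owner only.
# ENCRYPTION_KEY is 32 random bytes = 64 hex chars, the AES-256-GCM key size the
# compose excerpt calls for; JWT_SECRET gets the same 256 bits of entropy.
write_env() {
  {
    printf 'JWT_SECRET=%s\n' "$(rand_hex 32)"
    printf 'ENCRYPTION_KEY=%s\n' "$(rand_hex 32)"
    printf 'SEED_ADMIN_PASSWORD=%s\n' "$(rand_hex 16)"
  } > "$1"
  chmod 600 "$1"
}

# check_env FILE: status 0 if the secrets are present and not placeholders, 1 otherwise.
check_env() {
  f="$1"
  jwt=$(sed -n 's/^JWT_SECRET=//p' "$f")
  key=$(sed -n 's/^ENCRYPTION_KEY=//p' "$f")
  pw=$(sed -n 's/^SEED_ADMIN_PASSWORD=//p' "$f")
  case "$jwt" in
    ""|change-me-in-production)
      echo "JWT_SECRET is unset or still the shipped default" >&2; return 1 ;;
  esac
  # exactly 64 hex characters, i.e. a 32-byte key
  if ! printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    echo "ENCRYPTION_KEY must be 64 hex characters (32 bytes for AES-256-GCM)" >&2; return 1
  fi
  if [ "${#pw}" -lt 16 ]; then
    echo "SEED_ADMIN_PASSWORD must be at least 16 characters" >&2; return 1
  fi
  return 0
}

# "sh secrets.sh init" creates .env (never overwriting an existing one) and
# validates it; the compose commands from the Installation steps then follow.
if [ "${1:-}" = "init" ]; then
  [ -e .env ] || write_env .env
  check_env .env && echo ".env secrets look good; run: docker compose up --build"
fi
```

Keep the generated .env out of version control and out of the Docker image; the check only guards against the placeholders shown on this page, so rotate the values through the same script if they are ever exposed.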

Creating Your First Framework

After logging in, you'll land on the Dashboard. Here's how to set up your first compliance framework:

  1. Navigate to Frameworks

    Click Frameworks & Controls in the left sidebar.

  2. Select a framework

    You'll see 18 available frameworks organised into categories: Security (SOC 2, ISO 27001, PCI-DSS 4.0, NIST CSF 2.0, NIST 800-53, CIS Controls), Privacy (GDPR, CCPA/CPRA, HIPAA, DPDP, ISO 27701, LGPD), Industry (SOC 1, HIPAA), Business/Operations (ISO 22301, ISO 9001, ISO 45001, ISO 14001), and AI (ISO 42001). Click Activate next to the framework you want to start with. We recommend beginning with SOC 2 Type II if you're a SaaS company.

  3. Review the controls

    Once activated, the framework's controls (62 for SOC 2) will appear in your control list, each pre-populated with:

    • A plain-English description of what the control means
    • Specific evidence requirements
    • A suggested testing frequency
    • Status set to NOT_STARTED
  4. Assign control ownership

    Click on any control and use the Owner dropdown to assign it to a team member. This person will receive notifications when the control's evidence needs renewal.

  5. Connect an integration

    Navigate to Integrations and connect your cloud provider (AWS, Azure, or GCP) to begin automatic evidence collection. See the Integrations guide for details.

Roles & Permissions

zGovern has five built-in roles. Roles are assigned per-user and apply organisation-wide.

The permission matrix covers the roles SUPER_ADMIN, ADMIN, COMPLIANCE_MANAGER, AUDITOR and USER across the following permissions:

  • View dashboard & all data
  • View audit logs
  • Upload evidence / add controls
  • Approve / reject evidence
  • Export audit bundle
  • Create & manage risks / policies
  • Manage personnel / access reviews
  • Manage integrations & vendors
  • Configure Trust Center
  • Invite & manage users / org settings
  • Run monitoring scans
  • Cross-org super access

Inviting Users

User management is available in the Organization Settings page (sidebar → Organization). As an ADMIN you can:

  • Invite users by email address
  • Set their role at invite time
  • Change a user's role at any time
  • Deactivate accounts without deleting them (audit trail is preserved)
Best practice (least privilege): assign USER to most engineers so they can view compliance status without accidentally modifying controls or policies. Use COMPLIANCE_MANAGER for GRC team members who manage controls and risks day-to-day, AUDITOR for external or internal auditors who need read + evidence access, and ADMIN only for your security and GRC leads.

Next Steps