v3 5 min read

Getting Started

Deploy zGovern with Docker Compose, create your first compliance framework, and have your team logging in within 15 minutes.

Prerequisites

Before installing zGovern, ensure the following tools are available on your system:

Tool              Minimum Version        Check Command
Docker            24.0                   docker --version
Docker Compose    2.20 (v2 syntax)       docker compose version
Git               Any recent version     git --version

Docker Compose v2 required: Use docker compose (with a space, v2) rather than docker-compose (v1, with a hyphen). The two CLIs behave differently, and v1 is no longer maintained.

Installation

  1. Clone the repository
    bash
    git clone https://github.com/your-org/zgovern.git
    cd zgovern
  2. Review environment variables (optional)

    The docker-compose.yml ships with sensible defaults for local development. For production, you should override these values — especially the JWT secret and encryption key.

    docker-compose.yml (backend environment excerpt)
    DATABASE_URL: postgresql://postgres:postgres@db:5432/zgovern
    JWT_SECRET: change-me-in-production
    ENCRYPTION_KEY: 64-char-hex-key-for-aes-256-gcm
    SMTP_HOST: # optional — leave blank to log emails to console
    APP_URL: http://localhost:3000
  3. Build and start all services
    bash
    docker compose up --build

    On first run this will:

    • Build the backend (NestJS) and frontend (React/Vite) Docker images
    • Start PostgreSQL and run prisma db push to create the schema
    • Seed the database with 292 compliance controls, 3 default policies, and the admin user
  4. Verify services are running
    bash
    docker compose ps

    You should see three containers in running state:

    expected output
    NAME                STATUS          PORTS
    zgovern-frontend    Up              0.0.0.0:3000->3000/tcp
    zgovern-backend     Up              0.0.0.0:4000->4000/tcp
    zgovern-db          Up              5432/tcp
  5. Open the application

    Navigate to http://localhost:3000 in your browser. You should see the zGovern login page.
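
A preflight check for the values that step 2 says to override, as an added example that is not part of the zGovern repository: it generates fresh secrets and rejects the placeholders shown in the compose excerpt. The file name preflight.sh, the function names and the 32-character minimum for JWT_SECRET are assumptions.

```sh
#!/bin/sh
# Added example, not part of the zGovern repository. The two placeholder
# strings come from the compose excerpt above; the 32-character minimum
# for JWT_SECRET and the script's own names are assumptions.

zg_bad=0
zg_fail() { echo "FAIL: $1"; zg_bad=1; }

# 32 bytes from the kernel CSPRNG, printed as 64 hex characters.
hex32() { head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'; }

# Print fresh, independent values for the two secrets in KEY=value form.
gen_secrets() {
  printf 'JWT_SECRET=%s\n' "$(hex32)"
  printf 'ENCRYPTION_KEY=%s\n' "$(hex32)"
}

# Inspect the current environment; print one line per finding and
# return 1 if anything still has to change before a shared deployment.
check_env() {
  zg_bad=0
  zg_jwt=${JWT_SECRET:-} zg_key=${ENCRYPTION_KEY:-}

  case "$zg_jwt" in
    ''|change-me-in-production) zg_fail "JWT_SECRET is unset or the shipped default" ;;
    *) [ "${#zg_jwt}" -ge 32 ] || zg_fail "JWT_SECRET is shorter than 32 characters" ;;
  esac

  # AES-256 uses a 32-byte key: exactly 64 hex digits, nothing else.
  case "$zg_key" in
    *[!0-9a-fA-F]*) zg_fail "ENCRYPTION_KEY contains non-hex characters" ;;
    *) [ "${#zg_key}" -eq 64 ] || zg_fail "ENCRYPTION_KEY is not 64 hex digits" ;;
  esac

  # One value must not serve as both signing secret and encryption key.
  if [ -n "$zg_jwt" ] && [ "$zg_jwt" = "$zg_key" ]; then
    zg_fail "JWT_SECRET and ENCRYPTION_KEY are identical"
  fi

  case "${DATABASE_URL:-}" in
    *://postgres:postgres@*) zg_fail "DATABASE_URL uses the default postgres:postgres login" ;;
  esac
  return "$zg_bad"
}

# Usage (hypothetical file name): "sh preflight.sh gen" or "sh preflight.sh check"
case "${1:-}" in
  gen) gen_secrets ;;
  check) check_env ;;
esac
```

Export the variables in the shell that will run docker compose up, then run the check; a non-zero exit status means at least one finding was printed.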

First Login

A default administrator account is created automatically during database seeding. Use these credentials to log in for the first time:

Field       Value
Email       admin@zgovern.com
Password    admin123!
Role        ADMIN

🔒 Change the default password immediately: Never deploy zGovern with the default credentials in a shared or production environment. Change the admin password in the Organization Settings page as soon as you log in.

Creating Your First Framework

After logging in, you'll land on the Dashboard. Here's how to set up your first compliance framework:

  1. Navigate to Frameworks

    Click Frameworks & Controls in the left sidebar.

  2. Select a framework

    You'll see the 5 available frameworks listed. Click Activate next to the framework you want to start with. We recommend beginning with SOC 2 Type II if you're a SaaS company.

  3. Review the controls

    Once activated, the framework's controls (63 for SOC 2) will appear in your control list, each pre-populated with:

    • A plain-English description of what the control means
    • Specific evidence requirements
    • A suggested testing frequency
    • Status set to NOT_STARTED
  4. Assign control ownership

    Click on any control and use the Owner dropdown to assign it to a team member. This person will receive notifications when the control's evidence needs renewal.

  5. Connect an integration

    Navigate to Integrations and connect your cloud provider (AWS, Azure, or GCP) to begin automatic evidence collection. See the Integrations guide for details.

Roles & Permissions

zGovern has three built-in roles. Roles are assigned per-user and apply organization-wide.

Permission ADMIN AUDITOR MEMBER
View dashboard & all data
View audit logs
Upload evidence files
Add / update controls
Approve / reject evidence
Create & manage risks
Create & publish policies
Manage integrations
Manage vendors
Configure Trust Center
Invite & manage users
Export audit bundle
Run monitoring scans

Inviting Users

User management is available in the Organization Settings page (sidebar → Organization). As an ADMIN you can:

  • Invite users by email address
  • Set their role at invite time
  • Change a user's role at any time
  • Deactivate accounts without deleting them (audit trail is preserved)

💡 Best practice — least privilege: Assign MEMBER to most engineers so they can view compliance status without accidentally modifying controls or policies. Reserve AUDITOR for team leads who own controls, and ADMIN only for your GRC/security leads.

Next Steps