zGovern Documentation
Everything you need to achieve and maintain compliance — from initial setup through continuous monitoring and audit-ready reporting.
What is zGovern?
zGovern is an enterprise compliance automation platform that helps engineering and security teams achieve and maintain regulatory compliance across multiple frameworks simultaneously. It replaces spreadsheet-based compliance programs with a unified workspace that continuously monitors your infrastructure, automatically collects evidence, and generates audit-ready reports.
Continuous Monitoring
Automated checks run every 6 hours across all connected integrations. Failures instantly surface as risks and alert your team.
Multi-Framework
Map controls once and satisfy SOC 2, ISO 27001, GDPR, HIPAA, PCI-DSS 4.0, NIST, and 12 more frameworks simultaneously — 482 controls pre-built.
Audit-Ready
Export a complete audit bundle (ZIP) with controls, risks, evidence checklists, and policies in seconds.
Quick Links
Getting Started
Deploy with Docker, create your first framework, and invite your team in under 15 minutes.
Get started →
Frameworks & Controls
Explore the 482 built-in controls across 18 frameworks: SOC 2, ISO 27001, GDPR, HIPAA, PCI-DSS 4.0, NIST CSF, NIST 800-53, CIS Controls, and more.
Browse frameworks →
Integrations
Connect 50+ tools — AWS, GitHub, Azure, GCP, Okta, CrowdStrike, Datadog, BambooHR, Workday, Jira, and more — for automatic evidence collection.
View integrations →
API Reference
Full REST API documentation with request/response examples for every endpoint.
Explore the API →
Platform Overview
The table below summarizes every major capability in zGovern and where to find the corresponding documentation.
| Feature | Description | Docs |
|---|---|---|
| Frameworks & Controls | 18 frameworks, 482 pre-built controls with plain-English descriptions, evidence requirements, and cross-framework mappings | Frameworks |
| Risk Register | 5×5 risk matrix, lifecycle management, auto-risks from monitoring failures, severity scoring | Risk Register |
| Policy Management | Versioned policies (DRAFT → ACTIVE → ARCHIVED), built-in templates, version history, employee sign-off tracking | Policies |
| Integrations | 50 live adapters across cloud, identity, DevOps, security, monitoring, HR, and more — AES-256-GCM credential encryption | Integrations |
| Continuous Monitoring | 6-hour scans, sparkline trend analysis per check, alert deduplication, weekly email digest every Monday | Monitoring |
| Vendor Risk | Third-party vendor tracking, auto risk scoring from certifications & data types, contract renewal alerts, review overdue banners | Vendor Risk |
| Questionnaires | AI-assisted auto-answer engine (SIG Lite, CAIQ, HIPAA SAQ, GDPR Vendor, custom), keyword matching, confidence scoring, .txt export | Questionnaires |
| Audit Workspace | Evidence upload/approval, comment threads, control readiness dashboard, one-click ZIP audit bundle export | Audit |
| Trust Center | Public-facing compliance page (no login required) showing frameworks, policies, and control readiness — shareable via custom slug | Trust Center |
| Personnel & HR | Employee onboarding/offboarding checklists, training tracking, policy sign-off, sync from BambooHR / Rippling / Gusto / Workday | — |
| Access Reviews | Periodic access certifications across Okta, GitHub, and custom sources; APPROVE / REVOKE decisions with auto-deprovisioning | — |
| Incident Management | Full incident lifecycle with SLA tracking (CRITICAL=4h, HIGH=24h), MTTD/MTTR metrics, and 6-month trend charts | — |
| Control Testing | PASS / FAIL / PARTIAL test results per control, configurable testing frequencies, test history linked to frameworks | — |
| Training | Security awareness training programs, completion tracking, due-date alerts, bulk-assign by department or role | — |
| Compliance Calendar | Calendar and list views of compliance deadlines, recurring events, and audit dates; .ics export for Google Calendar / Outlook | — |
| Asset Inventory | Hardware, software, cloud, and data asset tracking with classification, owner assignment, and risk linking | — |
| Readiness Report | Per-framework audit readiness score with projected audit-ready date based on current completion rate | — |
| SOX / Internal Audit | SOX deficiency tracking (Material Weakness, Significant Deficiency, Control Deficiency), remediation plans, audit engagement management | — |
| API | Full REST API with JWT auth for all resources | API Reference |
Requirements
zGovern is distributed as a Docker Compose application. The following must be available on your host machine:
| Requirement | Minimum Version | Notes |
|---|---|---|
| Docker | 24.0+ | Docker Desktop on macOS/Windows; Docker Engine on Linux |
| Docker Compose | 2.20+ | Included with Docker Desktop; docker compose (v2 syntax) |
| PostgreSQL | 16 | Provided via the official postgres:16-alpine Docker image |
| Node.js | 18 LTS+ | Only needed for local development outside Docker |
| RAM | 2 GB | 4 GB recommended for production |
| Disk | 5 GB | For Docker images, database data, and uploaded evidence files |
Architecture
zGovern is a three-tier application running entirely inside Docker:
- Frontend — React 18 + Vite + TypeScript + Tailwind CSS + shadcn/ui, served on port 3000
- Backend — Node.js + Express + Prisma ORM, serves a REST API on port 4000
- Database — PostgreSQL 16, internal port 5432
prisma db push (not prisma migrate) for schema synchronisation. The database is seeded automatically on first startup with all framework controls, default policies, and the admin user.
Default Ports
| Service | Port | Description |
|---|---|---|
| Frontend | 3000 | React application (Vite) |
| Backend API | 4000 | Express REST API (/api/*) |
| Docs | 4001 | Static documentation site (nginx) |
| PostgreSQL | 5432 | Internal only — not exposed to host by default |
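As an added illustration of the three-tier layout and port table above (this is not zGovern's own compose file), the following Docker Compose fragment keeps PostgreSQL on the internal network only and publishes just the frontend, API and docs ports; service names, build paths and the JWT_SECRET variable name are assumptions.

```yaml
# Illustrative docker-compose.yml for the layout described above.
# Not the project's own file: service names, build paths and the
# JWT_SECRET variable are assumptions; ports match the Default Ports table.
services:
  db:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: zgovern
      POSTGRES_USER: zgovern
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}
    # Deliberately no "ports:" entry here. Adding
    #   ports: ["5432:5432"]
    # would publish the database on the host; leaving it out keeps 5432
    # reachable only from the other services on the compose network.
    volumes:
      - db-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U zgovern -d zgovern"]
      interval: 10s
      timeout: 5s
      retries: 5

  backend:
    build: ./backend                      # assumed path
    environment:
      # Internal hostname "db" resolves on the compose network; the
      # password is injected from .env rather than written in this file.
      DATABASE_URL: postgresql://zgovern:${POSTGRES_PASSWORD}@db:5432/zgovern
      JWT_SECRET: ${JWT_SECRET:?set JWT_SECRET in .env}   # assumed name
    ports:
      - "4000:4000"                       # Express REST API (/api/*)
    depends_on:
      db:
        condition: service_healthy        # wait for the DB before seeding

  frontend:
    build: ./frontend                     # assumed path
    ports:
      - "3000:3000"                       # React application (Vite)
    depends_on:
      - backend

  docs:
    build: ./docs                         # assumed path; static nginx site
    ports:
      - "4001:80"                         # assumes nginx listens on 80 inside

volumes:
  db-data:
```

After `docker compose up -d`, `docker compose ps` should list published ports only for frontend, backend and docs; if 5432 appears there, the database has been exposed to the host.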