Wiz
All articles

Gapps: Open‑Source GRC Tool for DevSecOps Compliance Management

Wiz Experts Team
Get your Secure Coding Cheat SheetWatch 12-min demo

TL;DR, What is Gapps?

Gapps is a centralized platform for security governance and compliance.

Designed for DevSecOps and security teams, Gapps replaces the scattered spreadsheets and slow manual evidence collection that hinder development cycles. Gapps provides a single source of truth for compliance tracking, centralizing all documentation and artifacts to improve visibility and collaboration across teams.

By offering pre-loaded security frameworks and controls, the platform helps standardize compliance workflows and makes security audit automation more accessible. This setup allows teams to efficiently manage compliance without sacrificing agility.

As a flexible open-source GRC tool, Gapps provides a community-driven foundation for navigating the complexities of modern compliance management.

Secure Coding Best Practices [Cheat Sheet]

Download the 11-page Secure Coding Best Practices Cheat Sheet – packed with curated insights and code snippets to help you avoid vulnerabilities and write secure, reliable applications.

At-a-Glance

  • URL : https://github.com/bmarsh9/gapps

  • License: GNU AGPL

  • Primary Language: Python

  • Stars: 500+

  • Last Release: August 2025

  • Topics/Tags: SOC 2, CMMC, ASVS, ISO 27001, HIPAA, NIST CSF, NIST 800-53, CSC CIS 18, PCI DSS, Startup Security Framework (SSF)

Common use cases

  1. Streamlining Audit Readiness: Teams prepare for certifications like SOC 2 by mapping controls, uploading evidence, and tracking progress. Auditors can be granted direct platform access, simplifying the review process and accelerating security audit automation.

  2. MSSP Client Management: Managed Security Service Providers use multi-tenancy to manage compliance for multiple clients from one platform, ensuring data isolation while centralizing the administration of diverse frameworks like HIPAA and PCI DSS.

  3. DevSecOps Compliance Integration: Organizations use Gapps as a central repository for evidence generated from CI/CD security tools, providing an up-to-date view of their posture and enabling DevSecOps compliance management.

  4. Internal Policy Enforcement: Companies leverage the custom framework feature to monitor adherence to internal security policies. They can define custom controls, assign ownership, and track implementation across the organization for consistent standards application.

  5. Vendor Risk Management: Security teams manage third-party risk by creating and distributing vendor questionnaires within the platform. This approach centralizes the process of assessing supplier security postures and tracking associated risks in the integrated risk register.

How Gapps Works

Gapps streamlines compliance management through its modern web interface. You start by creating tenants and projects, then select a security framework whose controls are dynamically loaded from JSON files. As you upload evidence for each control, the files are saved to a configured storage backend (like Amazon S3 or local disk), while all metadata and project statuses are stored in a PostgreSQL database. The dashboard queries this metadata via a backend API to provide a real-time overview of your compliance posture.

  • Modular Frameworks: Security controls are loaded from customizable JSON files, allowing you to easily adapt or extend compliance frameworks to meet specific needs.

  • Decoupled Data Storage: Evidence files are stored in scalable object storage (e.g., S3, GCS) or locally, while a PostgreSQL database manages all metadata for efficient querying and reporting.

  • Containerized Deployment: The entire application is packaged using Docker and Docker Compose, which makes for a consistent and straightforward setup process in any environment.

Core Capabilities:

  1. Versatile Compliance Framework Management: Gapps offers robust support for a wide range of security and compliance frameworks, including SOC 2, ISO 27001, and PCI DSS. Its standout feature is the ability to customize or load entirely new frameworks via JSON, allowing your organization to tailor the compliance tracking software precisely to internal policies or specific regulatory needs.

  2. Multi-Tenant Architecture for Scalability: Designed for scalability, Gapps features a multi-tenant architecture that logically isolates data between different business units or clients. This architecture is invaluable for MSSPs managing multiple customers, ensuring data privacy and simplifying the management of complex compliance obligations from a single instance of the tool.

  3. Centralized Evidence & Audit Collaboration: The platform streamlines the audit process with its centralized evidence management system. You can attach supporting documents directly to controls, creating a clear audit trail. Gapps also facilitates direct collaboration by providing auditors with controlled, real-time access to projects, which helps accelerate the security audit automation process.

  4. Integrated Risk and Vendor Management: Gapps extends beyond control tracking by incorporating an integrated Risk Register for identifying and managing security risks. The platform also supports creating and managing vendor security questionnaires—a crucial feature for assessing third-party risk and ensuring security standards are maintained throughout the supply chain.

  5. Structured Project and Workflow Management: The tool provides a structured environment for managing compliance projects. You can create projects, assign them to specific frameworks, and track progress via dashboards. You can also assign controls to specific owners to establish clear accountability, supporting effective task delegation and DevSecOps compliance management workflows.

Limitations

  1. Manual Evidence Collection: Gapps functions as a repository and does not perform automated security checks or evidence collection. Teams must manually upload evidence with their security toolchain to populate controls, increasing the initial setup and maintenance workload.

  2. Requires Technical Configuration: Customizing or adding new compliance frameworks requires creating structured JSON files. Likewise, deployment may involve a technical process like a Gapps docker install, which presents a steeper learning curve for non-technical GRC professionals without dedicated IT support.

  3. Dependency on External Security Tools: For continuous monitoring, Gapps is entirely dependent on an external ecosystem of security tools. It acts as a system of record for findings from SAST, DAST, and infrastructure scanners but lacks native scanning capabilities, meaning you’ll need a mature toolchain to use it effectively.

  4. Potential Reporting Constraints: While the platform offers dashboards for progress tracking, it does not provide advanced or customizable reporting features. Organizations needing sophisticated executive summaries or trend analysis might find the native capabilities basic compared to commercial GRC platforms.

  5. Self-Hosting and Maintenance Overhead: As a self-hosted, open-source GRC tool, you’re responsible for all deployment, security, updates, and maintenance. This operational overhead requires internal resources and technical skills that are not a factor with managed SaaS alternatives.

State of Code Security Report

Secure coding practices are essential, yet 80% of CI/CD workflows in GitHub repositories have insecure permissions, according to the State of Code Security Report 2025. That means even secure code can be compromised through pipeline misconfigurations.

Getting Started:

Step 1:

To get started with Gapps using Docker, you'll first need to download the docker-compose.yml file from the repository.

Step 2:

Change to the directory where you saved it. Then, launch Gapps and its required services by running:

docker compose up

This command starts the application and database automatically with default settings. 

Step 3:

Once running, you can access the platform via your web browser at http://localhost:5000.

Gapps will initialize the database automatically on its first launch. You can now begin using the security compliance platform.

Automate what Gapps can’t

Gapps centralizes compliance workflows, but Wiz automates the evidence. From misconfigurations and vulnerabilities to identity and data risks, Wiz continuously maps real findings into frameworks like SOC 2, ISO 27001, and NIST.

For information about how Wiz handles your personal data, please see our Privacy Policy.

Alternatives

FeatureGappsErambaCISO AssistantVerifyWise
Multi-Framework SupportOver 10 security and compliance frameworks (SOC 2, CMMC, ASVS, ISO 27001, HIPAA, NIST CSF, NIST 800-53, CSC CIS 18, PCI DSS, SSF), customizable via JSON.Allows mapping controls to multiple compliance frameworks; emphasizes cross‑framework mappings via compliance packages/mapping toolsSupports over 100 frameworks with automatic mapping (NIST CSF, ISO 27001, SOC 2, GDPR)Primarily focused on AI governance (EU AI Act, ISO 42001, NIST AI RMF)
Evidence ManagementUpload and attach evidence to controls/sub-controls, auditor collaboration, S3/GCS integration for secure storageFacilitates gathering and managing evidence for controls and policiesCentralizes and manages evidence for audits and complianceProvides comprehensive audit trails, recording AI-related activities and changes
Risk RegisterIncludes a Risk Register to identify, assess, and track risks, plus vendor questionnaires for third-party risk managementIncludes robust risk management capabilities to identify, analyze, and treat risksIncludes built-in risk assessment and remediation tracking workflowsIncludes an AI risk register to help identify and mitigate risks associated with AI systems

FAQs