CISO Dashboard

A compact, role-based GRC (Governance, Risk and Compliance) dashboard. It includes Vulnerability Management, DevSecOps status, Incident Management, and TPRM (Vendors) with audit logs, user/role administration, API integrations and security controls.

Features

  • Role-based UI (Admin, Risk Officer, Auditor, User) with client + server enforcement
  • Modules: Vulnerabilities, DevSecOps Pipelines, Incidents, Vendors (TPRM)
  • Inline edit/delete, CSV bulk import, unified header (severity + status)
  • Authentication with JWT (+ issuer/audience validation), optional TOTP
  • RBAC with Super Admin protection to avoid lockout
  • Audit logs with username, method, path, status and IP
  • Secure headers (CSP, HSTS in prod, nosniff, frame‑deny), input sanitization
  • SQLite (sql.js) local DB; automatic lightweight migrations on startup

Monorepo layout

backend/   # Express API (TypeScript ESM)
frontend/  # Next.js 14 app (App Router)

Quick start (dev)

Requirements: Node 18+ (or 20+), npm.

Backend:

cd backend
npm install
npm run dev

The server starts on http://localhost:4000

Environment variables (recommended):

  • JWT_SECRET – 32+ char random secret
  • JWT_ISSUER (default: ciso-dashboard)
  • JWT_AUDIENCE (default: ciso-dashboard-web)
  • CORS_ORIGIN (comma-separated): http://localhost:3000,http://localhost:3001

Frontend:

cd frontend
npm install
npm run dev -- -p 3001

Create frontend/.env.local if needed:

NEXT_PUBLIC_API_URL=http://localhost:4000

Roles & permissions (summary)

  • Admin: Full management (users, integrations, edit data). Cannot delete Super Admin.
  • Risk Officer: Manage non‑admin users and edit domain data; cannot create Admin users or change/delete Admin users.
  • Auditor/User: Read‑only.

Custom roles (optional) merge permissions with the base role.

Security highlights

  • JWT with issuer/audience validation; short‑lived tokens (default 1h)
  • Secure headers, sanitization of inputs on write, parameterized SQL
  • Audit logging for 401/403 and all responses with IP

Selected API routes

  • POST /api/auth/login – returns { token, user }
  • POST /api/auth/update-password – user self‑service
  • GET /api/admin/users – list users (Admin/Risk Officer)
  • POST /api/admin/users – create user (Risk Officer cannot create Admin)
  • PUT /api/admin/users/:id/password – set password (Admin any user; Risk Officer only non‑Admin)
  • DELETE /api/admin/users/:id – delete (no Super Admin; Risk Officer only non‑Admin)
  • GET /api/logs – audit logs

Domain data routes live under /api/vuln, /api/incidents, /api/devsecops and /api/tprm.
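The audit-log entry shape from the Security highlights (username, method, path, status, IP, with 401/403 attempts captured) as an added example of an Express-style middleware. This is not the project's own logging code: the request/response interfaces are minimal stand-ins for express.Request/Response so the block runs without Express, req.user is assumed to be set by the JWT middleware, and the trustProxy flag is an assumption added to show the one caveat that most often corrupts the IP column.

```typescript
// Minimal request/response shapes so the example runs without Express installed
// (in the real app these would be express.Request / express.Response).
export interface AuditRequest {
  method: string;
  path: string;                                // path only; query strings are not logged
  ip: string;                                  // socket peer address
  headers: Record<string, string | undefined>;
  user?: { username: string };                 // assumed to be set by the JWT middleware
}

export interface AuditResponse {
  statusCode: number;
  on(event: "finish", listener: () => void): void;
}

export interface AuditEntry {
  ts: string;
  username: string; // "-" when the request never authenticated (failed logins, 401s)
  method: string;
  path: string;
  status: number;
  ip: string;
  denied: boolean;  // true for 401/403 so these rows are easy to alert on
}

// X-Forwarded-For is client-controlled. Only honour it when the app really sits
// behind a proxy you trust; otherwise the logged IP is whatever the caller chose.
export function clientIp(req: AuditRequest, trustProxy: boolean): string {
  const xff = req.headers["x-forwarded-for"];
  if (trustProxy && xff) return xff.split(",")[0].trim();
  return req.ip;
}

export function buildAuditEntry(
  req: AuditRequest,
  res: AuditResponse,
  trustProxy: boolean,
  now = new Date(),
): AuditEntry {
  return {
    ts: now.toISOString(),
    username: req.user?.username ?? "-",
    method: req.method,
    path: req.path,
    status: res.statusCode,
    ip: clientIp(req, trustProxy),
    denied: res.statusCode === 401 || res.statusCode === 403,
  };
}

// Middleware factory. The entry is built on "finish", after the handler has run,
// so the final status and any req.user set by later middleware are both visible.
export function auditMiddleware(sink: (e: AuditEntry) => void, trustProxy = false) {
  return (req: AuditRequest, res: AuditResponse, next: () => void): void => {
    res.on("finish", () => sink(buildAuditEntry(req, res, trustProxy)));
    next();
  };
}
```

Mounting this before the auth middleware is what guarantees the 401/403 rows exist at all: a rejected request never reaches the route handler, so logging from inside handlers would miss exactly the attempts an auditor wants to see.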

Data

SQLite DB is stored at backend/data/grc.sqlite (git‑ignored). Delete it to reset.

Contributing

See CONTRIBUTING.md and CODE_OF_CONDUCT.md.

Security policy

See SECURITY.md for vulnerability reporting.

License

MIT – see LICENSE.

At a glance

  • Frontend: Next.js 14 (React 18, App Router), TypeScript, Tailwind CSS
  • Backend: Express (TypeScript, ESM), Node 18+
  • Auth: JWT (issuer/audience validation), optional TOTP
  • RBAC: Admin, Risk Officer, Auditor, User; Super Admin protection
  • Database: SQLite via sql.js (file persisted at backend/data/grc.sqlite)
  • Security: CSP, HSTS (prod), nosniff, frame‑deny, input sanitization, param queries
  • Logs: username, method, path, status, IP; 401/403 attempts captured
  • Modules: Vulnerabilities, Incidents, DevSecOps Pipelines, Vendors (TPRM)
  • Bulk import: CSV for major modules
