NightWatch
Open-source cloud security platform

Scan AWS, review findings, and track framework coverage — self-hosted.

NightWatch is an open-source stack for cloud security operations. It combines a Hono API, a React operator dashboard, BullMQ workers, and PostgreSQL so you can run scans, evaluate rules, and inspect results in your own environment.

  • Open source
  • Self-hosted
  • AWS-first
  • Bun monorepo
View on GitHub Read the architecture

What it is

A cloud security platform you can read, run, and extend.

  • Open source by default

    The code is public and inspectable. Review how scans, workers, queues, and tenant boundaries are implemented before you run anything.

  • Self-hosted control plane

    NightWatch runs as a small set of explicit services: API, web UI, workers, PostgreSQL, and Redis. No hosted account is required.

  • Built for operators

    The project focuses on scan orchestration, findings review, framework rollups, and operational visibility — not a generic security platform pitch.

Architecture

One repo, separate services, explicit data flow.

NightWatch is a Bun monorepo with a Hono API, a React operator dashboard, BullMQ workers, and PostgreSQL with row-level security. The goal is a system you can understand, run locally, and extend without guessing where work happens.

  • apps/api

    Hono API

    Authentication, organization/project flows, and tenant-aware REST endpoints.

  • apps/web

    React operator dashboard

    React SPA for operators: scans, findings, reporting, account onboarding, and settings.

  • apps/worker

    BullMQ workers

    Consumers for scan collection, rule evaluation, notifications, reports, and health jobs.

  • packages/db

    Drizzle schema

    PostgreSQL tables, migrations, and row-level security based on tenant context.

  • packages/queue

    Queue definitions

    Queue names, payload contracts, and producer/consumer boundaries.

  • packages/shared

    Shared utilities

    Permissions, constants, and small cross-cutting helpers used across services.

Async pipeline

BullMQ + Redis
  1. 01 scan-orchestrate
  2. 02 scan-collect
  3. 03 rule-evaluate
  4. 04 notify-deliver
  5. 05 reconcile finding_current
  6. 06 refresh finding_daily_aggregates

Each stage depends on the output of the previous one. Reordering is not supported.

Tenant safety

Tenant isolation is enforced with tenant-scoped services plus PostgreSQL row-level security via app.tenant_id.

Stack

  • Bun
  • Turborepo
  • Hono
  • React
  • TanStack Router
  • BullMQ
  • Drizzle
  • PostgreSQL 17
  • Redis 7
  • Prowler

Operator UI

The dashboard is part of the repo, not a hosted black box.

NightWatch includes a React operator interface for projects, scans, findings, framework coverage, and platform workflows. What you see in the UI is part of the same open-source system described above.

  • Filter findings by severity, service, and resource without exporting data.
  • Drill into framework detail and linked rules from the same workflow.
  • Track compliance and failure trends over time by project and period.

project-alpha

Findings · Frameworks · Trends

CIS 3.0 30d

Recent findings

severity / service

ec2_instance_public_ip

EC2

Critical

s3_bucket_public_access

S3

High

iam_root_mfa_disabled

IAM

Medium

Framework score

84%

Review enabled frameworks and rule mappings by project.

Findings trend

30 days

Latest failures, trend delta, and severity movement are available in analytics.

Coverage

Rules and frameworks are first-class data, not an afterthought.

NightWatch keeps rule and framework metadata in the platform so scan results can be rolled up into coverage views instead of staying as raw scanner output. The numbers below reflect the current seeded catalog in the repo.

  • 573

    seeded rules

    current shipped Prowler catalog snapshot

  • 43

    frameworks

    including CIS, SOC 2, PCI DSS, HIPAA, ISO 27001, and NIST variants

  • 83

    AWS services in catalog

    counted from unique target services in the shipped snapshot

  • 5

    severity levels

    critical, high, medium, low, informational

Capabilities

What the platform actually does.

  • AWS onboarding

    Connect AWS accounts, validate access, and organize scan scope inside the platform.

  • Scan orchestration

    Run scans on demand or on a schedule and keep the execution path explicit through queues and workers.

  • Findings explorer

    Review normalized findings by severity, service, resource, rule, or project instead of digging through raw scanner output.

  • Framework rollups

    Track how findings affect framework coverage and pass rates across the environment you manage.

Findings workflow

From raw scan output to something you can actually work.

NightWatch does more than store scan results. It normalizes findings, evaluates rules, reconciles current state, and rolls the result into searchable views and framework summaries.

  • Triage faster

    Filter findings by severity, service, rule, and resource to cut noise quickly. Normalized data means you are not re-parsing scanner output every time.

  • Keep current state visible

    Reconciliation keeps active findings and historical results from collapsing into one undifferentiated list. You always know what is live.

  • See compliance impact

    Framework views make it clear which findings affect coverage and where posture is improving or regressing over time.

Quick start

Clone it, run it, scan an account.

NightWatch ships as a Bun monorepo with local PostgreSQL, Redis, and Mailpit support. The path from checkout to first scan is short and visible.

  1. 01

    Clone the repo

    Pull the source, install dependencies, and review the architecture before changing anything.

  2. 02

    Start local infrastructure

    Bring up PostgreSQL, Redis, and Mailpit with Docker Compose, then run migrations and seed data for a working local stack.

  3. 03

    Run the platform

    Start the API, web app, and workers from the monorepo and verify the operator UI loads cleanly.

  4. 04

    Connect AWS and queue a scan

    Create a project, validate account access, run a scan, and inspect findings plus framework coverage in the UI.

Terminal 

$ git clone https://github.com/nixbpe/nightwatch.git$ cd nightwatch$ bun install$ docker compose up -d$ bun run db:migrate$ bun run db:setup$ bun run dev

Requires Bun 1.3+ and Docker Compose V2. See docs/setup.md in the repo for the full environment reference.

Get the code. Run it yourself.

If you want to evaluate NightWatch, start with the repository, read the setup docs, and inspect the architecture. The project is designed to be understandable before it is impressive.

View on GitHub Open issues