Open-source · Self-hosted · AWS-first

Cloud security you can run yourself.

NightWatch brings AWS scanning, findings review, framework coverage, and tenant-safe operations into one self-hosted codebase you can read, run, and extend.

  • Open source
  • Self-hosted
  • AWS-first
  • Tenant-safe by design
View on GitHub Read the architecture
Tenant-safe via PostgreSQL RLS Ordered scan pipeline Bun + Turborepo monorepo
localhost:3000 / security-overview
Illustrative

NightWatch catalog

Current seeded rules, frameworks, and coverage

seed data
Rules catalog 573 seeded today
Frameworks 43 mapped in seed data
AWS services 83 current coverage
Severity levels 5 critical → informational
Pipeline stages 6 orchestrate → aggregates
Bootstrap steps 7 clone → run dev
Rules per service · top 10 83 services
S3 bucket blocks public access
check.s3.public_access_blocked
Crit CIS 2.1.5
Root account MFA enforced
check.iam.root_mfa
Crit SOC 2 CC6.1
SSH ingress from 0.0.0.0/0
check.ec2.ingress_ssh_world
High CIS 5.2

What it does

Everything operators need for cloud posture, in one repo.

Detection, triage, compliance, and delivery — not another tab, just one stack that stays understandable before it stays impressive.

AWS account onboarding

Connect AWS accounts, validate access, and define scan scope with explicit project boundaries.

Scan orchestration

Run manual or scheduled scans through an ordered worker pipeline instead of hidden background magic.

Findings explorer

Filter by severity, service, resource, and rule without exporting raw scanner output to another tool.

Framework coverage

See how findings map into framework scorecards and control coverage across every connected account.

Post-scan delivery

Notify, reconcile current findings, and refresh daily aggregates after evaluation completes.

Tenant-safe operations

Keep organization data isolated with tenant-scoped services and PostgreSQL row-level security.

Rules

573 seeded rules with readable identity.

NightWatch ships with a seeded catalog of rules across 83 AWS services. Every rule keeps a stable identifier, a service and severity, and a link back into framework mappings — so findings inherit structure instead of bleeding raw scanner output.

  • Stable identifiers — rules are referenced by the same ID from catalog to finding.
  • Framework mappings — each rule carries its CIS, SOC 2, HIPAA, and PCI links.
  • No opaque engine — rule metadata lives in the repo, not behind a vendor API.
rules/s3/public-access-blocked.yaml illustrative shape 
id: check.s3.public_access_blocked
name: S3 bucket blocks public access
severity: critical
service: aws.s3

frameworks:
  - CIS AWS 2.1.5
  - SOC 2 CC6.1
  - HIPAA §164.312(a)(1)

# Applies to every S3 bucket in project scope
resource: aws.s3.bucket

assert:
  - all:
      - public_access_block.BlockPublicAcls == true
      - public_access_block.BlockPublicPolicy == true
      - public_access_block.IgnorePublicAcls == true
      - public_access_block.RestrictPublicBuckets == true
Framework pass rate · sample project 30d
CIS AWS 1.5
182 / 216
84%
SOC 2 Type II
94 / 112
84%
HIPAA
67 / 84
80%
PCI DSS 4.0
58 / 74
78%
Controls
486
Passing
401
Gaps
85
Trend 7d
+2.4

Findings & compliance

Findings and framework rollups live in the same workflow.

Operators can move from a failing resource to framework impact and trend views without exporting results. Active findings reconcile into framework scorecards so gaps are visible where decisions happen.

  • Faceted filters — severity, service, rule, and resource in one explorer.
  • Framework scorecards — 43 frameworks mapped, with per-control detail.
  • Reconciled state — active findings stay distinct from historical results.
How the pipeline works

Setup

Clone it. Bootstrap it. Run the stack locally.

The strongest proof NightWatch offers is the setup path the repo already supports. Install dependencies, start infra, migrate, seed, and run — no hosted SaaS required.

  • Bun + Turborepo — one install, one dev command for the whole monorepo.
  • Docker-backed infra — PostgreSQL, Redis, and Mailpit via Compose.
  • Setup in the repo — docs/setup.md has the full environment reference.
Open setup guide Browse the repo
~ acme/nightwatch ready 
# 1. clone + install
$ git clone https://github.com/nixbpe/nightwatch.git
$ cd nightwatch
$ bun install

# 2. start local infra + migrate + seed
$ docker compose up -d
$ bun run db:migrate
$ bun run db:seed

# 3. run the stack
$ bun run dev

→ web    http://localhost:3000
→ api    http://localhost:4000/health
→ mail   http://localhost:8025
573
rules in the seeded catalog
43
frameworks mapped in the repo
83
AWS services covered today
5
severity levels tracked

Self-host NightWatch

Clone it. Run it. Own the control plane.

NightWatch is open source and self-hosted. Start with the repository, then follow the setup guide to bring the full stack up locally.

View on GitHub Open setup guide