BavariaByte/GIRP-Stack
GIRP — Guided Incident Response Platform

GIRP is a modular incident response platform for Security Operations Centers. It enables administrators to build dynamic intake forms via a visual playbook editor and provides analysts with a unified dashboard for incident triage, investigation, and lifecycle management.

Modules

| Module | Description | Default Port |
|---|---|---|
| Backend-SoCView | Central management API. Handles tickets, playbooks, users, and platform configuration. | 3000 |
| Backend-InputForm | Intake API. Manages form sessions and persists incident submissions. | 4000 |
| FrontEnd-SocViewerVue | Analyst dashboard. Ticket management, timeline, playbook administration. | 5173 |
| Frontend-InputForm | Public intake form. Dynamically guided form interface for incident reporters. | 4173 |
| FormBuilder | Visual playbook editor. Low-code tool for designing form flows. | 8080 |

How It Works

  1. An administrator designs an incident intake form in the FormBuilder and publishes the resulting playbook via the SoC Viewer.
  2. A reporter opens the Intake Form, works through the guided questions, and submits the incident.
  3. The submission is processed by the Intake Backend and written as a ticket to the shared database.
  4. Analysts monitor and manage tickets in the SoC Viewer, backed by the SoC Backend.

Deployment

All services are orchestrated via a single docker-compose.yml at the repository root. A shared .env file in the same directory configures all modules. MongoDB is included as a managed service.

cp .env.example .env
# Edit .env — see Configuration below
docker compose up -d

Configuration

All configuration is done in a single .env file. The following variables must be set before the first start.

Hosting

| Variable | Description |
|---|---|
| PLATFORM_URL | Public URL of the SoC Viewer frontend, e.g. https://socviewer.example.com |
| INPUTFORM_URL | Public URL of the intake form frontend, e.g. https://form.example.com |
| SOCVIEW_API_URL | Public URL of the SoC backend API, as reachable by the browser |
| INPUTFORM_API_URL | Public URL of the intake backend API, as reachable by the browser |

Database

| Variable | Description |
|---|---|
| MONGO_ROOT_PASSWORD | MongoDB root password (used by Docker for initial setup only) |
| MONGO_APP_USERNAME | MongoDB application user (read/write on girp_db) |
| MONGO_APP_PASSWORD | Password for the application user |

Security

| Variable | Description |
|---|---|
| CSRF_SECRET | Secret for CSRF token derivation. Generate with `openssl rand -hex 32`. |
| SESSION_JWT_SECRET | Secret for intake session JWT signing. |
| SUPER_ADMIN_EMAIL | Email address that is always granted admin privileges. |

Authentication

At least one provider must be enabled via the AUTH_*_ENABLED flags.

| Provider | Required variables |
|---|---|
| Azure / Entra ID (AUTH_AZURE_ENABLED=true) | AZURE_CLIENT_ID, AZURE_TENANT_ID |
| Auth0 (AUTH_AUTH0_ENABLED=true) | AUTH0_OIDC_ISSUER, AUTH0_OIDC_AUDIENCE |
| Better-Auth (AUTH_BETTERAUTH_ENABLED=true) | BETTER_AUTH_SECRET, BETTER_AUTH_COOKIE (optionally with Google or Slack OAuth) |
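The Configuration, Security and Authentication sections above list what the .env file must contain before the first `docker compose up`, but nothing on the page checks it. The script below is an added example, not part of the GIRP-Stack repository: a POSIX sh preflight validator that reads a .env file and reports every mandatory variable that is missing, every public URL that is not https, a CSRF_SECRET that is not the 64-hex-character output of `openssl rand -hex 32`, and an enabled identity provider whose required variables are absent. The variable names are the ones documented on this page; the https requirement, the 32-character minimum for SESSION_JWT_SECRET and the two embedded sample files (hostnames, passwords, IDs) are this script's own assumptions, not project policy.

```sh
#!/bin/sh
# Preflight validator for a GIRP .env file (added example, not part of the
# GIRP-Stack repository). Variable names follow the README; the https rule and
# the SESSION_JWT_SECRET length rule are this script's own policy.

# Print the value of KEY from FILE: first matching line, surrounding double
# quotes stripped, empty output if the key is absent.
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Check FILE, printing one line per problem. Returns 0 if the file passes.
check_env() {
  f=$1; problems=0
  fail() { echo "$1"; problems=$((problems + 1)); }

  # Every variable the README marks as mandatory must be set and non-empty.
  for key in PLATFORM_URL INPUTFORM_URL SOCVIEW_API_URL INPUTFORM_API_URL \
             MONGO_ROOT_PASSWORD MONGO_APP_USERNAME MONGO_APP_PASSWORD \
             CSRF_SECRET SESSION_JWT_SECRET SUPER_ADMIN_EMAIL; do
    [ -n "$(env_get "$f" "$key")" ] || fail "$key is missing or empty"
  done

  # The four URLs are reached by browsers: require https (script policy).
  for key in PLATFORM_URL INPUTFORM_URL SOCVIEW_API_URL INPUTFORM_API_URL; do
    v=$(env_get "$f" "$key")
    case "$v" in
      https://*) ;;
      '') ;;   # already reported as missing above
      *) fail "$key must start with https:// (got: $v)" ;;
    esac
  done

  # CSRF_SECRET is documented as 'openssl rand -hex 32': 32 bytes = 64 hex chars.
  csrf=$(env_get "$f" CSRF_SECRET)
  if [ -n "$csrf" ]; then
    case "$csrf" in
      *[!0-9a-fA-F]*) fail "CSRF_SECRET is not a hex string" ;;
      *) [ ${#csrf} -eq 64 ] || fail "CSRF_SECRET should be 64 hex characters" ;;
    esac
  fi

  # SESSION_JWT_SECRET: README gives no length; require >= 32 chars (script
  # policy) and insist it is not simply a copy of CSRF_SECRET.
  jwt=$(env_get "$f" SESSION_JWT_SECRET)
  [ -z "$jwt" ] || [ ${#jwt} -ge 32 ] || fail "SESSION_JWT_SECRET is shorter than 32 characters"
  [ -z "$jwt" ] || [ "$jwt" != "$csrf" ] || fail "SESSION_JWT_SECRET must differ from CSRF_SECRET"

  # At least one provider must be enabled, and each enabled provider needs the
  # variables from the README's Authentication table.
  enabled=0
  check_provider() {   # check_provider FLAG REQUIRED_VAR...
    flag=$1; shift
    [ "$(env_get "$f" "$flag")" = "true" ] || return 0
    enabled=$((enabled + 1))
    for key in "$@"; do
      [ -n "$(env_get "$f" "$key")" ] || fail "$flag=true but $key is not set"
    done
  }
  check_provider AUTH_AZURE_ENABLED AZURE_CLIENT_ID AZURE_TENANT_ID
  check_provider AUTH_AUTH0_ENABLED AUTH0_OIDC_ISSUER AUTH0_OIDC_AUDIENCE
  check_provider AUTH_BETTERAUTH_ENABLED BETTER_AUTH_SECRET BETTER_AUTH_COOKIE
  [ "$enabled" -gt 0 ] || fail "no AUTH_*_ENABLED flag is set to true"

  [ "$problems" -eq 0 ]
}

# Two constructed sample files (hostnames, passwords and IDs are made up):
# one complete, one carrying typical first-deployment mistakes.
GOOD_ENV=$(mktemp); BAD_ENV=$(mktemp)
trap 'rm -f "$GOOD_ENV" "$BAD_ENV"' EXIT
cat > "$GOOD_ENV" <<'EOF'
PLATFORM_URL=https://socviewer.example.com
INPUTFORM_URL=https://form.example.com
SOCVIEW_API_URL=https://api.socviewer.example.com
INPUTFORM_API_URL=https://api.form.example.com
MONGO_ROOT_PASSWORD=constructed-root-pw
MONGO_APP_USERNAME=girp_app
MONGO_APP_PASSWORD=constructed-app-pw
CSRF_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SESSION_JWT_SECRET=constructed-session-secret-with-enough-length
SUPER_ADMIN_EMAIL=admin@example.com
AUTH_AZURE_ENABLED=true
AZURE_CLIENT_ID=00000000-0000-0000-0000-000000000000
AZURE_TENANT_ID=11111111-1111-1111-1111-111111111111
EOF
cat > "$BAD_ENV" <<'EOF'
PLATFORM_URL=http://socviewer.example.com
INPUTFORM_URL=https://form.example.com
SOCVIEW_API_URL=https://api.socviewer.example.com
# INPUTFORM_API_URL deliberately left unset
MONGO_ROOT_PASSWORD=changeme
MONGO_APP_USERNAME=girp_app
MONGO_APP_PASSWORD=changeme
CSRF_SECRET=changeme
SESSION_JWT_SECRET=short
SUPER_ADMIN_EMAIL=admin@example.com
AUTH_AUTH0_ENABLED=true
AUTH0_OIDC_ISSUER=https://issuer.example.com/
# AUTH0_OIDC_AUDIENCE deliberately left unset
EOF

# Usage: sh check_env.sh /path/to/.env   (no argument: check the two samples)
if [ $# -gt 0 ]; then
  check_env "$1"
else
  echo "complete sample:"; check_env "$GOOD_ENV" && echo "  ok"
  echo "broken sample:";   check_env "$BAD_ENV" || echo "  $problems problem(s) found"
fi
```

Run it against the real file before `docker compose up -d`; the broken sample reports five problems (a plain-http PLATFORM_URL, a missing INPUTFORM_API_URL, a non-hex CSRF_SECRET, a too-short SESSION_JWT_SECRET, and Auth0 enabled without AUTH0_OIDC_AUDIENCE). The checks deliberately read the file with `sed` rather than sourcing it, so a malformed or hostile .env cannot execute anything during validation.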

Notifications (all optional)

SMTP, Slack, Microsoft Teams, PagerDuty, and a generic webhook are supported. Leave all NOTIFY_* and SMTP_* variables empty to disable notifications entirely.

License

See LICENSE.md.

About

Guided Incident Response Platform - Docker Compose
