Compliance & GRC — get audit-ready and stay there, self-hosted.
pip install cognis-frameworkmap
frameworkmap scan . # → prioritized findings in seconds- Why frameworkmap? · Features · Quick start · Example · Architecture · AI stack · How it compares · Integrations · Install anywhere · Related · Contributing
auto-mapping is the killer GRC feature
frameworkmap is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.
- ✅ Load Catalog
- ✅ Map Control
- ✅ Crosswalk Framework
- ✅ Coverage Report
- ✅ Find Gaps
- ✅ Runs on Linux/macOS/Windows · Docker · devcontainer
- ✅ Ports in Python, JavaScript, Go, and Rust (
ports/)
pip install cognis-frameworkmap
frameworkmap --version
frameworkmap scan . # scan current project
frameworkmap scan . --format json # machine-readable
frameworkmap scan . --fail-on high # CI gate (non-zero exit)$ frameworkmap scan .
[HIGH ] FRA-001 example finding (./src/app.py)
[MEDIUM ] FRA-002 another signal (./config.yaml)
2 findings · risk score 5 · 38ms
flowchart LR
A[Input: file / dir / API] --> B[Collectors]
B --> C[Rules / Analyzers]
C --> D[Scorer]
D --> E{Reporters}
E --> F[Table]
E --> G[JSON / SARIF]
E --> H[MCP tool -. drives .-> AI agents]
frameworkmap is interoperable with every popular way of using AI:
- MCP server —
frameworkmap mcp(Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet) - OpenAI-compatible / JSON — pipe
frameworkmap scan . --format jsoninto any agent or LLM - LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
- CI / scripts — exit codes + SARIF for non-AI pipelines
| Cognis frameworkmap | CISO Assistant | |
|---|---|---|
| Self-hostable, no account | ✅ | varies |
| Single command, zero config | ✅ | |
| JSON + SARIF for CI | ✅ | varies |
| MCP-native (AI agents) | ✅ | ❌ |
| Polyglot ports (JS/Go/Rust) | ✅ | ❌ |
| Open license | ✅ COCL | varies |
Built in the spirit of CISO Assistant, re-framed the Cognis way. Missing a credit? Open a PR.
Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (frameworkmap mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.
pip install "git+https://github.com/cognis-digital/frameworkmap.git" # pip (works today)
pipx install "git+https://github.com/cognis-digital/frameworkmap.git" # isolated CLI
uv tool install "git+https://github.com/cognis-digital/frameworkmap.git" # uv
pip install cognis-frameworkmap # PyPI (when published)
docker run --rm ghcr.io/cognis-digital/frameworkmap:latest --help # Docker
brew install cognis-digital/tap/frameworkmap # Homebrew tap
curl -fsSL https://raw.githubusercontent.com/cognis-digital/frameworkmap/main/install.sh | sh| Linux | macOS | Windows | Docker | Cloud |
|---|---|---|---|---|
scripts/setup-linux.sh |
scripts/setup-macos.sh |
scripts/setup-windows.ps1 |
docker run ghcr.io/cognis-digital/frameworkmap |
DEPLOY.md (AWS/Azure/GCP/k8s) |
soc2box— SOC 2 evidence collector and control tracker, self-hostedgdprkit— GDPR/CCPA DSAR, RoPA, and cookie-consent toolkitpolicyforge— Auto-generate security policies from a short questionnairevendorvet— Third-party / vendor risk questionnaires with SBOM cross-refauditrail— Tamper-evident audit-log aggregator with hash-chained attestationdpiaforge— DPIA and EU AI Act impact-assessment generator
Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 hermes
PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.
Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license (licensing@cognis.digital). See LICENSE.