Open, public-domain evidence connectors for governance, risk, and compliance (GRC) tooling. Each connector reads a customer system you've authorized — a GitHub org, an AWS account, an Okta tenant, a Postgres database — and returns normalized, compliance-graded assets. No database, no framework, no vendor lock-in: just the read-and-normalize logic, free for anyone to take.
License: The Unlicense — public domain. Copy it, fork it, ship it in your product, sell it. No attribution required.
Every connector is a pure function of the shape:

```ts
(credentials) => Promise<{ assets: DiscoveredAsset[] }>
```

A DiscoveredAsset is a normalized record with a compliance verdict:
```ts
interface DiscoveredAsset {
  externalId: string;                  // stable id in the source system (ARN, repo id, user id…)
  name: string;                        // human label
  type: string;                        // asset class, e.g. "S3_BUCKET", "OKTA_USER"
  rawConfig: Record<string, unknown>;  // sanitized snapshot (no secrets) for evidence
  complianceOk: boolean;               // true when the asset passes all checks
  issues: string[];                    // machine-readable failure codes, e.g. ["MFA_DISABLED"]
}
```

Connectors are read-only, single-tenant (they only ever see the credentials for the one system being synced), and never touch a database: they hand back plain objects for your app to persist however it likes.
See src/types.ts for the full contract and per-provider credential shapes.
- Native connectors — provider-specific readers with real client libraries or REST calls: GitHub, GitLab, AWS, GCP, Google Workspace, Okta, Auth0, Datadog, PagerDuty, CrowdStrike, Snyk, plus HRIS (Deel, Rippling, HiBob, Personio, Justworks, BambooHR-style, Greenhouse, Lever, Ashby, BreezyHR, Omni), ticketing (Asana, ClickUp, Trello, Shortcut, YouTrack, Zoho Desk), and data stores (Postgres, Redis, Oracle, CouchDB, CrateDB, QuestDB, SurrealDB, TimescaleDB, DuckDB).
- Tier 1 REST definitions (src/tier1-rest.ts) — declarative, read-only REST evidence definitions for dozens more providers.
- Generic templates (src/generic/) — reusable HTTP, OAuth, and webhook building blocks for wiring up a provider that isn't here yet.
- Registry (src/register.ts) — registers every connector against the lightweight SDK in src/sdk.ts.
These are TypeScript source files, meant to be read, copied, and adapted. Point them at your own persistence and scheduling — there's no runtime here.
```sh
npm install
npx tsc --noEmit   # type-check the connectors
```

```ts
import { collectGithub } from "./src/github";

const { assets } = await collectGithub({ token: process.env.GH_TOKEN!, org: "acme-inc" });
const failing = assets.filter((a) => !a.complianceOk);
```

Most connectors use only Node built-ins and fetch. A few native ones pull in official client libraries:

- @octokit/rest — GitHub
- @aws-sdk/client-iam, @aws-sdk/client-s3 — AWS
- pg — Postgres
They're listed in package.json; install only what you use.
- Copy the closest existing connector (a REST one like src/datadog.ts is a good template).
- Define its credential shape in src/types.ts.
- Return DiscoveredAsset[] with honest issues codes.
- Register it in src/register.ts.
Keep it read-only, keep it single-tenant, and never log or return raw secrets.
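A complete connector written to the contract above and following the four steps, as an added example that is not the project's own src/okta.ts. It reads an Okta-style user list, follows Link-header pagination, grades each active user for MFA enrollment and login recency, and strips credential-looking keys before the record goes into rawConfig. The OktaCredentials shape, the endpoint paths, the issue codes MFA_DISABLED and STALE_LOGIN, the 90-day threshold and the sample tenant data are all assumptions made for this example; fetch is injected so the block runs offline against the constructed data.

```typescript
// Added example, not the project's connector. Endpoint paths, credential shape,
// issue codes and sample data are assumptions; fetchImpl is injected so it runs offline.

interface DiscoveredAsset {
  externalId: string;
  name: string;
  type: string;
  rawConfig: Record<string, unknown>;
  complianceOk: boolean;
  issues: string[];
}

interface OktaCredentials { domain: string; apiToken: string; }

// Structural stand-in for fetch so a fake can be injected; Node's global fetch also fits.
type FetchLike = (url: string, init: { headers: Record<string, string> }) => Promise<{
  ok: boolean;
  status: number;
  headers: { get(name: string): string | null };
  json(): Promise<unknown>;
}>;

interface OktaUser { id: string; status: string; lastLogin?: string | null; profile: { login: string }; }
interface OktaFactor { status: string; factorType: string; }

const SECRET_KEY = /password|token|secret|api[_-]?key|private/i;
const STALE_DAYS = 90; // assumed threshold for STALE_LOGIN

// Deep-copy a raw record, dropping any key whose name looks like a credential,
// so rawConfig can be persisted as evidence without leaking secrets.
function sanitize(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      if (!SECRET_KEY.test(k)) out[k] = sanitize(v);
    }
    return out;
  }
  return value;
}

// Pure grading step: one user plus its enrolled factors -> one graded asset.
// Only ACTIVE users are graded; suspended or deprovisioned ones carry no issues.
function gradeUser(user: OktaUser, factors: OktaFactor[], now: Date): DiscoveredAsset {
  const issues: string[] = [];
  if (user.status === "ACTIVE") {
    if (!factors.some((f) => f.status === "ACTIVE")) issues.push("MFA_DISABLED");
    const last = user.lastLogin ? Date.parse(user.lastLogin) : NaN;
    const ageDays = (now.getTime() - last) / 86_400_000;
    if (Number.isNaN(last) || ageDays > STALE_DAYS) issues.push("STALE_LOGIN");
  }
  return {
    externalId: user.id,
    name: user.profile.login,
    type: "OKTA_USER",
    rawConfig: sanitize(user) as Record<string, unknown>,
    complianceOk: issues.length === 0,
    issues,
  };
}

// Follow Link: <...>; rel="next" pagination until the last page. Errors carry the
// status code only, never the token or response body.
async function getAll<T>(url: string, creds: OktaCredentials, fetchImpl: FetchLike): Promise<T[]> {
  const items: T[] = [];
  let next: string | null = url;
  while (next) {
    const res = await fetchImpl(next, {
      headers: { Authorization: `SSWS ${creds.apiToken}`, Accept: "application/json" },
    });
    if (!res.ok) throw new Error(`Okta request failed: HTTP ${res.status}`);
    items.push(...((await res.json()) as T[]));
    const m = /<([^>]+)>;\s*rel="next"/.exec(res.headers.get("link") ?? "");
    next = m ? m[1] : null;
  }
  return items;
}

// The connector itself: (credentials) => Promise<{ assets }>. Read-only, single-tenant, no persistence.
async function collectOkta(creds: OktaCredentials, fetchImpl: FetchLike, now: Date = new Date()):
  Promise<{ assets: DiscoveredAsset[] }> {
  const base = `https://${creds.domain}/api/v1`;
  const users = await getAll<OktaUser>(`${base}/users?limit=200`, creds, fetchImpl);
  const assets: DiscoveredAsset[] = [];
  for (const u of users) {
    const factors = u.status === "ACTIVE"
      ? await getAll<OktaFactor>(`${base}/users/${u.id}/factors`, creds, fetchImpl)
      : [];
    assets.push(gradeUser(u, factors, now));
  }
  return { assets };
}

// Constructed sample tenant: two pages of users, one with MFA, one without, plus a
// password field that must not reach rawConfig.
const NOW = new Date("2024-06-01T00:00:00Z");
const SAMPLE_PAGES: Record<string, { body: unknown; next?: string }> = {
  "https://acme.okta.com/api/v1/users?limit=200": {
    body: [{ id: "u1", status: "ACTIVE", lastLogin: "2024-05-30T12:00:00Z",
             profile: { login: "alice@acme.example" }, credentials: { password: { value: "hunter2" } } }],
    next: "https://acme.okta.com/api/v1/users?limit=200&after=u1",
  },
  "https://acme.okta.com/api/v1/users?limit=200&after=u1": {
    body: [{ id: "u2", status: "ACTIVE", lastLogin: "2024-01-01T00:00:00Z", profile: { login: "bob@acme.example" } }],
  },
  "https://acme.okta.com/api/v1/users/u1/factors": { body: [{ status: "ACTIVE", factorType: "token:software:totp" }] },
  "https://acme.okta.com/api/v1/users/u2/factors": { body: [] },
};

const fakeFetch: FetchLike = async (url) => {
  const page = SAMPLE_PAGES[url] as { body: unknown; next?: string } | undefined;
  return {
    ok: page !== undefined,
    status: page ? 200 : 404,
    headers: { get: (name) => (name.toLowerCase() === "link" && page?.next ? `<${page.next}>; rel="next"` : null) },
    json: async () => page?.body ?? [],
  };
};

collectOkta({ domain: "acme.okta.com", apiToken: "constructed-token" }, fakeFetch, NOW)
  .then(({ assets }) => console.log(JSON.stringify(assets.filter((a) => !a.complianceOk), null, 2)));
```

Swap fakeFetch for the global fetch and a real SSWS token to run it against a tenant; the grading and sanitizing functions stay pure, which is what makes the verdicts unit-testable without credentials.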
Extracted from the GRC Oversight platform and released to the public domain so the compliance community can build on it freely.